11 Nov, 2024
Malware attacks, including ransomware, cost European Union member states billions of euros each year. Malware-delivered ransomware leads to data breaches, remote takeover of critical systems, and financial fraud.
In 2024, the cost of cyberattacks carried out with malware and other attack tools continues to grow for German companies. A recent survey reported by Reuters found that cybercrime and other sabotage cost German companies approximately 267 billion euros ($298 billion) in the past year, a 29% increase over the previous year.
Malware produced with adversarial artificial intelligence (AI) and machine learning (ML) tooling compounds an already complex problem. Organizations that still see malware reaching their users despite endpoint security and incident response should consider a managed detection and response (MDR) service such as the one offered by the EU firm ForeNova.
Why will malware attacks never stop? Malware is easy to launch, profitable, and easy to modify. Malware, including viruses and ransomware delivered through email phishing, remains one of the most challenging attack vectors for organizations.
Access to malware is easy. Attackers and would-be attackers can reach libraries of malware through dark web marketplaces, where underground developers and scammers post their files for anyone to use. For a fee, typically paid in Bitcoin or another cryptocurrency, anyone can download a malware file, attach it to an email, or host it behind a malicious link on a web page.
It is nearly impossible to keep people from obtaining next-generation malware. The practical way to blunt malware attacks is therefore to prevent them from spreading across an organization once an initial foothold has been gained.
Organizations wanting to prevent the propagation of malware need to pay close attention to malicious behavior inside their network. Some malware executes immediately on delivery; other samples remain dormant for months before being activated, so monitoring cannot stop at the point of initial infection.
SocGholish is a particularly challenging malware family to prevent. It is delivered as a JavaScript file and is frequently disguised as a software update, browser update, or Flash update. Once SocGholish is running on a device, it stages additional files and hands off to remote access tools and ransomware to scale the attack further.
This specific malware profiles its victims' devices, steals valuable information, copies browser settings, and accesses the user's crypto wallet while remaining hidden.
It uses Windows Management Instrumentation (WMI) to propagate across adjacent networks, targeting crypto wallets and ledgers. Other malware families also drop it as a secondary payload, alongside threats such as ransomware.
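The behaviors just described (a fake "browser update" delivered as a JavaScript file that the Windows script host executes, and lateral movement over WMI) can be hunted for in process-creation telemetry. The following Python script is an added example, not code from the original article or from ForeNova; it runs three simple rules over constructed sample events in a simplified Sysmon Event ID 1 layout (host, image, parent image, command line). The file names, host names, and encoded PowerShell string are invented for the example.

```python
"""
Hunt constructed process-creation events for two behaviours: a fake
"browser update" JavaScript loader run by the Windows script host, and
lateral movement over WMI. Every record below is constructed sample data
in a simplified Sysmon Event ID 1 layout, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


# Constructed sample events (hosts, users and file names are invented).
SAMPLE_EVENTS = [
    # Benign: Chrome updating itself through its own updater service.
    ProcessEvent("ws-01", r"C:\Program Files\Google\Update\GoogleUpdate.exe",
                 r"C:\Windows\System32\services.exe",
                 r'"C:\Program Files\Google\Update\GoogleUpdate.exe" /svc'),
    # Suspicious: script host executing a "Chrome update" .js from Downloads.
    ProcessEvent("ws-01", r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\explorer.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome.Update.js"'),
    # Suspicious: wmic used from ws-01 to start a process on another host.
    ProcessEvent("ws-01", r"C:\Windows\System32\wbem\WMIC.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'wmic /node:"fs-02" process call create "powershell -enc SQBFAFgA"'),
    # Suspicious: on the target, the WMI provider host spawns PowerShell.
    ProcessEvent("fs-02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"powershell -enc SQBFAFgA"),
    # Benign: a logon script run by cscript from the domain's netlogon share.
    ProcessEvent("ws-03", r"C:\Windows\System32\cscript.exe",
                 r"C:\Windows\System32\userinit.exe",
                 r'cscript.exe //nologo \\corp\netlogon\mapdrives.vbs'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children of WmiPrvSE.exe that indicate remote command execution over WMI.
WMI_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# A .js file in a user-writable download/temp location whose name mentions an update.
FAKE_UPDATE_JS = re.compile(
    r"\\(Downloads|Temp|AppData\\Local\\Temp)\\[^\"\\]*update[^\"\\]*\.js\b",
    re.IGNORECASE)
WMI_REMOTE_EXEC = re.compile(r"/node:", re.IGNORECASE)
WMI_PROC_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule, command_line) for every event that matches a rule."""
    alerts = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if img in SCRIPT_HOSTS and FAKE_UPDATE_JS.search(ev.command_line):
            alerts.append((ev.host, "fake_update_js_loader", ev.command_line))
        if (img == "wmic.exe" and WMI_REMOTE_EXEC.search(ev.command_line)
                and WMI_PROC_CREATE.search(ev.command_line)):
            alerts.append((ev.host, "wmi_remote_process_create", ev.command_line))
        if parent == "wmiprvse.exe" and img in WMI_CHILDREN:
            alerts.append((ev.host, "wmiprvse_spawned_shell", ev.command_line))
    return alerts


if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

The two WMI rules are deliberately paired: the `wmic /node:` rule fires on the source host and the `WmiPrvSE.exe` parent rule fires on the target, so a single lateral move produces alerts on both ends that an analyst can correlate by time and host name. Benign script-host use (the netlogon .vbs) and legitimate updaters do not match, which is the false-positive check to keep when adapting the rules to real telemetry.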
The agent is a remote access tool (RAT). Available for purchase on the dark web or from malware-as-a-service providers, it captures keystrokes, takes covert screenshots, and steals login credentials. It also exfiltrates data and loads additional malware to advance the attack.
Lumma Stealer is a widely sold infostealer on the dark web, designed to steal personally identifiable information (PII), credentials, browser cookies, and banking information. It is built to evade defensive tools, including email security, IPS, and next-generation firewalls, and it operates in virtualized environments as well as on physical hosts.
"ENISA says that 29% of malware targets the public, 25% hits digital infrastructure, 11% affects public administration, and 9% impacts multiple sectors simultaneously."
Organizations also face an increase in malware-as-a-service (MaaS). Criminal groups use MaaS providers, who operate on the dark web, to launch attacks against their victims. Groups that buy these services can quickly mobilize malware campaigns and make rapid adjustments to their attack vector.
Preventing malware begins with accepting that no malware attack is 100% preventable. Malicious attachments and links, carrying viruses, Trojan horses, and other payloads, ride along in the more than a billion malicious and spam messages sent daily across the globe. Microsoft 365, Google Workspace, and other email service providers successfully block a portion of these rogue messages.
Some of these malicious messages will eventually reach people's inboxes.
Knowing that a fraction of malware-bearing emails will bypass even well-configured cybersecurity systems, organizations need to integrate several layers of next-generation anti-malware controls, including security awareness training and attack simulations, into their malware defensive strategy.
Stopping malware requires several layers of cybersecurity prevention, not just one. Malware arrives across several channels, not just email or SMS. Social engineering is another vector attackers use to lure victims through social platforms, including Facebook and LinkedIn. These lures ask the target to click a malicious link, hand over credentials, or provide an introduction to a CEO or other senior executive.
Organizations following the NIST SP 800-53 control catalog have a proven foundation for defense-in-depth that helps stop attacks across several channels, including websites, host-based applications, endpoint devices, and attacks against user passwords.
Defense-in-depth layers security components, including firewalls, IPS, encryption, multi-factor authentication, email security, and endpoint security, so that they work together with minimal duplication. NIST revises the catalog every few years to reflect needed changes, and current practice also reflects the adoption of artificial intelligence (AI) and machine learning (ML), the use of managed detection and response (MDR), and the need for better continuous monitoring.
Organizations using Microsoft 365 or Google Workspace for email have anti-malware tools built into these offerings. Even with these tools, organizations should layer in additional email security from providers such as Trustifi, Abnormal Security, and Mimecast to further reduce the malware reaching their users; these providers have built AI into their email security layers.
Organizations wanting to stop the propagation of malware also need to invest in end-user education to reduce the risk. Users who can recognize malware embedded in emails, SMS messages, and social engineering attempts help stop its spread.
The first step is teaching users to inspect email headers, recognize a rogue attachment, and refrain from clicking suspicious links. Security awareness training also covers what to do when a suspicious email or file arrives from an unknown source. When SecOps sponsors this training, users better understand the tools available to them and how important reducing these attacks is to the organization.
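As an added example of the header and attachment checks the paragraph above asks users to learn (it is not code from the original article or from ForeNova), the following Python script applies them mechanically to one constructed message: it compares the From, Return-Path, and Reply-To domains, reads the Authentication-Results header for SPF, DKIM, and DMARC results that are not a pass, and flags attachments with script or executable extensions, including double extensions such as .pdf.js. Every address, host, and header value in the sample is invented.

```python
"""
Triage checks a user (or a mail-gateway rule) can apply to a message before
opening anything. The message below is constructed for this example; none of
the addresses, hosts, or Authentication-Results values are real.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Extensions that execute directly or unpack to something that does.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr",
                    ".lnk", ".iso", ".img", ".cmd", ".bat"}
# Any SPF/DKIM/DMARC verdict other than pass is worth a finding.
AUTH_NOT_PASS = re.compile(
    r"\b(spf|dkim|dmarc)=(fail|softfail|permerror|temperror|none)\b", re.I)

# Constructed sample message (not a real capture).
RAW_MESSAGE = """\
Return-Path: <bounce@mail-delivery-notice.example.net>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-delivery-notice.example.net;
 dkim=none; dmarc=fail header.from=corp.example
From: "IT Service Desk" <helpdesk@corp.example>
Reply-To: helpdesk.corp@webmail.example.org
To: alice@corp.example
Subject: Action required: browser update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your browser is out of date. Run the attached update today.

--b1
Content-Type: application/octet-stream; name="Chrome.Update.pdf.js"
Content-Disposition: attachment; filename="Chrome.Update.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHggPSAxOw==
--b1--
"""


def domain_of(addr_header) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender consistency: the visible From should agree with the envelope
    #    sender (Return-Path) and with where replies are steered (Reply-To).
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} != From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} != From domain {from_dom}")

    # 2. Authentication verdicts recorded by the receiving mail server.
    for m in AUTH_NOT_PASS.finditer(str(msg.get("Authentication-Results", ""))):
        findings.append(f"{m.group(1).lower()} result is {m.group(2).lower()}")

    # 3. Attachments with executable or script extensions, and double extensions
    #    that try to pass as documents (update.pdf.js).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has executable extension {ext}")
            if name.count(".") > 1:
                findings.append(f"attachment {name} uses a double extension")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print("-", finding)
```

The same checks belong in a mail-gateway rule as much as in a user's head; the point of teaching users to read headers is that they catch the case where the gateway's verdict was wrong or absent, for example a message with no Authentication-Results header at all, which this script would pass silently on check 2 and which a trained user would treat as unverified.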
Another critical tool is the attack simulation. SecOps teams send harmless simulated phishing emails, with lookalike attachments or links, to the user community and measure how many users reply, click the link, or open the attachment. Based on the results, SecOps determines which users need additional training and recognizes those who correctly reported or ignored the simulated attacks.
Endpoint protection with adaptive controls is one of the most essential prevention tools an organization can invest in. Attackers focus much of their effort on endpoint devices, which represent the most significant attack surface within any organization. Mobile devices, tablets, PCs, Macs, and smart devices are all frequent targets.
By compromising a single endpoint, attackers can move laterally through the victim's network. Endpoints run operating systems, locally installed applications, and browsers used to reach SaaS applications; if any of these components is not kept current with security patches, it becomes exploitable.
Endpoint security solutions provide proactive protection, especially when devices fall behind on patches and updates. They provide several layers of prevention, including anti-malware, anti-spam, and anti-virus, and can block rogue data exfiltration attempts.
Developing a counter-malware strategy requires an organization to invest in the proper tools and retain experienced SecOps engineers to handle deployment, upkeep, and incident response. Organizations committed to a defense-in-depth strategy such as NIST SP 800-53 recognize the need to either hire experienced SecOps engineers or partner with an MDR provider such as ForeNova.
ForeNova's experience in malware detection, prevention, and remediation helps organizations reduce their risk and support their compliance status through a range of cost-effective services.
Organizations recognize the need for these capabilities and increasingly turn to managed detection and response (MDR) providers such as ForeNova for help. ForeNova, an EU-based MDR provider, offers several layers of counter-malware protection, including monitoring, detection, and response through its automated incident response services, managed Security Information and Event Management (SIEM), and endpoint security solutions.
ForeNova's 24x7 coverage model helps organizations meet EU regulatory requirements, including DORA, NIS2, and GDPR. Such coverage is increasingly a requirement for organizations seeking cyber insurance.