2021 was another tough year for people on the front lines of cybersecurity. As cyberattacks grew in both number and complexity, organizations were put on the defensive trying to protect their networks, their data and their endpoints from compromise. Governments around the world increasingly stepped up to help not just the public sector but the private sector. A new government advisory looks at the top malware strains of 2021 and offers advice on how to thwart them.
Examining the most common malware types and strains
Released on Thursday, the joint advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC). As noted in the advisory, malware is often employed by cybercriminals to compromise vulnerable computers and mobile devices. The goal is to gain access to the compromised systems to steal sensitive information or deliver ransomware.
Examples of malware include viruses, worms, Trojans, ransomware, spyware and rootkits. For 2021, the top types of malware identified by CISA and the ACSC were Remote Access Trojans (RATs), banking Trojans, information stealers and ransomware. Most of these have been around for more than five years, giving them ample time to evolve into different variations.
SEE: Mobile device security policy (TechRepublic Premium)
More specifically, the top malware strains singled out in the advisory were Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader. All of these have been around for at least five years, while Qakbot and Ursnif have been on the prowl for more than a decade.
Employed by Eurasian cybercriminals who operate with the tacit permission of Russia, Qakbot and TrickBot are used to create botnets to launch or facilitate ransomware attacks. TrickBot malware often provides the initial access for Conti ransomware, used in almost 450 global ransomware attacks during the first half of 2021, according to the advisory.
Among the other malware strains, Formbook, Agent Tesla and Remcos were used in 2021 for widespread phishing campaigns. The phishing emails and associated websites exploited fears and concerns around the COVID-19 pandemic to steal personal data and sensitive credentials from businesses and individuals.
“Most of the malware strains utilize phishing emails and malicious attachments, which in itself is not that surprising, especially when traditional security detections and filtering have historically struggled to determine the malicious from the non-malicious,” said Paul Laudanski, head of threat intelligence at email security provider Tessian. “Today’s threat actors take advantage of unique phishing URLs, and the one-time use ones make it especially difficult to verify the target location by security agencies.”
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
How security pros can protect their organizations from malware threats
To protect your organization from the latest malware strains, the advisory offers the following tips:
Keep all your software updated
Be sure to update your operating systems, applications, and firmware. But prioritize the patching of known exploited vulnerabilities as well as critical security flaws that enable remote code execution or denial of service attacks on internet-facing systems. To help with this process, consider using a patch management system. Also, sign up for CISA’s free cyber hygiene services, which offer vulnerability scanning.
Enforce multi-factor authentication
Use MFA wherever and whenever possible. Further, require strong passwords for all accounts, including service accounts. Don’t allow passwords to be used or reused across different systems or stored on a system potentially accessible to an attacker.
Secure and monitor any instances of RDP (Remote Desktop Protocol)
Vulnerable to security flaws, RDP is one of the top vectors for malware and ransomware as it can give an attacker unauthorized access to a remote session. If you absolutely need RDP, restrict its sources and mandate MFA to protect account credentials from being compromised. If RDP is required externally, be sure to use a VPN or other method to authenticate and secure the connection. Also monitor all remote access and RDP login attempts, lock out accounts after a certain number of attempts, and disable any unused RDP ports.
Keep offline backups of critical data
Backups should be run on a regular basis, at least every 90 days. Be sure to test your backup processes and make sure that the backups are isolated from network connections. Make sure that the backups themselves are encrypted and that backup keys are stored offline as well.
Offer security training to your users
The right security awareness training can teach employees how to spot and avoid malicious social engineering and phishing campaigns. Ensure that employees know what to do and whom to contact if they receive a suspicious phishing email or other threat.