Alongside traditional approaches such as exploiting software vulnerabilities and application misconfigurations, attackers are constantly looking for new ways to break into corporate devices and networks. Two of the fastest-growing threats are search engine optimization (SEO) poisoning and malicious advertising (malvertising).
SEO poisoning is where attackers lure victims to compromised legitimate websites by flooding them with content on topics of interest to the intended victims, so that those pages rank highly for relevant searches. For example, Gootloader, an initial-access-as-a-service operation, targets legal professionals because they handle sensitive business data that can be extremely valuable. Attackers use Gootloader to gain a foothold in an organization’s IT environment and then move laterally across the network to plant ransomware or exfiltrate data.
By using SEO poisoning to lure unsuspecting victims to a wide variety of compromised WordPress blogs, Gootloader tailors its victim pool to the subset of organizations most likely to pay a sizeable ransom. Gootloader infects legal employees and other professionals by luring them to blogs full of content about “legal agreements” and “contracts”. When an employee visits the blog and downloads what appears to be a sample “legal agreement” or “contract”, they are actually downloading Gootloader.
Malvertising is digital advertising that is designed to appear legitimate but is actually malicious. These fake ads promote popular software such as Zoom, TeamViewer or AnyDesk, or popular services such as ChatGPT. Searches for these products return malicious Google ad placements alongside the legitimate results. Users who click the wrong link are taken to what appears to be a legitimate landing page for the software. When they download and run the supposed installer, they are actually downloading and running malware, often BatLoader, Nitrogen or an infostealer.
According to The Media Trust, over three billion malicious ads were blocked in the last year. One of the most common cybercrime operations using malicious advertising is BatLoader. BatLoader, like Gootloader, is an initial-access-as-a-service operation. BatLoader is a malware loader known to infect victims with follow-on malware and malicious tools such as ISFB, the SystemBC Remote Access Trojan (RAT), RedLine Stealer and Vidar Stealer. Once BatLoader operators have gained a foothold in a victim’s network, they sell that access to other threat actors.
How to protect your organization from SEO poisoning and malvertising attacks
Organizations must ensure that there is an enterprise-wide focus on continuous security training. Many security teams invest resources in staff training, but these sessions often take place only once a year, and a third of companies offer no security training at all (according to Hornet Security). Also, most security awareness training (SAT) focuses on identifying malicious email attachments, not browser-based attacks. Helping staff recognize malicious advertising and hijacked websites can help prevent these types of cyberattacks.
To achieve this, include relevant examples in your SAT program so that staff are aware of the risks when browsing or searching for files. It is also important to teach employees to inspect the full URL before downloading files. If the site does not match the expected source (for example, Microsoft Teams should come from a Microsoft domain), users should stop and evaluate. Similarly, users should always inspect the actual file extension rather than relying on the file type icon, since Windows hides known extensions by default and a double extension such as “Contract.pdf.js” can be displayed as a PDF.
From a security perspective, industry best practices such as running Endpoint Detection and Response (EDR) will help if someone downloads a suspicious file or accidentally visits a hacked site. By detecting and containing threats before they spread laterally, you can help ensure that a breach has minimal impact. In addition, enabling the Microsoft Defender Attack Surface Reduction (ASR) rule that blocks JavaScript and VBScript from launching downloaded executable content can stop these loaders at the point where the downloaded script tries to run its payload. Roll the rule out in audit mode first so that legitimate scripts your business depends on show up in the Defender event log before anything is blocked.
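The two endpoint hardening steps above (the ASR rule for downloaded script content, and making file extensions visible so a disguised script is not mistaken for a document) can be applied with the following PowerShell, added here as an example and not taken from the original article or from any vendor. It assumes an elevated PowerShell session on a Windows 10/11 host where Microsoft Defender Antivirus is the active AV, and it assumes the rule GUID quoted in the comment; confirm that GUID against Microsoft’s ASR rules reference for your Defender version before deploying it.

```powershell
# Added example (not from the original article): harden an endpoint against
# SEO-poisoning / malvertising loaders that arrive as downloaded .js/.vbs files.
# Run from an elevated PowerShell prompt on Windows 10/11 with Defender AV active.
param(
    [switch]$Audit   # -Audit: log what would be blocked instead of blocking it
)

# GUID for the ASR rule "Block JavaScript or VBScript from launching downloaded
# executable content" (assumption: taken from Microsoft's ASR rules reference;
# verify it for your Defender version before relying on it).
$JsVbsRule = 'D3E037E1-3EB8-44C8-A917-57927947596D'

# ASR action codes accepted by Add-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit.
# Audit mode writes Event ID 1122 (block mode writes 1121) to the
# "Microsoft-Windows-Windows Defender/Operational" event log.
$Mode = if ($Audit) { 2 } else { 1 }

Add-MpPreference -AttackSurfaceReductionRules_Ids $JsVbsRule `
                 -AttackSurfaceReductionRules_Actions $Mode

# Read the setting back and print the effective action for this rule so the
# change can be confirmed (rule IDs are compared case-insensitively).
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -eq $JsVbsRule) {
        "ASR rule $JsVbsRule action code: $($prefs.AttackSurfaceReductionRules_Actions[$i])"
    }
}

# Show file extensions in Explorer for the current user, so that a lure named
# 'Contract.pdf.js' is no longer displayed as 'Contract.pdf'.
# HideFileExt = 1 (hide known extensions) is the Windows default.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorerKey -Name HideFileExt -Value 0 -Type DWord

# Restart Explorer so the new setting takes effect for open windows.
Stop-Process -Name explorer -Force
Start-Process explorer.exe
```

Run it once with -Audit, review the 1122 events for a week or two, then run it again without the switch to move the rule into block mode. The HideFileExt value is per user (HKCU), so for a fleet push the same registry value through Group Policy or your endpoint management tool rather than relying on a local script.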
You should also ensure that you have a robust process in place for reporting potential security incidents. Employees need to feel confident reporting these issues without fear of immediate repercussions for mistakes. If they trust that they will be taken seriously and not punished for their mistakes, they are more likely to flag problems before they become breaches.
Alongside these approaches, look at the reasons why staff search for free or sample software in the first place. Do they have all the tools they need to work, or are they missing software? Do they know who to ask for a new service or app and how to get it installed? Making it easy for your users to get the software they need, through an internal portal or a self-service approach, removes much of the incentive to search the web for downloads and click on whatever result or ad comes back.
Educating staff about the signs to look out for will reduce risk, while backing that training with 24/7 real-time threat detection and response will help stop potential breaches.
Image credit: Andrew/depositphotos.com
Keegan Keplinger is a senior threat researcher and distinguished security professional, eFeel.