Last week’s story about the merging of the Citadel trojan with the Reveton ransomware grabbed my attention. This use of multiple attack vectors by cybercriminals is almost certainly the result of successes by law enforcement in the ongoing battle against online crime.
The takedowns of botnet servers and Web domain names this year by Microsoft and several law enforcement agencies around the world have undoubtedly cut into the income streams of cybercriminal gangs, with predictable results: the gangs are combining tools to squeeze more value out of each infection.
The attack code seen in this latest malware looks for shared privileged credentials, that is, superuser accounts where the same password is used on every machine. It persists on the compromised host and defeats routine password-change practices. The net effect is that the compromise of a single system can silently turn into a compromise of most, or all, of the organization's critical systems, because one stolen administrator password opens every machine on which it is reused.
The best defense against such an attack is a properly implemented privileged identity management solution that gives every system its own randomized privileged password, re-randomizes those passwords continuously, and grants access to a sensitive credential only for a limited time. Requiring a workflow approval before access to a sensitive system is granted further reduces the value of this malware to cybercriminals, since a stolen password is unique to one host and expires shortly after it is used.
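The following is an added example, not code from the original column or from any privileged identity management product, showing the model the paragraph describes in miniature: a check for the weak state (the same privileged password reused across hosts), a vault that holds a distinct random password per host, an approval-gated, time-limited checkout, and rotation of every password whose lease has lapsed. The `Vault` class, its method names and the sample host inventory are hypothetical and exist only for illustration.

```python
"""Added example (not from the original article or any vendor's API).

Models the privileged-password handling the text recommends:
- shared_password_hosts(): audit check for the same privileged password on
  several machines (the condition the malware exploits);
- Vault: one random password per host, approval-gated checkout with a lease,
  and rotation of any password whose lease has expired.
All names here are hypothetical; the host list is constructed sample data.
"""
import hashlib
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def random_password(length=24):
    """Cryptographically random password drawn from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fingerprint(password):
    """Audit on a hash of the password, never on the cleartext itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def shared_password_hosts(passwords):
    """Return groups (sorted host lists) that share one privileged password.

    passwords: mapping of host name -> current privileged password.
    An empty result means no password is reused across hosts.
    """
    groups = defaultdict(list)
    for host, password in passwords.items():
        groups[fingerprint(password)].append(host)
    return sorted(sorted(hosts) for hosts in groups.values() if len(hosts) > 1)


class Vault:
    """Hypothetical privileged-password store with leases and rotation."""

    def __init__(self, hosts, lease_seconds=3600):
        self.lease_seconds = lease_seconds
        # Every host gets its own password; no two hosts share one.
        self.passwords = {host: random_password() for host in hosts}
        self.leases = {}  # host -> lease expiry (seconds, caller-supplied clock)

    def checkout(self, host, requester, approved, now):
        """Hand out a host's password for one lease after workflow approval."""
        if not approved:
            raise PermissionError(f"{requester}: no approval for {host}")
        if host not in self.passwords:
            raise KeyError(host)
        if self.leases.get(host, 0) > now:
            raise RuntimeError(f"{host}: already checked out")
        self.leases[host] = now + self.lease_seconds
        return self.passwords[host]

    def rotate_expired(self, now):
        """Replace the password of every host whose lease has lapsed.

        Returns the sorted list of rotated hosts, so a stolen password stops
        working once its lease is over.
        """
        rotated = []
        for host, expiry in list(self.leases.items()):
            if expiry <= now:
                self.passwords[host] = random_password()
                del self.leases[host]
                rotated.append(host)
        return sorted(rotated)


if __name__ == "__main__":
    # Constructed sample: three servers built from one image with one admin password.
    weak = {"web01": "Summer2012!", "db01": "Summer2012!", "app01": "Summer2012!"}
    print("shared passwords:", shared_password_hosts(weak))   # all three hosts

    vault = Vault(weak.keys(), lease_seconds=900)
    print("shared after vault:", shared_password_hosts(vault.passwords))  # []
    pw = vault.checkout("web01", "alice", approved=True, now=0)
    print("rotated at t=900:", vault.rotate_expired(now=900))  # ['web01']
    print("old password still valid:", pw == vault.passwords["web01"])  # False
```

The clock is passed in by the caller so the lease logic is deterministic and testable; in a real deployment the rotation step would also push the new password to the host, which this model leaves out.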
Since few companies use privileged identity management technology, many organizations may suffer from this new generation of malware, with little to be gained from traditional security measures alone, such as educating users or relying on anti-virus and anti-malware products.
Once the new malware slips in, it is effectively curtains for corporate security. Even though ransomware itself has been around since the late 1980s, the technique is still pretty much the same today: the victim's files are locked or access to them is denied until a "ransom" payment is made.
Adding the Citadel trojan to the mix is a value-add for the cybercriminals, because the trojan attempts to steal user credentials regardless of whether the victim pays the ransom. And if those credentials include an admin account, the company is in potentially very serious trouble.
This is where privileged identity management comes into its own: even if a user account is compromised, the reach of the attackers is severely limited, because the privileged password on each system is unique, expires after a short lease, and cannot be obtained without approval.
The bottom line is that organizations need to start raising their security game through the use of additional layers of technology.