Commodity adware puts smaller, medium-sized businesses on an attacker's hit list

Beware small and medium-sized businesses: attackers will target your organization, especially if you’re infected with commodity malware that they can leverage to gain access to your company.

“Certain companies are under the assumption that [because] they’re not well known [this] will keep them off the targeted actor’s hit list,” said Cybereason CISO Israel Barak. “But it’s enough to be infected with a commodity adware took to put you on the market. And once you’re on the market, you’re going to get targeted fast.”

Barak raised this point during a webinar that looked at how threat actors are using commodity malware to infect endpoints, determine what organizations operate those computers and servers and then list those machines on the black market, selling them to threat actors who carry out criminal activities.

“A compromised machine that has adware can turn into a targeted threat within days or hours and machines can be sold within 24 to 48 hours,” he said.

Whether the attack is targeted or untargeted may not matter

After an incident is detected, determining whether the threat is targeted or untargeted may prove irrelevant since attackers can turn untargeted threats, like commodity adware, into targeted threats, Barak said. Once hackers determine that their commodity programs has landed in a high-value target, they’ll sell access to this machine on black market on sites like xDedic, he added.

Buyers have an extensive amount of inventory to sort through on xDedic. During a recent visit to the site, Barak found 30,000 compromised machines for sale, including a computer used by a large U.S. university, a server from a company that’s a Microsoft subsidiary and a server used by a credit card processing company.

For example, for $30 attackers could purchase access to a computer with a public IP address and running point-of-sale software on the network of the University of Washington.

“If you’re an attacker who wants credit card details that are processed by the POS program or research done at a university, this machine would interest you,” Barak said.

Why phish when you can buy access to a compromised computer or server?

A server belonging to the credit card processing company EC Suite was also for sale. The server, located in the company’s Phoenix, Arizona, data center, was selling for $14. Even though EC suite is small player in the credit card space compared to major companies like Visa, “compromising 1 million credit cards isn’t bad, especially if the price is only $14 and there is less work since someone already opened the door,” Barak said.

Another compromised server belonging to Informatica, a Microsoft subsidiary that develops data analysis software. For $14, criminals could purchase access to the server, allowing them to steal the company’s intellectual property or compromise Informatica’s products and propagate malware through them, Barak said.

Barak also found machines belonging to large companies during his search of xDedic. For example, he discovered a server that was used by Intel. Located in the company’s Hillsboro, Oregon, data center, the server would appeal to threat actors interested in compromising Intel’s products or pilfering its intellectual property. Directly accessing a target’s data center is a much easier way to carry out infiltration compared to using traditional attack vectors, he said.

“Why try to go in through a phished user, requiring lateral movement through the user network, risking detection, if you can just buy a direct connection to the data center?” Barak asked.

Monitor commodity malware programs for odd behavior

With commodity threats having the potential to execute much more sinister activities, organizations may need to reconsider how they handle these programs. Security professionals can’t disregard seemingly benign, unwanted programs that have infected their company’s IT environment even though they’re considered less of a threat compared to other security issues.

However, given the prevalence of adware, click-fraud malware and other commodity threats, organizations lack the staff, resources and time to investigate and remediate every infected machine. They need a practical way to handle this emerging threat, Barak wrote in a research report.  

Instead of removing all commodity programs, companies should diligently monitor them for behavioral changes and investigate those that act strangely. Odd behavior, no matter how small, should not be disregarded. When changes to adware, malware and command-and-control traffic on infected systems are spotted, security teams should prioritize them to undergo further investigation and, when appropriate, remediation.

To learn more about the evolution of commodity malware, check out Barak’s research report.  

Fred O'Connor
About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.