Why complex malware threats require a multi-level approach

While ransomware gets more attention, healthcare organizations face a variety of outside threats and a range of defenses is essential to stopping them.


Malware can be challenging to remediate because it comes in endless varieties and spans a wide range of threat levels, from low-end scareware and mid-level ransomware to high-level advanced volatile threats (AVTs) and advanced persistent threats (APTs).

Ransomware is a type of infection that often starts with a single user and then expands to any drive the user can access. Once a system is infected, ransomware can overwrite important files; it is of greater concern if the user has access to a company-shared drive.

For retail organizations, point-of-sale malware has also become common in recent years. We have seen breaches at major retailers and we’ll likely continue to see breaches in the future. This sort of malware scrapes the memory of the point-of-sale systems looking for data that matches the pattern of credit card numbers. The credit card data is then extracted from these systems and sold or utilized in fraud.

Sophisticated APT attacks are conducted by stealthy, well-resourced, well-researched, dogged adversaries who are intent on gaining a foothold in an organization’s IT infrastructure.

Then there are AVTs, which are malware that are not written to disk. Sophisticated attackers exploit a process or service, carry out their malicious actions in the memory space of the exploited process and then delete themselves, leaving no forensic evidence on the hard disk.

AVTs do not have to reach the victim’s hard drive to deliver their payload. Traditional antivirus solutions depend on the presence of a file on the hard drive, so the absence of any on-disk evidence makes AVT attacks harder to detect, and therefore more potent, than the related APTs.

Malware is a business, though, and most malware authors would rather stay on your computer for an extended period of time. This means that malicious programs generally save a copy of themselves to disk so that they can start running again when the computer is rebooted. There is an interesting category of AVT malware called memory-only malware. This malware resides solely in memory, thereby evading detection by traditional antivirus solutions, which scan files on disk.

Creative methods have been found to achieve persistence (restarting after reboot) in memory-only malware. The best-known member of the memory-only malware family was Poweliks. This malware stored itself in the Windows registry and had some code to reload and execute that registry entry at each reboot. Other pieces of malware, such as Linux/Cdorked, featured a modified Apache binary but stored most of their code in shared memory. Because most of its logic lived only in memory, Linux/Cdorked was a challenge to analyze.

The best defense against malware threats is a defense-in-depth security policy, which should include network and endpoint protection, proper access controls and network segmentation. With all of that in place, user education should not be overlooked. Users who are made aware of potential threats become endpoint watchdogs and can save organizations a lot of money. Such education can cover everything from browsing habits and wariness of advertisements to suspicion of emails and phone calls.

We have seen phishing and social engineering attacks that impersonate executives and trick employees into revealing banking details or transferring money to a fraudster. A well-educated user is going to think twice before clicking a link in their email or giving away information on a phone call.

Organizations are plugging in more devices and hooking them up to the Internet. From security systems to ovens, everything is “smart” and connected now. This interconnectedness brings complexity and risk. One improperly configured device or one incorrect line of code can have disastrous effects. It would not be the end of the world if someone exploited your refrigerator and mined Bitcoin on it, but when organizations start hooking up medical devices and vehicles to the Internet, careful consideration is essential. Organizations need to ensure the systems being built are secure.

This post originally appeared on his ISACA blog, which can be viewed here.