
Updates from Enzoic’s Threat Research Team

Some good news this week in the form of infostealer infrastructure disruption as Dutch authorities claim to have shut down some threat actors operating instances of the Redline and META infostealers. Hopefully there is a deterring effect on other Malware-as-a-Service (MaaS) providers. It’s a bit hard to be optimistic that the flow of exfiltrated data will slow, given the ease with which infostealer malware is sold, disseminated, and operated— once the code is out there, the cat is out of the proverbial bag. However, these operations sometimes yield information or evidence that can assist in larger-scale crackdowns, and any reduction in infostealer volume is certainly better than none.

In another success for the authorities, the threat actor known as ‘USDoD’ was arrested in Brazil a couple of weeks ago (around the time of our last blog installment). He is best known for the recent National Public Data breach (the contents of which can be searched, along with many other breaches, via our identity breach monitoring product), which exposed millions of US citizens’ Social Security numbers along with other personal information. USDoD has a long history of high-profile data breaches; hopefully, his downfall will not only prevent him from further criminal activity, but also deter others.

Still, there remain many threat actors out there, and cybercrime is largely a land of opportunity. While the financial incentives remain, we expect there to be a perpetual cast of threat actors waiting in the wings. As researchers, we can take these law enforcement actions as a sign to be vigilant for shifts in the threat landscape as threat actors try new domains, pseudonyms, servers, and tactics to continue exploiting others for illicit revenue.

Some Things Never Change

In a sadly expected follow-up from the ransomware attack in February 2024, Change Healthcare recently confirmed that over 100 million people had their personal financial and health-related information stolen, and notified the individuals that were affected. This makes it the largest healthcare data breach in history. The healthcare industry has long been a juicy target for threat actors due to the high value of the personal information in perpetrating identity theft and fraud, and the highly critical nature of their operations making them a sensitive target for ransomware. We’ve written before about password security problems in the healthcare industry, and this Change breach serves as yet another warning: in testimony to a US House subcommittee, CEO Andrew Witty “confirmed that compromised credentials were used to gain access to Change Healthcare’s systems, which were most likely purchased by the attacker on the dark web.” [1]

Unfortunately for users, patients, and providers, these large organizations appear uninterested in taking meaningful action to protect against even these basic threats. Despite the costs of this breach exceeding 2 billion dollars [1] so far, it’s unlikely to make a significant dent in the revenue of parent company UnitedHealth, which had over 23 billion dollars in net income in 2023, and HIPAA fines max out at $2 million. Some US senators are fighting to remove this limit and establish minimum cybersecurity standards that will hopefully protect the already vulnerable populations (i.e. those suffering health problems) that are harmed by these types of breaches.

FAQs

  1. What is infostealer malware, and how does it impact users?
    Infostealer malware is a type of malicious software designed to steal sensitive information, such as login credentials, financial data, and personal details, from victims’ devices. Once an unwitting user inadvertently installs it on their system (it often masquerades as a computer game, anti-virus software, or another application), it stealthily sends the stolen information to cybercriminals, who can use it for identity theft, fraud, or selling it on the dark web. The impact on users can be severe, including financial losses, compromised privacy, and increased vulnerability to further attacks.
  2. How are authorities combating infostealer malware like Redline and META?
    Recent efforts by Dutch law enforcement demonstrate how authorities are actively working to disrupt infostealer malware operations by targeting the infrastructure used to distribute and operate malware like Redline and META. These disruptions aim to slow the spread of infostealers, reduce data exfiltration, and send a message to Malware-as-a-Service providers that their actions are under scrutiny. These operations sometimes yield valuable information that can help track and prosecute threat actors on a larger scale.
  3. Why is infostealer malware still a significant threat in 2024?
    Infostealer malware remains a major threat because of its high availability through MaaS platforms, making it easy for cybercriminals to acquire and deploy without advanced technical knowledge. The high value of stolen data, especially in sectors like healthcare, incentivizes cybercriminals to use infostealers to capture sensitive information. Despite law enforcement efforts, the profitable nature of this malware ensures that threat actors continue to find ways to distribute and operate new variants, making it difficult for signature-based tools that require updates to stay ahead of every new permutation of malware.

[1] Adler, Steve. https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/

AUTHOR

Dylan Hudson

Dylan leads the Threat Research team at Enzoic, developing and implementing cutting-edge threat intelligence infrastructure to help protect users and organizations from cyberattacks. When not at work, he can be found hiking and biking in the Rocky Mountains or playing traditional Celtic music on various stringed instruments.