Dormant Malware, the Hidden Threat Lurking in Your Systems

In cybersecurity, malware remains a persistent and growing concern. One of the most dangerous forms of malware is dormant malware, also known as sleeper malware.

This malicious software can remain inactive for extended periods within a system before being activated by cybercriminals, sometimes waiting for months or even years. While there is no precise data on how many systems are infected with dormant malware, certain statistics shed light on the prevalence and potential impact of this hidden threat.

Dormant Malware Prevalence

The term dormant malware refers to malicious programs that are intentionally left inactive, sometimes for months or even years, before being triggered by external or, more often, internal conditions: keywords, access to specific files, date events… This form of malware is challenging to detect because it shows no obvious signs of compromise until it is activated. Some key data points provide insight into how dormant malware may be affecting systems worldwide:

  • 560,000 new malware samples are detected DAILY, contributing to an already staggering total of over 1 billion known malware programs. Many of these could remain dormant within infected systems, waiting for the right conditions to activate [1], at a staggering average cost of US$/EUR 4.5 million per incident.
  • In 2023, the total number of malware attacks worldwide reached an alarming 6+ billion, marking a 10% increase from the previous year [2]. This increase in attacks raises concerns about the growing threat landscape, with dormant malware being a likely factor in many incidents.
  • A particularly concerning statistic is that nearly every second computer in China is infected with malware, a 47% infection rate that ranks as the highest globally. Many of these infections could involve dormant malware lying in wait for activation [1], and such infections can spill over into systems worldwide, including the West.

Malware knows no borders, much like influenza.

Factors Contributing to Dormant Malware

There are several reasons why malware might remain dormant in a system. Understanding these scenarios can help organizations strengthen their defenses and detect such threats more effectively:

  1. Dependency on External Infrastructure: Dormant malware may not activate if it cannot communicate with its command-and-control (C&C) server, which is responsible for sending activation commands. Without this connection, the malware remains inert until the link is re-established [3]. Air-gapped systems are my favorite method here, but even they are not safe without certain precautions.
  2. Internal Component Dependency: Many malware families consist of multiple components that must work together to execute their payload. If a critical component is missing, the malware may remain dormant until the necessary components are present or accessible [3], making it undetectable.
  3. Missing/Expected Input: Some malware requires specific inputs or conditions to execute, as mentioned above. Without these triggers, such as certain user actions or system events, the malware stays inactive, posing a potential threat that could go undetected until activation [3].
  4. Broken ‘Packer’: Malware often uses packers (tools that compress or encrypt the payload) to evade antivirus detection. If the packer malfunctions or breaks, the malware fails to unpack and remains dormant until the broken payload is replaced or reinitialized by a later trigger [3].

Impact and Detection Challenges

The threat posed by dormant malware is twofold. On one hand, its ability to stay hidden for extended periods makes it difficult to detect. On the other hand, once activated it can wreak havoc, not only in terms of financial loss but also by exposing individuals’ private lives to the world. Major challenges include:

  • Extended Dwell Times: Cybercriminals often rely on extended dwell times, using these inactive periods to plan their attacks carefully and maximize the damage once the malware is activated. The longer the malware stays dormant, the more time attackers have to refine their strategies [6].
  • Traditional Security Gaps: Traditional perimeter security tools, such as firewalls and antivirus software, may fail to detect dormant malware, allowing it to sit undetected for weeks, months, or even longer. As cybersecurity tools become more sophisticated, so do the methods that malware uses to remain hidden [6].
  • Case Studies of Detection: In Q3 2023, Kaspersky’s security solutions blocked banking malware on the computers of 76,551 unique users. While it’s unclear whether these infections were dormant before activation, this statistic highlights the scope of the problem and the challenges in detecting malware that lies in wait [4].

Why You Should Care About Dormant Malware

Dormant malware is particularly dangerous because systems may appear to be functioning normally while harboring malicious code that can be triggered at any time. Organizations and individuals alike must understand the threat and take proactive measures to protect their data and systems.

How to Defend Against Dormant Malware

To mitigate the risks, it’s critical to implement comprehensive cybersecurity strategies that go beyond traditional defenses:

  • Advanced Detection Tools: Rely on more sophisticated security software that can detect and analyze suspicious activities over extended periods, looking beyond the immediate threat to uncover hidden dangers.
  • Regular Security Audits: Conduct regular security audits to identify any signs of dormant malware and ensure that all components of your system are functioning properly.
  • Employee Training: Educate employees on the risks of malware, including dormant threats. Awareness and vigilance can go a long way in preventing the initial infection that could lead to dormant malware. As I’ve written multiple times, don’t click on any suspicious links – the most prevalent cyberthreat ever, PHISHING.
  • Network Segmentation: Segment networks to limit the spread of dormant malware. If malware does become active, limiting its ability to move through the system can contain the damage. Segment the data from the system!!!
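The first factor listed earlier (malware that waits for its C&C server) and the call above for detection tools that look at activity over extended periods meet in one practical check: an implant that cannot reach its controller usually retries on a fixed schedule, so the regularity of those attempts, rather than any single connection, is the signal. The Python below is an added example written for this article; it is not code from the article or from any product it cites. The log line format, the host and domain names and the thresholds are all constructed for illustration.

```python
"""Periodic-callback (beaconing) detector over proxy/firewall logs.

Added example, not from the original article. Groups connection events by
(source, destination), measures the gaps between consecutive attempts and
flags series whose gaps are long but almost identical: the fingerprint of
an implant polling for a controller it cannot yet reach.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> <source> -> <destination> <ALLOW|DENY>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (ALLOW|DENY)$")

# Constructed sample: one host polls a never-reachable name every 30 minutes
# (+/- a few seconds) while its ordinary mail traffic is irregular, and a
# second host browses a news site a few times.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.12 -> cdn-update.placeholder.test DENY
2024-03-01T09:00:04 10.0.0.12 -> mail.placeholder-corp.test ALLOW
2024-03-01T09:30:01 10.0.0.12 -> cdn-update.placeholder.test DENY
2024-03-01T09:41:37 10.0.0.12 -> mail.placeholder-corp.test ALLOW
2024-03-01T10:00:02 10.0.0.12 -> cdn-update.placeholder.test DENY
2024-03-01T10:05:10 10.0.0.25 -> news.placeholder-site.test ALLOW
2024-03-01T10:29:59 10.0.0.12 -> cdn-update.placeholder.test DENY
2024-03-01T10:33:48 10.0.0.12 -> mail.placeholder-corp.test ALLOW
2024-03-01T11:00:01 10.0.0.12 -> cdn-update.placeholder.test DENY
2024-03-01T11:12:00 10.0.0.25 -> news.placeholder-site.test ALLOW
2024-03-01T11:30:00 10.0.0.12 -> cdn-update.placeholder.test DENY
2024-03-01T11:58:20 10.0.0.12 -> mail.placeholder-corp.test ALLOW
2024-03-01T12:40:07 10.0.0.25 -> news.placeholder-site.test ALLOW
"""


def parse_log(text):
    """Yield (timestamp, src, dst, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, src, dst, result = match.groups()
        yield datetime.fromisoformat(ts), src, dst, result


def find_beacons(text, min_events=4, min_interval=600, max_jitter=0.05):
    """Return {(src, dst): summary} for connection series that look periodic.

    min_events   - ignore pairs seen fewer times than this
    min_interval - ignore chatty traffic (mean gap below this many seconds)
    max_jitter   - flag only if stdev(gap) / mean(gap) is at or below this
    """
    series = defaultdict(list)
    for ts, src, dst, result in parse_log(text):
        series[(src, dst)].append((ts, result))

    flagged = {}
    for key, events in series.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap < min_interval:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter > max_jitter:
            continue
        flagged[key] = {
            "events": len(events),
            "mean_interval_s": round(mean_gap),
            "jitter": round(jitter, 4),
            "all_denied": all(result == "DENY" for _, result in events),
        }
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

The detector deliberately ignores whether any single attempt was allowed or denied and keys only on timing; a destination that is always denied and polled like clockwork is the textbook picture of an implant waiting for its infrastructure. Real implants often randomize their sleep interval, so in practice `max_jitter` is loosened and the analysis window is stretched to days or weeks, which is exactly the "extended period" view the article asks for.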

While precise statistics on dormant malware infections are elusive, the data available paints a clear picture:

Dormant malware is a growing concern among all companies.

With the increasing number of malware attacks and the growing sophistication of these threats, organizations must remain vigilant and employ advanced detection techniques to identify and mitigate dormant malware risks, without forgetting to train their employees. By focusing on both technological solutions and user education, we can reduce the chances of becoming the next victim of this hidden threat.


References:

[1] Astra Security, Malware Statistics – https://www.getastra.com/blog/security-audit/malware-statistics/
[2] Statista, Malware Attacks Per Year Worldwide – https://www.statista.com/statistics/873097/malware-attacks-per-year-worldwide/
[3] Tripwire, Four Common Scenarios for Dormant Functionality in Malware – https://www.tripwire.com/state-of-security/four-common-scenarios-for-dormant-functionality-in-malware
[4] Securelist, IT Threat Evolution Q3 2023 – https://securelist.com/it-threat-evolution-q3-2023-non-mobile-statistics/111228/
[5] Statista, Malware Overview – https://www.statista.com/topics/8338/malware/
[6] Node4, Why Ransomware Hides in Your Systems for Months – https://node4.co.uk/blog/why-ransomware-now-hides-in-your-systems-for-months/
[7] Gabsten, Dormant Malware: Beware the Lurking Threat to Your Data – https://www.gabsten.co.za/2024/01/19/dormant-malware-beware-the-lurking-threat-to-your-data/

Do you know if your data is wandering around on the Internet?

You’d be horrified by how much we can find about you online.


We often implicitly trust companies to keep our data safe, but wait a minute – just because they say it’s safe doesn’t mean it’s foolproof. In fact, companies often warn you in their contracts about how they will handle your information.

That’s not possible, you might say. Well, just recently, in July 2024, AT&T confirmed that cybercriminals had stolen phone numbers and call records of “nearly all” of its customers, affecting approximately 110 million people [1].

The genetic testing company ‘23andMe’ reported a breach affecting 14,000 users [2].

Under the subtitle “Top 5 Data Breaches of 2023,” you can read about this genetic company and others [2].

Here’s an altered story – almost real (company names and personal names have been changed to guarantee anonymity) – that will make you think twice about your own online security… and even your physical security:

The High-School Friend and The DNA Test


Juliana Luniq, a young German medical professional, had just moved to a new city, Amsterdam. She was juggling her new job while setting up her new place, which kept her busy and left her feeling somewhat lonely. A few days after settling in, she was thrilled to reconnect with Amanda, her best friend from high school. Amanda had reached out on social media, and soon they were reminiscing about old times, laughing over high-school photos, and catching up on Juliana’s new life, which Amanda had followed on social media, where Juliana had posted about her move from Germany to the Netherlands.

Juliana felt a wave of nostalgia as she reconnected with Amanda, who remembered all the details – favorite bands, embarrassing prom moments, even the long summer road trip they had taken after graduation.

It was comforting to have an old friend in her inbox, especially while adjusting to a new city and all the challenges of starting fresh. Juliana and Amanda chatted over the next few weeks, catching up on everything from career to family. Juliana even shared that she had recently taken a DNA test with a popular international company, GeneVII GmbH, to explore her ancestry and potential health risks. She had always been interested in her heritage, and the test had provided insights into her family’s genetic makeup, along with a few notes on health predispositions.

Unknown to Juliana, the “Amanda” she thought she was chatting with was not her friend at all. The real Amanda had no idea this “reconnection” was happening. Juliana was, in fact, being targeted by a sophisticated scam ring that exploited leaked data from GeneVII GmbH and social media. By piecing together both Amanda’s and Juliana’s social media posts, tagged photos (dates, places…), and even Juliana’s genetic data, the scam ring crafted a disturbingly convincing persona from Juliana’s past. Like so many of us – even high-profile cybersecurity experts who’ve been targeted – Juliana had unknowingly provided the foundation they needed.

Over the next few weeks, “Amanda” became a comforting presence for Juliana – a familiar face who seemed to understand her. They exchanged stories and recommendations, and one day, “Amanda” suggested an exclusive supplemental health analysis service from GeneVII GmbH that she had found after Juliana had recommended the company to her. The offer seemed like the perfect opportunity for Juliana to explore her health profile in greater depth, especially with the recommendation from her friend.

Juliana clicked the fake link sent to her, logged in, provided her details, and verified her account “for security purposes” via a 6-digit Google Authenticator code (any code would work), thinking this was just another benefit of her GeneVII GmbH membership. The address differed only slightly: in ‘VII’, one of the two capital ‘I’s had been replaced with a lowercase ‘L’ (unnoticeable).

That very night, the scam operation went into action. “Amanda” and her team now had complete access to Juliana’s GeneVII GmbH account, including her full genetic profile. Worse still, they had changed her security questions and password and locked her out – a move timed for the weekend, when most companies are closed. As a precaution, they also accessed her email, confirmed all the changes, and deleted any email notifications.

On Monday, while Juliana was at work, her family received an unexpected call from a professional-sounding woman claiming to be a genetic counselor from GeneVII GmbH. She explained that, through routine analysis, they had discovered a serious genetic marker for an aggressive disease in Juliana’s DNA. The counselor’s tone was compassionate and eerily calm. She warned Juliana’s parents that their daughter was at imminent risk for the disease and that a groundbreaking, though experimental, treatment was available privately.

“We’re reaching out because Juliana didn’t respond to her emergency contact,” the counselor said smoothly, spinning a believable story that left Juliana’s parents in a state of panic. Her father tried to contact her directly, but each attempt was met with an error message asking him to try again later. The scammers had managed to block her account and, under a pretext, had persuaded her mobile operator to change her phone number.

In the midst of this supposed crisis, the counselor put the family in touch with “Amanda”, claiming that Juliana had trusted her as a local contact in Amsterdam. Tearfully, “Amanda” explained that Juliana had confided in her about feeling fatigued and overwhelmed, and was considering this experimental treatment – if only it weren’t so costly. To make the story even more convincing, “Amanda” shared personal, intimate details about her supposed friend.

Juliana’s family was devastated. Unable to reach her, feeling powerless and desperate, they resolved to do anything to save her. The counselor assured them that EUR 80,000 was all that was needed to secure a spot in the exclusive medical trial, but emphasized that spots were filling up quickly.

In an emotional rush, Juliana’s parents wired the money, convinced they were buying their daughter precious time. All the while, Juliana was blissfully unaware of the deception, still going about her happy life in Amsterdam.

That evening, she discovered the truth only when she tried to log into her GeneVII GmbH account to order the new test “Amanda” had told her about and found she was locked out. Panicked, she called the company’s customer service, only to learn that her account had been accessed from a new device two days earlier and that her details had been changed. Her heart raced as she thought, ‘Who could that be?’ Suddenly all the private messages she had exchanged with “Amanda” came to mind, and she realized that her supposed friend had known far too much. It struck her like a ton of bricks that this “friend” was a complete stranger who had pieced together her life and vulnerabilities from years of social media posts, and now from her genetic data.

With mounting dread, she urgently called her parents from the company’s phone since her own phone was disabled – only to learn of the money they had sent and the horror they had endured on her behalf. They were all heartbroken, and Juliana was devastated at having unknowingly led them there. Every choice she had made seemed to unravel with one simple, careless mistake:

Trusting an ‘online friend request’ from someone who felt familiar.

Juliana had fallen victim to a deeply personal scam, one that exploited intimate details of her life, her genetic data, and her family’s trust. A single click, a connection with a “familiar” face, and a chain of misplaced trust had led her and her family into the hands of a highly organized scam ring.

What can we take away from this story?

Every digital footprint you leave online remains permanent – whether you ask Google to remove it or not. Think beyond just Google, and consider other search engines outside the EU and US, and especially governmental databases. Your photos, friendships, and even your DNA can be weaponized by bad actors. In an age where data breaches occur daily and scammers exploit the smallest details, it’s crucial to rethink who you trust online and what data you share. Your information might be worth more than you realize – not just to you, but to those who would use it against you and the people you love.

This story serves as a reminder to think carefully about the personal information you share, even with online friends (verify with them first, by email, telephone…), and to recognize the potential for deep personal consequences. Be proactive by asking questions!
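The address trick in the story (a lowercase ‘L’ standing in for a capital ‘I’ in ‘GeneVII’) is a homoglyph lookalike, and it can be caught mechanically before a login page is ever trusted. The Python below is an added example, not code from the article: it folds visually confusable characters to one representative, then compares the folded host name against a short allowlist of domains the user actually holds accounts with, so both glyph swaps and one-character typos surface. The allowlist and the `.example` host names are constructed placeholders.

```python
"""Lookalike-domain check for links received in chat or email.

Added example, not from the article. Folds characters that look alike in a
browser address bar (l/I/1, 0/o, rn/m ...), then compares the result with a
personal allowlist of trusted domains. Anything that folds onto a trusted
name but is not that name is reported as a lookalike.
"""
import unicodedata

# Constructed allowlist: the domains this user actually has accounts with.
KNOWN_DOMAINS = ("genevii.example", "mail.example", "bank.example")

# Single characters that are easily confused, each folded to one representative.
CONFUSABLE_CHARS = str.maketrans({
    "l": "i", "1": "i", "|": "i", "!": "i",  # lowercase L, one, pipe, bang -> i
    "0": "o",
    "5": "s", "$": "s",
    "2": "z",
    "8": "b",
})
# Two-character sequences that render like a single letter.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def skeleton(domain: str) -> str:
    """Return the visually folded form of a host name."""
    host = unicodedata.normalize("NFKC", domain).strip().lower().rstrip(".")
    # Strip accents so that, e.g., 'é' folds to 'e'.
    host = "".join(c for c in unicodedata.normalize("NFKD", host)
                   if not unicodedata.combining(c))
    for pair, single in CONFUSABLE_PAIRS:
        host = host.replace(pair, single)
    return host.translate(CONFUSABLE_CHARS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typos after folding."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, known=KNOWN_DOMAINS) -> str:
    """Return 'known', 'lookalike:<trusted domain>' or 'unknown'."""
    host = domain.strip().lower().rstrip(".")
    if host in known:
        return "known"
    folded = skeleton(host)
    # Exact match after folding: a glyph-swap lookalike such as GeneVlI.
    for trusted in known:
        if folded == skeleton(trusted):
            return f"lookalike:{trusted}"
    # One edit away after folding: a typo-squat such as geneviii.
    for trusted in known:
        if levenshtein(folded, skeleton(trusted)) <= 1:
            return f"lookalike:{trusted}"
    return "unknown"


if __name__ == "__main__":
    for candidate in ("GeneVII.example", "GeneVlI.example", "rnail.example",
                      "geneviii.example", "unrelated-shop.example"):
        print(f"{candidate:24} -> {classify(candidate)}")
```

The check only needs the host part of the link, which is why the story's victim could have run it on the address she was sent before typing a password or an authenticator code. A personal allowlist is small, so the quadratic edit-distance loop is cheap; for an organization-wide filter the same folding step is applied once to the allowlist and the folded forms are indexed.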

We urgently need to exercise caution with our data in today’s digital world. Be mindful of what you share on social media, and consider removing tags and geolocation data from your photos and videos.

Just for fun (or maybe not), try asking ChatGPT to create a profile about you – you will be amazed at what it can tell you. Now imagine governments that collect every bit of data about you and use a far more powerful AI!


A new DANGER!

A new threat is now looming: the imitation of our voices, which could be used to scam us all.

These AI-generated voices can be incredibly realistic, to the point that it becomes difficult to tell if you are speaking to a human or a machine. Imagine receiving a call from a loved one, asking for money urgently, only to find out it was not them at all, but a deepfake of their voice.

Advise your friends or loved ones to take action if they notice anything unusual or suspicious. For instance, they can use security-based questions to verify whether they are truly speaking to the person they think they are. These questions could be designed to test familiarity or mutual knowledge that only the real person would know. Here are some examples:

  • “What was the color of my childhood bedroom?” (A personal question based on shared history.)
  • “What’s the name of the family dog?” (A detail that’s specific and difficult for an imposter to guess.)
  • “What was the title of the last movie we watched together?” (Something that could easily reveal whether the caller is the real person or not.)
  • “Can you name the musical band we saw last summer?” (A shared experience that would be hard for anyone else to know.)
  • “What was the first thing I said when we met?” (A personal memory that only the real person would be able to recall.)

These questions can help confirm that the person on the other end is who they claim to be, especially in cases where AI-generated voices might be used to deceive. In fact, you could even use these questions while chatting, as AI currently excels more in text-based conversations than in voice interactions.

Be proactive in educating your circle about these potential threats, and always verify anything that seems even slightly out of the ordinary.

Is the first sentence justified?

“You’d be horrified by how much we can find about you online.”


Disclaimer:
The names, places, companies, and, in part, events mentioned in this article are purely fictional and created solely for illustrative purposes. Any resemblance to actual individuals, locations, or organizations is entirely coincidental.

References:
[1] https://techcrunch.com/2024/10/14/2024-in-data-breaches-1-billion-stolen-records-and-rising/
[2] https://jumpcloud.com/blog/top-data-breaches-2023