Cyber leaders need to take action or face the consequences
Introduction
Our recent blog aimed at security analysts has significant financial implications for CISOs and senior Cyber Risk stakeholders. This briefing guide will help you understand what you need to address this growing threat, and why.
Multi-legged Risk
Octo (otherwise known as Coper) malware is a dynamic and sophisticated threat that is actively used to target the Financial sector, yet all organizations are at risk. Financial impact is the single largest outcome of Octo malware infection, as it equips cyber criminals with unauthorized access to sensitive information used to gain access to customer and corporate accounts.
David Monnier, Team Cymru’s Chief Evangelist, explains why senior stakeholders need a plan for Octo Malware:
“For banking and financial organizations, addressing Octo malware risks is critical due to its targeted approach within your sector. However, this applies to all organizations and impacts some of your highest financial risks. These can include customer and corporate fraud, financial systems security, data leakage, loss of customer trust, and fines for regulatory non-compliance”
Why Octo is a particularly high cyber risk
It has the potential to become widespread as it is attractive to cybercriminals
Octo is fairly trivial to operate, which lowers the bar to entry, reduces operating costs for criminals, and leads to exponentially more private individual targets and corporate victims as a result. Octo is an attractive malware for cybercriminals because it features capabilities designed to target sensitive data. This information can be used to infiltrate company networks and amplify their impact.
Combatting this threat is highly challenging as the threat landscape is complex
Because it is offered as a ‘Malware-as-a-Service’ mode’, many unsophisticated cyber criminals can exploit Octo resulting in an increasing number and variety of adversaries, making defense much harder. In addition, the highly proficient operators of Octo malicious infrastructure use sophisticated techniques to avoid detection and stay ahead of traditional threat intelligence techniques. Octo developers and sellers are continuously evolving their software, further enabling cyber criminals through their support program.
Larger organizations are vulnerable as it requires a multi-threaded strategic approach
As we will detail further, mitigating Octo requires planning, and that takes time. Defensive measures involve enhancing authentication methods, educating stakeholders, customers, and employees on secure practices, creating specific cyber defense policies to discover and block malicious or suspicious activity, and empowering threat intelligence analyst teams to detect its presence across your entire digital landscape and third-party ecosystems.
Financial Fraud and Loss:
One of the primary risks is direct financial loss. Given that Octo malware targets financial institutions and their customers, organizations may suffer substantial financial fraud. This can result from unauthorized transactions, theft of funds, or compromise of financial credentials leading to broader financial exposure.
Data Breach and Loss of Sensitive Information:
Octo malware's capabilities, such as keylogging and screen capturing, pose a significant risk of a sensitive data breach. This could include the theft of confidential corporate information, customer data, intellectual property, and more. Such breaches can lead to significant legal, financial, and reputational damage.
Regulatory and Compliance Violations:
For organizations under strict regulatory frameworks (such as GDPR, HIPAA, or financial regulations), a malware-induced data breach could lead to non-compliance issues. This might result in hefty fines, sanctions, or other regulatory actions, alongside the costs of remediation and implementing measures to prevent future incidents.
Reputational Damage:
The public exposure of a malware attack can severely damage an organization's reputation. Customers and partners may lose trust in the organization's ability to safeguard their financial assets, leading to loss of business, strained relationships, and difficulty in attracting new customers or partners.
Operational Disruption:
Beyond financial and data-related impacts, Octo malware infections can lead to significant operational disruptions. This could include the loss of access to critical systems, disruption of business processes, and the need to allocate significant resources to incident response and recovery efforts. For organizations in the Global 2000, such disruptions can have far-reaching ramifications, affecting operations worldwide and leading to substantial financial and operational setbacks.
Effective mitigation against Octo malware is something that requires your team to leverage multiple tools, processes, and procedures.
This will likely include all of the following:
Enhancing Detection and Response Capabilities:
Ensure you have advanced threat detection systems and train incident response teams to recognize and respond to sophisticated malware incidents such as Octo.
Strengthening Endpoint Security:
Ensure all corporate devices, particularly Android, accessing your corporate networks have updated antivirus software and endpoint protection, in addition to the latest operating system updates and security patches. These updates often include fixes for vulnerabilities that malware like Octo/Octo may exploit.
Enforce gateway security and improve customer support:
Ensure all devices accessing financial systems and customer services can be identified and categorized. Octo specifically targets Android devices, so ensuring your perimeter security can distinguish the mobile device and OS is critical. When correlated with customer login credentials, your Customer Service team can proactively alert there is a threat.
Promoting Cybersecurity Awareness:
Ensure that mobile security-specific training sessions that include Octo attributes are made available for employees and customers, focused on recognizing account compromise attempts and securing personal devices.
Implementing Alternative Strong Authentication Processes:
Octo can intercept and read SMS on the device. Multi-factor authentication for all banking applications and services, and access to corporate VPNs and networks should avoid the use of SMS to reduce the risk of unauthorized access and fraudulent activity.
Tactical steps from discovery to defense using the CTEM process
Improve external visibility of digital assets & threats using the Pure Signal™ platform
Our recent research, The Digital Risk Landscape: A Report on Top Financial Institutions & Third Party Risk, highlights the need to improve external visibility of external digital assets, and those of third parties. This ensures that the entire risk landscape is fully scoped and includes every possible source of risk and threat.
Start with Pure Signal™ Orbit’s asset discovery feature to discover, inventory, and manage external assets.
Measure levels of risk by classifying external assets
Once the asset landscape has been fully discovered and scoped, the next step is to assess the cloud platforms, systems, and technologies that are internet-facing. This will create a list of assets that the Threat Intelligence Team can constantly monitor for suspicious or malicious activity related to Octo.
Pure Signal™ Orbit’s cloud platform and technologies features autonomously classify assets and provide a full view of the external systems that cybercriminals could potentially target, with information gained from using Octo malware.
Ensure there is a plan to monitor and prioritize Octo-related activity
By leveraging the integration and automation capabilities of Pure Signal™ products, a real-time alert of suspicious or malicious activity will generate an action for assessment.
Pure Signal™ Scout is a simplified threat research analyst platform that enables team members of all experiences to triage a possible threat quickly, Octo will feature as a predefined Tag creating instant insights. Using the combination of assets discovered in Pure Signal™ Orbit, and cross-referencing with Pure Signal™ Scout, a quick assessment can validate if action is needed, or not. Use IoCs from the Octo blog to start.
Use advanced tools and analysts to assess and validate
Once a possible or potential threat has been prioritized to a senior analyst to assess further, this is where real-time insights and expansive visibility outside network borders become a strategic advantage, as outlined in this case study.
Pure Signal™ Recon enables experienced analysts to expand the details and scale the analysis. Octo leverages specific ports, and protocols, and appears legitimate by using self-signed certificates - all this is available to filter and query among 40+ datasets. This method also expands across adversary and third-party infrastructure, enabling monitoring for external threats across a large threat landscape. Use IoCs from the Octo blog to start.
Identify octo-infected devices and take action
Applying insights gained from the activities and processes above can enable various actions, such as:
Identify new and emergent infrastructure associated with the Octo malware.
Monitor for outbound communications from your own networks to both known Octo infrastructure, and potential new C2 servers as they are stood up over time.
Assess when victims of Octo are interacting with your own, or third party, infrastructure and networks.