Infostealers hide in rogue PDF software

Cybercriminals are increasingly using fake PDF editors to spread infostealers. This malware embeds itself in a system, collects login credentials and can lead to serious data breaches. How do you recognize this threat and what can you do to limit the damage?


Threat description

There is a visible spike in attacks that trick users into installing a malicious PDF editor. Once this software is active, an infostealer is installed that settles into the system and establishes persistence. Infostealers can end up on systems through (targeted) phishing campaigns or by downloading manipulated software, and can lead to data breaches by capturing the login credentials (username and password) of corporate accounts. This allows unauthorized persons to log in to, for example, mailboxes or corporate environments (such as SharePoint or Google Workspace) where important or sensitive company information is stored.

What to do if an infostealer is found

Which steps should be taken once it is clear that an infostealer is present on a system depends on your goal:

  • Want to know how the infostealer got onto the device and what information may have been captured? If so, the device in question should be forensically examined. To do this, the device must be disconnected from the Internet and transferred for examination. Important: the device should not be reinstalled, as this will remove traces that may be crucial to answering these questions. NFIR can provide support for this type of investigation.
  • Do you only want to remove the infostealer? Then the recommendation is to reinstall the device. This will remove the infostealer as well as any system modifications made by the infostealer.

In both cases, it is recommended to:

  • Change all passwords, including system passwords, passwords stored in the browser and passwords of company accounts.
  • Terminate all active sessions of the affected user. Simply resetting the password is not sufficient: infostealers also capture browser session cookies and tokens, and those remain valid after a password change until they are explicitly revoked or expire.
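The two recommendations above, carried out against a Microsoft Entra ID (Microsoft 365) account with the Microsoft Graph PowerShell SDK, as an added example that is not part of NFIR's original page or tooling. It assumes the SDK is installed (Install-Module Microsoft.Graph), that the operator holds a role allowed to reset passwords, and that the delegated scopes named in the script have been consented; the function name and the user principal name in the usage lines are illustrative.

```powershell
# Added example: contain one compromised Microsoft Entra ID account after an infostealer
# finding. Assumes the Microsoft.Graph PowerShell SDK and an operator role that may reset
# passwords. The function name and the scope list are assumptions made for this example.
function Invoke-AccountContainment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName
    )

    # Delegated scopes: password reset needs User.ReadWrite.All, session revocation needs
    # User.RevokeSessions.All, listing MFA methods needs UserAuthenticationMethod.Read.All.
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, DisplayName
    Write-Host "Containing $($user.DisplayName) <$($user.UserPrincipalName)>"

    # 1. Password reset with a random temporary value the user must change at next sign-in.
    #    24 random bytes -> 32 base64 characters (upper, lower, digits, symbols), which
    #    satisfies the default Entra ID complexity rules.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes)

    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Reset password')) {
        Update-MgUser -UserId $user.Id -PasswordProfile @{
            Password                      = $tempPassword
            ForceChangePasswordNextSignIn = $true
        }
        Write-Host 'Password reset; hand the temporary password to the user out of band.'
    }

    # 2. Revoke the refresh tokens and session cookies issued by Entra ID. A password reset
    #    alone leaves tokens the infostealer already exfiltrated valid until they expire.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke sign-in sessions')) {
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
        Write-Host 'Refresh tokens revoked; all clients must re-authenticate.'
    }

    # 3. List the registered authentication methods so that an MFA method the attacker
    #    added while holding a valid session can be spotted and removed by the operator.
    Get-MgUserAuthenticationMethod -UserId $user.Id |
        Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
        Format-Table -AutoSize

    # Returned (not logged) so the caller can pass it on out of band.
    return $tempPassword
}

# Dry run first (nothing is changed), then for real. The address is a placeholder.
# Invoke-AccountContainment -UserPrincipalName 'j.jansen@example.com' -WhatIf
# Invoke-AccountContainment -UserPrincipalName 'j.jansen@example.com'
```

The order matters: reset the password first, then revoke sessions, so that nothing issued in between survives. The revocation only covers tokens issued by Entra ID; for Google Workspace the equivalent is the user's "Reset sign-in cookies" action in the Admin console, and any SaaS application that keeps its own session cookies has to be signed out separately.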

Prevention

As indicated, infostealers can enter through phishing or by downloading manipulated software. To prevent this, it is advisable to take the following measures:

  • Limit use of unapproved software. As an organization, make reliable software (such as a PDF editor) available centrally so that employees do not have to search for alternatives themselves. Combine this with application control (allowlisting), so that only approved software can be installed and run.
  • Use a password manager to store login credentials securely instead of saving passwords in the browser, whose password store is a primary target of infostealers.
  • Use a monitoring service so that an installed infostealer is detected quickly and further damage can be limited.



SECURITY INCIDENT AT YOUR ORGANIZATION?

The next 30 minutes are crucial!

The first 30 minutes after a cyber security incident are crucial because a quick and adequate response can limit the damage. In addition, further spread of the attack can be prevented and essential evidence can be secured for further investigation.

Our Computer Emergency Response Team (CERT) is available 24/7 to support businesses and organizations during IT security incidents.
