Dig deep. How attackers use network worms today.

Father

The triumphal march of WannaCry and Petya across the planet took place five years ago. Since then, there has been much less high-profile news about network worms. However, the silence in the media does not mean that this type of malware is a thing of the past. It is still used, although much less frequently.

How do network worms work now? Which tools for protecting against them are still relevant, and which no longer are? This article looks at both questions.

The worms don't retreat

A few years ago, many organizations were affected by WannaCry, Petya, and NotPetya. Most of them were organizations from Russia and Ukraine. Both the commercial and public sectors were hit.

Artem Brudanin
Head of Cybersecurity at RTM Group

Experts estimate the damage caused by WannaCry, Petya, and NotPetya at more than $10 billion. Another example is a worm attack based on the BlueKeep vulnerability (2019).

These all made major headlines, but they are far from the only cases. Over the past couple of months alone, there have been reports of several attack chains involving network worms, including StripedFly and P2PInfect.

Old and new incidents confirm that companies should take protection from network worms seriously, experts say. Such attacks cause serious financial damage, destroy the company's reputation, and disrupt its business processes.

Nevertheless, network worms make up a very small share of malware today. According to a study by Positive Technologies, they account for no more than 1%. Even so, it is too early to write worms off, experts say, especially now that attackers have begun to use them more actively.

Dmitry Khomutov
Director of Ideco

Hackers often use mailings of network worms among the other attacks that they commit. In the first quarter of 2023 alone, the share of the use of this malware in attacks on the information security of organizations increased by 21%, and of individuals by 23%, compared to last year.

At the same time, network worms today, just as 10 years ago, are malicious programs that can spread over the network on their own. They infect vulnerable devices and take control of them. Worms still help criminals collect information and install additional malware. They are also often used to steal confidential data and create botnets.

Dmitry Ovchinnikov
Chief Specialist of the Integrated Information Security Systems Department of Gazinformservis

Every time you read the news about another DDoS attack, know that this is the result of network worms. They are actively used to create bot farms.

What's trending

The most popular ones today are email worms, IM worms, and cascade worms. Many information security specialists have been familiar with the first of these for a long time, since the days of ADSL and earlier. Not much has changed since then. Cybercriminals still pose as someone else and send users emails with malicious links. They also force victims to hand over confidential information. Similar risks arise with IM worms, which spread through instant messengers.

Dmitry Khomutov
Director of Ideco

One of the most popular ways that such malware penetrates a company's defenses is when hackers exploit vulnerabilities in network services and protocols. For example, a worm can exploit weaknesses in the Mail Reader protocol (POP3) to automatically spread and infect other computers on the network. If the company does not update the software or install security patches, the damage from a hacker attack can be significant.

As for cascade worms, their ability to spread quickly means they can put a heavy load on the company's network infrastructure. This can lead to a decrease in performance or even a complete network failure, along with the company's loss of control over confidential information, experts note.

How they protect you

Network worms are often detected before they develop into problems for the company. This is largely due to system administrators and information security specialists. They understand that older versions of operating systems or applications may be vulnerable to worm attacks, so they try to update the software on time and apply security patches.

Artem Brudanin
Head of Cybersecurity at RTM Group

You need to understand that the "life" of network worms is very short: from the moment a new version appears to the signature updates of various information security tools, it takes from a few hours to a couple of weeks.

However, even today, network worms are actively distributed and used by attackers to carry out computer attacks. Whereas earlier these malware carriers could be divided by infection method into two groups (vulnerabilities and social engineering), the absolute majority of modern ones use vulnerabilities.

At the same time, according to experts, very few people rely on antivirus software alone, without additional protection measures. More often, network worms are fought with several information security tools at once.

Ekaterina Starostina
Director of Business Development at Webmonitorex

Companies have adopted more sophisticated and intelligent security systems as technology evolves and new types of threats appear. For example, firewalls and intrusion detection systems (IDS) have become more advanced and capable of detecting new threats.

In addition, identification and authentication tools have changed. Companies are moving more actively from outdated methods of identity verification (passwords) to multi-factor authentication (MFA) and biometric systems. The update helps provide stronger protection against worms and unauthorized access. But that is not all: AI is now increasingly counted among security tools.

Artem Brudanin
Head of Cybersecurity at RTM Group

Protection against these types of threats is improving from year to year. Now the hype tool is the introduction of machine learning to detect malicious code signatures, parasitic traffic, and automatic correlation of events.

At the same time, according to the expert, the share of multi-vector attacks on companies is growing. Detecting them requires comprehensive solutions such as SOAR, XDR, HIPS, and ITDR.

Another trend on the market is increased attention to staff training in cybersecurity rules. In recent years, many companies have focused on this particular area.

Dmitry Khomutov
Director of Ideco

According to a study by Solar Group, 75% of the companies surveyed plan to conduct additional cyber training to improve the skills of specialists.

The training covers basic security principles and how to identify phishing emails and other types of attacks, so that employees can prevent them more effectively.

Also, as Dmitry Khomutov notes, many have now begun to pay attention to secure development. Programmers actively use vulnerability scanners and static code analysis, among other things to identify and fix errors before a worm finds them.

Conclusions

The probability that a company will suffer from a network worm remains small. Security tools do their job well. But the same cannot be said of the people who make decisions about updating security tools in companies. Often it is because of them that worms penetrate the corporate network, and loud headlines about infections and billions of dollars in losses appear in the media.

However, the human factor does not ensure 100% success for attackers. It is easier for them to rely on holes in the company's technical protection and vulnerabilities in popular software. That's why Trojans, which account for 9 out of 10 malware attacks in business practice, are unlikely to give way to worms, experts say.
 