SA businesses under attack by backdoor malware – with incidents up 140%, says Kaspersky
Cybercriminals, emboldened by the pandemic-induced remote work trend, which exposed serious flaws in corporate security systems, are finding new ways in which to gain access to sensitive information for nefarious ends.
Backdoors, described by Kaspersky as “one of the most dangerous types of malware”, have become especially significant methods of attack in South Africa, with a newly discovered and harder-to-detect variant causing concern.
Backdoor malware provides cybercriminals with remote control of a victim’s computer. These backdoors install, launch, and run invisibly without the consent or knowledge of the user. Once installed, this type of malware can be instructed to “send, receive, execute, and delete files, harvest confidential data from the computer, log activity, and more.”
“Backdoors enable a series of long unnoticed cyberespionage campaigns, which result in significant financial or reputational losses and may disrupt the victim organization’s operations,” explained Amin Hasbini, head of Kaspersky’s Global Research and Analysis Team in the Middle East, Turkey and Africa, in a statement on Wednesday.
- Backdoors are described by cybersecurity and anti-virus provider Kaspersky as “one of the most dangerous types of malware.”
- They provide cybercriminals with remote administration of a victim’s machine and result in “significant financial or reputational losses.”
- Backdoor malware attacks have increased dramatically since the start of the year, with South Africa’s cases surging by 140%, outpacing increases recorded in Nigeria and Kenya.
South African businesses have come under fierce attack from backdoor computer malware, with detections in the second quarter of 2022 surging by 140%, according to the latest Kaspersky Security Network data.
“Corporate systems should be constantly audited and carefully monitored for hidden threats.”
These attacks have become especially prevalent in Africa, with Nigeria, Kenya, and South Africa all recording a big increase in cases between the first and second quarters of 2022. Nigeria recorded 2,624 cases, representing an increase of 83%, while Kenya had 10,300 cases, representing an increase of 53%.
South Africa recorded 11,872 cases of backdoor detections in the second quarter of the year, increasing by 140% compared to the prior period. Additionally, affected users, those successfully targeted by cybercriminals through backdoor malware, rose by 10%.
These increases are even more worrying against the backdrop of a recent finding published by Kaspersky at the end of June, which details a more elusive type of backdoor targeting governmental institutions and NGOs.
The backdoor, dubbed SessionManager, was set up as a malicious module within Internet Information Services (IIS), a popular web server published by Microsoft.
“Once propagated, SessionManager enables a wide range of malicious activities, starting from collecting emails to complete control over the victim’s infrastructure,” said Kaspersky, adding that 34 servers of 24 organizations from Europe, the Middle East, South Asia, and Africa had been compromised by SessionManager.
What is a Backdoor?
In its simplest form, a backdoor attack uses any malware, virus or technique to gain unauthorized access to an application, system or network while bypassing the security measures in place. Unlike other kinds of malware, backdoor components reach the core of the targeted application and often control the resource with driver-level or administrator privileges.
Once access at such a deep and crucial level is gained, the possibilities for damage are endless. Attackers can alter all or part of the infrastructure, make the targeted system behave as they wish, and steal critical data.
The impact of these actions can be highly detrimental. Hence, organizations are advised to remain vigilant about the presence of such threat actors and to learn how to mitigate backdoor attacks.
A backdoor refers to any method that allows users to bypass standard authentication procedures or encryption on a device. Let’s see how you can prevent backdoor virus attacks.
How does it Work?
How a backdoor attack works depends on how the backdoor enters the system. The most common entry routes are malware and backdoor-specific software or hardware. Both are explained below.
Backdoor malware
This malware masquerades as something else so that actions such as data theft, installing further malware, and creating a backdoor into the system can be carried out without raising suspicion.
It is also called a backdoor Trojan because it behaves like a Trojan, which lets an attacker reach the core infrastructure of an application, piece of software or network. To understand it better, you need to know how a Trojan operates.
A Trojan is a file with malicious content that can be delivered as an email attachment, a downloadable file, another piece of malware, and so on. To make things worse, Trojans with worm-like abilities can replicate and spread to other systems without any further effort from the attacker.
Whatever its guise, every kind of Trojan is harmful and can cause serious damage to the target.
Built-in or proprietary backdoors
Think of it as a back door kept by a property owner for emergencies. Such backdoors are put in place by software or hardware professionals and do not always have ill intent. They exist as a component of the software and let owners or developers gain instant access to the application.
This immediate access lets them test code, fix bugs, and even hunt for hidden vulnerabilities without going through the normal, authenticated account-creation process.
Often they are not removed before the final product is launched or delivered. Sometimes they are secured so that only a few users get this instant access. But there are also cases where built-in backdoors ship with the original software through error or negligence.
Different Kinds of Backdoors
Backdoors come in various kinds, and each one has a different line of attack.
Cryptographic backdoors
Think of a cryptographic backdoor as a master key that unlocks everything hidden behind encrypted data. Most commonly, data is protected with AES-256 or another encryption algorithm. In this or any other encryption scheme, the communicating parties hold a cryptographic key that is needed to decrypt the data.
A cryptographic backdoor subverts this mechanism, obtains that crucial key, and reads the protected information before anyone else.
Hardware backdoors
Such backdoors use hardware components such as chips, CPUs, hard drives and others to break into a system. Using modified hardware components, attackers try to gain root-level access to the targeted system. Beyond computer hardware, many other devices such as phones, home security systems and thermostats can also act as a hardware backdoor if they contain an altered hardware part and are connected to a system.
Most commonly, such backdoors are used for data access, surveillance, and remote access.
Rootkits
A more advanced type of malware, rootkits let attackers conceal their activities completely from the targeted OS and force it to grant root-level access. Once that is granted, attackers can operate the system remotely and perform endless actions such as downloading and modifying files, monitoring every activity, and more.
What makes rootkits dangerous is their ability to take the form of any software in use, or even of computer chips, and to do so well enough that they are hard to detect. Multiple types of rootkits exist.
For instance, a kernel-mode rootkit tampers with the OS kernel. A user-mode rootkit is deployed in the system’s user space. A bootloader rootkit is a variant of the kernel rootkit that tampers with the system’s Master Boot Record (MBR).
Trojans
As noted above, Trojan malware is deceptive: such files pose as verified files so that the targeted system or computer grants them access. Each time software is installed, a prompt such as “Allow insert-program-here to make changes on your device?” appears on the screen.
Usually the Trojan remains hidden at this stage; once permission is granted, it is installed on the system and a backdoor is created. Through that backdoor, attackers gain admin-like access to the system and can do whatever they want.