Human error is to blame for the majority of malware when it comes to gaining access to a device or network. Whether it’s in the form of a user tricked by a Trojan or a software developer accidentally introducing a bug that becomes exploited. However, this not the only way in which malware can gain a foothold, which brings us to the third method of infection — implants.
Implants are not mistakes, but rather intentional infections on the part of an attacker. They leverage access gained to systems to purposely deploy malware. This access could be via digital or physical means.
Ways implants can happen
Exploits may not be the most common way malware gains access to a system, but they are a common way an attacker gains access to a network. Vulnerabilities in any part of the network perimeter or any system able to connect outside of it can be exploited to gain a foothold in a network as well as to escalate privileges and/or move laterally within so as to access more systems. Once an attacker has access inside a network, malware can be implanted to assist in the attacker’s objectives. Even when malware has already been leveraged for initial access, many types such as bots will continue to reside within the network and may implant further malware at a later date.
Physical security also makes up the network perimeter and as such must also be protected through access control and monitoring. Firewalls are designed to create a barrier to keep attackers out, but any system on a network is already behind that barrier. Gaining physical access to a system can allow an attacker to implant malware as simply as plugging in a USB device. While there are many protection and monitoring options available for within the network, the stakes are always higher once the threat makes it past the wall meant to keep an attacker out.
As Trojans demonstrate, vulnerabilities are not always in digital form. People can also be a vulnerability, whether it’s a user inadvertently falling for a Trojan or leaking their credentials to a phishing site, or an intentionally malicious insider who implants malware or steals data for any number of reasons. The malicious insider might wish to sell company data for money, have been contacted by an attacker and offered money for network access, feel slighted by their place of work and seek revenge, or simply be a jealous significant other installing spyware on their partner’s phone. A malicious insider might also be unintentional, such as someone who is tricked into granting access or information by an attacker.
The potential impact of implants
Access gained is only as powerful as what it grants access to (or to do). While access to a single non-admin user account might not have a huge impact, access to a supply chain can have tremendous impact, which is why software supply-chain attacks have increased over the past few years.
Supply-chain access can be equivalent to having admin access to not just one, but many accounts — as many as utilize the supply chain being compromised. If a code library is used by 100 pieces of software, implanting malware into that library potentially impacts all 100 projects using it. While not the first, one of the most widely known software supply-chain compromises involved network management software created by SolarWinds. Because the software that was infected innately had a large amount of network access and some high-profile customers, including the U.S. government, were impacted, this attack had a huge impact and serves as an example of the dangers of supply-chain attacks.
Whatever the motive and situation, the commonality between all malware implants is being intentional on the part of the person deploying the malware. Access to devices and/or networks is leveraged to this end. Sometimes access is gained by an attacker, and sometimes access is granted to them, as is the case with malicious insiders operating on behalf of an attacker.
Depending on the level and nature of this access, the impact can vary greatly and, in the case of supply-chain compromise, be quite extensive. Although far less common than other methods of infection, implants can be more difficult to prevent because many typical preventative security measures can be circumvented. This makes monitoring and detection of implants or the access gained to plant them important.