As hackers continuously improve their methods, cybersecurity attacks are getting more complex and can target even the most reliable security solutions. According to the Unit 42 Managed Threat Hunting Team at Palo Alto Networks, WikiLoader is also known as WailingCrab and it's a malware for rent.

Based on a blog post by Proofpoint (2023), WikiLoader's initial primary mode of delivery was through phishing. Cybercriminals recently compromised systems by impersonating Palo Alto Networks' GlobalProtect VPN portals and disseminating a malware version of WikiLoader through an SEO poisoning campaign. By successfully passing off harmful payloads as authentic VPN updates, the attackers were able to fool users into downloading malware that served as a doorway for more exploitation.

This blog article will go over the attack's progression and how NVIS AI's peer-to-peer (P2P) connections, Zero Trust framework, data-in-transit encryption, and lack of a public attack surface may have prevented it.

The attack: WikiLoader distribution via SEO poisoning

In this incident, the malicious actor(s) tricked users into installing malware by impersonating a reputable VPN client using SEO poisoning. Cybercriminals use a technique known as "SEO poisoning," whereby they influence search engine results to steer consumers toward harmful websites. Instead of sending phishing emails, the malicious actor(s) produced phony websites that surfaced in search engine results for genuine software updates, in this example, Palo Alto's GlobalProtect VPN.

Here's how the attack came to fruition:

• Manipulated search results: To make their phony "GlobalProtect VPN" website rank highly in search engine results, the cybercriminals employed SEO poisoning techniques. Instead of being redirected to the official Palo Alto website, users who searched for VPN client updates were directed to the fraudulent website(s).

• Spoofed VPN update pages: The malicious websites closely imitated Palo Alto's official VPN download portals, leading users to believe they were downloading an official VPN client update.

• Installation of WikiLoader malware: The malicious software was installed by users after they downloaded and installed an update that they thought was authentic. Thereafter, WikiLoader functioned as a downloader for more harmful payloads, such as ransomware, information stealers, or remote access tools (RATs).

• Subsequent exploitation: Following the first breach, hackers may utilize WikiLoader to spread additional malware, giving them more control over compromised systems and exposing private information.

How NVIS AI could have prevented the attack

1. Encrypted data-in-transit to protect sensitive information

With NVIS AI's encryption technology, all data transmitted between users and systems is completely secured and shielded from tampering or interception. Secure communication would have been essential because the attackers in the Palo Alto's scenario introduced malware by using a phony download portal.

How This Helps Your Organization: NVIS AI's encrypted communication would have insured that any data traveling via the compromised system remained unreadable to the attackers, even if users had been tricked into downloading a rogue VPN client. By doing this, malware would not be able to steal confidential data or permit more harmful activities.

2. Peer-to-Peer (P2P) architecture

Unlike traditional VPNs, NVIS AI operates on a user-to-user communication model, which allows users to communicate directly without the need for central servers or intermediaries. This makes it impossible for hackers to take control of centralized infrastructure.

How This Helps Your Organization: The decentralized method that NVIS AI brings to the table greatly lowers the possibility of man-in-the-middle attacks and credential harvesting, which were major factors in the Palo Alto VPN spoofing incident. However, even if malicious actors managed to create a convincing fake VPN client download site, the P2P architecture would make such an attack ineffective due to the lack of central point for the attackers to target.

3. No public attack surface

Unlike traditional VPN systems with their login pages, attackers would not have a clear entry point to target because NVIS AI does not have a public attack surface which is part of its standout features.

How This Helps Your Organization: NVIS AI's ensures that its services are private and inaccessible from the public internet and this would have drastically reduced the risk of the WikiLoader's attack. The malicious actor(s) created a phony VPN site that looked just like the real one in order to take advantage of Palo Alto's VPN infrastructure's public-facing feature. It would have been very difficult to implement such a strategy because NVIS AI does not have a public attack surface and its architecture lacks public-facing portals. With NVIS AI, your organization's infrastructure would stay undisclosed from external entities and this would limit any avenues that malicious actors might have to infiltrate your network.

Practical measures for companies employing NVIS AI

Here are some concrete actions that firms using NVIS AI may take to strengthen their cybersecurity posture against methods like SEO poisoning and other malware distribution:

Teach staff about SEO poisoning

It's critical to teach staff members about the dangers of obtaining software from unapproved sources because SEO poisoning depends on users' faith in search engines. Despite NVIS AI's ability to safeguard your network, preventing malware at its entrance point requires employee knowledge.

Evaluate and audit ZTNA rules

To make sure that only authorized people and devices are accessing your network, routinely audit and evaluate the Zero Trust rules in place inside your company. Maintain stringent access controls at all times, and make sure that policies are updated to address emerging risks.

Make effective use of the P2P and encryption features of NVIS AI

Make sure that all vital systems and communications are routed through NVIS AI to fully benefit from its P2P communication model and encryption capabilities. In the unlikely event that malware is compromised, this will safeguard private information and ensure secure system interactions.

Restrict user access to websites with a public face

One way to reduce the risk of SEO poisoning is to limit access to reputable software update portals. Promote the usage of authorized vendor channels and inform staff members of the dangers of obtaining software from untrusted sources.

Conclusion

The attack on Palo Alto VPN users through SEO poisoning serves as a reminder that attackers are always finding new ways to exploit vulnerabilities in traditional security infrastructure. For organizations using NVIS AI, the advanced features such as data encryption, P2P architecture, ZTNA, and no public attack surface could provide robust protection against such attacks.

By adopting NVIS AI, organizations can stay ahead of evolving threats and prevent tactics like SEO poisoning from causing significant damage to their networks. With no reliance on public portals, continuous authentication of user actions, and secure data transmission, NVIS AI provides a solid line of defense that makes it much harder for attackers to succeed.

Safeguard your organization from the next wave of sophisticated cyber threats by leveraging NVIS AI’s cutting-edge capabilities.

Ready to take the next step? Schedule a demo or contact our team of experts today to see how NVIS AI can revolutionize your network security.