Security experts had warned that PowerShell had been fully weaponised in the past year – but Carbon Black’s first unified threat report quantifies the risk for the first time.
The report is based on data from 1,100 cyber security incidents investigated by 28 managed service providers and incident response firms in the Carbon Black partner programme, including BTB Security, EY, Kroll, Optiv, Rapid7 and Red Canary.
More than two thirds of the firms taking part in the study said that they had encountered PowerShell exploits in the past year.
The increased use of PowerShell exploitation supports a growing industry trend of malware authors experimenting with ways of evading detection by exploiting operating system (OS) tools, the report said.
Attacks using PowerShell are very effective at staying undetected: 31% of Carbon Black partners reported PowerShell-related incidents that had triggered no security alerts at all, indicating that attackers are succeeding in using PowerShell both to gain entry and to persist unnoticed inside a company’s systems.
Most PowerShell attacks took the form of basic or opportunistic threats, using commodity malware attacks such as click-fraud, fake antivirus and ransomware, while 13% of the attacks involving PowerShell appeared to be targeted or “advanced”.
Common malware types and delivery
The three most common types of malware present during PowerShell attacks are VAWTRAK (53% of attacks investigated), Poweliks (47%) and CRIGENT or Power Worm (42%).
Social engineering remains the favoured technique for delivering PowerShell-based attacks, according to Carbon Black partners.
“PowerShell is a very powerful tool that offers tremendous benefit for querying systems and executing commands, including on remote machines,” said Ben Johnson, Carbon Black’s chief security strategist and cofounder.
“However, more recently we’re seeing bad guys exploiting it for malicious purposes because it flies under the radar of traditional endpoint security products.
“PowerShell gives the bad guys a lot of power because it’s part of the native Windows operating system, which makes it difficult for security teams. On the other hand, PowerShell helps IT guys automate various tasks. The two departments need to come together and strike a balance between IT automation and security,” he said.
In March 2016, the Carbon Black Threat Research Team issued an advisory on a variant of ransomware, dubbed PowerWare, that targets organisations through Microsoft Word and PowerShell.
The researchers found that, by using PowerShell to retrieve and execute the malicious code, the PowerWare ransomware can avoid writing new files to disk and blend in with legitimate activity, making it much more difficult to detect.
Microsoft bolsters Windows 10
At RSA Conference 2016 in San Francisco, security expert and SANS Institute instructor Ed Skoudis warned that the PowerShell Empire open source security tool is as much use to attackers as it is to defenders.
The goal of PowerShell Empire is to show what attackers can do with the full force of PowerShell, but it includes a “powerful agent” with a wide variety of features that attackers can use to exploit PowerShell, which has been built into every version of Windows for the past eight years, said Skoudis.
In light of the fact that PowerShell has been fully weaponised, Skoudis said defenders should not rely on its limited execution policy.
Although PowerShell’s execution policy is designed to restrict which scripts users can run, to prevent accidental damage, Skoudis said it is not a security feature, because any script or command line can simply turn off the default restricted execution policy, or bypass it for the current process, and then execute whatever it likes.
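As an added illustration (not from the article, from Carbon Black or from Skoudis), the PowerShell session below shows why the execution policy is a safety rail rather than a security boundary. The script path and its one-line contents are constructed for the demo; every bypass shown is a documented, unprivileged option of powershell.exe or of the Set-ExecutionPolicy cmdlet, and none of them requires administrator rights.

```powershell
# Added example: the execution policy stops accidents, not attackers.
# Run interactively on a test machine; nothing here needs elevation.

# 1. Show the effective policy. Windows client editions default to Restricted,
#    server editions to RemoteSigned (which already allows local files).
Get-ExecutionPolicy -List

# 2. A harmless script file (path and contents are assumptions for the demo).
$script = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "script ran as $env:USERNAME"'

# 3. Under Restricted this call is refused with
#    "running scripts is disabled on this system"; the error is printed either
#    way, and the session continues. Under RemoteSigned the script just runs.
try { & $script } catch { Write-Output "Blocked: $($_.Exception.Message)" }

# 4. Documented ways around the policy, all unprivileged:

#    a) per-process override on the command line
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script

#    b) feed the script text on stdin; no script "file" is executed
Get-Content $script | powershell.exe -NoProfile -Command -

#    c) read the text and evaluate it in the current session
Invoke-Expression (Get-Content $script -Raw)

#    d) a base64 (UTF-16LE) encoded command, the form seen most often in
#       incidents because it hides the payload from casual inspection
$payload = 'Write-Output "encoded command ran as $env:USERNAME"'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
powershell.exe -NoProfile -EncodedCommand $encoded

#    e) change the policy for this process only, no admin rights needed
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
& $script   # now runs regardless of the machine-wide setting
```

The practical lesson for a defender is that "execution policy: Restricted" on a host tells you nothing about whether PowerShell code has run there; the evidence has to come from logging of what the engine actually executed, which is what the PowerShell 5 features discussed next provide.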
Microsoft has responded to the weaponisation of PowerShell by adding features to PowerShell 5 in Windows 10 to reduce exploitation of PowerShell by attackers.
“PowerShell 5 will log all items passed down the pipeline and will log what is happening inside the script blocks and, for Windows 10, it has integration with antimalware, so whatever antimalware is in place, PowerShell can make calls to the antimalware before executing a script,” said Skoudis.
“PowerShell 5 also has something called ‘constrained mode’ which integrates PowerShell with AppLocker, almost giving whitelisting for PowerShell scripts, but even with this stuff coming up in Windows 10 and PowerShell 5, attackers still have three to five years left of unfettered PowerShell access.”
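The following is an added example, not code from the article, Carbon Black or Skoudis, of turning on the PowerShell 5 visibility he describes (script block logging, pipeline/module logging and transcription), checking the language mode that AppLocker enforcement drives, and hunting the resulting events. The registry paths are the documented Group Policy-backed locations for PowerShell 5; the transcript directory and the list of suspicious strings are assumptions chosen for the demo and should be tuned to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: enable PowerShell 5 logging, then hunt the script-block log.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: writes the de-obfuscated content of every script block
# as event 4104 in Microsoft-Windows-PowerShell/Operational, including code
# built at runtime via Invoke-Expression or -EncodedCommand.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging: event 4103 records pipeline execution details for every
# module ('*' means all of them).
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Transcription: full session transcripts with an invocation header.
# The directory is an assumption; in production use a write-only network share
# so an intruder cannot tidy up after themselves.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# Language mode: with an enforced AppLocker (or Device Guard) script policy,
# PowerShell 5 runs unapproved scripts in ConstrainedLanguage, which blocks
# .NET method calls, Add-Type and the other primitives offensive tooling relies
# on. FullLanguage means no constraint applies to this session.
"Language mode of this session: $($ExecutionContext.SessionState.LanguageMode)"

# Hunt: pull the last day of 4104 events and flag patterns typical of
# PowerShell-borne commodity malware (download cradles, hidden windows,
# encoded commands, in-memory assembly loading). The list is a coarse
# starting point, not a detection rule.
$suspicious = 'DownloadString', 'DownloadFile', 'Net.WebClient', 'FromBase64String',
              'Invoke-Expression', ' IEX ', '-nop', '-w hidden', '-enc',
              'Start-BitsTransfer', 'Reflection.Assembly', 'VirtualAlloc'

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
  ForEach-Object {
      $text = $_.Properties[2].Value          # property 2 of a 4104 event is ScriptBlockText
      if (-not $text) { return }              # skip fragments without text
      $hits = $suspicious | Where-Object { $text -match [regex]::Escape($_) }
      if ($hits) {
          [pscustomobject]@{
              Time    = $_.TimeCreated
              Hits    = ($hits -join ', ')
              Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
          }
      }
  } | Format-Table -AutoSize -Wrap
```

Two caveats worth knowing before relying on this. First, these settings only bind the PowerShell 5 engine; an attacker who launches the older PowerShell 2 engine (where it is still installed) gets none of the script block logging or antimalware integration, so removing or blocking that engine is part of the same control. Second, the 4104 log grows quickly once enabled, so ship it to central collection rather than reading it on the endpoint as this demo does.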