A few weeks ago, “PowerWare” made a bit of a splash, and for good reason. The Carbon Black Threat Research team found that this variant of ransomware was utilizing PowerShell, the scripting language inherent to Microsoft operating systems, for malicious behavior.
Our team found that the “PowerWare” ransomware is being delivered via a macro-enabled Microsoft Word document. The Word document then uses macros to spawn “cmd.exe,” which in turn calls PowerShell with options that will download and run the malicious “PowerWare” code.
This discovery was fairly novel, though anyone working “in the weeds” when it comes to identifying threats day-to-day may have said: “I definitely saw that one coming.”
Now, it seems, that discovery is part of a larger, worrisome trend when it comes to PowerShell: Attackers are doing anything and everything they can to remain undetected when they launch attacks.
At the time of this discovery, our threat research team was concurrently working on a separate project in conjunction with some key players in the security community – the first-ever “United Threat Research” report. Today, we’re unveiling the results of what we found.
The report, available for download here, details how threat actors are exploiting PowerShell to launch cyber attacks. Conducted with more than two dozen of Carbon Black’s managed security services provider (MSSP) and incident response (IR) security partners (representing 1,100 investigations in 2015), our research found that security teams are increasingly seeing PowerShell exploitation during cyber attacks.
Among some of the key findings in this research:
38% of incidents seen by Carbon Black partners used PowerShell.
- Nearly one-third (31%) of respondents reported receiving no security alerts prior to their investigation of PowerShell-related incidents, indicating that adversaries are successfully using PowerShell to enter and remain undetected in a company’s system.
- 87% of the attacks leveraging PowerShell were commodity malware attacks such as click-fraud, fake antivirus, ransomware, and opportunistic malware.
- Social engineering remains the favored technique for delivering PowerShell-based attacks according to interviews with Carbon Black partners.
As many of you know, PowerShell is a very powerful tool that offers tremendous benefit for querying systems and executing commands, including on remote machines. This report demonstrates that we’re increasingly seeing the bad guys exploiting it for malicious purposes it because it falls under the radar of traditional endpoint security products.
In addition to outlining how attackers are using PowerShell nefariously, the report details what attackers are trying to accomplish. Namely, they are attempting to access: corporate IP, customer data, financial data, as well as disrupt services.
While many cyber attacks still involve downloading and running malicious executables, such activity is far more likely to trigger alerts that result in the attacker losing their opportunity before they accomplish their malicious mission.
With PowerShell, an attacker can obscure and execute code entirely from memory leaving few artifacts, which provides more opportunity for the attacker to operate unimpeded.
During the past few years, toolkits such as PowerSploit, PowerShell Empire, p0wnedShell, and the Social-Engineer Toolkit have made it easier than ever for attackers to use PowerShell for exploitation tactics. Scanning networks, stealing user credentials, gaining elevated privileges, establishing command-and-control communications, and moving laterally within an organization using PowerShell is nearly plug-and-play with sample code readily available on the Internet. Since PowerShell scripts can be delivered as text files or generated entirely in memory, many traditional security products cannot distinguish legitimate use from bad.
Given the ubiquity of PowerShell and how easily it can be leveraged for malicious purposes, it is not surprising that we are seeing attackers use this tool with increasing frequency and effectiveness.
This information is not to be taken lightly. The report outlines several steps security teams can take today to combat this threat including: blocking PowerShell, setting standards for it, monitoring usage and upgrading the software. Such guidance should be taken seriously by any security team looking to strengthen its organization’s security posture.
Partners directly interviewed for this United Threat Research report were: BTB Security, EY (formerly Ernst & Young), Kroll, Optiv, Rapid7 and Red Canary. A total of 28 Carbon Black partners provided additional details about their PowerShell-related experienced in a survey we conducted in February 2016. We expect this will be the first of many such reports where we leverage the strength and reach of the security community to help enterprises worldwide protect their information against clever, relentless attackers.