Sophos Lab has released a threat report covering expected modes of cyber-attacks in 2019.
Release Date: 26th November 2018
Cyber attackers are successfully evading detection on Windows computers by abusing legitimate admin tools commonly found on the operating system.
This is a pivotal finding of the SophosLabs 2019 Threat Report, which traces how the technique has risen from the fringes of the cybercriminal playbook to become a common feature in a growing number of cyber-attacks for the upcoming year.
Known in security parlance as ‘living off the Land’ or ‘LoL’ because it avoids the need to download dedicated tools, this technique of cyber-attack seems to be interested in targeting PowerShell, a powerful command line shell that ships by default on all recent Windows computers even though few users have heard of it.
Alternatives include Windows Scripting Host (WScript.exe), the Windows Management Instrumentation Command line (WMIC), as well as popular external tools such as PsExec and WinSCP.
It’s a simple strategy that makes detection a puzzle. Removing the tools is an option but comes with disadvantages few admins would be happy with, notes the report:
“PowerShell is also an integral component of tools that help administrators manage networks
of almost any size, and as a result, must be present and must be enabled in order for those
admins to be able to do things like, for example, push group policy changes”.
Attackers, of course, know this and often feel brazen enough to chain together a sequence of scripting and command interfaces, each running in a different Windows process.
“With a wide range of file types that include several “plain text” scripts, chained in no particular order and without any predictability, the challenge becomes how to separate the normal operations of a computer from the anomalous behavior of a machine in the throes of a malware infection”.
TYPES OF ATTACKS
Meanwhile, attackers show no signs of giving up on new variations on Microsoft Office macro attacks, another route to launch exploits without the need for conventional executable.
In recent years, protections such as disabling macros inside documents or using preview mode have blunted this technique.
Unfortunately, attackers have developed techniques to persuade people to disable these using macro builder tools that package Office, Flash, and other exploits within a document that throws up sophisticated social engineering prompts.
Compounding this, cybercriminals have refreshed their older stock of software flaws in favor of more dangerous and recent equivalents – SophosLabs’ analysis of malicious documents found that only 3% of exploits inside builders date from years earlier than 2017.
With well-used filetypes now blocked or monitored by endpoint security, the trend is to use more exotic filetypes to launch attacks, especially apparently innocuous ones that can be called from a Windows shell such as .cmd (Command File) .cpl (Control Panel), .HTA (Windows Script Host), .LNK (Windows Shortcut), and .PIF (Program Information File).
Cryptominers have been enthusiastic users of EternalBlue, using it to move laterally through networks to infect as many machines as possible.
Attackers combining these innovations – Windows LoL tools, macro attacks, novel exploits and crypto-mining – represents a challenge because they often confound the assumptions of defenders.
Their uptake of these more complex and esoteric approaches has been driven, ironically, by the success of the cybersecurity industry at curbing traditional malware.
Concludes Sophos CTO, Joe Levy:
“We expect we’ll eventually be left with fewer, but smarter and stronger, adversaries”.