FireEye, a company committed to finding advanced solutions to prevent advanced cyber attacks, recently analysed a series of attacks it calls ‘Data Stealing Campaigns’. We at cioaxis.com spoke to Ankit Anubhav, a Malware Researcher at FireEye India, to understand more about these campaigns and the core objective behind them.
1) What are these data stealing campaigns for?
These campaigns vary in purpose; however, the intent common to them is to steal confidential credentials, such as banking information and social network and mailing credentials. The stolen data is either directly misused by hackers or sold off to third parties on dark forums.
2) How serious is the threat level?
Unlike exploits, which need vulnerable software and a flaw to work, PowerShell malware does not need to exploit any bug. It simply abuses the powerful functionality provided by PowerShell to serve its own malicious purposes. PowerShell is present by default in modern Windows operating systems, so it makes the work of cybercriminals even easier, as they don’t need to depend on the presence of vulnerable software. The fact that we are observing various unrelated campaigns throughout the globe abusing PowerShell shows that this issue is not localized and should be dealt with on a wider scale.
Sophisticated tricks are used in these scripts to evade detection, hinting that these campaigns are organized and not one-off cases of script abuse by rookies.
3) How can this data be used by the so-called underground hackers?
The malicious PowerShell script can either be used directly to retrieve sensitive data, or it can simply introduce a payload into the victim’s system which can do even more enhanced stealing/monitoring. The data stolen ranges widely, from email accounts to social network and sensitive banking information. Underground hackers can use this directly for financial fraud or personal defamation, or, in most cases, this sensitive data is put up for sale on underground forums.
4) What methods have been used to steal this data?
Although the data stealing campaigns vary in nature, the common thing about them is that they somehow trick the victim into running the PowerShell commands they want. To achieve this, various tricks are used, for example embedding the script in a payload, a document file or a disguised link file. Post compromise, either the script makes way for new malware to enter the network, or it collects sensitive data and emails it to the hackers’ email account.
5) How can organizations prevent these attacks?
Organizations with valuable information should defend against these attacks. These attacks will evade legacy security offerings, such as firewalls. Advanced offerings in this space can detect this attack and other advanced attacks.
6) Are there any advanced solutions to sniff out such an attack well before it reaches the perimeter?
FireEye offerings can detect these attacks. One commonality between these attacks is their attempts to conceal themselves from InfoSec researchers. To hide plaintext commands, they encrypt them. To remain silent, the script will run in non-interactive / hidden mode and will use switches to bypass permissions. These techniques are unusual in a corporate network and could be monitored and blocked based on their suspiciousness on day zero. Beyond this, once the data is stolen, the attackers will exfiltrate it at some point. This transport can be investigated to get inside the campaign, gather intelligence and bring it down.
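As an added example (not code from FireEye or from the interview), the following Python triage script shows how a defender can flag the traits the answer names in PowerShell process-creation events: a hidden window, non-interactive mode, execution-policy bypass and a base64-encoded command, which it decodes for review. The sample events, the list of Office parent processes and the cmdlet watch-list are constructed assumptions, not data from the campaigns.

```python
import base64
import re

# Switches the answer describes as unusual in a corporate network.
SUSPICIOUS_SWITCHES = {
    r"-(w|windowstyle)\s+hidden": "hidden window",
    r"-noni(nteractive)?\b": "non-interactive",
    r"-(ex|exec|executionpolicy)\s+bypass": "execution policy bypass",
    r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}": "encoded command",
}
# Assumed parent processes that rarely have a legitimate reason to spawn PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Assumed cmdlets worth a second look inside a decoded command.
WATCH_CMDLETS = ("Invoke-Expression", "DownloadString", "Send-MailMessage")
# Constructed sample events: (parent image, PowerShell command line).
ENCODED = base64.b64encode("Send-MailMessage -To ops@example.invalid".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"),
    ("cmd.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ("winword.exe", "powershell.exe -NonI -W Hidden -Exec Bypass -EncodedCommand " + ENCODED),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(parent, cmdline):
    """Score one event; returns (score, reasons, decoded command or None)."""
    reasons = [label for pat, label in SUSPICIOUS_SWITCHES.items()
               if re.search(pat, cmdline, re.I)]
    if parent.lower() in OFFICE_PARENTS:
        reasons.append("spawned by " + parent)
    decoded = decode_encoded_command(cmdline)
    if decoded:
        reasons += [c for c in WATCH_CMDLETS if c.lower() in decoded.lower()]
    return len(reasons), reasons, decoded


def triage(events):
    """Return (score, parent, reasons, decoded) for events scoring 2 or more, highest first."""
    scored = [(score_event(p, c), p) for p, c in events]
    return sorted([(s, p, r, d) for (s, r, d), p in scored if s >= 2], key=lambda h: -h[0])
```

A single bypass switch on a scheduled backup script scores too low to surface, while the Office-spawned, hidden, encoded invocation is reported with every reason and its decoded command.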