Due to major strides in cybersecurity protection in the past few years, cyberattackers have needed to find alternate methods of infiltrating victims’ computers. One strategy that has seen a recent increase is the exploitation of programs that already exist on victims’ computers – a strategy called “Living off the Land”. IBM has stated that over 57% of cyberattacks in 2019 used this strategy to avoid detection by antivirus software. Furthermore, a recent IBM study also found that one of the most common tools exploited by cyberattackers is a software called PowerShell.
What does PowerShell do?
The main function of PowerShell is to automate system tasks and allow administrators to access and manage computers remotely. This provides massive productivity advantages, as administrators can manage and repair computer problems regardless of the system’s location. Other PowerShell capabilities, such as network sniffing, similarly streamline IT workflows for system administrators.
Microsoft has preinstalled PowerShell on all its Windows systems since 2005, and since 2016 the software has become widely available on other operating systems as well.
How can it be exploited?
There are many characteristics of PowerShell that make it a prime target for cyberattackers. Most importantly, it is widely installed because it comes prepackaged on Windows systems. Furthermore, it can load and execute code directly in memory without writing files to disk, which lets it slip past the usual file-based security controls.
One strategy used by cyberattackers is to leverage PowerShell as a malicious downloader to install and propagate malware. For instance, the Trojan.Kotver malware uses PowerShell to install advertisements onto a system without the victim’s permission. In this case, the cyberattacker benefits from the revenue generated by the victim’s non-consensual advertisement views.
Another piece of malware that exploits PowerShell is PowerGhost. This malicious software installs cryptomining software onto the victim’s computer, essentially cryptojacking the infected system.
How do you protect yourself?
While cyberattackers can leverage frameworks like PowerShell in their cyberattacks to avoid detection, the initial infection often still uses more traditional methods such as phishing or social engineering. Therefore, the best way to protect yourself is to become aware of the threats and the tell-tale signs of phishing attacks. With that said, there are also many strategies to reduce the vulnerability that comes with using PowerShell.
Firstly, disable PowerShell altogether if it does not assist in your organization’s IT operations. If it must be used, log and monitor its activity continuously to identify suspicious commands. Be particularly vigilant for activity coming from unknown locations or at strange times. Also, make sure the latest version of PowerShell is installed, as outdated versions pose an even greater security threat.
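As an added example (not part of the original article), the following PowerShell script puts the monitoring advice above into practice on a Windows host: it enables script block and module logging through the registry keys behind the corresponding Group Policy settings, reports the installed version, and then reviews a week of logged script blocks for downloader-style commands and for activity outside working hours. The keyword list and the 07:00–19:00 working-hours window are assumptions to tune for your environment.

```powershell
# Run from an elevated PowerShell prompt on the host being monitored.
# Registry paths correspond to the Group Policy settings "Turn on PowerShell
# Script Block Logging" and "Turn on Module Logging".
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$mod = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
foreach ($p in @($sbl, $mod, "$mod\ModuleNames")) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
}
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
Set-ItemProperty -Path $mod -Name EnableModuleLogging      -Value 1 -Type DWord
Set-ItemProperty -Path "$mod\ModuleNames" -Name '*' -Value '*' -Type String   # log all modules

# Version check: 5.1 is the last Windows PowerShell; 7.x is the supported release.
Write-Host "Running PowerShell $($PSVersionTable.PSVersion)"

# Event ID 4104 carries the de-obfuscated text of each executed script block,
# so download-and-run or encoded commands appear in clear once logging is on.
# Assumed indicator list: common download, decode and hide-the-window patterns.
$suspect = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIEX\b|' +
           'Invoke-Expression|FromBase64String|-EncodedCommand|-enc\b|' +
           '-WindowStyle Hidden|-ExecutionPolicy Bypass|Add-Type'
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $text       = [string]$e.Properties[2].Value        # ScriptBlockText field
    $flat       = $text -replace '\s+', ' '
    $afterHours = ($e.TimeCreated.Hour -lt 7) -or ($e.TimeCreated.Hour -ge 19)
    $match      = [regex]::Match($text, $suspect, 'IgnoreCase')
    if ($match.Success -or $afterHours) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = $e.UserId
            AfterHours = $afterHours
            Indicator  = if ($match.Success) { $match.Value } else { '' }
            Snippet    = $flat.Substring(0, [Math]::Min(120, $flat.Length))
        }
    }
}
$findings | Sort-Object Time -Descending | Format-Table -AutoSize
```

Script block logging is verbose, so scheduled maintenance scripts will appear in the after-hours results; add a whitelist of known script paths (event property index 4) once you know your baseline.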
Do not fall victim to a cyberattack. Call us at +1 888 366 4443 for more information on how to keep yourself safe.