​PowerShell, Critical Infrastructure and Emotet trojans to take centre stage in 2019

This year we saw attackers become much smarter and harder to detect. They’ve thrown away a lot of the tools they used to rely on, in favour of tactics that slip by traditional defences completely undetected. While this used to be the calling card of more advanced attackers, methods like PowerShell attacks are becoming more popular every day. 

By looking at the trends that took shape this year, there are a number of tools and tactics we expect to see attackers embrace in 2019. 

PowerShell and fileless attacks the new norm

As a Windows scripting language, PowerShell provides unprecedented access to a machine’s inner core, including unfettered access to APIs. It is inherently trusted by Windows, so any commands it executes are typically overlooked by security software.

Once an attacker hijacks PowerShell (or another trusted Windows tool), complete compromise of the victim’s environment is almost inevitable.

Because no actual malware is used in these ‘fileless’ attacks, there isn’t anything for antivirus programs to scan which means they bypass these controls without even trying.

This makes PowerShell attacks a favoured tactic of APTs.

So far, this type of attack has been favoured by Chinese and Russian nation-state actors. The list of those who have deployed PowerShell in campaigns reads like a who’s who of bad guys; APT groups 3, 19, 28, 29, and 32, the financially focussed FINs 6, 7, 8, and 10, and, of course, who can forget Deep Panda, the corporate espionage group linked to China that was implicated in attacks against Australian organisations in the lead up to the G20.

So, while 2017 was the year of Ransomware, 2018 was the year that sophisticated fileless and PowerShell attacks reigned supreme.

Given the ease with which these attacks bypass defences, coupled with the complete pwnage once successful, this is a trend we expect to see continue well into 2019.  

Critical infrastructure in the crosshairs

Before 2018, successful attacks against critical infrastructure were relatively rare – they were always feared, but highly uncommon. Not anymore.

This year, we saw the hacking group GreyEnergy, which took down Ukranian power grids in 2015, systematically target other critical infrastructure across the Eastern European nation and its neighbours.

Industrial control systems running SCADA software in Ukraine and Poland were GreyEnergy’s primary targets this year. Rather than shut down the grids after compromise, the attackers preferred to remain undetected and cover their tracks after collecting the intelligence they were seeking. According to researchers, this new degree of stealth is because the attackers were either preparing to sabotage the networks at the most damaging time possible, or are setting the stage for another APT. Interestingly, fileless attacks were part of GreyEnergy’s arsenal.

This year also saw the emergence of perhaps the most damaging critical infrastructure-specific malware since Stuxnet: Triton.

Widely believed to have been developed by Russia, Triton was used in an attack against a Saudi Arabian petro-chemical plant, shutting it down (although the shut down seemed to be inadvertent).

Triton targets Industrial Control Systems, with the aim of handing over full control to the attackers.

Next year, given the ongoing geopolitical uncertainty, we expect to see more critical infrastructure-specific payloads targeting SCADA and ICS systems across the globe.

“Emotet” – A constant threat

When it comes to banking trojans, Emotet is the star atop the Christmas tree.

This year, it was distributed to such an extent that US-CERT issued a cyber alert in July warning users and organisations to be vigilant against the rising number of malspam campaigns spreading the trojan. It was described as “among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors”.

Despite the spotlight on Emotet, it was still used to target Christmas and Thanksgiving shoppers in a campaign designed to exploit the shopping frenzy aroundBlack Friday and Cyber Monday. 

Primarily distributed in malspam campaigns, Emotet is typically hidden in attachments that claim to be receipts from financial institutions or holiday-themed greeting cards. Once opened, Emotet downloads a secondary payload, most often a banking malware like Ursnif or IcedId, which then steals the victim’s credit card details, passwords, or crypto wallets.

Given Emotet’s massive proliferation in the past few weeks, despite an advisory from USCERT in July, we expect to see it deployed again – possibly to exploit Boxing Day, New Year’s, and Valentine’s Day retail sales.

While cyber attackers by their very nature are difficult to predict, it does help to review the past year’s trends to see what methods are gaining popularity. With 2018 seeing an increase in PowerShell attacks, campaigns against critical infrastructure and the emergence of Emotet, it’s safe to say we’ll be seeing these again long after we’ve given up on our New Year’s resolutions.