Allied Cybersecurity Agencies Advise Against Disabling Popular Tool for Cyberattackers

The Microsoft program—PowerShell—has granted malicious actors in major hacks remote command and control ability over victims, but, by the same token, it can improve cybersecurity management across an enterprise.

Risks associated with PowerShell—a Microsoft program that enables remote management and the automation of tasks—can be mitigated by proper configuration and removing it would come at a cost to security, according to a joint advisory from the Cybersecurity and Infrastructure Security Agency, the National Security Agency and their allied counterparts overseas.

“Many publicly-acknowledged cyber intrusions, including those by ransomware actors, have used PowerShell as a post-exploitation tool,” reads an advisory the U.S. agencies, along with their partners in New Zealand and the United Kingdom, published Wednesday. 

But the same attributes that make the tool attractive to attackers also facilitate more efficient defensive measures and enable crucial forensic analysis, as CISA noted after the intrusion campaign commonly referred to as “SolarWinds,” which the U.S. has since attributed to the Russian Foreign Intelligence Service. 

The adversary’s infiltration of that IT management firm’s operations to plant trojanized code in a routine software update gave its name to the sweeping compromises that affected at least nine federal agencies. But the campaign also involved crafty maneuvers using Microsoft’s Active Directory Federation Services to move laterally across victim networks by uncovering and adopting legitimate credentials.

The agencies explained how “PowerShell remoting,” for example, can address that issue.

“PowerShell remoting is a Windows capability that enables administrators, cybersecurity analysts and users to remotely execute commands on Windows hosts,” the advisory reads. “Windows Remote Management (WinRM) is the underlying protocol used by PowerShell remoting and uses Kerberos or New Technology LAN Manager (NTLM) as the default authentication protocols. These authentication protocols do not send the actual credentials to remote hosts, avoiding direct exposure of credentials and risk of theft through revealed credentials.”

As with cloud computing in general, the chief mitigation to consider where PowerShell is in play is proper configuration of access authorization, which is usually not the default state.

“Enabling PowerShell remoting on private networks will introduce a Windows Firewall rule to accept all connections,” the agencies wrote. “The permission requirement and Windows Firewall rules are customizable for restricting connections to only trusted endpoints and networks to reduce lateral movement opportunities. Organizations can implement these rules to harden network security where feasible.”
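The firewall hardening the agencies describe can be audited and applied from PowerShell itself. The script below is an added example written for this article; it is not code from the advisory or from Microsoft. It assumes Windows 8 / Server 2012 or later (the NetSecurity module), an elevated session, and the default English display group name "Windows Remote Management" for the rules that Enable-PSRemoting creates; the management subnet is a constructed placeholder.

```powershell
# Added example: audit and restrict the inbound WinRM firewall rules that
# PowerShell remoting depends on. Not part of the advisory or the article.
# Assumes the NetSecurity module (Windows 8 / Server 2012+) and an elevated session.
#Requires -RunAsAdministrator

# Placeholder value: replace with the subnet your administrative hosts live on.
$TrustedManagementSubnet = '10.0.50.0/24'

# Enumerate the inbound rules in the Windows Remote Management group and
# report which remote addresses each one accepts.
function Get-WinRmRuleScope {
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.Name
                Profile       = $_.Profile
                Enabled       = $_.Enabled
                RemoteAddress = ($filter.RemoteAddress -join ',')
            }
        }
}

# Weak state: after Enable-PSRemoting on a private-profile network the rule's
# RemoteAddress is 'Any', so every host that can reach TCP/5985 may try to
# authenticate. Show the current scope before changing anything.
Get-WinRmRuleScope | Format-Table -AutoSize

# Hardened state: keep the same rules but limit them to the trusted subnet,
# which is what the advisory means by restricting connections to trusted
# endpoints and networks.
function Set-WinRmRuleScope {
    param([Parameter(Mandatory)][string[]]$RemoteAddress)
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $RemoteAddress
}
Set-WinRmRuleScope -RemoteAddress $TrustedManagementSubnet

# Verify: flag any enabled inbound WinRM rule that is still open to any address.
$open = Get-WinRmRuleScope | Where-Object { $_.Enabled -eq 'True' -and $_.RemoteAddress -eq 'Any' }
if ($open) {
    Write-Warning "WinRM rules still open to any remote address: $($open.Name -join ', ')"
} else {
    Write-Host "All inbound WinRM rules are limited to: $TrustedManagementSubnet"
}
```

Run the audit function alone first on a representative host; the public-profile rule Windows creates is normally already scoped to the local subnet, while the private/domain rule is the one that tends to show 'Any'. The final check is the piece worth keeping in a compliance script, since a later Enable-PSRemoting run can reset the rule scope.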

Source: https://www.nextgov.com/cybersecurity/2022/06/allied-cybersecurity-agencies-advise-against-disabling-popular-tool-cyberattackers/368593/
