Suspected hackers are attempting to steal valuable enterprise data by injecting banking and credential theft malware through email attachments.
Hackers are installing malware in enterprise computers using .lnk files and PowerShell to evade traditional threat detection tools.
Security firm Netskope Threat Research Labs has detected a sophisticated data theft strategy employed by hackers that can help the latter steal valuable data by evading traditional malware-detection tools.
What really happened?
Hackers have been using Office file attachments to inject malware into systems. This technique involves convincing employees to download attachments on phishing emails, thus using these attachments to inject malware and gain control of enterprise computers.
However, such malicious attachments can be detected by malware detection tools employed by most organisations. To evade such tools, hackers are now using tools like .lnk files and PowerShell to inject malware.
'The current attack chain employs .lnk files and PowerShell to install its payload. As a result, several difficulties exist in traditional static scan, or runtime/sandbox evaluation of this threat,' said Netskope.
'These attachments, detected by Netskope Threat Protection as Backdoor.LNK.NX execute PowerShell which downloads final payloads from SaaS applications, such as Dropbox,' it added.
The vulnerability could have a multiplier effect in organisations where email servers are auutomatically synced to the cloud, resulting in a CloudPhishing fanout effect which can spread the malware to more devices. Some potent malware that were injected using this technique include Ursnif and Locky ransomware that can take control of servers and encrypt all files.
Why should you care?
Sophisticated malware-injection techniques take advantage of vulnerabilities in existing threat-detection and quarantine mechanisms. Once they are employed, they can result in loss of sensitive customer and company data and demands of ransom by hackers.
At the same time, hackers can also use malware and trojans to disrupt operations, control industrial systems and shut down connected systems, thereby resulting in huge losses for victims.
If your enterprise does not take note of such threats, it may suffer a breach soon enough and may attract legal action from the government for failing to protect customer data. According to a report from Beaming, a business ISP, the total number of cyber-attacks on an average UK business rose to an alarming 65,000 between April and June compared to just over 42,000 between January and March. So the threat is very much real.
What do you need to do?
Netskope suggests that security administrators should employ a cloud access security broker (CASB) with cloud app instance-level inspection to prevent malware injections using Powershell or other tools. CASB is a tool to address cloud service risks, enforce security policies, and comply with regulations, even when cloud services are beyond a company's perimeter and out of its direct control.
The firm also recommends that companies should scan all uploads from unmanaged devices to sanctioned cloud applications, all downloads from unsanctioned cloud applications, enforce quarantine/block actions on malware detection to reduce user impact, enforce DLP policies to control files and data sent and received by your organisation, enable the “View known file extensions” option on Windows machines and warn users against opening untrusted attachments.
At the same time, your organisation should keep systems and antivirus updated with the latest patches, ensure that no files are executed until it is confirmed that they are benign, and regularly back up and turn on versioning for critical content in cloud services.