
Cyber threats getting sophisticated, revealed in Microsoft report

by ESPC Reporters

September 30, 2020 — Microsoft released a new annual report, called the Digital Defense Report, covering cybersecurity trends from the past year. 

This report makes it clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets. 

For example, nation-state actors are engaging in new reconnaissance techniques that increase their chances of compromising high-value targets, criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services, and attackers have developed new ways to scour the internet for systems vulnerable to ransomware.

In addition to attacks becoming more sophisticated, threat actors are showing clear preferences for certain techniques, with notable shifts towards credential harvesting and ransomware, as well as an increasing focus on Internet of Things (IoT) devices.

Among the most significant statistics on these trends:

  • In 2019, we blocked over 13 billion malicious and suspicious emails, of which more than 1 billion contained URLs set up for the explicit purpose of launching a phishing credential attack.
  • Ransomware is the most common reason behind our incident response engagements from October 2019 through July 2020.
  • The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware and virtual private network (VPN) exploits.
  • IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.

Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace: that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA).

Microsoft data shows that enabling MFA would alone have prevented the vast majority of successful attacks.

A summarised version of the report was presented on the Microsoft blog by Tom Burt, its Customer Security & Trust vice president.

Criminal groups are skilled and relentless.

They have become adept at evolving their techniques to increase success rates, whether by experimenting with different phishing lures, adjusting the types of attacks they execute or finding new ways to hide their work.

Over the past several months, we have seen cybercriminals play their well-established tactics and malware against our human curiosity and need for information.

Attackers are opportunistic and will switch lure themes daily to align with news cycles, as seen in their use of the COVID-19 pandemic. While the overall volume of malware has been relatively consistent over time, adversaries used worldwide concern over COVID-19 to socially engineer lures around our collective anxiety and the flood of information associated with the pandemic.

In recent months, the volume of COVID-19-themed phishing attacks has decreased.

These campaigns have been used for broadly targeting consumers, as well as specifically targeting essential industry sectors such as health care.

Nation-state actors are shifting their targets

Nation-states have shifted their targets to align with the evolving political goals in the countries where they originate.

Microsoft observed 16 different nation-state actors either targeting customers involved in the global COVID-19 response efforts or using the crisis in themed lures to expand their credential theft and malware delivery tactics.

These COVID-themed attacks targeted prominent governmental health care organizations in efforts to perform reconnaissance on their networks or people. Academic and commercial organizations involved in vaccine research were also targeted.

In recent years there has been an important focus on vulnerabilities in critical infrastructure. While we must remain vigilant and continue to increase security for critical infrastructure, and while these targets will continue to be attractive to nation-state actors, in the past year such actors have largely focused on other types of organizations. In fact, 90% of our nation-state notifications in the past year have been to organizations that do not operate critical infrastructure.

Common targets have included nongovernmental organizations (NGOs), advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security. This trend may suggest nation-state actors have been targeting those involved in public policy and geopolitics, especially those who might help shape official government policies.

Most of the nation-state activity we observed the past year originated from groups in Russia, Iran, China and North Korea.

Each nation-state actor we track has its own preferred techniques and the report details the preferred ones for some of the most active groups.

Ransomware continues to grow as a major threat

The Department of Homeland Security, FBI and others have warned us all about ransomware, especially its potential use to disrupt the 2020 elections. What we’ve seen supports the concerns they’ve raised.

Encrypted and lost files and threatening ransom notes have now become the top-of-mind fear for most executive teams. Attack patterns demonstrate that cybercriminals know when there will be change freezes, such as holidays, that will impact an organization’s ability to make changes (such as patching) to harden their networks.

They’re aware of when there are business needs that will make organizations more willing to pay ransoms than incur downtime, such as during billing cycles in the health, finance and legal industries.

Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim’s system – compromising, exfiltrating data and, in some cases, ransoming quickly – apparently believing that there would be an increased willingness to pay as a result of the outbreak. In some instances, cybercriminals went from initial entry to ransoming the entire network in under 45 minutes.

At the same time, we also see that human-operated ransomware gangs are performing massive, wide-ranging sweeps of the internet, searching for vulnerable entry points, as they “bank” access – waiting for a time that is advantageous to their purpose.

Source: https://blogs.microsoft.com/on-the-issues/2020/09/29/microsoft-digital-defense-report-cyber-threats/
