Breaking botnets and wrestling ransomware

As your business invests in digital transformation, it is important to understand security trends and events so you can strengthen your company's security posture.

By Richard Koh, Chief Technology Officer, Microsoft Singapore

This article was first published in The Business Times on 30 March 2018.

As security incidents and events keep making headlines, Microsoft is committed to helping our customers and the rest of the security community to make sense of the risks and offer recommendations that matter.

One way we do so is through the Microsoft Security Intelligence Report, a bi-annual publication that Microsoft publishes for the benefit of customers, partners and the industry, to educate organisations about the current state of threats, recommended best practices, and solutions.

At Microsoft, we have massive depth and breadth of intelligence to tap on for the report. This includes anonymous data sources from both consumer and commercial on-premises systems and cloud services that Microsoft operates on a global scale, such as Windows, Bing, Office 365, and Azure. Across these services, each month we scan 400 billion email messages for phishing and malware, process 450 billion authentications, execute more than 18 billion web page scans, and scan more than 1.2 billion devices for threats.

Looking beyond the headline-grabbing incidents of the last year, the 23rd edition of the report, which focused on threat trends since February, has exposed three interesting themes, as follows.

Botnets continue to impact millions of computers globally

In November 2017, in partnership with a number of global law enforcement agencies and private entities, Microsoft disrupted the command-and-control infrastructure of one of the largest malware operations in the world: the Gamarue botnet.

Microsoft analysed over 44,000 malware samples, which uncovered the botnet’s sprawling infrastructure, and discovered that Gamarue distributed over 80 different malware families.

The top three malware classes distributed by the Gamarue botnet were ransomware, trojans and backdoors. The resulting takedown of the botnet’s servers globally led to a 30 per cent drop in infected devices in just a three-month period.

Recommendation: To detect and protect computers from Gamarue and other malware, use security solutions that apply advanced machine learning models as well as generic and heuristic techniques. Microsoft is continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples, through the Virus Information Alliance, to help organisations protect their employees and customers.

Easy-mark methods like phishing are commonly used by cybercriminals

As software vendors incorporate stronger security measures into their products, it is becoming more expensive for hackers to successfully penetrate software.

By contrast, it is easier and less costly to trick a user into clicking a malicious link or opening a phishing e-mail. In 2017, we saw “low-hanging fruit” methods such as phishing being used to trick users into handing over credentials and other sensitive information. Phishing was the top threat vector for Office 365-based threats during the second half of 2017.

Recommendation: While humans are often blamed as the weakest link in cybersecurity, with the right training and education they can also be the first line of defence. Organisations can perform mock phishing exercises, or even consider hiring third-party experts to obtain security awareness training including education on phishing.

Another low-hanging fruit for attackers is poorly secured cloud apps. In our research, we found that 79 per cent of Software-as-a-Service (SaaS) storage apps and 86 per cent of SaaS collaboration apps do not encrypt data both at rest and in transit, making it far easier for attackers not only to steal data, but also to find ways to compromise those apps for their gain.

Recommendation: When adopting cloud apps, you should ensure that only apps with web session protection and encryption are allowed in your environment. Organisations should have a solution in place to have visibility into and control over all cloud apps usage.

Business software usage is critical for productivity. Cybercriminals know this and take advantage of legitimate software platform features to infect computers. For example, during the last quarter of 2017, the Windows Defender Security Intelligence team detected incidents in which hackers used legitimate business software to stay “under the radar” as they phished users and infected computers.

Recommendation: Microsoft provides malware protection by default in newer versions of Windows, such as Windows 10, for the malicious payloads associated with Dynamic Data Exchange (DDE) attacks. We also recommend that customers follow the basic guidelines to protect their computers by enabling a firewall, installing antivirus software, and ensuring that software updates (as well as operating system security patches) are applied regularly.

Ransomware remains a force to be reckoned with

Money is ultimately what drives cybercriminals, so extortion rackets that demand payment in cryptocurrency by threatening potential victims with the loss of their data remain an attractive strategy.

In 2017, three ransomware outbreaks – WannaCrypt, Petya/NotPetya and BadRabbit – affected corporate networks globally, with significant impact to hospitals, transportation, and traffic systems.

We found that the region with the greatest number of these ransomware encounters was Asia. The ransomware attacks observed last year were very destructive and moved at an incredibly rapid pace, and because of automated propagation techniques, they infected computers faster than any human could respond, leaving most victims without access to their files indefinitely.

Recommendation: Considering the impact of ransomware, we need to ensure that we back up our data and regularly test that the back-ups are working; apply multi-layered security defences, including machine-learning and artificial intelligence technologies to evaluate files to be able to detect suspected malware; manage and control privileged access to data; keep all software up to date; and where necessary, isolate or retire computers that cannot be patched or updated with the latest software to minimise the footprint of exposure to ransomware attacks and infection.

An important insight in the Microsoft Security Intelligence Report is that the three themes are interrelated. For example, ransomware was one of the most prominent types of malware distributed by the Gamarue botnet. Elsewhere, cybercriminals are attempting to take advantage of legitimate platform features to attach a ‘weaponised’ document (for example, a Microsoft Office document) containing ransomware in a phishing e-mail.

What can be done in the enterprise? At the very least, organisations that adopt sound security hygiene, security solutions and best practices also maintain cyber-resilience and incident response plans. They employ the right mix of people and processes to deal with the various threat scenarios and attacks, reducing the damage and impact of these threats.