Highly resourced and determined cybercriminals are putting companies under strain as they refine their techniques around credential harvesting and ransomware
The opportunistic nature of cybercriminals means they ‘never waste a crisis’, and the COVID-19 pandemic has been a golden ticket to increased activity on many fronts. The threat environment continues to evolve, and cybercriminals are creative, well-resourced, well organised and innovative. They are attuned to using contemporary issues of the day to exploit and target consumers. This is all happening while chief information security officers (CISOs) and their teams are constantly trying to combat attacks and protect their organisations with fewer resources than before.
In fact, a recent survey of 445 IT professionals by the Chartered Institute of Information Security (CIISec) found that 82 percent say their budgets had either decreased, remained the same or weren’t rising fast enough to meet the needs of the latest cybersecurity challenges. On top of this, 54 percent say they had left a job due to burnout or know of someone who did.
To better equip CISOs and their departments, Microsoft has released its latest Digital Defense Report detailing the most pressing concerns for organisations and individual users.
A constant evolution of payload delivery mechanisms
Phishers have become better at evading detection by hiding malicious artefacts behind benign ones using poisoned search results – hijacked search results that use legitimate but compromised URLs, or multiple harmless-looking redirectors that eventually lead to phishing.
This year, cybercriminals have also found another shrewd way to prey on users by using custom 404 Not Found error pages to host phishing payloads. Often designed to look like legitimate account sign-in pages, they give cybercriminals an unlimited supply of phishing URLs with which to launch attacks. Another strategy is the use of man-in-the-middle components, whereby the cybercriminal harvests company-specific elements like logos, banners, text and background images from a legitimate site and uses them to present less suspicious pages to the targets. In this case the phishing site looks just like the legitimate sign-in page, reducing user suspicion even though the URL points to an attacker-controlled server – the man-in-the-middle component. Cybercriminals also now put captcha challenges and other evasion tools in front of their pages to avoid detection.
Email phishing continues to grow
Email phishing continues to grow in the enterprise context. Given the increase in available information about these schemes and the technical advancements in detection, the criminals behind these attacks are now spending significant time, money and effort to develop sophisticated scams. The Digital Defense Report flags three main forms of phishing – credential phishing, business email compromise and a combination of these two.
Credential phishing has the cybercriminal posing as a legitimate well-known service or brand in the email template in an attempt to lure the user into clicking on a link. This leads them to a fake login page, or the site itself may have malware that’s automatically downloaded to their device, capturing credentials stored on the device or in the browser memory. Once the user’s login credentials have been compromised, they can be used to launch further attacks into the organisation to steal data, money or otherwise breach the user’s corporate network.
Business email compromise (BEC), otherwise referred to as CEO fraud or vendor compromise, specifically targets businesses and is characterised by techniques used to pose as someone the victim would usually take notice of – the CEO, CFO or accounts receivable clerk.
A combination of credential phishing and BEC can deliver more sophisticated kill chains. Once credentials are compromised, the cybercriminal sets up mailbox forwarding rules to monitor for financial transactions. The cybercriminal then inserts a victim impersonation email into the middle of a communication to misdirect or steal money or information.
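The mailbox rules described above (forward finance-related mail to the attacker, then hide it from the owner) leave a trace that defenders can review. As an added example, not from the report or from Microsoft, the script below triages a list of exported inbox rules for that pattern; the record shape, field names, internal domains, keyword list and sample rules are all constructed assumptions rather than any vendor's format.

```python
"""Triage exported inbox rules for BEC-style forwarding and hiding behaviour.

Added example, not from the Microsoft report. Field names, domains, keywords
and the sample rules are constructed assumptions, not a vendor's export format.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Domains the organisation owns; any other recipient is treated as external (constructed).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Subject words that suggest a rule is watching for payment traffic (constructed list).
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank", "account details"}

# Folders users rarely open, a common place to park intercepted mail (constructed list).
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    subject_words: List[str] = field(default_factory=list)
    delete_message: bool = False
    mark_as_read: bool = False
    move_to_folder: str = ""


def is_external(address: str) -> bool:
    """True when the recipient domain is not one the organisation owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def assess_rule(rule: InboxRule) -> Dict:
    """Score one rule: each suspicious trait adds one point and a reason."""
    reasons = []
    if any(is_external(a) for a in rule.forward_to):
        reasons.append("forwards or redirects to an external address")
    if any(k in w.lower() for w in rule.subject_words for k in FINANCE_KEYWORDS):
        reasons.append("matches finance-related subject words")
    if rule.delete_message or rule.mark_as_read:
        reasons.append("hides matched mail from the mailbox owner")
    if rule.move_to_folder.lower() in HIDDEN_FOLDERS:
        reasons.append("moves mail to a rarely viewed folder")
    # Names made only of punctuation (".", ",,") are a common attempt to blend in.
    if not any(c.isalnum() for c in rule.name):
        reasons.append("non-descriptive rule name")
    return {"mailbox": rule.mailbox, "rule": rule.name,
            "score": len(reasons), "reasons": reasons}


def triage(rules: List[InboxRule], threshold: int = 2) -> List[Dict]:
    """Return the findings that meet the score threshold, highest score first."""
    findings = [assess_rule(r) for r in rules]
    flagged = [f for f in findings if f["score"] >= threshold]
    return sorted(flagged, key=lambda f: f["score"], reverse=True)


# Constructed sample export: one BEC-style rule, one benign, one internal, one hiding-only.
SAMPLE_RULES = [
    InboxRule("alice@example.com", ".", ["collector@mail-relay.example.net"],
              ["invoice", "wire"], delete_message=True),
    InboxRule("bob@example.com", "Team newsletter", [], ["newsletter"],
              move_to_folder="Newsletters"),
    InboxRule("carol@example.com", "Payments to finance", ["finance@corp.example.com"],
              ["payment"]),
    InboxRule("dave@example.com", "Archive", [], [], mark_as_read=True,
              move_to_folder="RSS Feeds"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RULES):
        print(f"{finding['mailbox']} rule {finding['rule']!r} score {finding['score']}: "
              + "; ".join(finding["reasons"]))
```

The threshold of two traits keeps ordinary rules (a forward to an internal finance mailbox, a newsletter filter) out of the queue while still surfacing rules that only hide mail, since hiding on its own is unusual enough to merit a look. In practice the rule list would come from the mail platform's audit or admin export rather than the constructed sample here.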
Ransomware attacks are on the rise, driven by humans
Ransomware is a high-impact, human-driven threat, and there has been a major shift in the cyberattack landscape towards ransomware that has made it a real and omnipresent threat for everyone, not just certain industries. It is not only a malware threat: it is a breach involving human adversaries attacking a network.
The State of Ransomware 2020 by Sophos found that 63 percent of IT managers surveyed in Turkey had experienced a ransomware attack in the last year. In Nigeria, this number sits at 53 percent, and in the UAE at 49 percent. In South Africa this number has dropped from 54 percent in 2017 to 24 percent; one of the reasons for this is the move from the ‘spray and pray’ approach to more selective attacks on targets perceived to be more lucrative. While the attack rate is high in Turkey, Sophos found that 51 percent of these attacks were thwarted before data could be encrypted.
Ransomware attacks are designed to lock companies out of their critical systems in order to extort payment – and while acquiescing to the demands might seem like the better option than rebuilding business systems, paying the ransom will not get rid of the attacker. When cybercriminals extract files for release or for sale, they leave backdoors in the network for future criminal activity, and these risks persist, whether the ransom is paid or not.
Cybercriminals perform huge, wide-ranging sweeps of the internet, looking for vulnerable entry points, and they then ‘bank’ this access for a time that’s advantageous to their purpose. For example, cybercriminals exploited vulnerabilities in VPN and remote access devices to obtain credentials, and then saved their access to use for ransoming hospitals and medical service providers during the COVID-19 pandemic. They’re aware of times when there are business needs that will make those businesses more willing to pay the ransoms than take the downtime on their systems, and a global pandemic is exactly one such time.
The rise in popularity of ransomware has led to a cybersecurity narrative that focuses on the intricacies of the ransomware payload and the encryption methods used. This makes it seem as if ransomware arrives on networks purely by virtue of the malware’s characteristics, and that defences should therefore focus on preventing encryption. But this approach ignores the human actors behind the threat – and the fact that access to the network might already be compromised. Understanding and fixing the fundamental security issues that led to the compromise in the first place should be a priority for ransomware victims.
Users and CISOs can take steps to protect against attacks
Given the enormity and complexity of credential phishing and BEC, the Microsoft Digital Crimes Unit advocates key steps:
- Adopt multi-factor authentication – this can stop credentials-based attacks dead in their tracks.
- Adopt good email hygiene – 90 percent of attacks start with an email, so preventing phishing can limit the opportunities for attacks.
- Train employees to recognise the tell-tale signs of phishing, and keep training them. Users can be the weakest link or the first line of defence, so train them on what an attack looks like, and provide them with a way to report unusual activity.
- Patch systems and apps and use the most up-to-date versions of apps and platforms.
- Manage configuration changes – misconfigurations are a prominent attack vector and an example of how small changes can lead to big problems. Implementing a robust change management programme allows businesses to review changes before they’re made and confirm that they won’t put the organisation at risk.
Relentless vigilance is necessary
Microsoft is constantly looking at new ways to best serve its billions of customers globally, from individual users and businesses to the CISOs and teams protecting their organisations. By aggregating security data from a broad spectrum of companies, organisations and consumers, we are able to generate a high-fidelity picture of the state of cybersecurity and to predict what attackers will do next. The defender community at Microsoft works hard to identify threats and keep all our customers informed.