Microsoft released a new annual report called the Digital Defense Report, covering cybersecurity trends from the past year. This report makes it clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets. For example, nation-state actors are engaging in new reconnaissance techniques that increase their chances of compromising high-value targets, criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services, and attackers have developed new ways to scour the internet for systems vulnerable to ransomware.
In addition to attacks becoming more sophisticated, threat actors are showing clear preferences for certain techniques, with notable shifts towards credential harvesting and ransomware, as well as an increasing focus on Internet of Things (IoT) devices. Among the most significant statistics on these trends:
- In 2019, Microsoft blocked over 13 billion malicious and suspicious emails, of which more than 1 billion carried URLs set up for the explicit purpose of launching a credential-phishing attack.
- Ransomware is the most common reason behind Microsoft’s incident response engagements from October 2019 through July 2020.
- The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and virtual private network (VPN) exploits.
- IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.
“Given the leap in attack sophistication in the past year, it is more important than ever that companies take steps to establish new rules of the road for cyberspace: that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA). Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks,” says Tom Burt – Corporate Vice President, Customer Security & Trust.
“This is a follow-up to our 2019 Security Endpoint Threat Report, which shows that Indonesia registered the highest malware encounter rate across the Asia Pacific region. The country also registered the 2nd highest ransomware encounter rate across the region. As businesses transform themselves digitally, they need to be aware of some of the issues as expanding the workplace to the home becomes the norm,” said Haris Izmee, President Director of Microsoft Indonesia.
Below is a summary of the most important insights in this year’s report, including related suggestions for people and businesses.
Criminal groups are evolving their techniques
Criminal groups are skilled and relentless. They have become adept at evolving their techniques to increase success rates, whether by experimenting with different phishing lures, adjusting the types of attacks they execute or finding new ways to hide their work.
Over the past several months, Microsoft has seen cybercriminals turn their well-established tactics and malware against human curiosity and the need for information. Attackers are opportunistic and will switch lure themes daily to align with news cycles, as seen in their use of the COVID-19 pandemic. While the overall volume of malware has been relatively consistent over time, adversaries used worldwide concern over COVID-19 to build socially engineered lures around the world’s collective anxiety and the flood of information associated with the pandemic. In recent months, the volume of COVID-19-themed phishing attacks has decreased. These campaigns have been used both to target consumers broadly and to target specific essential industry sectors such as health care.
In past years, cybercriminals focused on malware attacks. More recently, they have shifted their focus to phishing attacks (~70%) as a more direct means to achieve their goal of harvesting people’s credentials. To trick people into giving up their credentials, attackers often send emails imitating top brands. Based on Office 365 telemetry, the top spoofed brands used in these attacks are Microsoft, UPS, Amazon, Apple and Zoom.
Additionally, attack campaigns are rapidly changing or morphing to evade detection. Morphing is being used across sending domains, email addresses, content templates and URL domains. The goal is to increase the combination of variations to remain unseen.
Nation-state actors are shifting their targets
Nation-states have shifted their targets to align with the evolving political goals in the countries where they originate.
Microsoft observed 16 different nation-state actors either targeting customers involved in the global COVID-19 response efforts or using the crisis in themed lures to expand their credential theft and malware delivery tactics. These COVID-themed attacks targeted prominent governmental health care organizations in efforts to perform reconnaissance on their networks or people. Academic and commercial organizations involved in vaccine research were also targeted.
In recent years there has been an important focus on vulnerabilities in critical infrastructure. While companies must remain vigilant and continue to increase security for critical infrastructure, and while these targets will continue to be attractive to nation-state actors, in the past year such actors have largely focused on other types of organizations. In fact, 90% of the nation-state notifications in the past year have been to organizations that do not operate critical infrastructure. Common targets have included nongovernmental organizations (NGOs), advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security. This trend may suggest nation-state actors have been targeting those involved in public policy and geopolitics, especially those who might help shape official government policies. Most of the nation-state activity observed the past year originated from groups in Russia, Iran, China and North Korea.
Each nation-state actor tracked has its own preferred techniques and the report details the preferred ones for some of the most active groups.
Ransomware continues to grow as a major threat
The Department of Homeland Security, FBI and others have warned the public about ransomware, especially its potential use to disrupt the 2020 elections. What has been seen supports the concerns they have raised.
Encrypted and lost files and threatening ransom notes have now become the top-of-mind fear for most executive teams. Attack patterns demonstrate that cybercriminals know when there will be change freezes, such as holidays, that will impact an organization’s ability to make changes (such as patching) to harden their networks. They’re aware of when there are business needs that will make organizations more willing to pay ransoms than incur downtime, such as during billing cycles in the health, finance and legal industries.
Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim’s system – compromising, exfiltrating data and, in some cases, ransoming quickly – apparently believing that there would be an increased willingness to pay as a result of the outbreak. In some instances, cybercriminals went from initial entry to ransoming the entire network in under 45 minutes.
At the same time, Microsoft also sees that human-operated ransomware gangs are performing massive, wide-ranging sweeps of the internet, searching for vulnerable entry points, so that they can “bank” access and wait for a time that is advantageous to their purpose.
Working from home presents new challenges
It is well known that COVID-19 has accelerated the work-from-home trend that was already well underway in 2019.
Traditional security policies within an organization’s perimeter have become much harder to enforce across a wider network made up of home and other private networks and unmanaged assets in the connectivity path. As organizations continue to move applications to the cloud, cybercriminals are increasing distributed denial of service (DDoS) attacks to disrupt user access and even to obscure more malicious and harmful infiltrations of an organization’s resources.
It’s also important to address the human element as fundamental to a secure workforce by looking at challenges such as insider threats and social engineering by malicious actors. In a recent survey conducted by Microsoft, 73% of CISOs indicated that their organization encountered leaks of sensitive data and data spillage in the last 12 months, and that they plan to spend more on insider risk technology owing to the COVID-19 pandemic.
During the first half of 2020, Microsoft saw an increase in identity-based attacks using brute force on enterprise accounts. This attack technique uses systematic guessing, lists of passwords, dumped credentials from previous breaches or other similar methods to forcibly authenticate to a device or service. Given the frequency of passwords being guessed, phished, stolen with malware or reused, it’s critical for people to pair passwords with some second form of strong credential. For organizations, enabling MFA is an essential call to action.
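The brute-force pattern described above is one that a SOC can pick out of authentication telemetry with a simple windowed count. The following is an added example, not code from Microsoft or the Digital Defense Report: it parses a constructed sign-in log (the `SAMPLE_LOG` format, the field names and the thresholds are all assumptions for this illustration) and flags three things a defender cares about: many failures against one account (classic brute force), one source failing against many accounts (password spray, which per-account lockout alone will not catch), and a success that follows a burst of failures on the same account (the case MFA is meant to stop).

```python
"""Added example: flag brute-force and password-spray patterns in sign-in logs.

Not part of the original article or of any Microsoft product; the log format,
field names and thresholds are assumptions made for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real telemetry): one event per line with
# an ISO-8601 timestamp, the account name, the source IP and the outcome.
SAMPLE_LOG = """\
2020-05-04T09:00:01Z alice 203.0.113.7 FAIL
2020-05-04T09:00:02Z alice 203.0.113.7 FAIL
2020-05-04T09:00:03Z alice 203.0.113.7 FAIL
2020-05-04T09:00:04Z alice 203.0.113.7 FAIL
2020-05-04T09:00:05Z alice 203.0.113.7 FAIL
2020-05-04T09:00:09Z alice 203.0.113.7 SUCCESS
2020-05-04T09:05:00Z bob 198.51.100.9 FAIL
2020-05-04T09:05:20Z carol 198.51.100.9 FAIL
2020-05-04T09:05:40Z dave 198.51.100.9 FAIL
2020-05-04T09:06:00Z erin 198.51.100.9 FAIL
2020-05-04T09:30:00Z frank 192.0.2.5 FAIL
2020-05-04T09:31:00Z frank 192.0.2.5 SUCCESS
"""


def parse_events(text):
    """Parse the constructed log into (timestamp, user, ip, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    events.sort(key=lambda e: e[0])
    return events


def _prune(window_events, now, window):
    """Drop entries from the left of a deque that fall outside the sliding window."""
    while window_events and now - window_events[0][0] > window:
        window_events.popleft()


def detect(events, window=timedelta(minutes=10), fail_threshold=5, spray_accounts=3):
    """Return the accounts, sources and (account, ip) pairs that match each pattern.

    brute_force:            >= fail_threshold failures against one account within the window
    password_spray:         one source IP failing against >= spray_accounts distinct accounts
    success_after_failures: a SUCCESS while the account still has >= fail_threshold recent failures
    """
    fails_by_user = defaultdict(deque)   # user -> deque of (ts, ip)
    fails_by_ip = defaultdict(deque)     # ip   -> deque of (ts, user)
    brute_force, password_spray, success_after_failures = set(), set(), set()

    for ts, user, ip, outcome in events:
        _prune(fails_by_user[user], ts, window)
        _prune(fails_by_ip[ip], ts, window)
        if outcome == "FAIL":
            fails_by_user[user].append((ts, ip))
            fails_by_ip[ip].append((ts, user))
            if len(fails_by_user[user]) >= fail_threshold:
                brute_force.add(user)
            # A spray is many accounts with few attempts each, so count distinct accounts per source.
            if len({u for _, u in fails_by_ip[ip]}) >= spray_accounts:
                password_spray.add(ip)
        elif outcome == "SUCCESS" and len(fails_by_user[user]) >= fail_threshold:
            # The guess eventually worked: highest-priority finding, and exactly what MFA blocks.
            success_after_failures.add((user, ip))

    return {
        "brute_force": sorted(brute_force),
        "password_spray": sorted(password_spray),
        "success_after_failures": sorted(success_after_failures),
    }


if __name__ == "__main__":
    for pattern, hits in detect(parse_events(SAMPLE_LOG)).items():
        print(f"{pattern}: {hits}")
```

On the constructed log, `alice` is flagged for brute force and for a success following the burst, `198.51.100.9` is flagged as a spraying source, and `frank` (one typo, then a normal sign-in) is not flagged at all. The windows and thresholds are deliberately parameters: the right values depend on the tenant's normal failure rate, and a spray detector should be tuned on distinct-account counts rather than total failures, because that is the dimension a sprayer keeps low per account on purpose.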
A community approach to cybersecurity is critical
Microsoft uses a combination of technology, operations, legal action and policy to disrupt and deter malicious activity.
As a technical measure, for example, Microsoft is investing in sophisticated campaign clustering intelligence in Microsoft 365 to enable security operations center (SOC) teams to piece together these increasingly complex campaigns from their fragments. The company is also trying to make it more difficult for criminals to operate by disrupting their activities through legal action. When Microsoft proactively seizes their malicious infrastructure, the bad actors lose visibility, capability and access across a range of assets previously under their control, forcing them to rebuild. Since 2010, the Digital Crimes Unit has collaborated with law enforcement and other partners on 22 malware disruptions, resulting in over 500 million devices rescued from cybercriminals.
“Even with all of the resources dedicated to cybersecurity, Microsoft’s contribution will only be a small piece of what’s needed to address the challenge. It requires policymakers, the business community, government agencies and, ultimately, individuals to make a real difference, as well as a significant impact through shared information and partnerships. This is one of the reasons Microsoft launched the Security Intelligence Report in 2005, and it’s one of the reasons why the company evolved that report into this new Digital Defense Report. Microsoft hopes this contribution will help us all work together better to improve the security of the digital ecosystem,” says Tom Burt.
“October is Cyber Security Awareness Month in the U.S. and this is a good time to consider the changes we still need to make during this pandemic. We believe every Indonesian industry has the potential to be data resilient, and I hope our tools and reports can help empower businesses to achieve more for a post-COVID future,” concludes Haris Izmee.