Today, Microsoft is releasing a new annual report, called the Digital Defense Report, covering cybersecurity trends from the past year. This report makes it clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets. For example, nation-state actors are engaging in new reconnaissance techniques that increase their chances of compromising high-value targets, criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services, and attackers have developed new ways to scour the internet for systems vulnerable to ransomware.
In addition to attacks becoming more sophisticated, threat actors are showing clear preferences for certain techniques, with notable shifts towards credential harvesting and ransomware, as well as an increasing focus on Internet of Things (IoT) devices. Among the most significant statistics on these trends:
- In 2019, we blocked over 13 billion malicious and suspicious emails; more than 1 billion of them carried URLs set up for the explicit purpose of phishing for credentials.
- Ransomware is the most common reason behind our incident response engagements from October 2019 through July 2020.
- The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware and virtual private network (VPN) exploits.
- IoT threats are constantly expanding and evolving. The first half of 2020 saw approximately a 35% increase in total attack volume compared to the second half of 2019.
Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace; that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics: regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA). Our data shows that enabling MFA alone would have prevented the vast majority of the successful attacks we saw.
In this blog post I’ll summarize some of the most important insights in this year’s report, including related suggestions for people and businesses.
Criminal groups are evolving their techniques
Criminal groups are skilled and relentless. They have become adept at evolving their techniques to increase success rates, whether by experimenting with different phishing lures, adjusting the types of attacks they execute or finding new ways to hide their work.
Over the past several months, we have seen cybercriminals play their well-established tactics and malware against our human curiosity and need for information. Attackers are opportunistic and will switch lure themes daily to align with news cycles, as seen in their use of the COVID-19 pandemic. While the overall volume of malware has been relatively consistent over time, adversaries used worldwide concern over COVID-19 to socially engineer lures around our collective anxiety and the flood of information associated with the pandemic. In recent months, the volume of COVID-19-themed phishing attacks has decreased. These campaigns have been used for broadly targeting consumers, as well as specifically targeting essential industry sectors such as health care.
In past years, cybercriminals focused on malware attacks. More recently, they have shifted their focus to phishing attacks (roughly 70% of the attacks we observe) as a more direct means to achieve their goal of harvesting people’s credentials. To trick people into giving up their credentials, attackers often send emails imitating top brands. Based on our Office 365 telemetry, the top spoofed brands used in these attacks are Microsoft, UPS, Amazon, Apple and Zoom.
Additionally, we are seeing attack campaigns that are rapidly changed, or morphed, to evade detection. Morphing is applied across sending domains, email addresses, content templates and URL domains. The goal is to multiply the combinations of variations so that no single indicator repeats often enough to be blocked, which is why defenses keyed on individual senders or URLs fall behind.
Nation-state actors are shifting their targets
Nation-states have shifted their targets to align with the evolving political goals in the countries where they originate.
Microsoft observed 16 different nation-state actors either targeting customers involved in the global COVID-19 response efforts or using the crisis in themed lures to expand their credential theft and malware delivery tactics. These COVID-themed attacks targeted prominent governmental health care organizations in efforts to perform reconnaissance on their networks or people. Academic and commercial organizations involved in vaccine research were also targeted.
In recent years there has been an important focus on vulnerabilities in critical infrastructure. While we must remain vigilant and continue to increase security for critical infrastructure, and while these targets will continue to be attractive to nation-state actors, in the past year such actors have largely focused on other types of organizations. In fact, 90% of our nation-state notifications in the past year have gone to organizations that do not operate critical infrastructure. Common targets have included nongovernmental organizations (NGOs), advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security. This trend suggests nation-state actors have been targeting those involved in public policy and geopolitics, especially those who might help shape official government policies. Most of the nation-state activity we observed in the past year originated from groups in Russia, Iran, China and North Korea.
Each nation-state actor we track has its own preferred techniques and the report details the preferred ones for some of the most active groups.
Ransomware continues to grow as a major threat
The Department of Homeland Security, FBI and others have warned us all about ransomware, especially its potential use to disrupt the 2020 elections. What we’ve seen supports the concerns they’ve raised.
Encrypted and lost files and threatening ransom notes have now become the top-of-mind fear for most executive teams. Attack patterns demonstrate that cybercriminals know when there will be change freezes, such as holidays, that will impact an organization’s ability to make changes (such as patching) to harden their networks. They’re aware of when there are business needs that will make organizations more willing to pay ransoms than incur downtime, such as during billing cycles in the health, finance and legal industries.
Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim’s system – compromising, exfiltrating data and, in some cases, ransoming quickly – apparently believing that there would be an increased willingness to pay as a result of the outbreak. In some instances, cybercriminals went from initial entry to ransoming the entire network in under 45 minutes.
At the same time, we also see that human-operated ransomware gangs are performing massive, wide-ranging sweeps of the internet, searching for vulnerable entry points, as they “bank” access – waiting for a time that is advantageous to their purpose.
Working from home presents new challenges
We all know that COVID-19 has accelerated the work-from-home trend that was already well underway in 2019.
Traditional security policies within an organization’s perimeter have become much harder to enforce across a wider network made up of home and other private networks and unmanaged assets in the connectivity path. As organizations continue to move applications to the cloud, we’re seeing cybercriminals increase distributed denial of service (DDoS) attacks to disrupt user access and even obfuscate more malicious and harmful infiltrations of an organization’s resources.
It’s also important to address the human element as fundamental to a secure workforce by looking at challenges such as insider threats and social engineering by malicious actors. In a recent survey conducted by Microsoft, 73% of CISOs indicated that their organization encountered leaks of sensitive data and data spillage in the last 12 months, and that they plan to spend more on insider risk technology owing to the COVID-19 pandemic.
During the first half of 2020, we saw an increase in identity-based attacks using brute force against enterprise accounts. This technique uses systematic guessing, lists of common passwords, credentials dumped from previous breaches or similar methods to authenticate to a device or service as the victim. Given how often passwords are guessed, phished, stolen with malware or reused, it’s critical for people to pair passwords with a second, strong form of credential. For organizations, enabling MFA is an essential call to action.
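The two shapes that brute-force activity takes against enterprise accounts look different in sign-in logs: a noisy run of failures against one account from one source, and a low-and-slow "spray" in which one source tries a password list across many accounts, a few attempts per account, so that no single account trips a lockout. The Python below is an added example, not code from Microsoft or from the report; it detects both patterns over a constructed, simplified sign-in log (timestamp, user, source IP, result) and then flags any success coming from a source that was already attacking, which is the event that matters for response. The log format, thresholds and windows are assumptions chosen for illustration.

```python
"""Brute-force and password-spray detection over a simplified sign-in log.

Added example; the CSV layout (timestamp,user,source_ip,result) and the
thresholds are assumptions, not a real product's log format or defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a brute force against 'alice' from 203.0.113.7,
# a password spray (one attempt per account) from 198.51.100.9 that
# eventually succeeds against 'frank', and a user mistyping once.
SAMPLE_LOG = """\
2020-06-01T08:00:00Z,alice,203.0.113.7,FAILURE
2020-06-01T08:00:02Z,alice,203.0.113.7,FAILURE
2020-06-01T08:00:04Z,alice,203.0.113.7,FAILURE
2020-06-01T08:00:06Z,alice,203.0.113.7,FAILURE
2020-06-01T08:00:08Z,alice,203.0.113.7,FAILURE
2020-06-01T08:00:10Z,alice,203.0.113.7,FAILURE
2020-06-01T08:05:00Z,bob,198.51.100.9,FAILURE
2020-06-01T08:06:00Z,carol,198.51.100.9,FAILURE
2020-06-01T08:07:00Z,dave,198.51.100.9,FAILURE
2020-06-01T08:08:00Z,erin,198.51.100.9,FAILURE
2020-06-01T08:09:00Z,frank,198.51.100.9,SUCCESS
2020-06-01T08:10:00Z,grace,198.51.100.9,FAILURE
2020-06-01T09:00:00Z,bob,192.0.2.44,FAILURE
2020-06-01T09:00:30Z,bob,192.0.2.44,SUCCESS
"""


def parse(log):
    """Return a list of (timestamp, user, source_ip, succeeded) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, user.strip().lower(), ip.strip(), result.strip() == "SUCCESS"))
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """(source_ip, user) pairs with >= threshold failures inside one window."""
    failures = defaultdict(list)
    for when, user, ip, ok in events:
        if not ok:
            failures[(ip, user)].append(when)
    hits = {}
    for key, times in failures.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            hits[key] = peak
    return hits


def detect_password_spray(events, min_users=5, max_per_user=2, window=timedelta(hours=1)):
    """Sources that fail against many distinct accounts, few attempts each."""
    per_ip = defaultdict(lambda: defaultdict(list))  # ip -> user -> failure times
    for when, user, ip, ok in events:
        if not ok:
            per_ip[ip][user].append(when)
    hits = {}
    for ip, users in per_ip.items():
        # Low-and-slow: keep only accounts that saw at most a few failures,
        # so a single noisy brute force does not masquerade as a spray.
        spread = {u: t for u, t in users.items() if len(t) <= max_per_user}
        if len(spread) < min_users:
            continue
        first_attempts = [min(t) for t in spread.values()]
        if max_in_window(first_attempts, window) >= min_users:
            hits[ip] = sorted(spread)
    return hits


def triage(log):
    """Run both detectors and list successes from sources already seen attacking."""
    events = parse(log)
    brute = detect_brute_force(events)
    spray = detect_password_spray(events)
    attacking = {ip for ip, _ in brute} | set(spray)
    compromised = sorted({(ip, user) for _, user, ip, ok in events if ok and ip in attacking})
    return {"brute_force": brute, "password_spray": spray, "likely_compromised": compromised}


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The spray detector deliberately counts accounts rather than attempts, and only first attempts per account, because an attacker pacing one guess per account per hour never exceeds a per-account lockout threshold; the "likely_compromised" list is the item to act on first, since it is the account that MFA would have protected even after the password was guessed.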
A community approach to cybersecurity is critical
At Microsoft, we use a combination of technology, operations, legal action and policy to disrupt and deter malicious activity.
As a technical measure, for example, we are investing in sophisticated campaign clustering intelligence in Microsoft 365 to enable security operations center (SOC) teams to piece together these increasingly complex campaigns from their fragments. We also try to make it more difficult for criminals to operate by disrupting their activities through legal action. By taking proactive action to seize their malicious infrastructure, the bad actors lose visibility, capability and access across a range of assets previously under their control, forcing them to rebuild. Since 2010, our Digital Crimes Unit has collaborated with law enforcement and other partners on 22 malware disruptions, resulting in over 500 million devices rescued from cybercriminals.
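Campaign clustering is the counterpart of the morphing described under "Criminal groups are evolving their techniques": when senders, addresses and URL domains change on every wave, indicator-by-indicator blocking keeps missing, but the lure template underneath changes much less. The Python below is an added example, not Microsoft's clustering code or anything from the report; it strips the volatile parts (URLs, numbers) from a handful of constructed phishing messages, compares what remains with bigram shingles and Jaccard similarity, and groups messages that are close enough into one campaign, then lists how many distinct sender domains and URL hosts that one campaign used. The message layout, sample messages and 0.25 threshold are assumptions for illustration.

```python
"""Cluster morphed phishing messages into campaigns by template similarity.

Added example. Message dicts, sample content and the similarity threshold
are constructed for illustration; none of this is from the report.
"""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: m1-m3 are one "unusual sign-in" lure morphed across
# sender domains, wording and URL hosts; m4 is an unrelated newsletter.
SAMPLE_EMAILS = [
    {"id": "m1", "from": "security@micros0ft-alerts.example",
     "subject": "Unusual sign-in activity",
     "body": "We detected an unusual sign-in to your account. Review activity here: "
             "https://login-verify.example/a1b2c3 within 24 hours or your account will be locked."},
    {"id": "m2", "from": "alerts@account-notice.example",
     "subject": "Unusual sign in activity detected",
     "body": "We detected unusual sign in to your account. Review the activity at "
             "https://secure-check.example/x9y8 within 24 hours or your account will be suspended."},
    {"id": "m3", "from": "no-reply@verify-mail.example",
     "subject": "Action required: unusual sign-in",
     "body": "Unusual sign-in to your account was detected. Review activity here: "
             "https://id-review.example/q7w8e9 within the next 24 hours or your account will be locked."},
    {"id": "m4", "from": "newsletter@shop.example",
     "subject": "Weekly deals",
     "body": "This week's deals on garden furniture. Browse the catalogue at "
             "https://shop.example/deals and save 20%."},
]

URL_RE = re.compile(r"https?://\S+")
HOST_RE = re.compile(r"https?://([^/\s]+)")
NUM_RE = re.compile(r"\d+")


def normalize(text):
    """Replace the parts attackers rotate (URLs, numbers) with placeholders."""
    text = URL_RE.sub(" URL ", text)      # URLs first, so digits inside them are not split
    text = NUM_RE.sub(" NUM ", text)
    text = re.sub(r"[^a-z ]+", " ", text.lower())
    return text.split()


def shingles(tokens, k=2):
    return {" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def template_shingles(msg):
    return shingles(normalize(msg["subject"] + " " + msg["body"]))


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_campaigns(messages, threshold=0.25):
    """Single-linkage grouping: messages whose templates overlap join one campaign."""
    sh = {m["id"]: template_shingles(m) for m in messages}
    parent = {m["id"]: m["id"] for m in messages}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(messages, 2):
        if jaccard(sh[a["id"]], sh[b["id"]]) >= threshold:
            parent[find(a["id"])] = find(b["id"])
    groups = defaultdict(list)
    for m in messages:
        groups[find(m["id"])].append(m["id"])
    return sorted(sorted(g) for g in groups.values())


def campaign_indicators(messages, member_ids):
    """Distinct sender domains and URL hosts a campaign used: the morphed layer."""
    by_id = {m["id"]: m for m in messages}
    senders = {by_id[i]["from"].split("@", 1)[1] for i in member_ids}
    hosts = {h for i in member_ids for h in HOST_RE.findall(by_id[i]["body"])}
    return senders, hosts


if __name__ == "__main__":
    for group in cluster_campaigns(SAMPLE_EMAILS):
        print(group, campaign_indicators(SAMPLE_EMAILS, group))
```

The three morphed messages share no sender domain and no URL host, so a blocklist built from the first wave catches none of the later ones; clustered on the normalized template they fall into a single campaign, which is the unit a SOC can act on (block the template pattern, hunt for every member, and attribute follow-on waves to the same actor).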
Even with all of the resources we dedicate to cybersecurity, our contribution will only be a small piece of what’s needed to address the challenge. It requires policymakers, the business community, government agencies and, ultimately, individuals to make a real difference, and we can only have significant impact through shared information and partnerships. This is one of the reasons we initially launched Microsoft’s Security Intelligence Report in 2005, and it’s one of the reasons we’ve evolved that report into this new Digital Defense Report. We hope this contribution will help us all work together better to improve the security of the digital ecosystem.