This week, Microsoft released their Digital Defense Report. This annual report, first published in 2005, covers cybersecurity trends for the past year. The 2020 report shows that attackers are more sophisticated than in the past years and prefer techniques such as credential harvesting, ransomware and VPN exploits. IoT devices are also favored targets.
Cybercrime Is A Business
“Cybercrime is a business”, Microsoft says in their 2020 Digital Defense Report. “Like any other business, there’s a need to innovate to be profitable and successful.” This means that some types of cybercrime persist over the years, while others are fueled by changes in the economic, political or social climate. The report also addresses opportunistic cybercriminals who capitalize on the Covid-19 pandemic and other disruptive events to lure users into clicking on malicious links and attachments. To achieve this, they often impersonate trusted sources, like the WHO.
Phishing and business email compromise techniques are also evolving quickly. With harvesting user credentials and ransomware attacks being the most common reasons for such cybercrimes. “Human-operated ransomware gangs are performing massive, wide-ranging sweeps of the internet, searching for vulnerable entry points, as they bank access, waiting for a time that’s advantageous to their purpose […] In some instances, cybercriminals went from initial entry to ransoming the entire network in less than 45 minutes”, the report says.
Microsoft also highlights the dangers of managed service providers (third parties that provide a specific service and are allowed on a company’s network), open-source software libraries, as well as IoT devices. Data from the first half of 2020 indicates a 35% increase in IoT threats. In most cases, cybercriminals are able to gain access using default credentials.
Well-Funded and Well-Trained Nation State Actors
The past year has been particularly busy for nation-state hacking groups (also known as APTs). They are generally well-resourced, persistent and very capable. The top targeted sectors are NGOs (32%), professional services (31%), government organizations (13%), international organizations (10%), IT firms (7%) and the educational sector (7%).
More recently, an increasing number of state actors have taken advantage of the coronavirus crisis, political events such as the US presidential elections, and announcements surrounding the 2020 Olympic Games, to launch targeted phishing campaigns. Their aim is to steal user credentials and deploy malware. State actors mostly use techniques such as password spraying, penetration testing tools, sophisticated spear-phishing, web shells to backdoor servers as well as VPN exploits.
Over the years, Microsoft disabled false domains belonging to several nation-state cybercrime groups such as Thallium, from North Korea, the Chinese hacking group Barium, Russia’s cyber espionage group Strontium (aka Fancy Bear and APT28), and Phosphorus, a cybercrime group with ties to Iran.
Remote Workforce Comes with New Challenges
Although there have been more opportunities to work from home in recent years, the sudden and massive move to working from home during the Covid-19 pandemic brought with it new security challenges. Microsoft identified 3 areas of risk: infrastructure security, including VPN architecture and virtualization; the human element; and enterprise resilience.
The move to the cloud was accompanied with a sharp increase in DDoS attacks, up to 50% more than before Covid-19. Worryingly, DDoS attacks are often just a smoke screen. Cybercriminals regularly attack the “front door” while, for example, working on a back-end server. In this way, they keep the security team busy with something “urgent”, like keeping the company website up, while they secretly steal data. Furthermore, with more personnel working from home, response times might be less efficient than usual.
Also concerning, is the fact that the vast majority of compromised enterprise accounts didn’t use multi-factor authentication. “During the first half of 2020, we saw an increase in identity-based attacks using brute force on enterprise accounts. This attack technique uses systematic guessing, lists of passwords, dumped credentials from previous breaches or other similar methods to forcibly authenticate to a device or service.”
8 Trillion Security Signals per Day
Microsoft serves billions of customers, ranging from large companies and organizations to small businesses and consumers. As such, the tech giant is in a unique position to gather and analyze data that provides more insight into cybercrime and cybersecurity trends.
Pairing a global team of security experts with machine learning and AI systems, Microsoft scanned more than 470 billion emails, over 600 billion documents and 18 million URLs per month. Over the same period, they also blocked 5 billion threats, authenticated 630 billion events and delivered 4.1 billion meeting minutes. In total, this equals more than 8 trillion security signals per day.
The last section of the 88-page 2020 Digital Defense Report details steps companies and individuals should take to minimize cybersecurity threats.