
3/15/2018
05:05 PM

Microsoft Report: Cybersecurity's Top 3 Threats Intertwine

Botnets, ransomware, and simple attack methods dominate the threat landscape and build on each other to drive effectiveness.

Cybercrime is a business, and hackers are looking for cheap strategies to maximize impact and minimize cost. Simple attack methods are one of three key themes permeating version 23 of the Microsoft Security Intelligence Report, which was released today.

This edition of the biannual report spans enterprise and consumer cloud services and draws on the 400 billion emails, 450 billion authentications, 18+ billion webpage scans, and 1.2 billion device scans that Microsoft processes each month. The three key topics are botnets, hacker tactics, and ransomware.

Interestingly, researchers point out, these three areas overlap with one another. Ransomware (along with Trojans and backdoors) was a common form of malware distributed by the Gamarue botnet, which Microsoft helped take down in 2017. The threat also arrives in weaponized documents attached to phishing emails, a simple and effective form of cyberattack.

Here, we dig into each of the threats Microsoft prioritized:

Bringing Down Botnets
Microsoft's Digital Crimes Unit (DCU) has been taking down botnets since the Conficker botnet disruption in 2008. In November 2017, it coordinated the takedown of the Gamarue botnet (also known as Andromeda), the culmination of an effort that started in December 2015.

The DCU, Windows Defender Security Intelligence Teams, and ESET teamed up to analyze the botnet, which involved researching more than 44,000 malware samples. Gamarue's command-and-control servers had 1,214 domains and IP addresses, 464 botnets, and 80+ related malware families.

Its primary goal was to distribute several prevalent forms of malware. Since 2011, Gamarue had evolved through five versions, distributing both Petya and Cerber ransomware, Kasidet malware, the Lethic spambot, and the info-stealing malware Ursnif, Carberp, and Fareit. Like many bots, it was sold as a crime kit on the cyber underground.

The disruption caused Gamarue-infected devices to connect to a sinkhole; so far, infected devices from 23 million IP addresses have done so. The sinkhole has seen a 30% decrease in Gamarue victims around the world, but businesses should still be on guard. In January and February 2018, there were still 26 million infected devices connecting to Gamarue.

"No harm will come to them because they're no longer part of the criminal infrastructure, but they're still connected," says Johnnie Konstantas, senior director of Microsoft's Enterprise Cybersecurity Group.

"There's money to be made in the renting and leasing of botnets themselves," says Konstantas. While all of Gamarue's command-and-control servers are disconnected, "you still have a lot of infected devices out there."

Easy, Effective Cyberattacks
It's tough to evade increasingly capable security tools, so hackers are turning to an easier and cheaper method: tricking people. They commonly use social engineering, legitimate software features, and poorly secured cloud applications to dupe users into falling for attacks.

Office 365 Advanced Threat Protection found phishing was the top threat vector for Office 365-based threats in the second half of 2017, at 53% of attacks. An attacker can spam a thousand people with a phishing campaign; only one needs to click for it to be effective. Three-quarters of emails contain malicious links, Konstantas points out.

"Phishing emails are becoming a lot more sophisticated," she says. "They've gone from offers that are ridiculous and too good to be true, to ones that are highly targeted."

In brand phishing schemes, for example, an attacker disguises the email to come from a popular company (Apple, Amazon, and Dropbox are common) to convince a target to click a malicious link. More advanced phishing emails factor in users' personal information to feign legitimacy. User impersonation techniques were low in volume but high in severity, Microsoft reports.

Researchers surveyed more than 30 cloud applications and found 79% of SaaS storage apps and 86% of SaaS collaboration apps do not encrypt data at rest and in transit, leaving information exposed. Poor encryption could let an attacker compromise data after infecting an app; a lack of Web security could let them execute application-layer attacks.

"You want encryption of data at rest and encryption of data in motion," Konstantas notes. If an employee is using corporate data in an unsecured cloud app, "that is vulnerable because it's not encrypted, and it's in the clear and potentially accessible in an unwarranted way."

From October through November 2017, hackers exploited Microsoft Windows Dynamic Data Exchange (DDE), a tool that enables the transfer of Office files using shared memory. A new form of Locky ransomware was delivered using DDE, an instance of attackers abusing legitimate software.
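The DDE abuse described above leaves a recognizable trace in the document itself: a DDE or DDEAUTO field instruction in the Word XML. The scanner below is an added example (not from the Microsoft report or this article) that opens a .docx as the zip archive it is and reports such fields; the sample documents are constructed inline and the field's argument is a placeholder.

```python
"""Flag DDE/DDEAUTO field codes in .docx files (the Office feature abused to deliver Locky).

Added example, not code from the Microsoft report or the article. Word stores field
instructions either in <w:instrText> runs or in the w:instr attribute of <w:fldSimple>;
both are checked in the body, headers, footers and notes parts.
"""
import io
import re
import zipfile

DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
INSTR_TEXT_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.DOTALL)
FLD_SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"')
# XML parts that can carry field codes.
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")

def find_dde_fields(docx_bytes: bytes) -> list:
    """Return the DDE field keywords (upper-cased) found anywhere in the document."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not PART_RE.match(name):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            # Word may split one instruction across several w:instrText runs, so the
            # runs are concatenated directly (Word pads each instruction with spaces,
            # which keeps separate fields from fusing) before matching.
            texts = ["".join(INSTR_TEXT_RE.findall(xml))] + FLD_SIMPLE_RE.findall(xml)
            for text in texts:
                hits.extend(m.group(0).upper() for m in DDE_RE.finditer(text))
    return hits

def make_docx(body_xml: str) -> bytes:
    """Build a minimal, constructed .docx whose document.xml body contains body_xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    "<w:document><w:body>" + body_xml + "</w:body></w:document>")
    return buf.getvalue()

# Constructed samples: a benign DATE field, and a DDEAUTO field split across two runs.
BENIGN = make_docx('<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "/>')
SUSPECT = make_docx('<w:r><w:instrText> DD</w:instrText></w:r>'
                    '<w:r><w:instrText>EAUTO "placeholder" "arg" </w:instrText></w:r>')

if __name__ == "__main__":
    print(find_dde_fields(BENIGN))   # []
    print(find_dde_fields(SUSPECT))  # ['DDEAUTO']
```

Run it against a mail-gateway quarantine folder to triage attachments; any hit is worth a closer look, since legitimate documents rarely carry DDE fields.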

Raking in Ransom
Ransomware was everywhere in 2017 — in the Gamarue botnet, in phishing emails, in large-scale global attacks. The damage kicked off with WannaCry, which was soon followed by Petya/NotPetya and BadRabbit. Asia was hit with the most ransomware attacks, Microsoft says. The most common families were Win32/WannaCrypt, Win32/LockScreen, and Win32/Cerber.

"These are particularly insidious," says Konstantas. "What was also interesting about ransomware was, you had different types with different intents."

WannaCry, for example, was about collecting money. Petya/NotPetya was not. With the latter, the encryption key was not even recoverable by the attackers, so victims' data was effectively destroyed. It was less about making money than it was about disrupting governments.

Petya had a few different propagation mechanisms built in, she continues. The vulnerabilities it exploited were already known a month before the outbreak happened, highlighting the importance of system updates. Konstantas also emphasizes the importance of backups for critical systems and data.

"You never really want to pay the ransom, and in some cases, like NotPetya, the data is destroyed anyway," she points out.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
