
Ransomware Reigns, as Cyberattacks Increase in Sophistication, Frequency

Microsoft’s Digital Defense Report shows attackers are rapidly increasing both the sophistication and frequency of cyberattacks, with ransomware the most common reason for incident response engagements.

From October 2019 to July 2020, Microsoft telemetry shows attackers rapidly improved the sophistication and increased the frequency of their attacks. Among Microsoft's incident response engagements, ransomware was the most common cause. 

The report arrives as the Universal Health Services health system is still recovering from what appears to be one of the largest ransomware attacks in recent history, and as nearly a dozen healthcare entities in the past month have either faced similar incidents or had their data leaked online by ransomware actors. 

Microsoft’s Digital Defense Report details these cybersecurity trends from the past year based on the company's telemetry. In total, Microsoft blocked 13 billion malicious and suspicious emails in 2019, more than 1 billion of which carried URLs set up for the explicit purpose of credential phishing. 

The data show attackers using techniques that make their activity harder for victims to detect and that “threaten even the savviest of targets.” Threat actors also show a clear preference for certain techniques: credential harvesting, reconnaissance, malware, and ransomware. 

“We’ve seen that cybercriminals continue—and sometimes escalate—their activity in times of crisis,” researchers explained. 

“For example, nation-state actors are engaging in new reconnaissance techniques that increase their chances of compromising high-value targets, criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services, and attackers have developed new ways to scour the internet for systems vulnerable to ransomware,” they added. 

Nation-state actors have also shown a preference for VPNs. Microsoft explained that the MANGANESE group is known to target companies, including those in the public health and healthcare sectors, using stealthy techniques to maintain a presence on a victim’s network for long periods and relying heavily on VPN providers for infrastructure, which reduces its footprint. 

For some victims, the group has sustained operations over several years. MANGANESE typically maintains this access with stolen credentials, commonly connecting through legitimate remote-access accounts to reduce the chance of detection. 

Further, amid COVID-19, cybercriminals have preyed on fears around the pandemic, and email phishing targeting enterprises has continued to dominate. Microsoft found that healthcare providers and hospitals, along with consumers, were the most targeted during the pandemic. 

In response to growing awareness of phishing techniques, attackers are now investing more time and resources in scams sophisticated enough to evade detection and dupe even skilled users. 

Phishing and business email compromise (BEC) attacks are evolving quickly. Where these attacks previously relied heavily on delivering malware, credential harvesting and ransomware have become the leading objectives. 

Meanwhile, researchers observed human-operated ransomware groups scanning the internet in massive, wide-ranging sweeps for vulnerable endpoints in order to “bank access, waiting for a time that’s advantageous to their purpose.” 

“The lack of basic security hygiene in any given ecosystem continues to enable cybercriminals to use well-known vulnerabilities—or new variants of them—to exploit their environments,” researchers explained.  

“They also were observed to leverage the fear and uncertainty associated with COVID-19 with great success,” they added. “While the COVID-19-themed attacks represent a small percentage of the total of malware we observed, our tracking of these themed attacks shows how rapidly cybercriminals move to adapt their lures to the topics of the day.” 

Concerningly, Microsoft also observed attackers using the COVID-19 crisis to compress the time from initial compromise to ransomware deployment on a victim’s system: quickly compromising it, exfiltrating data, and then often dropping a ransomware payload. 

Another notable finding: attackers are combining BEC and credential phishing to “deliver more sophisticated kill chains.” The attack begins with credential phishing. Once the attacker holds valid credentials, they set up mailbox forwarding rules to monitor the victim's mail for financial transactions. 

The attacker then inserts an impersonation email into an existing, legitimate thread to misdirect payments or steal data. Microsoft found attackers primarily target the C-suite and lean on brand impersonation. 
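The rule-creation step of that kill chain is also the easiest to catch after the fact, because creating a forwarding rule leaves an audit event. What follows is an added example, not code from Microsoft's report or from any Microsoft tool, that scores mailbox-rule audit events for the indicators described above: forwarding outside the tenant, hiding or deleting matched mail, finance-related subject filters, and near-empty rule names. The event shape (an Operation plus a Parameters list of Name/Value pairs) is assumed to follow Exchange Online mailbox-audit records; the sample events, the example.com tenant domain, and the keyword lists are constructed for the example.

```python
import re

# Assumption: events follow the shape of Exchange Online mailbox-audit records
# (Operation plus a Parameters list of Name/Value pairs). These are constructed
# samples, not records from the report.
SAMPLE_EVENTS = [
    {"UserId": "cfo@example.com", "Operation": "New-InboxRule", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "ForwardTo", "Value": "\"Finance Archive\" [SMTP:finance.archive@mail-example.net]"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "alice@example.com", "Operation": "New-InboxRule", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Team updates"},
                    {"Name": "From", "Value": "hr@example.com"},
                    {"Name": "MoveToFolder", "Value": "HR"}]},
    {"UserId": "bob@example.com", "Operation": "Set-Mailbox", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.personal@mail-example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"UserId": "carol@example.com", "Operation": "New-InboxRule", "ClientIP": "198.51.100.11",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
]

INTERNAL_DOMAINS = {"example.com"}   # assumption: the tenant's own accepted domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
FINANCE_WORDS = {"invoice", "wire", "payment", "remittance", "bank", "ach", "transfer"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                  "archive", "conversation history"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _params(event):
    """Flatten the Parameters name/value list into a plain dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def _external_targets(params, internal_domains):
    """Forwarding/redirect addresses whose domain is outside the tenant."""
    hits = []
    for name in sorted(FORWARD_PARAMS.intersection(params)):
        for addr in EMAIL_RE.findall(params[name]):
            if addr.rsplit("@", 1)[1].lower() not in internal_domains:
                hits.append(f"{name}={addr}")
    return hits


def analyze_rule_events(events, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per rule/forwarding event that shows BEC indicators.

    severity is "high" for external forwarding, or for a rule that both hides
    matching mail and filters on finance terms; anything weaker is "low".
    """
    findings = []
    for ev in events:
        if ev.get("Operation") not in RULE_OPERATIONS:
            continue
        p = _params(ev)
        reasons = []

        external = _external_targets(p, internal_domains)
        if external:
            reasons.append("forwards outside the tenant: " + ", ".join(external))

        folder = p.get("MoveToFolder", "").strip()
        hides = (p.get("DeleteMessage", "").lower() == "true"
                 or folder.lower() in HIDING_FOLDERS)
        words = {w.strip().lower()
                 for key in ("SubjectContainsWords", "BodyContainsWords")
                 for w in p.get(key, "").split(";") if w.strip()}
        finance = sorted(words & FINANCE_WORDS)
        if hides and finance:
            reasons.append(f"hides mail matching finance terms {finance}")
        elif hides:
            reasons.append("hides matching mail" + (f" in folder {folder!r}" if folder else ""))

        name = p.get("Name", "").strip()
        if ev["Operation"] != "Set-Mailbox" and len(name) <= 1:
            reasons.append(f"near-empty rule name {name!r}")

        if not reasons:
            continue
        severity = "high" if external or (hides and finance) else "low"
        findings.append({"user": ev.get("UserId"), "ip": ev.get("ClientIP"),
                         "operation": ev["Operation"], "severity": severity,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_rule_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']} via {f['operation']} from {f['ip']}: "
              + "; ".join(f["reasons"]))
```

Run against the samples, the CFO's rule scores high on all three counts, Bob's mailbox-level forward scores high on the external target alone, Carol's "RSS Subscriptions" rule is only a low-severity hint, and Alice's ordinary filing rule is not reported. A real deployment would feed exported audit records into analyze_rule_events and pair the high-severity hits with the sign-in that preceded the rule creation.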

The healthcare sector was the sixth-most targeted industry for BEC attacks.

“While credential phishing and BEC continue to be the dominant variations, we also see attacks on a user’s identity and credential being attempted via password reuse and password spray attacks using legacy email protocols such as IMAP and SMTP,” researchers added. 
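A password spray looks different from a brute-force attempt in sign-in telemetry: many distinct accounts, one or two tries each, from the same source, often over a legacy protocol. The following is an added example, not code from the report or from any Microsoft product, that applies that test to constructed sign-in records. The record fields (timestamp, user, source IP, client protocol, result) are an assumption about how a sign-in export is shaped, and the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Protocols that authenticate with a bare username/password and so cannot
# present an MFA challenge; a spray over one of these is the case the report describes.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                    "Exchange ActiveSync", "Other clients"}


def _ev(ts, user, ip, client, result):
    return {"ts": ts, "user": user, "ip": ip, "client": client, "result": result}


# Constructed sample sign-ins (assumption: one record per attempt with these fields).
SAMPLE_SIGNINS = (
    # One source tries one password against eight accounts over IMAP, then lands one.
    [_ev(f"2020-06-01T09:0{i}:00", f"user{i}@example.com", "203.0.113.50", "IMAP4", "failure")
     for i in range(8)]
    + [_ev("2020-06-01T09:09:00", "user7@example.com", "203.0.113.50", "IMAP4", "success")]
    # One user fumbling their own password from a browser: many tries, one account.
    + [_ev(f"2020-06-01T09:1{i}:00", "alice@example.com", "198.51.100.20", "Browser", "failure")
       for i in range(6)]
    + [_ev("2020-06-01T09:17:00", "alice@example.com", "198.51.100.20", "Browser", "success")]
    # Ordinary successful login.
    + [_ev("2020-06-01T09:20:00", "bob@example.com", "198.51.100.30", "Browser", "success")]
)


def detect_password_spray(events, window_minutes=30, min_users=5, max_per_user=2):
    """One finding per source IP whose failures within any window hit at least
    min_users distinct accounts with at most max_per_user tries each: the
    spray signature, as opposed to brute force against a single account."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    findings = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] != "success"]
        best = None
        for i, start in enumerate(fails):            # slide a window over the failures
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if (len(per_user) >= min_users and max(per_user.values()) <= max_per_user
                    and (best is None or len(per_user) > len(best))):
                best = dict(per_user)
        if best is None:
            continue
        # A success for a sprayed account from the same source is the compromise to chase first.
        compromised = sorted({e["user"] for e in evs
                              if e["result"] == "success" and e["user"] in best})
        protocols = sorted({e["client"] for e in fails})
        findings.append({"ip": ip, "users": len(best), "protocols": protocols,
                         "legacy_auth": bool(set(protocols) & LEGACY_PROTOCOLS),
                         "compromised": compromised})
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print(f)
```

On the samples, only 203.0.113.50 is reported, with eight sprayed accounts over IMAP4 and user7 flagged as compromised; Alice's six failures against her own account do not match because the distinct-user count is one. Two caveats for real use: sprays are increasingly spread across many source IPs, so the same window should also be run tenant-wide or grouped by user agent rather than only per IP, and since IMAP and SMTP basic authentication cannot enforce MFA, disabling legacy authentication removes the channel rather than just detecting it.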

In total, Microsoft has blocked 1.6 billion URL-based email phishing threats. 

Lastly, web shell attacks are also on the rise: Microsoft detects an average of 77,000 web shells and related artifacts on roughly 46,000 unique machines each month. 

Microsoft noted that deploying strong authentication reduces the risk of data breaches and stops the vast majority of identity attacks. Passwordless options, such as an authenticator app, are best for both security and user experience. 

It’s also crucial for entities to apply security patches to all internet-facing systems to avoid falling victim to these attacks. 

As noted in recent Department of Homeland Security alerts, attackers are actively exploiting known vulnerabilities, such as those in Microsoft’s Netlogon protocol and in Pulse Secure VPNs. Both vendors have released fixes and mitigations, but some organizations have not applied them. 

Given the skill and persistence of attackers in 2020, entities should employ defense-in-depth security measures, including educating employees on how to avoid falling victim. 

“While nation state attacks are often sophisticated or can deploy zero-day vulnerabilities to gain access to networks, defense-in-depth strategies and proactive monitoring can greatly reduce the actor’s dwell time on a network, potentially enabling disruption of their activities before they reach their goals,” researchers said. 

“Above and beyond enabling MFA, IT departments should prioritize steps to mitigate lateral movement by attackers; specifically, credential hygiene and network segmentation,” they concluded. “To limit the damage of data exfiltration, information rights management can be applied to files. Building protective controls into your network will raise the threshold for attackers, improving your organization’s ability to detect anomalous activity in the environment.”
