Microsoft Discovers Increasingly Sophisticated Cyber Threats


Microsoft has published the new Digital Defense Report, and it reveals new types of cyber threats that target people around the world.

"Microsoft released a new annual report, Digital Defense Report, which looks at the cybersecurity trends of the past year. This report reveals that cyber attackers have become increasingly sophisticated over the past year, using techniques that make them harder to detect and threaten even the most experienced targets. 

In addition to attacks becoming more sophisticated, threats show clear preferences for certain techniques, with notable shifts towards identity collection and ransomware, as well as an increasingly strong focus on Internet of Things (IoT) devices. Among the most significant statistics regarding these trends are the following:

  • In 2019, more than 13 billion malicious and suspicious emails were blocked, of which more than 1 billion were URLs created with the explicit purpose of launching a phishing attack. 
  • Ransomware is the most common incident response trigger in businesses between October 2019 and July 2020. 
  • The most common attack techniques used by state actors over the past year are reconnaissance, identity collection, malware, and virtual private network (VPN) exploits. 
  • IoT threats are constantly expanding and evolving. The first half of 2020 saw a roughly 35% increase in total attack volume compared to the second half of 2019. 

With attacks becoming increasingly sophisticated over the past year, it is more important than ever that all organizations, whether government agencies or businesses, invest in people and technology to stop attacks, and that people focus on the basics, such as regularly applying security updates, comprehensive backup policies, and enabling multi-factor authentication (MFA).

Tom Burt, Corporate Vice President, Customer Security & Trust, summarizes in a Microsoft blog post some of the most important ideas from this year's report, including suggestions for people and companies:

Criminal groups are developing their techniques 

Criminal groups are skilled and ruthless. They have become adept at developing the techniques they apply to increase their success rate through different phishing techniques, adjusting the types of attacks they execute, or finding new ways to hide their activity. 

Over the past few months, cybercriminals have applied their well-honed tactics and malware against human curiosity and the need for information. Attackers are opportunistic and change lure themes daily to align with news cycles, as seen in how they took advantage of the COVID-19 pandemic. While the overall volume of malware has been relatively constant over time, attackers have taken advantage of the global sense of concern and information flow associated with the pandemic. In recent months, the volume of phishing attacks related to COVID-19 has decreased. These campaigns were used to target consumers and specifically key industry sectors such as healthcare.

In recent years, cybercriminals have focused on malware attacks. More recently, they have focused their attention on phishing attacks (~70%) as a more direct means of achieving their goal of collecting people's identification data. To trick people into divulging their credentials, attackers often send emails impersonating top brands. Based on Office 365 telemetry, the top counterfeit brands used in these attacks are Microsoft, UPS, Amazon, Apple, and Zoom.

Additionally, there are attacks that are quickly morphed or modified to evade detection. Morphing is used in sending domains, email addresses, content templates and URL domains to increase the combination of variations to remain undetectable.

State actors change their goals

State actors have shifted their goals to align with evolving political goals in their countries of origin.

Microsoft observed sixteen state actors either targeting customers involved in global COVID-19 response efforts or using the crisis to expand their identity theft and malware delivery tactics. These COVID-related attacks targeted prominent government healthcare organizations to perform reconnaissance techniques on their networks or individuals. Academic and commercial organizations involved in research to create a vaccine were also targeted. 

This trend may suggest that state actors targeted those involved in public policy and geopolitics, particularly those who could help shape official government policies. Last year, most state actor activity came from groups in Russia, Iran, China and North Korea.

Each state actor we track has its own preferred techniques, and the report details the techniques preferred by some of the most active criminal groups. 

Ransomware – a growing major threat 

Encrypted and lost files and threatening ransom notes have now become the primary concern for most management teams. Attack patterns demonstrate that cybercriminals know the times that will affect an organization's ability to make changes (e.g. patching) to harden their networks, such as holidays. They are aware of when there are business needs for which organizations will be more willing to pay ransoms than endure downtime, such as during billing cycles in the healthcare, finance and legal sectors.

Attackers have exploited the COVID-19 crisis to reduce their time on a victim's system – compromising, extracting data and, in some cases, executing ransomware attacks on the fly – apparently believing there would be an increased willingness to pay as a result of the outbreak. In some cases, cybercriminals went from initially breaking into the system to spreading ransomware throughout the network in less than 45 minutes.

Working from home presents new challenges

Traditional security policies at the perimeter of an organization have become much more difficult to enforce in a larger network consisting of home and other private networks and unmanaged connectivity assets. In a recent Microsoft survey, 73% of Chief Information Security Officers (CISOs) indicated that their organization had experienced sensitive data leaks and spills in the past 12 months and that they plan to spend more on insider risk technology due to the COVID-19 pandemic.

The first half of 2020 saw an increase in brute-force identity attacks on enterprise accounts. This attack technique uses systematic guesswork, password lists, abandoned credentials from previous breaches, or other similar methods to force authentication into a device or service. Given the frequency of passwords being guessed, phished, stolen with malware, or reused, it's critical that people associate passwords with a second form of strong authentication. For organizations, enabling MFA is essential."