Cloud

8/17/2017
05:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Microsoft Report: User Account Attacks Jumped 300% Since 2016

Most of these Microsoft user account compromises can be attributed to weak, guessable passwords and poor password management, researchers found.

Microsoft researchers detected a 300% increase in user accounts attacked over the past year, and 44% growth in the number of account sign-ins attempted from malicious IP addresses.

The data comes from Microsoft's latest Security Intelligence Report (SIR) released today with data from Q1 2017, and discusses vulnerabilities, exploits, malware, and unwanted software. Intelligence comes from billions of security signals Microsoft processes in its consumer and enterprise services each month.

This report represents a couple of changes from the usual SIR. Data is split into two categories, cloud and endpoint, and represents a shorter timeframe of one financial quarter compared with the usual six-month window. Microsoft says it plans to share data on a more regular basis.

Here's a closer look at the findings, gathered by Microsoft's identity security and protection team:

Account compromise and cloud weaponization

With respect to the 300% jump in user account attacks, most were the result of weak, guessable passwords, followed by targeted phishing attacks and breaches of third-party services. As more sites are breached and passwords stolen, more attackers will attempt to reuse victims' credentials on multiple websites.

"One of the most critical things a user can do to protect themselves is to use a unique password for every site and never reuse passwords across multiple sites," the report states. Businesses can further cut their risk by telling users to adopt complex passwords, multi-factor authentication, and solutions for credential protection and risk-based conditional access.

The 44% spike in sign-in attempts from malicious IP addresses could be reduced with security policies focused on risk-based conditional access. Researchers suggest comparing requesting devices' IP addresses to a set of known IP addresses and trusted devices.

Attackers frequently compromise cloud services like Azure to enter a business and weaponize virtual machines so they can launch attacks like spam campaigns, brute force attacks, phishing, and port scanning.

The Azure Security Center, which monitors for cloud weaponization, discovered 51% of outbound attacks involved communication with malicious IP addresses. Twenty-three percent were RDP brute force attacks, 19% were spam, 3.7% involved port scanning or sweeping, and 1.7% involved SSH brute force.

More than two-thirds of incoming attacks on Azure services came from IP addresses in China and the United States, at 35.1% and 32.5%, respectively. More than 89% of malicious IP addresses contacted by compromised Azure virtual machines were located in China; only 4.2% were located in the US.

Key business challenges in protecting against cloud attacks include mitigating unauthorized access to cloud accounts, and preventing attackers from using the cloud to gain a foothold, says Microsoft.

Global growth of ransomware

Ransomware attacks disproportionately hit customers in Europe compared with the rest of the world. In March 2017, targets included the Czech Republic (0.17%), Italy (0.14%), Hungary (0.14%), Spain (0.14%), Romania (0.13%), Croatia (0.13%), and Greece (0.12%), all of which had above-average ransomware rates for the month.

"Attackers evaluate several factors when determining what regions to target, including country GDP, average age of computer users and Bitcoin or available method of payment, among others," a Microsoft spokesperson said. "Language of a region is also a major component. Outcomes depend on an attacker’s ability to personalize a message to convince a user to click through or run a malicious file."

Ransomware overall is growing, as indicated by respondents in the Dark Reading Strategic Security Survey. Twenty-three respondents reported falling victim to ransomware, a slight uptick from 20% the year prior.

"The prevalence of ransomware attacks necessitates that all companies have playbooks detailing how their security teams will identify and respond to a ransomware incident in both their production and corporate environments," says Dr. Chris Pierson, CSO of Viewpost, adding how it's imperative to both create and practice plans.

"When looking at the ransomware response, we must move beyond AV to more anomaly-based controls that can identify and stop the mass encryption of various devices and servers," he adds. "We must also ensure the response includes the ability to stop lateral movement in the company," he says. Microsegmentation can help prevent this expansion.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Go phishing

Sites targeting online services made up the largest number of active phishing URLs during 1Q17. Those targeting financial institutions accounted for the second-largest share of attacks in Q1 and largest share of impressions for both February and March.

On a geographical level, countries hosting higher-than-average concentrations of phishing websites included Ukraine (13.2 per 1,000 hosts in March), South Africa (10.3), Indonesia (9.6), and Denmark (9.7). Regions with low concentrations included China (0.6), Taiwan (0.6), Korea (0.7), and Mexico (1.2).

A phishing study from Imperva discovered most attackers don't hesitate to click links or open documents. Most neglect to use sandboxes or anonymity services to cover their tracks, giving outsiders the ability to track them.

"Timely detection of the credential theft, either by the victim or by his organization, and taking measures to re-protect the account, in this case revoking the password, reduce dramatically the chances of the account being actually hacked," says Luda Lazar, cyber threat researcher at Imperva.

Malware impressions were more common than phishing impressions during Q1. There were 381 malware impressions per 1M pageviews in March, compared with 13.0 phishing attempts for the same amount of pageviews. Malware primarily affected Hungary, Egypt, and Indonesia.

China, which had a comparatively low concentration of phishing sites, had one of the highest levels of malware hosts, with 45.9 malware hosting websites per 1,000 hosts. Other hotspots for malware hosting included Singapore (21.6), Ukraine (19), and Hong Kong (18.9).

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sbuerger87
50%
50%
sbuerger87,
User Rank: Apprentice
8/25/2017 | 7:51:52 AM
Stricter password controls
It would be great if Microsoft would have better password complexity control options such as dictionary checking or checks against common passwords or similarity controls. I find it a bit ironic that they are the ones issuing this report.
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2013-2516
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.