05:05 PM
Microsoft Report: Cybersecurity's Top 3 Threats Intertwine

Botnets, ransomware, and simple attack methods dominate the threat landscape and build on each other to drive effectiveness.

Cybercrime is a business, and hackers are looking for cheap strategies to maximize impact and minimize cost. Simple attack methods are one of three key themes permeating version 23 of the Microsoft Security Intelligence Report, which was released today.

This edition of the biannual report spans enterprise and consumer cloud services, and analyzes the 400 billion emails, 450 billion authentications, 18+ billion webpage scans, and 1.2 billion device scans that Microsoft processes each month. The three key topics are botnets, hacker tactics, and ransomware.

Interestingly, researchers point out, these three areas overlap with one another. Ransomware (along with Trojans and backdoors) was a common form of malware distributed by the Gamarue botnet, which Microsoft helped take down in 2017. The threat is also embedded in weaponized documents attached to phishing emails, a simple and effective form of cyberattack.

Here, we dig into each of the threats Microsoft prioritized:

Bringing Down Botnets
Microsoft's Digital Crimes Unit (DCU) has been taking down botnets since the Conficker botnet disruption in 2008. In November 2017, it coordinated the takedown of the Gamarue botnet (also known as Andromeda), the culmination of an effort that started in December 2015.

The DCU, Windows Defender Security Intelligence Teams, and ESET teamed up to analyze the botnet, which involved researching more than 44,000 malware samples. Gamarue's command-and-control servers had 1,214 domains and IP addresses, 464 botnets, and 80+ related malware families.

Its primary goal was to distribute several different prevalent forms of malware. Since 2011, Gamarue had evolved through five versions, distributing both Petya and Cerber ransomware, Kasidet malware, the Lethic spambot, and the info-stealing malware Ursnif, Carberp, and Fareit. Like many bots, it was sold as a crime kit on the cyber underground.

The disruption caused Gamarue-infected devices to connect to a sinkhole instead of the criminal infrastructure; so far, infected devices from 23 million IP addresses have done so. The sinkhole has seen a 30% decrease in Gamarue victims around the world, but businesses should still be on guard. In January and February 2018, there were still 26 million infected devices connecting to the Gamarue sinkhole.

"No harm will come to them because they're no longer part of the criminal infrastructure, but they're still connected," says Johnnie Konstantas, senior director of Microsoft's Enterprise Cybersecurity Group.

"There's money to be made in the renting and leasing of botnets themselves," says Konstantas. While all of Gamarue's command-and-control servers are disconnected, "you still have a lot of infected devices out there."
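The sinkhole data described above is only useful to a defender who can tell which of their own hosts are still calling out to the dead infrastructure. The following script is an added example (not code from the article or from Microsoft's DCU) that scans DNS resolver logs for lookups of domains known to be sinkholed and groups the hits by client IP. The sinkholed domain list and the log lines are constructed placeholders; a real deployment would load the domain list published by the takedown coordinator and read its own resolver's log format.

```python
"""
Find internal hosts still beaconing to sinkholed botnet domains, using DNS
resolver logs. Added example; the domain list and log lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Optional

# Constructed placeholder set of domains redirected to a sinkhole by a takedown.
# A real deployment loads the list distributed by the takedown coordinator.
SINKHOLED_DOMAINS = {
    "c2-example-a.invalid",
    "c2-example-b.invalid",
}

# Constructed resolver log lines in the form "<ts> client=<ip> query=<name>".
SAMPLE_LOG = """\
2018-02-01T10:00:01Z client=10.0.1.15 query=www.example.com
2018-02-01T10:00:02Z client=10.0.1.15 query=c2-example-a.invalid
2018-02-01T10:00:03Z client=10.0.1.22 query=update.c2-example-b.invalid
2018-02-01T10:00:04Z client=10.0.1.22 query=c2-example-a.invalid
2018-02-01T10:00:05Z client=10.0.2.7 query=mail.example.org
2018-02-01T10:00:06Z client=10.0.1.15 query=c2-example-a.invalid
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+)$")


def matches_sinkhole(name: str) -> Optional[str]:
    """Return the sinkholed domain that `name` equals or is a subdomain of, else None.

    Walking the label suffixes catches bots that prepend a random or
    versioned label to the registered C2 domain."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SINKHOLED_DOMAINS:
            return candidate
    return None


def find_infected_hosts(log_text: str) -> Dict[str, Dict[str, int]]:
    """Map client IP -> {sinkholed domain -> number of lookups}."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        domain = matches_sinkhole(m["name"])
        if domain:
            hits[m["client"]][domain] += 1
    return {ip: dict(d) for ip, d in hits.items()}


def summarize(hits: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Count distinct client IPs and total sinkhole lookups."""
    return {
        "hosts": len(hits),
        "lookups": sum(sum(d.values()) for d in hits.values()),
    }


if __name__ == "__main__":
    result = find_infected_hosts(SAMPLE_LOG)
    for ip, domains in sorted(result.items()):
        print(ip, domains)
    print(summarize(result))
```

One caveat the article's own numbers illustrate: a count of client IP addresses is not a count of infected devices. Many machines behind one NAT gateway show up as a single IP at the sinkhole, which is one reason the 23 million IPs and 26 million devices in the report are different figures; inside a network, resolver logs that record the internal client address give a much closer per-device view.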

Easy, Effective Cyberattacks
It's tough to evade increasingly capable security tools, so hackers are turning to an easier and cheaper method: tricking people. They commonly use social engineering, legitimate software features, and poorly secured cloud applications to dupe users into falling for attacks.

Office 365 Advanced Threat Protection found phishing was the top threat vector for Office 365-based threats in the second half of 2017, at 53% of attacks. An attacker can spam a thousand people with a phishing campaign; only one needs to click for it to be effective. Three-quarters of emails contain malicious links, Konstantas points out.

"Phishing emails are becoming a lot more sophisticated," she says. "They've gone from offers that are ridiculous and too good to be true, to ones that are highly targeted."

In brand phishing schemes, for example, an attacker disguises the email to come from a popular company (Apple, Amazon, and Dropbox are common) to convince a target to click a malicious link. More advanced phishing emails factor in users' personal information to feign legitimacy. User impersonation techniques were low in volume but high in severity, Microsoft reports.

Researchers surveyed more than 30 cloud applications and found 79% of SaaS storage apps and 86% of software-as-a-service collaboration apps do not encrypt data at rest and in transit, leaving information exposed. Poor encryption could let an attacker compromise data after infecting an app; lack of Web security could let them execute application-layer attacks.

"You want encryption of data at rest and encryption of data in motion," Konstantas notes. If an employee is using corporate data in an unsecured cloud app, "that is vulnerable because it's not encrypted, and it's in the clear and potentially accessible in an unwarranted way."

From October through November 2017, hackers abused Microsoft Windows Dynamic Data Exchange (DDE), a tool that enables the transfer of Office data using shared memory. A new form of Locky ransomware was delivered using DDE fields in Office documents, an instance of attackers abusing legitimate software functionality rather than a vulnerability.
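Because DDE is a documented feature rather than a bug, the defensive response is to detect the field codes in incoming documents. The script below is an added example (not code from the article or from Microsoft) that opens a .docx, reassembles each Word field instruction, and flags any DDE or DDEAUTO field. The two sample documents are constructed in memory, and the DDEAUTO sample uses placeholder application and argument strings; it splits the instruction across two runs, since a field is one instruction to Word no matter how many runs it spans.

```python
"""
Flag .docx files containing DDE/DDEAUTO field codes. Added example; the sample
documents are constructed in memory with placeholder field arguments.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def field_codes(part_xml: bytes) -> List[str]:
    """Return every field instruction in one WordprocessingML part.

    Simple fields carry the instruction in w:fldSimple/@w:instr. Complex
    fields are reassembled from the w:instrText runs between the fldChar
    begin and end markers, so an instruction split across runs is still
    seen whole."""
    root = ET.fromstring(part_xml)
    codes: List[str] = []
    buf: List[str] = []
    depth = 0
    for el in root.iter():
        if el.tag == W + "fldSimple":
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end":
                depth -= 1
                if depth == 0 and buf:
                    codes.append("".join(buf))
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")
    return codes


def find_dde_fields(docx_bytes: bytes) -> List[str]:
    """Scan every XML part under word/ (body, headers, footers) for DDE fields."""
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(z.read(name)):
                    if DDE_RE.search(code):
                        found.append(code.strip())
    return found


def make_docx(body_xml: str) -> bytes:
    """Build a minimal .docx in memory (constructed test input, not a real file)."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples: a benign DATE field, and a DDEAUTO field with placeholder
# arguments whose instruction is split across two instrText runs.
BENIGN_DOCX = make_docx(
    '<w:p><w:fldSimple w:instr=" DATE "><w:r><w:t>1/1/2018</w:t></w:r>'
    '</w:fldSimple></w:p>')
DDE_DOCX = make_docx(
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAU</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">TO placeholder_app "placeholder_args" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>field result</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>')

if __name__ == "__main__":
    print("benign:", find_dde_fields(BENIGN_DOCX))
    print("dde:", find_dde_fields(DDE_DOCX))
```

A mail gateway or endpoint scanner would run find_dde_fields over each attachment and quarantine or strip documents that return a non-empty list; the same approach applies to .xlsx and .rtf with their own field syntax, which this example does not cover.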

Raking in Ransom
Ransomware was everywhere in 2017 — in the Gamarue botnet, in phishing emails, in large-scale global attacks. The damage kicked off with WannaCry, which was soon followed by Petya/NotPetya and BadRabbit. Asia was hit with the most ransomware attacks, Microsoft says. The most common families were Win32/WannaCrypt, Win32/LockScreen, and Win32/Cerber.

"These are particularly insidious," says Konstantas. "What was also interesting about ransomware was, you had different types with different intents."

WannaCry, for example, was about collecting money. Petya/NotPetya was not. With the latter, even the attackers could not access the encryption data, so victims' data was effectively destroyed. It was less about making money than it was about disrupting governments.

Petya had several different propagation mechanisms built in, she continues. The vulnerabilities it exploited had been known a month before the outbreak, which highlights the importance of system updates. Konstantas also emphasizes the importance of backups for critical systems and data.

"You never really want to pay the ransom, and in some cases, like NotPetya, the data is destroyed anyway," she points out.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
