Microsoft Report: Cybersecurity's Top 3 Threats Intertwine

Botnets, ransomware, and simple attack methods dominate the threat landscape and build on each other to drive effectiveness.

Cybercrime is a business, and hackers are looking for cheap strategies to maximize impact and minimize cost. Simple attack methods are one of three key themes permeating version 23 of the Microsoft Security Intelligence Report, which was released today.

This edition of the biannual report spans enterprise and consumer cloud services, drawing on the 400 billion emails, 450 billion authentications, 18+ billion webpage scans, and 1.2 billion device scans that Microsoft processes each month. The three key topics are botnets, hacker tactics, and ransomware.

Interestingly, researchers point out, these three areas overlap with one another. Ransomware (along with Trojans and backdoors) was a common form of malware distributed by the Gamarue botnet, which Microsoft helped take down in 2017. Ransomware is also delivered through weaponized documents attached to phishing emails, a simple and effective form of cyberattack.

Here, we dig into each of the threats Microsoft prioritized:

Bringing Down Botnets
Microsoft's Digital Crimes Unit (DCU) has been taking down botnets since the Conficker botnet disruption in 2008. In November 2017, it coordinated the takedown of the Gamarue botnet (also known as Andromeda), the culmination of an effort that started in December 2015.

The DCU, Windows Defender Security Intelligence teams, and ESET teamed up to analyze the botnet, an effort that involved researching more than 44,000 malware samples. The analysis identified 1,214 command-and-control domains and IP addresses, 464 distinct botnets, and 80+ related malware families.

Its primary goal was to distribute several prevalent forms of malware. Since 2011, Gamarue had evolved through five versions, distributing malware that included Petya and Cerber ransomware, Kasidet, the Lethic spambot, and the information-stealing families Ursnif, Carberp, and Fareit. Like many bots, it was sold as a crime kit on the cyber underground.

The disruption caused Gamarue-infected devices to connect to a sinkhole instead of the criminal infrastructure; so far, infected devices from 23 million IP addresses have done so. The sinkhole data shows a 30% decrease in Gamarue victims around the world, but businesses should still be on guard: in January and February 2018, 26 million infected devices were still connecting to the Gamarue sinkhole.

"No harm will come to them because they're no longer part of the criminal infrastructure, but they're still connected," says Johnnie Konstantas, senior director of Microsoft's Enterprise Cybersecurity Group.

"There's money to be made in the renting and leasing of botnets themselves," says Konstantas. While all of Gamarue's command-and-control servers are disconnected, "you still have a lot of infected devices out there."

Easy, Effective Cyberattacks
It's tough to evade increasingly capable security tools, so hackers are turning to an easier and cheaper method: tricking people. They commonly use social engineering, legitimate software features, and poorly secured cloud applications to dupe users into falling for attacks.

Office 365 Advanced Threat Protection found phishing was the top threat vector for Office 365-based threats in the second half of 2017, accounting for 53% of attacks. An attacker can spam a thousand people with a phishing campaign; only one needs to click for it to be effective. Three-quarters of these phishing emails contain malicious links, Konstantas points out.

"Phishing emails are becoming a lot more sophisticated," she says. "They've gone from offers that are ridiculous and too good to be true, to ones that are highly targeted."

In brand phishing schemes, for example, an attacker disguises the email to come from a popular company (Apple, Amazon, and Dropbox are common) to convince a target to click a malicious link. More advanced phishing emails factor in users' personal information to feign legitimacy. User impersonation techniques were low in volume but high in severity, Microsoft reports.

Researchers surveyed more than 30 cloud applications and found that 79% of SaaS storage apps and 86% of SaaS collaboration apps do not encrypt data at rest and in transit, leaving information exposed. Poor encryption could let an attacker compromise data after infecting an app; a lack of Web security controls could let them execute application-layer attacks.

"You want encryption of data at rest and encryption of data in motion," Konstantas notes. If an employee is using corporate data in an unsecured cloud app, "that is vulnerable because it's not encrypted, and it's in the clear and potentially accessible in an unwarranted way."

From October through November 2017, hackers exploited Microsoft Windows Dynamic Data Exchange (DDE), a tool that enables the transfer of Office files using shared memory. A new form of Locky ransomware was delivered using DDE, an instance of attackers abusing a legitimate software feature rather than a vulnerability.

Raking in Ransom
Ransomware was everywhere in 2017 — in the Gamarue botnet, in phishing emails, in large-scale global attacks. The damage kicked off with WannaCry, which was soon followed by Petya/NotPetya and BadRabbit. Asia was hit with the most ransomware attacks, Microsoft says. The most common families were Win32/WannaCrypt, Win32/LockScreen, and Win32/Cerber.

"These are particularly insidious," says Konstantas. "What was also interesting about ransomware was, you had different types with different intents."

WannaCry, for example, was about collecting money. Petya/NotPetya was not. With the latter, the encryption data wasn't accessible even to the attackers themselves, so victims' data was effectively destroyed. It was less about making money than about disrupting governments.

Petya had several different propagation mechanisms built in, she continues. The vulnerabilities it exploited were known a month before the outbreak, highlighting the importance of timely system updates. Konstantas also emphasizes the importance of backups for critical systems and data.

"You never really want to pay the ransom, and in some cases, like NotPetya, the data is destroyed anyway," she points out.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
