Botnets, ransomware, and simple attack methods dominate the threat landscape and build on each other to drive effectiveness.

Kelly Sheridan, Former Senior Editor, Dark Reading

March 15, 2018

5 Min Read

Cybercrime is a business, and hackers are looking for cheap strategies to maximize impact and minimize cost. Simple attack methods are one of three key themes permeating version 23 of the Microsoft Security Intelligence Report, which was released today.

This edition of the biannual report spans enterprise and consumer cloud services, and analyzes the 400 billion emails, 450 billion authentications, and scans of 18+ billion webpages and 1.2 billion devices that Microsoft does each month. The three key topics are botnets, hacker tactics, and ransomware.

Interestingly, researchers point out, these three areas overlap with one another. Ransomware (along with Trojans and backdoors) was a common form of malware distributed by the Gamarue botnet, which Microsoft helped take down in 2017. The threat is also embedded in weaponized documents embedded in phishing emails, a simple and effective form of cyberattack.

Here, we dig into each of the threats Microsoft prioritized:

Bringing Down Botnets
Microsoft's Digital Crimes Unit (DCU) has been taking down botnets since the Conficker botnet disruption in 2008. In November 2017, it coordinated the takedown of the Gamarue botnet (also known as Andromeda), the culmination of an effort that started in December 2015.

The DCU, Windows Defender Security Intelligence Teams, and ESET teamed up to analyze the botnet, which involved researching more than 44,000 malware samples. Gamarue's command-and-control servers had 1,214 domains and IP addresses, 464 botnets, and 80+ related malware families.

Its primary goal is to distribute different several prevalent forms of malware. Since 2011, Gamarue had evolved through five versions of malware, including both Petya and Cerber ransomware, Kasidet malware, spambot Lethic, and info-stealing malware Ursnif, Carberp, and Fareit. Like many bots, it was sold as a crime kit on the cyber underground.

Their disruption caused Gamarue-infected devices to connect to a sinkhole; so far, infected devices from 23 million IP addresses have done so. The sinkhole has seen a 30% decrease in Gamarue victims around the world, but businesses should still be on guard. In January and February 2018, there were still 26 million infected devices connected to Gamarue.

"No harm will come to them because they're no longer part of the criminal infrastructure, but they're still connected," says Johnnie Konstantas, senior director of Microsoft's Enterprise Cybersecurity Group.

"There's money to be made in the renting and leasing of botnets themselves," says Konstantas. While all of Gamarue's command-and-control servers are disconnected, "you still have a lot of infected devices out there."

Easy, Effective Cyberattacks
It's tough to evade increasingly capable security tools, so hackers are turning to an easier and cheaper method: tricking people. They commonly use social engineering, legitimate software features, and poorly secured cloud applications to dupe users into falling for attacks.

Office 365 Advanced Threat Protection found phishing was the top threat vector for Office 365-based threats in the second half of 2017, at 53% of attacks. An attacker can spam a thousand people with a phishing campaign; only one needs to click for it to be effective. Three-quarters of emails contain malicious links, Konstantas points out.

"Phishing emails are becoming a lot more sophisticated," she says. "They've gone from offers that are ridiculous and too good to be true, to ones that are highly targeted."

In brand phishing schemes, for example, an attacker disguises the email to come from a popular company (Apple, Amazon, and Dropbox are common) to convince a target to click a malicious link. More advanced phishing emails factor in users' personal information to feign legitimacy. User impersonation techniques were low in volume but high in severity, Microsoft reports.

Researchers surveyed more than 30 cloud applications and found 79% of SaaS storage apps and 86% of software-as-a-service collaboration apps do not encrypt data at rest and in transit, leaving information exposed. Poor encryption could let an attacker compromise data after infecting an app; lack of Web security could let them execute application-layer attacks.

"You want encryption of data at rest and encryption of data in motion," Konstantas notes. If an employee is using corporate data in an unsecured cloud app, "that is vulnerable because it's not encrypted, and it's in the clear and potentially accessible in an unwarranted way."

From October through November 2017, hackers exploited Microsoft Windows Dynamic Data Exchange (DDE), a tool that enables the transfer of Office files using shared memory. A new form of Locky ransomware was delivered using DDE, an instance of attackers abusing legitimate software.

Raking in Ransom
Ransomware was everywhere in 2017 — in the Gamarue botnet, in phishing emails, in large-scale global attacks. The damage kicked off with WannaCry, which was soon followed by Petya/NotPetya and BadRabbit. Asia was hit with the most ransomware attacks, Microsoft says. The most common families were Win32/WannaCrypt, Win32/LockScreen, and Win32/Cerber.

"These are particularly insidious," says Konstantas. "What was also interesting about ransomware was, you had different types with different intents."

WannaCry, for example, was about collecting money. Petya/NotPetya was not. With the latter, encryption data wasn't even accessible by the bad actors so victims' data was effectively destroyed. It was less about making money than it was about disrupting governments.

Petya had a few different propagation mechanisms built in, she continues. The vulnerabilities existed a month before the outbreak happened, highlighting the importance of system updates. Konstantas also emphasizes the importance of backups for critical systems and data.

"You never really want to pay the ransom, and in some cases, like NotPetya, the data is destroyed anyway," she points out.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Early bird rates expire March 16. Use promo code 200KS for an extra $200 off. Check out the security track here.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights