Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

8/17/2017
05:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Microsoft Report: User Account Attacks Jumped 300% Since 2016

Most of these Microsoft user account compromises can be attributed to weak, guessable passwords and poor password management, researchers found.

Microsoft researchers detected a 300% increase in user accounts attacked over the past year, and 44% growth in the number of account sign-ins attempted from malicious IP addresses.

The data comes from Microsoft's latest Security Intelligence Report (SIR) released today with data from Q1 2017, and discusses vulnerabilities, exploits, malware, and unwanted software. Intelligence comes from billions of security signals Microsoft processes in its consumer and enterprise services each month.

This report represents a couple of changes from the usual SIR. Data is split into two categories, cloud and endpoint, and represents a shorter timeframe of one financial quarter compared with the usual six-month window. Microsoft says it plans to share data on a more regular basis.

Here's a closer look at the findings, gathered by Microsoft's identity security and protection team:

Account compromise and cloud weaponization

With respect to the 300% jump in user account attacks, most were the result of weak, guessable passwords, followed by targeted phishing attacks and breaches of third-party services. As more sites are breached and passwords stolen, more attackers will attempt to reuse victims' credentials on multiple websites.

"One of the most critical things a user can do to protect themselves is to use a unique password for every site and never reuse passwords across multiple sites," the report states. Businesses can further cut their risk by telling users to adopt complex passwords, multi-factor authentication, and solutions for credential protection and risk-based conditional access.

The 44% spike in sign-in attempts from malicious IP addresses could be reduced with security policies focused on risk-based conditional access. Researchers suggest comparing requesting devices' IP addresses to a set of known IP addresses and trusted devices.

Attackers frequently compromise cloud services like Azure to enter a business and weaponize virtual machines so they can launch attacks like spam campaigns, brute force attacks, phishing, and port scanning.

The Azure Security Center, which monitors for cloud weaponization, discovered 51% of outbound attacks involved communication with malicious IP addresses. Twenty-three percent were RDP brute force attacks, 19% were spam, 3.7% involved port scanning or sweeping, and 1.7% involved SSH brute force.

More than two-thirds of incoming attacks on Azure services came from IP addresses in China and the United States, at 35.1% and 32.5%, respectively. More than 89% of malicious IP addresses contacted by compromised Azure virtual machines were located in China; only 4.2% were located in the US.

Key business challenges in protecting against cloud attacks include mitigating unauthorized access to cloud accounts, and preventing attackers from using the cloud to gain a foothold, says Microsoft.

Global growth of ransomware

Ransomware attacks disproportionately hit customers in Europe compared with the rest of the world. In March 2017, targets included the Czech Republic (0.17%), Italy (0.14%), Hungary (0.14%), Spain (0.14%), Romania (0.13%), Croatia (0.13%), and Greece (0.12%), all of which had above-average ransomware rates for the month.

"Attackers evaluate several factors when determining what regions to target, including country GDP, average age of computer users and Bitcoin or available method of payment, among others," a Microsoft spokesperson said. "Language of a region is also a major component. Outcomes depend on an attacker’s ability to personalize a message to convince a user to click through or run a malicious file."

Ransomware overall is growing, as indicated by respondents in the Dark Reading Strategic Security Survey. Twenty-three respondents reported falling victim to ransomware, a slight uptick from 20% the year prior.

"The prevalence of ransomware attacks necessitates that all companies have playbooks detailing how their security teams will identify and respond to a ransomware incident in both their production and corporate environments," says Dr. Chris Pierson, CSO of Viewpost, adding how it's imperative to both create and practice plans.

"When looking at the ransomware response, we must move beyond AV to more anomaly-based controls that can identify and stop the mass encryption of various devices and servers," he adds. "We must also ensure the response includes the ability to stop lateral movement in the company," he says. Microsegmentation can help prevent this expansion.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Go phishing

Sites targeting online services made up the largest number of active phishing URLs during 1Q17. Those targeting financial institutions accounted for the second-largest share of attacks in Q1 and largest share of impressions for both February and March.

On a geographical level, countries hosting higher-than-average concentrations of phishing websites included Ukraine (13.2 per 1,000 hosts in March), South Africa (10.3), Indonesia (9.6), and Denmark (9.7). Regions with low concentrations included China (0.6), Taiwan (0.6), Korea (0.7), and Mexico (1.2).

A phishing study from Imperva discovered most attackers don't hesitate to click links or open documents. Most neglect to use sandboxes or anonymity services to cover their tracks, giving outsiders the ability to track them.

"Timely detection of the credential theft, either by the victim or by his organization, and taking measures to re-protect the account, in this case revoking the password, reduce dramatically the chances of the account being actually hacked," says Luda Lazar, cyber threat researcher at Imperva.

Malware impressions were more common than phishing impressions during Q1. There were 381 malware impressions per 1M pageviews in March, compared with 13.0 phishing attempts for the same amount of pageviews. Malware primarily affected Hungary, Egypt, and Indonesia.

China, which had a comparatively low concentration of phishing sites, had one of the highest levels of malware hosts, with 45.9 malware hosting websites per 1,000 hosts. Other hotspots for malware hosting included Singapore (21.6), Ukraine (19), and Hong Kong (18.9).

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
sbuerger87
50%
50%
sbuerger87,
User Rank: Apprentice
8/25/2017 | 7:51:52 AM
Stricter password controls
It would be great if Microsoft would have better password complexity control options such as dictionary checking or checks against common passwords or similarity controls. I find it a bit ironic that they are the ones issuing this report.
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17612
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
CVE-2019-17613
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
CVE-2019-17395
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVE-2019-17602
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
CVE-2019-17394
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.