Microsoft researchers detected a 300% increase in user accounts attacked over the past year, and 44% growth in the number of account sign-ins attempted from malicious IP addresses.
The data comes from Microsoft's latest Security Intelligence Report (SIR) released today with data from Q1 2017, and discusses vulnerabilities, exploits, malware, and unwanted software. Intelligence comes from billions of security signals Microsoft processes in its consumer and enterprise services each month.
This report represents a couple of changes from the usual SIR. Data is split into two categories, cloud and endpoint, and represents a shorter timeframe of one financial quarter compared with the usual six-month window. Microsoft says it plans to share data on a more regular basis.
Here's a closer look at the findings, gathered by Microsoft's identity security and protection team:
Account compromise and cloud weaponization
With respect to the 300% jump in user account attacks, most were the result of weak, guessable passwords, followed by targeted phishing attacks and breaches of third-party services. As more sites are breached and passwords stolen, more attackers will attempt to reuse victims' credentials on multiple websites.
"One of the most critical things a user can do to protect themselves is to use a unique password for every site and never reuse passwords across multiple sites," the report states. Businesses can further cut their risk by telling users to adopt complex passwords, multi-factor authentication, and solutions for credential protection and risk-based conditional access.
The 44% spike in sign-in attempts from malicious IP addresses could be reduced with security policies focused on risk-based conditional access. Researchers suggest comparing requesting devices' IP addresses to a set of known IP addresses and trusted devices.
Attackers frequently compromise cloud services like Azure to enter a business and weaponize virtual machines so they can launch attacks like spam campaigns, brute force attacks, phishing, and port scanning.
The Azure Security Center, which monitors for cloud weaponization, discovered 51% of outbound attacks involved communication with malicious IP addresses. Twenty-three percent were RDP brute force attacks, 19% were spam, 3.7% involved port scanning or sweeping, and 1.7% involved SSH brute force.
More than two-thirds of incoming attacks on Azure services came from IP addresses in China and the United States, at 35.1% and 32.5%, respectively. More than 89% of malicious IP addresses contacted by compromised Azure virtual machines were located in China; only 4.2% were located in the US.
Key business challenges in protecting against cloud attacks include mitigating unauthorized access to cloud accounts, and preventing attackers from using the cloud to gain a foothold, says Microsoft.
Global growth of ransomware
Ransomware attacks disproportionately hit customers in Europe compared with the rest of the world. In March 2017, targets included the Czech Republic (0.17%), Italy (0.14%), Hungary (0.14%), Spain (0.14%), Romania (0.13%), Croatia (0.13%), and Greece (0.12%), all of which had above-average ransomware rates for the month.
"Attackers evaluate several factors when determining what regions to target, including country GDP, average age of computer users and Bitcoin or available method of payment, among others," a Microsoft spokesperson said. "Language of a region is also a major component. Outcomes depend on an attacker’s ability to personalize a message to convince a user to click through or run a malicious file."
Ransomware overall is growing, as indicated by respondents in the Dark Reading Strategic Security Survey. Twenty-three respondents reported falling victim to ransomware, a slight uptick from 20% the year prior.
"The prevalence of ransomware attacks necessitates that all companies have playbooks detailing how their security teams will identify and respond to a ransomware incident in both their production and corporate environments," says Dr. Chris Pierson, CSO of Viewpost, adding how it's imperative to both create and practice plans.
"When looking at the ransomware response, we must move beyond AV to more anomaly-based controls that can identify and stop the mass encryption of various devices and servers," he adds. "We must also ensure the response includes the ability to stop lateral movement in the company," he says. Microsegmentation can help prevent this expansion.
Sites targeting online services made up the largest number of active phishing URLs during 1Q17. Those targeting financial institutions accounted for the second-largest share of attacks in Q1 and largest share of impressions for both February and March.
On a geographical level, countries hosting higher-than-average concentrations of phishing websites included Ukraine (13.2 per 1,000 hosts in March), South Africa (10.3), Indonesia (9.6), and Denmark (9.7). Regions with low concentrations included China (0.6), Taiwan (0.6), Korea (0.7), and Mexico (1.2).
A phishing study from Imperva discovered most attackers don't hesitate to click links or open documents. Most neglect to use sandboxes or anonymity services to cover their tracks, giving outsiders the ability to track them.
"Timely detection of the credential theft, either by the victim or by his organization, and taking measures to re-protect the account, in this case revoking the password, reduce dramatically the chances of the account being actually hacked," says Luda Lazar, cyber threat researcher at Imperva.
Malware impressions were more common than phishing impressions during Q1. There were 381 malware impressions per 1M pageviews in March, compared with 13.0 phishing attempts for the same amount of pageviews. Malware primarily affected Hungary, Egypt, and Indonesia.
China, which had a comparatively low concentration of phishing sites, had one of the highest levels of malware hosts, with 45.9 malware hosting websites per 1,000 hosts. Other hotspots for malware hosting included Singapore (21.6), Ukraine (19), and Hong Kong (18.9).