The growing threat of cybercrime
Cybercrime, whether nation-state sponsored or permitted, is a threat to national security. Cybercriminals are targeting and attacking all sectors of critical infrastructure, including healthcare and public health, information technology (IT), financial services, and energy sectors. Ransomware attacks are increasingly successful, crippling governments and businesses, and the profits from these attacks are soaring. The cybercrime supply chain, often created by criminal syndicates, continues to mature, allowing anyone to buy the services needed to conduct malicious activity for financial gain or other nefarious purposes. Sophisticated cybercriminals are also still working for governments, conducting espionage and training in the new battlefield.
One of the most popular attacks is the identity and password/phishing attack, where criminals try to get the target's personal information and sell the compromised credentials to third parties. The number of sites offering these services has significantly increased in the past 12 months, as has the volume of credentials and the variety of phishing kits.
With no technical knowledge of how to conduct a cybercrime attack, an amateur threat actor can purchase a range of services to conduct their attacks with one click. Ransomware kits are one of the many types of attack kits designed to enable low-skill attackers to perform more sophisticated attacks. Nontechnical cybercriminals sign up with a ransomware affiliate where for 30% of the revenue, the affiliate network will supply the ransomware, recovery services, and payment services. The attacker then buys “loads” from a market and pushes the ransomware to the loads they purchased. They then sit back and collect their revenue.
Another popular cyberattack is the distributed denial of service (DDoS) attack, which is cheap and effective. DDoS'ing is the intentional paralysing of a computer network by flooding it with data sent simultaneously from many individual computers. It is very effective against unprotected sites and costs about $300 USD/month.
In addition to these cybercrime services, there are many more services for sale.
Ransomware and extortion
Ransomware and extortion is a high-profit, low-cost business which has a debilitating impact on targeted organizations, national security, economic security, and public health and safety. What started as simple single-PC ransomware has grown to include a variety of extortion techniques enabled by human intelligence and is affecting the networks of all types of organizations across the globe.
A ransomware and extortion attack involves a threat actor deploying malware that encrypts and exfiltrates data and then holds that data for a ransom, often demanding payment in cryptocurrency. Rather than just encrypting a victim’s files and requesting a ransom in exchange for the decryption key, the attackers also exfiltrate sensitive data before deploying the ransomware.
The business model for ransomware has effectively evolved into an intelligence operation; criminal actors perform research on their target victim to identify an optimal ransom demand. Once a criminal actor infiltrates a network, they may exfiltrate and study financial documents and insurance policies. They may also understand the penalties associated with local breach laws. The actors will then extort money from their victims, to not only unlock their systems, but also to prevent disclosure of the victim’s exfiltrated data to the public. After they’ve collected and analyzed this intelligence, the criminal actor will identify an “appropriate” ransom amount.
To counter ransomware, a global collaborative effort between the private sector, law enforcement, and government is necessary to reduce the profitability of this crime, make it more difficult to enter the ransomware market, and supply victims with effective tools for efficient prevention and remediation. Microsoft is a contributor to the Ransomware Task Force report, a comprehensive framework designed for taking action in combatting ransomware.
If a victim of a ransomware attack has cyber insurance, that carrier will employ certain service providers, including an incident response firm, a law firm, and an organization specializing in ransom negotiation. Even if a victim does not have a cyber insurance policy, these stakeholders are commonly involved in finding a resolution to the ransom.
Important details to be aware of when making the decision whether to pay ransoms:
- On average, organizations that paid the ransom got back only 65% of their data, with 29% getting back no more than half their data.
- Ransom decryptors are buggy and regularly fail to decrypt the largest, most critical data files (files 4 GB+ in size).
- Decrypting data files is a slow and labor-intensive process; most customers decrypt only their most critical data files and restore the rest from backup.
- Restoring data does not undo any tampering performed by the attackers.
- Restoring data does not secure systems to prevent future attacks.
- Organizations must understand the legality of making payments in their country. Governments across the globe are instituting ransomware payment reporting requirements, may have penalties for payments that are made to sanctioned parties, and are considering laws that could make ransom payments illegal.
Check out Microsoft Digital Defense Report for more information about ransomware.
Phishing and other malicious emails
Whether their goal is to phish credentials, redirect a wire transfer to their own bank account, or download malware onto a machine, attackers are most likely to utilize email as their initial entry vector for a campaign. Microsoft security researchers observe the following three most common types of malicious emails:
Phishing is the most common type of malicious email observed in our threat signals. These emails are designed to trick an individual into sharing sensitive information, such as usernames and passwords, with an attacker. To do this, attackers will craft emails using a variety of themes, such as productivity tools, password resets, or other notifications with a sense of urgency to lure a user to click on a link.
The phishing webpages used in these attacks may utilize malicious domains, such as those purchased and operated by the attacker, or compromised domains, where the attacker abuses a vulnerability in a legitimate website to host malicious content.
Malware delivery is another example of how threat actors utilize emails for their objectives. A variety of malware variants, such as Agent Tesla, IcedID, Trickbot, and Qakbot, use email as a primary method of distribution. These emails will use either links or attachments to deliver malware and many times use techniques that overlap with phishing emails. For example, both malware delivery email and phishing email may use links that direct to a CAPTCHA test to evade detection from security technologies.
One of the most common methods of malware delivery observed in the past year was through password-protected archive files. These emails contain archive files, such as ZIP attachments that are password protected, to prevent security technologies from detonating and analyzing them.
Business email compromise
While not the most prolific type of malicious email in terms of quantity, BEC has proven to be the most financially impactful type of cybercrime. BEC occurs when an attacker pretends to be a legitimate business account—utilizing either a compromised email address, a lookalike domain they have registered, or a free email service such as Hotmail or Gmail—and sends emails designed to trick recipients into taking some financial action, handing over sensitive information, or providing assets, such as gift cards, to the attacker.
A much more sophisticated and financially damaging type of BEC is wire transfer fraud. In this type of BEC, actors will insert themselves into expected financial transactions and ask the recipient to adjust the bank account information on an outgoing wire transfer. The actors will masquerade as the intended recipient of the funds, so this does not seem out of the ordinary to the victim. Once the victim wires the money to the new account, it is withdrawn by the actors and may be difficult to retrieve.
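The sender-domain check that a mail gateway or SOC rule can apply to the lookalike-domain and free-mail cases described above, as an added example that is not part of the report. The trusted partner list, the free-mail list (outlook.com is added beyond the Hotmail and Gmail the text names) and the confusable-character pairs are assumptions of this example.

```python
# Added example: classify a sender domain against a constructed list of trusted partner domains.
TRUSTED_DOMAINS = {"contoso.com", "fabrikam.com"}            # constructed partner list
FREE_MAIL = {"gmail.com", "hotmail.com", "outlook.com"}       # free webmail providers (outlook.com assumed)
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]  # pairs that look alike on screen


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character insertions, deletions or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse confusable pairs so that 'fabrikarn.com' compares equal to 'fabrikam.com'."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def classify_sender(address: str) -> str:
    """Return 'trusted', 'free-mail', 'lookalike of <domain>' or 'unknown' for one sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if domain in FREE_MAIL:
        return "free-mail"   # a partner or executive writing from webmail deserves out-of-band verification
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if (normalize(domain) == normalize(trusted)          # homoglyph swap, e.g. c0ntoso.com
                or levenshtein(domain, trusted) <= 2          # typo-squat, e.g. contoso.co
                or brand in domain.split(".")[0]):            # brand padded, e.g. contoso-payments.com
            return f"lookalike of {trusted}"
    return "unknown"
```

Any bank-detail change on an outgoing wire is still verified with the counterparty over a known phone number; this check only decides which messages get that call first.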
For more information about malicious emails, check out Microsoft Digital Defense Report.
Malware and the cybercrime infrastructure that supports attacks have continued to evolve. There are key malware areas where Microsoft 365 Defender Threat Intelligence has observed changing trends in recent years, many of which require equal parts innovative defensive strategies and historically resilient mitigations such as multifactor authentication and robust application security practices.
Despite the wide range of outcomes such as ransom, data loss, credential theft, and espionage, most pieces of malware rely on similar strategies for establishing themselves in a network. Windows PowerShell launched by malicious processes with suspicious commands or encoded values was the most common behavior Microsoft observed from malware in recent months. The next most common were attempts by malware to rename payloads to mimic system processes or replace them entirely, and using malware to collect data such as credentials from browser caches. Other noteworthy behaviors and protection opportunities for security operation centers are the use of specific reconnaissance commands, processes being added to startup folders, scheduled task or registry alterations, and malicious process execution by abuse of Office documents.
Botnet as a term has been evolving as well. Historically it was used to refer to a network of computers completing tasks for an operator. However, now most malware families could potentially be classified as having botnet components or behaviors. As historically prevalent malware botnet infrastructures such as Trickbot and Emotet were disrupted, other malware families have replaced them. In their place, older botnets as well as a new class of evasive malware began delivering more severe secondary components at faster speeds.
SEO and malicious advertising
Search engine results and advertising are also an increasingly effective means of delivering malware to end users, both by abusing legitimate search engine optimization strategies and by utilizing existing infections to install browser extensions that modify search results and surface attacker-controlled illicit content. Information stealing, data exfiltration, and other areas of malware delivery can increasingly leverage browser modifications and search results to achieve their ends. This continues to solidify a class of malware leveraging the browser for delivery and exploitation across both consumer and enterprise sectors.
A web shell is a piece of malicious code, often written in typical web development programming languages (such as ASP, PHP, or JSP), that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow adversaries to execute commands and steal data from a web server or use the server as a launch pad for further attacks against the affected organization. The escalating prevalence of web shells may be attributed to how simple and effective they can be for attackers. Once installed on a server, web shells serve as one of the most effective means of persistence in an enterprise.
Recommendations for malware prevention:
- Install security updates on all applications and operating systems promptly.
- Enable real-time protection through an antimalware solution, such as Microsoft Defender.
- Mitigate large attack vectors such as macro abuse, exposed edge services, insecure default configurations, legacy authentication, unsigned script types, and suspicious executions from certain file types delivered through email. Microsoft offers some of these larger mitigations through the use of attack surface reduction rules to prevent malware infection. Azure Active Directory users may also leverage security defaults to establish baseline authentication security for cloud environments.
- Enable Endpoint Detection and Response functionality to analyze and respond to threats based on individual behaviors and techniques proactively.
- Enable domain and IP-based protections on hosts as well as at network gateways, if possible, to ensure infrastructure-based coverage is complete.
- Turn on potentially unwanted application (PUA) protection. Many antimalware solutions may label initial access threats such as adware, torrent downloaders, RATs, and Remote Management Services (RMS) as PUA. Occasionally, these types of software may be disabled by default to prevent impact to an environment.
- Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events for logon type attributes. Highly privileged accounts should not be present on workstations.
- Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
- Educate users about malware threats, such as RATs, that can propagate through email as well as through web downloads and search engines.
Any domain used in the pursuit of cybercrime can be considered malicious. Malicious domains can be legitimate sites which have been compromised to enable criminals to host malicious content on subdomains, or they can be entirely fraudulent infrastructure set up for the commission of a crime. Cybercriminals use malicious domains for three primary functions: information transmission, location obfuscation, and building resiliency against those seeking to interfere with their criminal activities. Domains are used for data exfiltration, controlling ransomware communication, hosting phishing pages, and providing control to malware. They are also used as email domains to create visually identical imposter email aliases for deception. Fraudulent domains can use trademarks to deceive customers or provide a platform for fraud, such as fraudulent technical support sites.
A malicious domain is often used as a destination to which malware victims are directed. In this way, the domain both initiates the establishment of a communications channel with the victim and reveals the infected victim’s location. Knowing a victim’s location is important as cybercriminals use a myriad of methods to disseminate their malware but are unable to anticipate where it will ultimately be successfully downloaded.
Blockchain domains are an emerging threat outside of regulation. Over the last two years, the adaptation of blockchain technology has skyrocketed across many business verticals. Real-life applications of blockchain technology range from supply chain management, identity management, real estate contracts, and domain infrastructure.
Unlike traditional domains that are purchased through internet registrars operating through the ICANN-regulated DNS system, blockchain domains are not governed by any centralized body, limiting the opportunity for abuse reporting and enforcement disruptions.
Investigating blockchain domains provides a unique challenge because there is no central WHOIS registration database tracking who registered the domain and when.
The weakness in blockchain domains is the need for third-party proxy services or browser plug-ins to resolve blockchain domains to an IP. Disabling or blocking the blockchain proxy resolution services and disabling browser plug-ins will disable the ability for blockchain domain resolution. Many threat intelligence vendors provide malicious URL feeds, which sometimes include blockchain resolution proxies or the blockchain domain itself.
Adversarial machine learning
Machine learning (ML) is an artificial intelligence (AI) technique that can be used in numerous applications, including cybersecurity. In responsible ML innovation, data scientists and developers build, train, and deploy ML models to understand, protect, and control data and processes to build trusted solutions. However, adversaries can attack these ML-driven systems. The methods underpinning production ML systems are systematically vulnerable to a new class of vulnerabilities across the ML supply chain, collectively known as "adversarial ML." Adversaries can exploit these vulnerabilities to manipulate AI systems and alter their behavior to serve a malicious end goal.
These attacks using Machine Learning can be used in various situations:
The prevalent use of AI and ML across industry sectors, an emerging regulatory landscape, and widespread mistrust or misunderstanding in the use of these technologies has led to an increased need for standards to define good practice and provide guidance to improve trust and market adoption. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are developing AI standards, including defining key terminology and concepts for AI and ML, risk management, governance implications, data quality, and various topics related to trustworthiness.