Threat actors becoming vastly more sophisticated

Whether organised cyber criminal gangs or state-backed or -affiliated advanced persistent threat (APT) groups, threat actors have vastly increased their sophistication in the past 12 months, incorporating an arsenal of new techniques that makes spotting their attacks tougher and tougher for even the most hardened of defenders.

This is according to a new annual report released today by Microsoft, the Digital defense report, exploring some of the most pertinent cyber security trends of the past year.

“Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyber space: that all organisations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA),” said Tom Burt, Microsoft corporate vice-president of customer security and trust, in a blog post.

“Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.”

Among other things, the report details how APT groups are engaging in new reconnaissance techniques that heighten their chances of compromising important targets, while cyber criminal groups targeting businesses are increasingly taking to the cloud to hide among legitimate services, and others are coming up with innovative ways to scour the public internet for systems that might be vulnerable.

Threat actors have also demonstrated a clear preference for credential harvesting via phishing, and ransomware attacks in the past year – with ransomware being now being the most common reason for Microsoft’s security operation to launch an incident response engagement.

Ransomware attacks are clearly becoming more targeted and planned, according to the report data, with attack patterns demonstrating that cyber criminals know when there will be change freezes, such as public holidays, that will slow down an organisation’s ability to respond and harden their networks. Ransomware operators are also now clearly demonstrating they are well aware of the business needs of their targets, and what factors will induce them to pay up rather than incur a lengthy downtime, for example during a billing cycle.

Burt said that cyber criminals are becoming adept at evolving their techniques to enhance their chances of success, experimenting with new attack vectors and obfuscation techniques, and exploiting the fast-moving news agenda to switch up their lures. The Covid-19 pandemic in particular has given cyber criminals a golden opportunity to play on human curiosity and the need for information.

The report reveals how the pandemic has also played out in other ways, with remote workers more vulnerable outside of their organisations’ network perimeter, and the stratospheric take-up of web- and cloud-based apps making DDoS attacks suddenly much more dangerous.

Nation-state backed actors, meanwhile, are also evolving, switching their targets to align with the changing geopolitical goals of their paymasters. In the past, such groups had preferred to focus on vulnerabilities in critical national infrastructure (CNI), but Microsoft’s stats revealed that 90% of nation-state notifications were against other targets.

For example, it reported as many as 16 different state-backed groups targeting its customers that are involved in Covid-19 response, such as government bodies, healthcare targets, NGOs and academic institutions and scientific organisations working on vaccines. One thing that hasn’t changed is the origin of such groups, which are overwhelmingly operating out of China, Iran, North Korea and Russia.

Burt urged a “community approach” to cyber security moving forward, saying that even though Microsoft’s security work is extensive, even an organisation of its size can only make a small contribution to the overall picture.

“It requires policymakers, the business community, government agencies and, ultimately, individuals to make a real difference, and we can only have significant impact through shared information and partnerships,” he said.

“This is one of the reasons why we launched Microsoft’s Security intelligence report in 2005, and it’s one of the reasons why we’ve evolved that report into this new Digital defense report. We hope this contribution will help us all work together better to improve the security of the digital ecosystem.”