Incident trends report (October 2018 – April 2019)

This report offers detailed analysis of prevalent incident trends reported in the UK across various sectors, as observed by the NCSC’s Incident Management Team in recent months.

For each type of incident discussed, we provide comprehensive technical advice for defense strategies and recovery methods.

The report encompasses the timeframe from October 2018 to April 2019.


Sources

The incident types we address are not new, and the corresponding guidance is readily accessible on the NCSC website and other platforms.

However, the combination of emerging trends and curated guidance, enhanced by unique NCSC analysis, presents specific and actionable recommendations.

With this knowledge, you should be able to assess your security measures and implement improvements as necessary.


Adversaries

The trends we observe are not limited to any specific adversary, as each attack method is widely employed by various cyber adversaries.

All recognized incident types have led to breaches in the UK, some of which have been quite significant.


Incidents and Their Mitigation

We cover five key trends impacting UK organizations.

1. Office 365
2. Ransomware
3. Phishing
4. Vulnerability Scanning
5. Supply Chain Attacks


Office 365

Cloud services, especially Office 365, have emerged as primary targets in recent months.

Traditionally, on-premises IT systems were isolated from the internet, but the widespread transition to cloud services has exposed many enterprise systems to internet-based threats. In many cases, these services are secured with nothing more than a username and password.

Incident Trends

There have been increasing attempts to guess user passwords using a variety of tools and scripts, and this has become commonplace against Office 365 deployments.

Attacks can now occur at scale across the internet without needing a foothold in corporate networks. A successful login can provide access to sensitive corporate data across all Office 365 services, including SharePoint, Exchange, and linked third-party services in Azure AD.

Password Spraying

The most prevalent attack method affecting Office 365 is password spraying, which involves trying a small number of common passwords across multiple accounts over a sustained period. This tactic generally avoids triggering account lockouts, making it difficult for IT security teams to detect.

Typically, attackers are not targeting a specific account and can aim at multiple accounts within a single organization without raising security alarms.

Credential Stuffing

On a smaller scale, credential stuffing has also been identified. This method utilizes username and password pairs from leaked data to access other services like Office 365.

This tactic is challenging to identify in logs, as attackers may succeed with just one attempt if the stolen details match the user’s Office 365 credentials.
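The password spraying and credential stuffing passages above both describe a source that touches many accounts with very few attempts each, which is exactly what per-account lockout counters miss. The following is an added example, not code from the NCSC report: a heuristic that groups Azure AD / Office 365 sign-in records by source IP and flags clusters of many distinct users with low attempts per user, listing any successes so those accounts can be reset first. The record layout, field names and sample events are constructed assumptions.

```python
"""Added example (not from the NCSC report): a heuristic for spotting password
spraying and credential stuffing in Office 365 / Azure AD sign-in records.
Records and field names below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: one source IP tries five accounts once each over
# an hour (a spray or stuffing pattern); another is a user mistyping a password.
EVENTS = [
    {"user": "alice@example.com", "ip": "203.0.113.9", "ts": "2019-03-04T02:00:00", "ok": False},
    {"user": "bob@example.com",   "ip": "203.0.113.9", "ts": "2019-03-04T02:17:00", "ok": False},
    {"user": "carol@example.com", "ip": "203.0.113.9", "ts": "2019-03-04T02:35:00", "ok": False},
    {"user": "dave@example.com",  "ip": "203.0.113.9", "ts": "2019-03-04T02:51:00", "ok": False},
    {"user": "erin@example.com",  "ip": "203.0.113.9", "ts": "2019-03-04T03:10:00", "ok": True},
    {"user": "frank@example.com", "ip": "198.51.100.4", "ts": "2019-03-04T09:00:00", "ok": False},
    {"user": "frank@example.com", "ip": "198.51.100.4", "ts": "2019-03-04T09:00:30", "ok": False},
    {"user": "frank@example.com", "ip": "198.51.100.4", "ts": "2019-03-04T09:01:00", "ok": True},
]

def find_spray_sources(events, window=timedelta(hours=24), min_users=4, max_per_user=3):
    """Return {ip: {"users": n, "succeeded": [users]}} for source IPs that
    touched many distinct accounts with few attempts each inside `window`.
    Per-account failure counts miss this because the attacker stays under
    the lockout threshold; grouping by source is what exposes the pattern.
    A success inside such a cluster is the account to reset first."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = datetime.fromisoformat(evs[0]["ts"])  # window anchored at first event
        recent = [e for e in evs if datetime.fromisoformat(e["ts"]) - start <= window]
        attempts = defaultdict(int)
        for e in recent:
            attempts[e["user"]] += 1
        if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
            flagged[ip] = {
                "users": len(attempts),
                "succeeded": sorted(e["user"] for e in recent if e["ok"]),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_spray_sources(EVENTS).items():
        print(f"{ip}: {info['users']} accounts tried; successes: {info['succeeded']}")
```

The thresholds are deliberately loose for the sample; in production they should be tuned against a baseline of the tenant's normal sign-in volume per source.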

Attacker’s Goals

The objectives vary across different attack types.

Common aims include:


  1. Accessing Data and Inboxes

    This is often done with the intent of intellectual property theft or espionage.


  2. Using One Inbox to Enhance Credibility of Further Attacks

    This can target high-value individuals within the same organization or pivot to others through trusted contacts.


  3. Traditional Network Access

    This is achieved by reusing Office 365 credentials to access a corporate VPN service.


Ransomware

Since the WannaCry and NotPetya incidents in 2017, ransomware attacks targeting enterprise networks have risen significantly in both frequency and sophistication. Organizations of all sizes and across sectors, including industry, academia, and government, have become regular targets.

Ransomware disrupts organizations by preventing access to computers or data, typically through encryption of files and folders, leading to substantial operational interruptions and potentially devastating financial fallout, especially for businesses heavily reliant on technology.

Incident Trends

Historically, ransomware was deployed as a standalone attack. Now, attackers first gain access to the network and use that access to amplify the effect of the ransomware.

Network access enables attackers to:

  • Develop a profile of their victim and their capacity to pay.
  • Locate system backups and critical systems to delete or encrypt, maximizing their impact.
  • Identify and exfiltrate potentially valuable data.
  • Ensure maximum encryption of organizational data.

Preventive measures against ransomware should therefore include controls that make it harder for an attacker to gain network access in the first place.

Ransomware Tools

Cybercrime botnets like Emotet, Dridex, and Trickbot are commonly employed as initial attack vectors before deploying ransomware. Additionally, penetration testing tools such as Cobalt Strike have also been observed in use.

Recent ransomware variants include Ryuk, LockerGoga, Bitpaymer, and Dharma. Often, identifying the initial points of compromise can be challenging, especially if the ransomware encrypts crucial evidence.

In many observed cases, NCSC found that ransomware traces back to trojanized documents sent via email, exploiting known vulnerabilities and macros in Microsoft Office files.


Ransomware Remediation

Ransomware can often be averted by adhering to best practices in enterprise security. We detail prevention strategies and recovery steps in our Ransomware guidance.

Your strategy should encompass:

  1. Minimizing the Chance of Initial Malware Infection

  2. Consideration of URL Reputation Services

    Including those integrated within your web browser or offered by Internet service providers.

  3. Implementation of Email Authentication

    Utilizing DMARC and DNS filtering products is highly advised. The NCSC also provides a Protective DNS service (PDNS), which blocks access to harmful sites hosting malware.

  4. Making It Harder for Ransomware to Execute

  5. Maintaining Tested Backups of Your Data

    It is critical that backups are kept offline so that ransomware cannot modify or delete them. Our Securing Bulk Data guidance highlights the importance of identifying vital data and reliable backup methods.

  6. Effective Network Segmentation

    This makes it harder for malware to traverse a network and limits the impact of ransomware attacks. Detailed information can be found in the Cyber Security Design Principles, particularly section 5.1.


Phishing

Phishing has been the most commonly observed attack delivery mechanism in recent years, and particularly in recent months. The potential target pool is expansive, encompassing anyone with an email address.

Incident Trends

Specific tactics observed recently by the NCSC include:

  • Targeting Office 365 Credentials – Users are often tricked into navigating to legitimate-looking login pages that solicit O365 credentials. More advanced attempts may prompt users for multi-factor authentication (MFA).
  • Email Spoofing from Compromised Accounts – This approach frequently uses existing email threads or relationships to lend authenticity to spear-phishing attempts.
  • Fake Login Pages – These pages are dynamically created and personalized, using real imagery from the victim’s Office 365 portal to enhance credibility.
  • Utilizing Microsoft Services – Services like Azure or Office 365 Forms are used to host fraudulent login pages, making them harder to distinguish from legitimate Microsoft pages.


Vulnerability Scanning

Vulnerability scanning is a prevalent reconnaissance technique used to identify open network ports, unpatched legacy software, and misconfigurations that may affect security.

Incident Trends

Attackers are increasingly identifying vulnerabilities in internet-facing services and deploying tested techniques or ‘exploits’ to capitalize on these weaknesses. This tactic increases the probability of successful attacks, often resulting in the bypassing of traditional intrusion prevention systems (IPS) and on-host security monitoring.

Once an attacker establishes a foothold on the edge of infrastructure, they will attempt to run further network scans and leverage stolen credentials to traverse deeper into the core network.

Further details on these techniques are documented by MITRE in the ATT&CK entries for Network Service Scanning and Exploit Public-Facing Application.
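The section above describes two stages of scanning: reconnaissance against internet-facing services, and, once a foothold exists on the edge, further scans from inside the network. The following is an added example, not code from the NCSC report or any product: it reads firewall deny log lines, distinguishes a vertical scan (many ports on one host) from a horizontal one (one port across many hosts), and marks sources in RFC 1918 space as internal, the post-foothold case. The log format and sample lines are constructed assumptions.

```python
"""Added example (not from the NCSC report): flagging network service scanning
in firewall deny logs, both against the internet-facing edge and from an
already-compromised internal host. Log lines and their layout are constructed."""
import ipaddress
import re
from collections import defaultdict

LOG = """\
2019-02-11T04:12:01Z DENY src=203.0.113.77 dst=192.0.2.10 dport=21 proto=tcp
2019-02-11T04:12:01Z DENY src=203.0.113.77 dst=192.0.2.10 dport=22 proto=tcp
2019-02-11T04:12:02Z DENY src=203.0.113.77 dst=192.0.2.10 dport=443 proto=tcp
2019-02-11T04:12:02Z DENY src=203.0.113.77 dst=192.0.2.10 dport=3389 proto=tcp
2019-02-11T04:12:03Z DENY src=203.0.113.77 dst=192.0.2.10 dport=8443 proto=tcp
2019-02-11T09:30:10Z DENY src=10.0.5.23 dst=10.0.1.2 dport=445 proto=tcp
2019-02-11T09:30:10Z DENY src=10.0.5.23 dst=10.0.1.3 dport=445 proto=tcp
2019-02-11T09:30:11Z DENY src=10.0.5.23 dst=10.0.1.4 dport=445 proto=tcp
2019-02-11T09:30:11Z DENY src=10.0.5.23 dst=10.0.1.5 dport=445 proto=tcp
2019-02-11T09:30:12Z DENY src=10.0.5.23 dst=10.0.1.6 dport=445 proto=tcp
2019-02-11T10:02:00Z DENY src=198.51.100.8 dst=192.0.2.10 dport=25 proto=tcp
"""
LINE = re.compile(r"DENY src=(\S+) dst=(\S+) dport=(\d+)")
# RFC 1918 checked explicitly: ipaddress.is_private also matches documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_scanners(log, threshold=5):
    """Return {src: description} for sources whose denied connections look like
    a scan: 'vertical' (many ports, one host) or 'horizontal' (one port, many
    hosts). An internal source is the post-foothold case the report describes."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for m in LINE.finditer(log):
        src, dst, dport = m.groups()
        hosts[src].add(dst)
        ports[src].add(int(dport))
    result = {}
    for src in hosts:
        if len(ports[src]) >= threshold:
            kind = "vertical"
        elif len(hosts[src]) >= threshold:
            kind = "horizontal"
        else:
            continue
        addr = ipaddress.ip_address(src)
        origin = "internal" if any(addr in n for n in RFC1918) else "external"
        result[src] = f"{origin} {kind} scan"
    return result

if __name__ == "__main__":
    for src, verdict in classify_scanners(LOG).items():
        print(src, verdict)
```

Deny logs alone undercount scans that hit open ports; pairing this with accept logs or flow records gives a fuller picture of what a source enumerated.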


Supply Chain or Trusted Relationships

Threats stemming from service providers remain a substantial concern for enterprise networks.

Outsourcing, particularly of IT functions, can enable external parties to access and reconfigure enterprise services, thereby inheriting risks from other connected networks.

Outsourced services typically hold administrator-level access and use remote connections much like those an attacker would use, so malicious activity can blend in with legitimate provider traffic. This raises the bar for detection by internal security operations teams.

Incident Trends

In recent months, there have been multiple cases of attackers exploiting provider connections to gain network access:


Supply Chain or Trusted Relationships Remediation

Supply chain security needs to be integrated into procurement practices for both products and services. Our Supply Chain guidance outlines twelve principles to assist organizations in maintaining effective control and oversight over their supply chains.

Organizations utilizing outsourced IT vendors should ensure that any remote administration interfaces deployed by those providers are secured, for instance, by using properly configured VPNs.

You must verify that your providers’ connection and administration methods comply with your organization’s security standards. Steps should be taken to segment and segregate your networks, which can help contain threats if another client sharing the same service provider is compromised.

Segmentation can occur physically or logically via access control lists, network and computer virtualization, firewalls, and encryption techniques such as Internet Protocol Security. Additional guidance is available from our partners at the Australian Cyber Security Centre.

Document the remote interfaces and internal access utilized by your service provider to ensure complete revocation at the end of the contract. If they have installed services on your network, be certain that these can be entirely removed post-contract, as they may not receive ongoing maintenance or security updates once the provider is no longer involved.

If your supply chain incorporates cloud services, refer to our blog post on managing cloud-enabled product risks. Our Cloud Security Guidance will assist you in evaluating the protection of your data and connected services. Our Software as a Service (SaaS) security guidance offers evaluation strategies for the security of intended cloud-based applications.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/report/incident-trends-report