Incident trends report (October 2018 – April 2019)

This report outlines the technical aspects of prevalent incident trends observed in the UK across various sectors, as reported by the NCSC’s Incident Management Team in recent months.

For each identified incident type, we provide comprehensive technical guidance aimed at defending against and recovering from these incidents.

The reporting period spans from October 2018 to April 2019.


Sources of Information

The types of incidents discussed are not new, and the guidance offered is easily accessible on the NCSC website as well as other platforms.

Nevertheless, the integration of trends and insights, coupled with unique analysis from the NCSC, presents actionable and targeted advice.

With this information, you can assess your security posture and make necessary improvements.


Adversaries

The trends are not specific to any single adversary, as each type of attack is employed by various cybercriminals.

All noted incident types have resulted in compromises within the UK, with some incidents being particularly severe in nature.


Incidents and Their Mitigation

We analyze five primary trends affecting organizations in the UK:

1. Office 365

2. Ransomware

3. Phishing

4. Vulnerability Scanning

5. Supply Chain Attacks


Office 365

Cloud services, and particularly Office 365, have emerged as frequent targets in recent months.

As traditional on-premise IT services that were once isolated from the internet move to cloud environments, exposure to internet-based attacks has increased significantly; many enterprises rely solely on usernames and passwords to protect these services.

Incident Trends

Tools and scripts for guessing user passwords are widely used and are now commonplace against Office 365 deployments.

Attacks can be launched from anywhere in the world without first breaching any corporate infrastructure. A successful login can grant access to corporate data across all Office 365 services, including SharePoint and Exchange, as well as any third-party services linked to Azure AD.

Password Spraying

The prevalent attack method impacting Office 365 is password spraying, which involves trying a small number of commonly used passwords against many accounts over an extended period. Because the per-account failure threshold is never exceeded, this method typically avoids triggering account lockouts, making detection by IT security teams more challenging.

This tactic allows attackers to target many accounts within an organization without raising suspicion, since no single account sees a high number of failed logins.
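As an added example (not part of the NCSC report), the following Python runs a simple spray detector over a constructed Office 365 sign-in log: it flags a source address that fails against many distinct accounts while staying under a per-account lockout threshold, and lists any account that then logged in successfully from that source. The window and threshold values are assumptions to be tuned to your tenant's lockout policy.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed Office 365 sign-in log (not real data):
# timestamp source_ip account result
SAMPLE_LOG = """\
2019-03-04T09:00:01Z 203.0.113.7 alice@example.org FAIL
2019-03-04T09:07:12Z 203.0.113.7 bob@example.org FAIL
2019-03-04T09:14:40Z 203.0.113.7 carol@example.org FAIL
2019-03-04T09:21:03Z 203.0.113.7 dave@example.org FAIL
2019-03-04T09:28:55Z 203.0.113.7 erin@example.org FAIL
2019-03-04T09:35:10Z 203.0.113.7 frank@example.org SUCCESS
2019-03-04T09:02:00Z 198.51.100.9 alice@example.org FAIL
2019-03-04T09:02:30Z 198.51.100.9 alice@example.org FAIL
2019-03-04T09:03:00Z 198.51.100.9 alice@example.org SUCCESS
"""

def parse_log(text):
    """Parse the constructed log into time-sorted (time, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result))
    return sorted(events)

def detect_password_spray(events, window=timedelta(hours=1), min_accounts=5, max_per_account=3):
    """Flag sources that fail against at least min_accounts distinct accounts inside
    the window while never exceeding max_per_account failures on any one account
    (the lockout threshold a sprayer deliberately stays under). Values are assumptions."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # slide the window: drop failures older than `window` before fails[end]
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = Counter(e[2] for e in fails[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                # a success from the same source after the spray began is a likely compromised account
                successes = {e[2] for e in evs if e[3] == "SUCCESS" and e[0] >= fails[start][0]}
                findings[ip] = {"accounts": set(per_account), "successes": successes}
                break
    return findings
```

The user at 198.51.100.9 who mistypes a password twice is not flagged, because the failures concentrate on one account; the sprayer at 203.0.113.7 is, together with the account it eventually opened.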

Credential Stuffing

In addition, credential stuffing incidents have been reported, where attackers utilize usernames and passwords from compromised data sets to gain access to other services like Office 365.

Such attempts are hard to detect in logs, since a single successful login may be all that is needed if the leaked credentials match a user’s Office 365 account.

Attacker Goals

The motivations behind various attacks vary, and common objectives include:


  1. Accessing Data and Inboxes

    This usually aims at intellectual property theft or espionage.


  2. Enhancing Credibility for Further Attacks

    Attacks may seek to target high-value individuals within the organization or pivot to others via established contacts.


  3. Traditional Network Access

    This involves re-using Office 365 credentials to gain access to corporate VPN services.


Ransomware

Following the WannaCry and NotPetya incidents in 2017, ransomware attacks on enterprise networks have surged in both number and sophistication, affecting organizations of all sizes in various sectors.

Ransomware restricts access to computer systems or data, generally through encryption, resulting in significant operational disruption and considerable financial repercussions. This is particularly detrimental for organizations highly reliant on technology and automation.

Incident Trends

Historically, ransomware was delivered through standalone attacks; however, current trends show attackers leveraging their network access to maximize the impact of such incidents.

This network access allows attackers to:

  • Understand their victim’s capacity to pay
  • Identify crucial system backups for deletion or encryption to maximize disruption
  • Steal potentially valuable data
  • Seek to encrypt as much of the organization’s data as feasible

Preventing ransomware therefore starts with security measures that stop attackers from gaining initial network access.

Ransomware Tools

Cybercrime botnets like Emotet, Dridex, and Trickbot are often utilized as initial infection vectors, preceding the deployment of ransomware. Some instances have also leveraged penetration testing tools such as Cobalt Strike.

Recently, ransomware variants like Ryuk, LockerGoga, Bitpaymer, and Dharma have become widespread. Understanding the root cause of compromises can be challenging, particularly when ransomware encrypts potential sources for analysis.

Typical cases reported to the NCSC originate from trojanized documents sent by email that exploit publicly known vulnerabilities or macros in Microsoft Office files.


Ransomware Remediation

Ransomware can typically be prevented by adhering to security best practices. Details on preventing ransomware and addressing infections can be found in our Ransomware guidance.

Your strategy should include:


  1. Minimizing Initial Malware Access


  2. Considering URL Reputation Services

    This includes utilizing features integrated into web browsers or offered by Internet service providers.


  3. Implementing Email Authentication

    Use DMARC and DNS filtering products. The NCSC’s Protective DNS service (PDNS), delivered with Nominet, helps prevent access to malicious sites.


  4. Making Ransomware Execution More Difficult


  5. Ensuring Robust Data Backup

    It’s crucial to maintain offline backups to prevent modification or deletion by ransomware. Our Securing Bulk Data guidance covers reliable data backup practices.


  6. Implementing Effective Network Segregation

    This limits the spread of malware across networks; see section 5.1 of the Cyber Security Design Principles.


Phishing

Phishing has emerged as the most common attack delivery method noted in recent years, particularly in the past months. Almost anyone with an email address can fall victim.

Incident Trends

Recent practices identified by the NCSC include:

  • Targeting Office 365 Credentials – This typically involves enticing users to follow links to seemingly legitimate login pages requesting O365 credentials. More advanced iterations may even prompt users to authenticate via MFA.
  • Using Real, Compromised Email Accounts – Often, attackers exploit existing email threads to enhance the authenticity of spear phishing attempts.
  • Creating Fake Login Pages – These pages are dynamically generated and personalized, mimicking real imagery from the victims’ Office 365 portals.
  • Utilizing Microsoft Services – Services like Azure or Office 365 Forms can be used to host counterfeit login pages, enhancing their authenticity perception.


Vulnerability Scanning

Vulnerability scanning serves as a common reconnaissance tactic for identifying exposed network ports, detecting unpatched or outdated software, and spotting misconfigurations that could threaten security.

Incident Trends

We have observed attackers targeting known vulnerabilities in internet-facing services using established techniques or “exploits”. This tactic increases the likelihood of successful initial attacks while reducing detection chances via traditional intrusion prevention and security monitoring systems.

After gaining a foothold on the periphery of an infrastructure, attackers typically conduct further network scans and repurpose stolen credentials to penetrate deeper into the core network.

For detailed discussions on these scanning techniques, refer to MITRE’s documents on Network Service Scanning and Exploiting Public Facing Applications.
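As an added example (not from the NCSC report), the following Python runs a basic scan detector over a constructed perimeter firewall log: it flags a source that probes many distinct destination ports within a short window and reports which of those probes were allowed through, which is exactly the exposed-service information the reconnaissance described above yields to the attacker. The window and port-count thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed perimeter firewall log (not real data): timestamp src dst dport action
SAMPLE_FW_LOG = """\
2019-02-11T02:10:00Z 203.0.113.50 192.0.2.10 21 DENY
2019-02-11T02:10:01Z 203.0.113.50 192.0.2.10 22 ALLOW
2019-02-11T02:10:02Z 203.0.113.50 192.0.2.10 23 DENY
2019-02-11T02:10:03Z 203.0.113.50 192.0.2.10 25 DENY
2019-02-11T02:10:04Z 203.0.113.50 192.0.2.10 80 ALLOW
2019-02-11T02:10:05Z 203.0.113.50 192.0.2.10 110 DENY
2019-02-11T02:10:06Z 203.0.113.50 192.0.2.10 135 DENY
2019-02-11T02:10:07Z 203.0.113.50 192.0.2.10 139 DENY
2019-02-11T02:10:08Z 203.0.113.50 192.0.2.10 443 ALLOW
2019-02-11T02:10:09Z 203.0.113.50 192.0.2.10 445 DENY
2019-02-11T02:10:10Z 203.0.113.50 192.0.2.10 3389 ALLOW
2019-02-11T02:10:11Z 203.0.113.50 192.0.2.10 8080 DENY
2019-02-11T08:30:00Z 198.51.100.22 192.0.2.10 443 ALLOW
2019-02-11T08:31:00Z 198.51.100.22 192.0.2.10 80 ALLOW
"""

def parse_fw_log(text):
    """Parse the constructed log into time-sorted (time, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, action = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), action))
    return sorted(events)

def detect_port_scans(events, window=timedelta(minutes=5), min_ports=10):
    """Flag sources touching at least min_ports distinct (host, port) pairs within the
    window; report the probe count and the ports the firewall allowed (what the scanner learned)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({(e[2], e[3]) for e in evs[start:end + 1]}) >= min_ports:
                # include every probe in this window, then record which hit an allowed port
                tail = [e for e in evs[start:] if e[0] - evs[start][0] <= window]
                findings[src] = {"ports_probed": len({(e[2], e[3]) for e in tail}),
                                 "open_ports_found": sorted({e[3] for e in tail if e[4] == "ALLOW"})}
                break
    return findings
```

The ordinary web client at 198.51.100.22 touches two ports and is ignored; the scanner at 203.0.113.50 is flagged with the four services it found reachable, which is the list a defender would cross-check against patch status.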


Supply Chain and Trusted Relationships

Cyber threats introduced through service providers remain a significant concern for enterprises.

Outsourcing IT tasks often enables external parties to access and manipulate enterprise services, creating inherited risks from these connected networks.

Outsourced services often involve administrator access and remote connections whose activity footprint resembles that of a genuine attacker, complicating detection for internal Security Operations Center teams.

Incident Trends

In recent months there have been numerous instances of attackers exploiting service provider connections to infiltrate enterprise networks, including:

  • NCSC’s publication on APT10
  • Exploiting Remote Management and Monitoring (RMM) tools for ransomware deployment, as detailed by ZDNet
  • The public disclosure of a “sophisticated intrusion” at a major outsourced IT vendor, as reported by Krebs on Security


Remediation for Supply Chain and Trusted Relationships

Considerations for supply chain security are essential when acquiring products and services. Our Supply Chain guidance offers twelve principles to help organizations establish effective control and oversight of their supply chains.

When choosing outsourced IT providers, ensure that any remote administration interfaces they employ are secure, such as using a well-configured VPN.

Ensure that the provider’s access aligns with your organization’s security standards. Steps should be taken to segment and segregate your networks to reduce risks if another customer, customer data, or the provider itself is compromised.

Segmentation can be physical or logical, using access control lists, virtualized networks, firewalls, and network encryption such as Internet Protocol Security (IPsec). Additional detailed guidance is available from our partners at the Australian Cyber Security Centre.

Document the remote interfaces and internal accesses used by service providers so that they can be fully revoked when the contract ends. If a provider has set up services or software on your network, ensure these can be removed cleanly once the engagement ends, so that security is maintained after their departure.

For cloud service considerations, consult our blog on managing cloud-enabled product risks. Our Cloud Security Guidance assists in identifying whether a service suitably safeguards your data and connected services. Our SaaS security guidance supports the assessment of security for cloud-based applications you seek to utilize.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/report/incident-trends-report