This document summarises the incident trends that the NCSC's Incident Management team has observed across UK sectors in the past few months.
For each incident type it gives technical recommendations on how to defend against the threat and how to recover from it effectively.
The analysis covers the period from October 2018 to April 2019.
Sources
None of the incident types examined in this report is new, and guidance on each is already available on the NCSC website and from other sources.
What this report adds is the combination of observed trends and recommended practice, supplemented by the NCSC's own analysis, which yields specific and actionable advice.
With this information you should be able to assess your security posture and implement the necessary improvements.
Adversaries
The identified trends are not tied to specific adversaries; rather, a spectrum of cyber adversaries employs these types of attacks.
All mentioned incident types have led to notable compromises within the UK, some of which have been of significant concern.
Incidents and Their Mitigation
In our examination, we focus on five key trends impacting UK organizations:
1. Office 365
2. Ransomware
3. Phishing
4. Vulnerability Scanning
5. Supply Chain Attacks
Office 365
Cloud services, and Office 365 in particular, have been a prime target in recent months.
Traditional on-premises IT was usually reachable only from inside the corporate network. The broad move to cloud services has placed many organisations' core IT directly on the internet, and in some cases those services are protected by nothing more than a username and password.
Incident Trends
There has been a notable rise in the use of tools and scripts that attempt to guess user passwords, with password attacks becoming a regular occurrence for Office 365 implementations.
Attacks can be launched at scale across the internet without any foothold in the corporate network. A successful login grants access to everything the compromised account can reach across Office 365; for instance, both SharePoint and Exchange data can be taken, along with any third-party services federated with Azure AD.
Password Spraying
Password spraying is the predominant attack affecting Office 365, attempting a limited number of commonly used passwords against multiple accounts for extended periods. This method usually avoids triggering account lockouts, making it harder for IT security teams to detect.
Attackers typically aim for multiple accounts rather than a specific target, thereby reducing the chances of drawing attention through security alerts.
Credential Stuffing
On a lesser scale, we also note occurrences of credential stuffing, wherein leaked username-password pairs are tested against services like Office 365.
Detection is harder still: if a leaked pair matches a user's Office 365 password, the attacker logs in on the first attempt and generates no failed sign-ins to alert on.
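The following Python detector is an added example, not code from the NCSC report. It shows the shape a password spray leaves in sign-in logs (one source address trying many accounts with only one or two attempts each, staying under lockout thresholds) and reports any account the spraying source eventually got into. The log format, addresses and usernames are constructed for the example; a real Azure AD sign-in export carries more fields, but the same user, source and result triple.

```python
"""Flag password-spray activity in sign-in logs: one source, many accounts,
few attempts per account. Constructed example, not NCSC code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample: one spraying source (203.0.113.7) working through six
# accounts at one attempt each and eventually succeeding against frank, plus
# one ordinary user (bob) mistyping his own password from 198.51.100.9.
SAMPLE_LOG = """\
2019-02-11T08:00:01Z alice@example.com 203.0.113.7 FAILURE
2019-02-11T08:07:14Z bob@example.com 203.0.113.7 FAILURE
2019-02-11T08:15:40Z carol@example.com 203.0.113.7 FAILURE
2019-02-11T08:22:03Z dave@example.com 203.0.113.7 FAILURE
2019-02-11T08:31:55Z erin@example.com 203.0.113.7 FAILURE
2019-02-11T08:40:12Z frank@example.com 203.0.113.7 SUCCESS
2019-02-11T09:05:00Z alice@example.com 203.0.113.7 FAILURE
2019-02-11T08:02:10Z bob@example.com 198.51.100.9 FAILURE
2019-02-11T08:02:30Z bob@example.com 198.51.100.9 FAILURE
2019-02-11T08:03:01Z bob@example.com 198.51.100.9 FAILURE
2019-02-11T08:03:20Z bob@example.com 198.51.100.9 FAILURE
2019-02-11T08:04:00Z bob@example.com 198.51.100.9 SUCCESS
"""


class SignIn(NamedTuple):
    ts: datetime
    user: str
    ip: str
    success: bool


def parse_events(text: str) -> List[SignIn]:
    """Parse 'timestamp user source_ip RESULT' lines, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             user.lower(), ip, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_spray(events: List[SignIn], window: timedelta = timedelta(hours=1),
                 min_users: int = 5, max_per_user: int = 3) -> Dict[str, dict]:
    """Return {source_ip: {"users": set, "successes": set}} for every source
    that, within some trailing window, touched at least min_users accounts
    while making no more than max_per_user attempts against any one of them.
    A single user failing repeatedly (the lockout-style signal) does not match."""
    by_ip: Dict[str, List[SignIn]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it holds only events within `window` of evs[end].
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            per_user = Counter(e.user for e in span)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                f = findings.setdefault(ip, {"users": set(), "successes": set()})
                f["users"].update(per_user)
                # A success from a spraying source is the account to reset first.
                f["successes"].update(e.user for e in span if e.success)
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: sprayed {len(f['users'])} accounts, "
              f"compromised: {sorted(f['successes']) or 'none'}")
```

The thresholds are assumptions to tune against your own sign-in volume. Real sprays are often distributed across many source addresses, so grouping by ASN or by user agent as well as by IP catches more; and because the detector counts successes, it also surfaces a credential-stuffing run that succeeded against one of many accounts tried once each, although a low-volume stuffing attempt that logs in first time leaves nothing here to find.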
Attackers’ Goals
The objectives vary across the different scenarios faced.
Common aims include:
- Accessing Data and Inboxes: often for intellectual property theft or espionage.
- Using One Inbox to Add Credibility to Further Attacks: targeting key individuals within the organization, or pivoting to others through established relationships.
- Traditional Network Access: by reusing Office 365 credentials against corporate VPN services.
Ransomware
Since the WannaCry and NotPetya attacks in 2017, there has been an increase in the number and sophistication of ransomware attacks targeting enterprise networks across all sectors including industry, academia, and government.
Ransomware restricts access to computers or data, primarily by encrypting files and folders, leading to substantial operational disruptions and potentially severe financial implications — particularly for businesses reliant on automation or technology.
Incident Trends
While ransomware has traditionally been delivered as a standalone threat, modern attackers leverage network access to amplify their impact.
Through network access, attackers are able to:
- Understand their victim’s profile and payment capacity.
- Identify and compromise critical backups or systems for maximum impact.
- Steal potentially valuable data.
- Ensure comprehensive encryption of the organization’s data.
To defend against ransomware, security measures must focus on preventing unauthorized network access.
Ransomware Tools
Cybercrime botnets like Emotet, Dridex, and Trickbot are frequently used as initial infection vectors before delivering ransomware. Tools like Cobalt Strike have also been observed.
Recent ransomware variants such as Ryuk, LockerGoga, Bitpaymer, and Dharma have become widespread. Root-cause analysis is often hampered because the ransomware encrypts the logs and other evidence that would support it.
Notably, many incidents reported to the NCSC began with a trojanised Microsoft Office document sent by email, exploiting a known Office vulnerability or carrying a malicious macro.
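As an added example of the kind of mail-gateway check this trend calls for (not code from the NCSC report), the following Python classifies an Office attachment by its contents rather than its extension: zip-based Office files (.docx, .docm, .xlsm and so on) carry macros in a vbaProject.bin part, while legacy binary .doc/.xls/.ppt files are OLE2 compound documents that need a dedicated parser before they can be cleared. The sample documents are built inline and are constructed for the example.

```python
"""Classify an emailed Office attachment by what it actually contains rather
than by its extension. Constructed example, not NCSC code."""
import io
import zipfile

# Legacy binary Office files (.doc/.xls/.ppt) are OLE2 compound documents.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaproject"


def classify_attachment(data: bytes) -> str:
    """Return one of:
       'ole-legacy'  - binary .doc/.xls/.ppt; may carry macros, so hand it to
                       a dedicated parser (e.g. oletools' olevba) before delivery
       'ooxml-macro' - zip-based Office file carrying a VBA project
       'ooxml-clean' - zip-based Office file with no VBA project part
       'zip-other'   - a zip archive that is not an Office document
       'other'       - anything else
    The check is on content, so a .docm renamed to .docx is still flagged."""
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            lower = {n.lower(): n for n in names}
            if "[content_types].xml" not in lower:
                return "zip-other"
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # Belt and braces: a VBA part may be declared even if oddly named.
            types_xml = zf.read(lower["[content_types].xml"]).lower()
            if VBA_CONTENT_TYPE in types_xml:
                return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "other"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; real files have more parts."""
    vba_override = ('<Override PartName="/word/vbaProject.bin" '
                    'ContentType="application/vnd.ms-office.vbaProject"/>'
                    if with_macro else "")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'{vba_override}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("macro", build_sample_docx(True)),
                        ("clean", build_sample_docx(False)),
                        ("legacy", OLE_MAGIC + b"\x00" * 504)]:
        print(label, "->", classify_attachment(blob))
```

This is triage, not analysis: a gateway can quarantine 'ooxml-macro' and 'ole-legacy' results for inspection, but the classifier says nothing about whether a macro is malicious, and it does not replace the Office policy setting that blocks macros in files arriving from the internet.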
Ransomware Remediation
Preventing ransomware mostly comes down to established good security practice. Our Ransomware guidance sets out both preventative measures and response strategies.
Your strategy should encompass:
- Minimizing the Risk of Initial Malware Infection
  - Utilizing URL Reputation Services: including those embedded in your web browser and those provided by your internet service provider.
  - Implementing Email Authentication and DNS Filtering: DMARC is strongly encouraged, as are DNS filtering products. In partnership with Nominet, the NCSC provides a Protective DNS service (PDNS) for government that blocks access to malicious sites hosting malware.
- Making Ransomware Deployment More Challenging
  - Ensuring a Tested Backup of Your Data: the backup must be offline so that ransomware cannot modify or delete it. Our Securing Bulk Data guidance discusses identifying and reliably backing up your critical data.
  - Effectively Segmenting Your Network: this limits how far malware can spread across the network and so reduces the impact of a ransomware attack.
Phishing
Phishing remains the most common way of initiating an attack, and the NCSC has seen it used heavily in recent months.
Incident Trends
Notable methods identified by the NCSC include:
- Targeting Office 365 Credentials: attackers redirect users to lookalike login pages that request O365 credentials and, in some cases, the MFA code as well.
- Compromised Real Email Accounts: replying within legitimate, existing email threads adds authenticity to spear-phishing attempts.
- Dynamic Fake Login Pages: personalising the fake with the actual branding and imagery of the victim's Office 365 portal makes it harder to distinguish from the real one.
- Using Microsoft Services: fake login pages hosted on Microsoft services such as Azure or Office 365 Forms gain credibility from their legitimate-looking URLs.
Vulnerability Scanning
Vulnerability scanning serves as a frequent reconnaissance tactic, identifying open network ports, detecting unpatched or outdated software, and uncovering misconfigurations that compromise security.
Incident Trends
Attackers locate known vulnerabilities in internet-facing services and exploit them using established, often public, exploits. This increases the chance of success and reduces the chance of detection by traditional intrusion prevention systems and host-based security monitoring.
Once inside your infrastructure, attackers typically scan again from the inside and use stolen credentials to move deeper into the network.
Both techniques are documented in MITRE ATT&CK as Network Service Scanning (T1046) and Exploit Public-Facing Application (T1190).
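The following Python is an added example (not from the NCSC report) of picking scanning reconnaissance out of firewall or flow logs, whether it comes from the internet or, after a foothold, from inside the network. It separates a port scan (one source, one destination, many ports) from a network sweep (one source, one port, many destinations). The log format, addresses and thresholds are constructed for the example.

```python
"""Spot scanning reconnaissance in firewall/flow logs: a port scan (one source,
one destination, many ports) and a network sweep (one source, one port, many
destinations). Constructed example, not NCSC code."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: 10.20.5.14 probes twelve ports on 10.20.8.3, then sweeps
# port 445 across 10.20.8.10-15; the last three lines are ordinary traffic.
SAMPLE_LOG = """\
2019-03-04T02:10:01Z 10.20.5.14 10.20.8.3 21 DENY
2019-03-04T02:10:01Z 10.20.5.14 10.20.8.3 22 DENY
2019-03-04T02:10:02Z 10.20.5.14 10.20.8.3 23 DENY
2019-03-04T02:10:02Z 10.20.5.14 10.20.8.3 25 DENY
2019-03-04T02:10:03Z 10.20.5.14 10.20.8.3 80 ALLOW
2019-03-04T02:10:03Z 10.20.5.14 10.20.8.3 110 DENY
2019-03-04T02:10:04Z 10.20.5.14 10.20.8.3 135 DENY
2019-03-04T02:10:04Z 10.20.5.14 10.20.8.3 139 DENY
2019-03-04T02:10:05Z 10.20.5.14 10.20.8.3 443 ALLOW
2019-03-04T02:10:05Z 10.20.5.14 10.20.8.3 445 DENY
2019-03-04T02:10:06Z 10.20.5.14 10.20.8.3 3389 DENY
2019-03-04T02:10:06Z 10.20.5.14 10.20.8.3 8080 DENY
2019-03-04T02:12:30Z 10.20.5.14 10.20.8.10 445 DENY
2019-03-04T02:12:30Z 10.20.5.14 10.20.8.11 445 DENY
2019-03-04T02:12:31Z 10.20.5.14 10.20.8.12 445 ALLOW
2019-03-04T02:12:31Z 10.20.5.14 10.20.8.13 445 DENY
2019-03-04T02:12:32Z 10.20.5.14 10.20.8.14 445 DENY
2019-03-04T02:12:32Z 10.20.5.14 10.20.8.15 445 DENY
2019-03-04T02:11:10Z 10.20.7.2 10.20.8.3 443 ALLOW
2019-03-04T02:11:45Z 10.20.7.5 10.20.8.3 443 ALLOW
2019-03-04T02:13:02Z 10.20.7.2 10.20.8.4 22 ALLOW
"""


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    port: int
    allowed: bool


def parse_flows(text: str) -> List[Flow]:
    """Parse 'timestamp src dst port ACTION' lines."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, action = line.split()
        flows.append(Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                          src, dst, int(port), action == "ALLOW"))
    return flows


def bucket(ts: datetime, minutes: int) -> datetime:
    """Floor a timestamp to a fixed-size bucket so a burst is counted together."""
    return ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % minutes)


def detect_scans(flows: List[Flow], bucket_minutes: int = 5,
                 port_threshold: int = 10, host_threshold: int = 5
                 ) -> Tuple[Dict[Tuple[str, str], int], Dict[Tuple[str, int], int]]:
    """Return (port_scans, sweeps):
       port_scans[(src, dst)] = distinct ports probed on dst in one bucket
       sweeps[(src, port)]    = distinct hosts probed on port in one bucket
    Denied and allowed flows both count: the open ports are exactly what the
    scanner learns, so a scan is not harmless because most probes were dropped."""
    ports: Dict[tuple, set] = defaultdict(set)
    hosts: Dict[tuple, set] = defaultdict(set)
    for f in flows:
        b = bucket(f.ts, bucket_minutes)
        ports[(b, f.src, f.dst)].add(f.port)
        hosts[(b, f.src, f.port)].add(f.dst)
    port_scans: Dict[Tuple[str, str], int] = {}
    for (_, src, dst), ps in ports.items():
        if len(ps) >= port_threshold:
            port_scans[(src, dst)] = max(len(ps), port_scans.get((src, dst), 0))
    sweeps: Dict[Tuple[str, int], int] = {}
    for (_, src, port), hs in hosts.items():
        if len(hs) >= host_threshold:
            sweeps[(src, port)] = max(len(hs), sweeps.get((src, port), 0))
    return port_scans, sweeps


if __name__ == "__main__":
    scans, sweeps = detect_scans(parse_flows(SAMPLE_LOG))
    for (src, dst), n in scans.items():
        print(f"port scan: {src} -> {dst}, {n} ports")
    for (src, port), n in sweeps.items():
        print(f"sweep: {src} -> port {port} on {n} hosts")
```

Internet-facing scans are constant background noise, so the value of this rule is highest on internal segments, where a host suddenly enumerating ports or hosts it has never spoken to is a strong sign of post-compromise discovery; authorised vulnerability scanners should be allow-listed by source address so they do not drown the alert.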
Supply Chain or Trusted Relationships
Threats to enterprise networks introduced through their service providers persist as a significant concern.
Outsourcing, especially in IT, often leads to external parties being able to access and reconfigure internal enterprise services, thereby inheriting risks from connected networks.
Providers frequently hold administrative access and connect remotely in ways that look much like an attacker's activity, which makes legitimate and malicious use hard to tell apart and complicates network defence.
Incident Trends
Recent episodes highlight how attackers have exploited service provider connections to breach enterprise networks, including:
- NCSC’s report on APT10
- Exploiting RMM tools to deploy ransomware, as reported by ZDNet
- Disclosures regarding sophisticated intrusions at major outsourced IT vendors, highlighted by Krebs on Security
Supply Chain or Trusted Relationships Remediation
Security measures for the supply chain should be integral when acquiring products or services. Our Supply Chain guidance shares a set of 12 principles aimed at enabling organizations to effectively manage and oversee their supply chains.
If you use an outsourced IT provider, it is critical to secure the remote administration interfaces they use, for example by requiring access through a well-configured VPN.
Ensure that the manner in which your provider connects to and administers your systems aligns with your organization’s security protocols. Establishing network segmentation and segregation helps to mitigate risks — if another client sharing the same service provider encounters a breach, this containment can protect your operations.
Segmentation may be achieved physically or logically through access control lists, network and computer virtualization, firewalls, and encryption techniques. Further guidance is available from our colleagues at the Australian Cyber Security Centre.
Document remote interfaces and internal accesses operated by your provider to ensure their revocation post-contract. If services or software have been installed on your network, ensure these can be removed safely post-contract, as maintenance and security updates may not continue after your relationship ends.
If your supply chain incorporates cloud services, consult our blog on cloud-enabled products. Our Cloud Security Guidance can help you assess whether a service adequately safeguards your data and services. Our SaaS security guidance will assist in evaluating the security of desired cloud applications.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/report/incident-trends-report