Incident trends report (October 2018 – April 2019)

This report outlines the technical aspects of prevalent incident trends seen in the UK within various sectors, as identified by the NCSC’s Incident Management Team in recent months.

For each incident type discussed, we offer comprehensive technical guidance on defensive strategies and recovery methods.

The report covers insights from October 2018 to April 2019.


Sources of Information

The incident types examined are not novel, and there is readily available guidance on the NCSC website as well as from various other sources.

However, the combination of observed trends and the provided guidance, along with unique analyses from the NCSC, offers targeted and actionable recommendations.

With this information, you can evaluate your security posture and implement necessary improvements.


Adversarial Landscape

The identified trends are not limited to a specific adversary type, as various attacks are executed by a range of cyber adversaries.

All noted incident types have resulted in compromises within the UK, with some posing significant threats.


Incidents and Mitigation Strategies

We discuss five principal trends impacting UK organizations.

1. Office 365

2. Ransomware

3. Phishing

4. Vulnerability Scanning

5. Supply Chain Attacks


Office 365 Security Challenges

Recent months have seen cloud services, especially Office 365, become highly targeted.

As traditional isolated IT models shift towards cloud services, many companies find their IT systems vulnerable to internet-based attacks, often protected merely by a username and password.

Incident Trends

Tools and scripts that try to guess users’ passwords are in widespread use, and for Office 365 deployments such attempts are now a daily occurrence.

Attackers can operate at scale over the Internet without establishing a foothold within corporate systems. A successful login can provide access to critical corporate data across Office 365 services.

Password Spraying

Password spraying is the primary attack method targeting Office 365: a small number of commonly used passwords are tried against many accounts over an extended period, which makes the activity hard for IT security teams to detect.

Credential Stuffing

On a smaller scale, we have seen credential stuffing, in which username and password pairs taken from earlier data breaches are tried against Office 365 accounts. This is hard to detect because the attacker may log in successfully at the first attempt.
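The two patterns above leave different traces in sign-in logs. The following is an added example, not code from the NCSC report, that applies the distinguishing checks to a constructed, simplified log (time, user, source IP, result): a spray shows up as one source touching many distinct accounts with few failures each, while credential stuffing shows up as a first-attempt success from an address never seen for that user. The log format and the `known_ips` baseline are assumptions for the example.

```python
# Added example, not from the NCSC report: spots the spray and stuffing patterns
# described above in a constructed sign-in log (time,user,source_ip,result).
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 sprays five accounts; 198.51.100.7 succeeds for alice first try.
SAMPLE_LOG = """\
2019-03-01T08:00:00,alice@example.org,203.0.113.5,failure
2019-03-01T08:03:00,bob@example.org,203.0.113.5,failure
2019-03-01T08:07:00,carol@example.org,203.0.113.5,failure
2019-03-01T08:11:00,dave@example.org,203.0.113.5,failure
2019-03-01T08:15:00,erin@example.org,203.0.113.5,failure
2019-03-01T08:20:00,frank@example.org,203.0.113.5,success
2019-03-01T09:00:00,alice@example.org,198.51.100.7,success
"""

def parse_log(text):
    """Return (timestamp, user, ip, result) tuples in time order."""
    rows = [line.split(",") for line in text.strip().splitlines()]
    return sorted((datetime.fromisoformat(t), u, ip, r) for t, u, ip, r in rows)

def detect_spray(events, min_accounts=5, window_hours=24):
    """Flag source IPs whose failures hit many distinct accounts in one window:
    a spray tries each account once or twice, so only this per-source count trips."""
    per_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            per_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in per_ip.items():
        active, left = Counter(), 0
        for ts, user in fails:  # sliding window over this IP's failures
            active[user] += 1
            while ts - fails[left][0] > timedelta(hours=window_hours):
                active[fails[left][1]] -= 1
                left += 1
            distinct = sum(1 for n in active.values() if n > 0)
            if distinct >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def successes_from_new_ips(events, known_ips):
    """Successes from an IP never seen for that user (known_ips: user -> IPs seen
    before the log period): the one-attempt success credential stuffing yields."""
    seen, alerts = {u: set(v) for u, v in known_ips.items()}, []
    for ts, user, ip, result in events:
        if result == "success" and ip not in seen.setdefault(user, set()):
            alerts.append((user, ip))
            seen[user].add(ip)
    return alerts
```

A spray spread across many source addresses needs the same distinct-account count keyed on another shared attribute (for example the client user agent) rather than the IP.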

Goals of Attackers

The objectives vary with each attack, often including:

  1. Accessing Data and Inboxes

    This typically aims at theft of intellectual property or espionage.

  2. Leveraging One Inbox for Further Attacks

    This could involve targeting a high-value individual within the same organization or moving laterally to another entity through trusted contacts.

  3. Traditional Network Access

    Reusing Office 365 credentials to gain access through corporate VPN services.


Ransomware Threats

Since the WannaCry and NotPetya incidents in 2017, there has been a rise in the number and sophistication of ransomware attacks against enterprises across different sectors.

Ransomware typically restricts organizations from accessing their systems or data by encrypting files, leading to significant operational disruption and severe financial implications, especially for tech-reliant businesses.

Incident Trends

In the past, ransomware appeared as standalone attacks. Now, attackers exploit their network access to enhance the impact of ransomware incidents.

This network access allows attackers to:

  • Assess the victim’s ability to pay
  • Identify system backups and crucial systems to either delete or encrypt for maximum disruption
  • Steal potentially valuable data
  • Encrypt as much of the organization’s data as possible

Defensive measures against ransomware should be implemented to prevent unauthorized access to the network.

Common Ransomware Tools

Cybercrime botnets (e.g., Emotet, Dridex, and Trickbot) are frequently utilized as infection vectors preceding ransomware deployment. Tools like Cobalt Strike have also been observed.

Ransomware variants such as Ryuk, LockerGoga, Bitpaymer, and Dharma are still common, often complicating the identification of the original compromise.

Notably, many ransomware incidents began with trojanized documents sent via email that exploited publicly known vulnerabilities in Microsoft Office applications.


Ransomware Remediation

Preventive measures against ransomware can typically be achieved through established enterprise security practices. Details on prevention and response mechanisms to ransomware incidents can be found in our Ransomware guidance.

Your strategy should encompass:

  1. Minimizing Initial Malware Exposure

  2. Utilizing URL Reputation Services

    Utilizing built-in services from ISPs or browsers is encouraged.

  3. Implementing Email Authentication

    Using DMARC, together with DNS filtering products (and Nominet’s Protective DNS service (PDNS) for government), helps to prevent access to malicious sites.

  4. Complicating Ransomware Execution

  5. Maintaining a Tested Data Backup

    Backup systems must be offline to avoid modification or deletion by ransomware. Our Securing Bulk Data guidance provides insights into backing up critical data reliably.

  6. Effective Network Segregation

    This can limit the spread of malware across a network and mitigate ransomware impact. Refer to our Cyber Security design principles.


Phishing Attacks

Phishing remains the most prevalent attack delivery method observed in recent years, targeting virtually anyone with an email account.

Incident Trends

Recent methods identified by the NCSC include:

  • Office 365 Credential Targeting – Users are tricked into visiting legitimate-looking login pages, designed to capture their O365 credentials. Advanced variants also prompt for Multi-Factor Authentication (MFA).
  • Real, Compromised Email Accounts – Attackers may exploit existing email threads or relationships to enhance authenticity in spear phishing attempts.
  • Dynamically Generated Fake Login Pages – These mimic the aesthetics of the victim’s Office 365 portal.
  • Utilizing Microsoft Services – Microsoft services like Azure or Office 365 Forms host fake login pages, adding a layer of legitimacy via their domain.


Vulnerability Scanning

Vulnerability scanning is a widely used reconnaissance technique aimed at identifying open network ports and discovering unpatched software or misconfigurations that could affect security.

Incident Trends

We have noted attackers targeting publicly known vulnerabilities in internet-facing services using established techniques or exploits, increasing the likelihood of successful breaches.

Once attackers gain access, they often conduct network scans and utilize stolen credentials to navigate deeper into the core network.

For comprehensive details on scanning techniques, refer to MITRE’s documentation on Network Service Scanning and Exploiting Public Facing Applications.


Supply Chain Threats

External threats introduced to enterprise networks via connected service providers remain a significant concern.

Service outsourcing often results in third-party networks having access to and sometimes reconfiguring enterprise services, thus inheriting risks from these connections.

Remote administrative access through outsourced services amplifies the risk: a provider’s legitimate connections look much like the remote-access activity attackers use, so internal security teams find it harder to tell the two apart.

Incident Trends

Recent months have witnessed incidents where attackers leverage connections to service providers for unauthorized enterprise access, including:

  • NCSC report on APT10
  • Using Remote Management and Monitoring tools for ransomware deployment, as detailed by ZDNet
  • The “sophisticated intrusion” at a major IT outsourcing vendor, reported by Krebs on Security


Security Measures for Supply Chain

When procuring products and services, supply chain security must be a central consideration. Our Supply Chain guidance outlines 12 principles to help organizations maintain control and oversight over their supply chains.

Organizations using outsourced IT services should safeguard remote administration interfaces, potentially through a well-configured VPN.

Ensuring that the connection methods utilized by service providers align with your organization’s security standards is crucial. Segregating networks will help contain threats if other customers or the provider themselves experience compromises.

Segregation can be implemented physically or logically through firewalls, network virtualization, and access control lists. For extensive guidance, refer to resources from our partners at the Australian Cyber Security Centre.

Documenting the remote interfaces and internal accesses of service providers is essential to ensure complete revocation at contract termination, particularly if services or software are installed on your network.

If cloud services form part of your supply chain, review our blog on managing cloud risks and our Cloud Security Guidance to evaluate data protection adequately.

Based on an article from NCSC: https://www.ncsc.gov.uk/report/incident-trends-report
