This report offers a comprehensive analysis of prevalent incident trends observed in the UK across various sectors by the NCSC’s Incident Management Team in recent months.
For each incident type detailed, we also provide specific technical guidance on defensive measures and recovery strategies.
The findings outlined in this report span the period from October 2018 to April 2019.
Sources
The incident types discussed are not new, and the guidance provided is accessible on the NCSC website and through other resources.
However, the combination of identified trends and offered guidance, along with distinctive NCSC analysis, delivers targeted and practical advice.
With this information available, you should be able to assess your security posture and, if necessary, implement improvements.
Adversaries
The identified trends do not align with any particular adversary, as they encompass attack methods employed by various cyber adversaries.
All highlighted incident types have led to compromises within the UK, some of which are significant in nature.
Incidents and Their Mitigation
We explore five main trends impacting UK organizations.
1. Office 365
2. Ransomware
3. Phishing
4. Vulnerability Scanning
5. Supply Chain Attacks
Office 365
Cloud services, particularly Office 365, have emerged as primary targets in recent months.
The shift from traditional self-hosted IT services to cloud solutions has placed many organizations at risk of internet-based attacks. In some instances, these services are safeguarded merely by a username and password.
Incident Trends
There has been an increase in the use of tools and scripts aimed at guessing user passwords, becoming almost routine for Office 365 deployments.
These attacks can be executed on a large scale from the internet without needing a presence inside the corporate infrastructure. A successful login will grant access to sensitive data stored across all Office 365 services, including SharePoint and Exchange, as well as linked third-party services.
Password Spraying
The most frequently encountered attack against Office 365 is password spraying, which tries a limited number of commonly used passwords across numerous accounts over extended periods. This approach typically avoids triggering account lockouts, complicating detection by IT security teams.
In most scenarios, attackers are not targeting a specific account, allowing them to aim at several accounts within an organization without raising suspicion.
Credential Stuffing
A smaller-scale tactic observed is credential stuffing, where leaked username and password pairs are tested against other services such as Office 365.
This method is challenging to detect in logs, as attackers may succeed in just one attempt if their stolen credentials match an Office 365 account.
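To illustrate the detection problem the two sections above describe, here is an added example (not part of the NCSC report) that scans constructed sign-in records for the spraying profile: one source touching many accounts with only a few failures per account, staying under the lockout threshold. It also lists successes that were not preceded by any failure for that user from that source, the kind of single-attempt hit credential stuffing produces. The record format, thresholds and IP addresses are assumptions.

```python
# Added example, not code from the NCSC report. Each record is
# (source_ip, user, success) in chronological order; the field set mirrors
# what a sign-in log exports, but the format is an assumption.
from collections import defaultdict

# Constructed sample data (documentation-range IPs, fictitious users).
SIGN_INS = [
    ("203.0.113.5", "alice@example.org", False),
    ("203.0.113.5", "bob@example.org", False),
    ("203.0.113.5", "carol@example.org", False),
    ("203.0.113.5", "dave@example.org", False),
    ("203.0.113.5", "erin@example.org", True),    # spray found one weak password
    ("198.51.100.9", "alice@example.org", False),
    ("198.51.100.9", "alice@example.org", False),
    ("198.51.100.9", "alice@example.org", True),  # one user retrying: not a spray
]

def find_spraying(events, min_users=4, max_per_user=3):
    """Return {ip: (distinct_users_failed, users_that_then_succeeded)} for
    sources whose failures touch at least min_users accounts with at most
    max_per_user attempts each. max_per_user should sit below the tenant's
    lockout threshold, since that is exactly what spraying stays under."""
    failures = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for ip, user, ok in events:
        if ok:
            successes[ip].add(user)
        else:
            failures[ip][user] += 1
    hits = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            hits[ip] = (len(per_user), sorted(successes[ip]))
    return hits

def first_attempt_successes(events):
    """Return (ip, user) pairs where a login succeeded without any earlier
    failure for that user from that source. Stuffed credentials often succeed
    on the first try, so these are worth checking against known user locations;
    on their own they are a review list, not proof of compromise."""
    seen_failure = set()
    hits = []
    for ip, user, ok in events:
        if ok and (ip, user) not in seen_failure:
            hits.append((ip, user))
        elif not ok:
            seen_failure.add((ip, user))
    return hits
```

Run over real exports, tune min_users to the tenant size and max_per_user to the configured lockout policy, and correlate the flagged sources with VPN logs, since the report notes reused Office 365 credentials are also tried against corporate VPNs.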
Attackers’ Goals
The objectives vary across the attacks we observe:
- Accessing data and inboxes: this is often aimed at intellectual property theft or espionage.
- Using one inbox to add credibility to onward attacks: this may target a high-value individual within the same organization or pivot to another organization via trusted contacts.
- Traditional network access: this is achieved by reusing Office 365 credentials against a corporate VPN service.
Ransomware
Following the WannaCry and NotPetya attacks of 2017, the frequency and complexity of ransomware attacks on enterprise networks have risen. Organizations of all sizes and across various sectors are frequently targeted.
Ransomware typically disrupts normal operations by encrypting files and folders through network shares, leading to significant operational disruption and potentially crippling financial impacts, especially for businesses with high automation or technology dependency.
Incident Trends
In the past, ransomware attacks were often standalone events. Nowadays, attackers are employing their network access to amplify the effects of ransomware attacks.
Network access allows attackers to:
- Analyze their victims and assess their ability to pay.
- Identify system backups and critical systems for deletion or encryption to maximize impact.
- Steal potentially sensitive data.
- Ensure comprehensive encryption of the organization’s data.
Defensive strategies against ransomware should prioritize preventing unauthorized network access.
Ransomware Tools
Common cybercrime botnets, including Emotet, Dridex, and Trickbot, serve as initial infection vectors before deploying ransomware. Penetration-testing tools like Cobalt Strike have also been utilized.
Recent ransomware variants such as Ryuk, LockerGoga, Bitpaymer, and Dharma have been notably widespread. Determining the root causes of previous compromises can be challenging, particularly when ransomware obscures analytical sources.
The NCSC has observed that many cases stemmed from trojan documents sent via email, exploiting known vulnerabilities and macros within Microsoft Office documents.
Ransomware Remediation
Ransomware incidents are often preventable by adhering to established cybersecurity best practices. Detailed guidance on prevention and response can be found in our Ransomware guidance.
Your plan should encompass:
- Reducing the risk of initial malware reaching devices.
- Utilizing URL reputation services, including those integrated into web browsers and services provided by Internet providers.
- Implementing email authentication. Using DMARC and DNS filtering products is recommended. The NCSC also offers a Protective DNS service (PDNS) for government, aimed at preventing access to malicious sites.
- Making it harder for ransomware to execute.
- Ensuring reliable backups of your data. It’s crucial that your backups remain offline to prevent modification or deletion by ransomware. Our Securing Bulk Data guidance emphasizes the importance of identifying vital data and backing it up safely.
- Effective network segregation. This can inhibit malware from spreading and limit the impact of ransomware incidents. For more details, see the Cyber Security Design Principles.
Phishing
Phishing continues to be the most common attack delivery method seen in recent years, affecting virtually anyone with an email address.
Incident Trends
Recent tactics observed by the NCSC include:
- Targeting Office 365 credentials: Attackers persuade users to visit deceptive links leading to phishing pages that resemble legitimate login interfaces, with some even prompting for multi-factor authentication.
- Spear phishing from compromised email accounts: Attackers often initiate these attacks by exploiting existing email threads to appear more credible.
- Fake login pages: Dynamically generated and personalized, these pages pull legitimate imagery from the victim’s Office 365 portal.
- Using Microsoft services: Attackers leverage platforms like Azure or Office 365 Forms to host fake login pages, enhancing the appearance of legitimacy.
Vulnerability Scanning
Vulnerability scanning is a prevalent reconnaissance technique employed to uncover open network ports, identify outdated software, and detect misconfigurations that may impact security.
Incident Trends
Attackers have exploited known vulnerabilities in Internet-facing services, using tried-and-true techniques that make the attack reliable and reduce the chance of detection by traditional intrusion prevention systems and host security monitoring.
Once attackers gain a foothold, they often execute additional network scans and reuse stolen credentials to navigate deeper into the core infrastructure.
For further insights into these scanning techniques, see the MITRE documentation on Network Service Scanning and Exploiting Public-Facing Applications.
Supply Chain or Trusted Relationships
Threats introduced to enterprise networks via service providers remain a significant concern.
Outsourcing, particularly in IT, frequently allows external entities access to and even control over enterprise services, inheriting their networking risks.
Outsourced services often possess administrator access and utilize remote connections akin to those employed by attackers, complicating detection of malicious activities by internal security teams.
Incident Trends
There have recently been several instances of attackers leveraging service provider connections to infiltrate enterprise networks:
- NCSC’s publication on APT10
- Exploitation of Remote Management and Monitoring (RMM) tools to deploy ransomware, as highlighted by ZDNet
- Public revelation of a “sophisticated intrusion” at a prominent IT outsourcing vendor, as reported by Krebs on Security
Supply Chain or Trusted Relationships Remediation
Organizations should consider supply chain security when procuring products and services. Our Supply Chain guidance outlines 12 principles aimed at empowering organizations with effective control and oversight over their supply chains.
For businesses employing outsourced IT services, it’s crucial to secure any remote administration interfaces used by those service providers, such as by implementing well-configured VPNs.
Ensure that the connectivity and management method used by your provider aligns with your own security norms. Steps should be taken to segment and segregate networks to contain potential threats if other customers sharing the same service provider (or the provider themselves) face compromises.
Segmentation can be achieved physically or logically via access control lists, virtualization, firewalls, and encryption protocols such as Internet Protocol Security (IPsec). Further detailed guidance is available through our partners at the Australian Cyber Security Centre.
Document all remote interfaces and internal accesses utilized by your service provider to ensure complete revocation at the end of the contract. Ensure that any installed services or software are easily removable, as they may not receive maintenance or patches once the service provider’s engagement ends.
If your supply chain management involves cloud services, consult our blog post on managing cloud-enabled product risks. Our Cloud Security Guidance offers insights on protecting data and connected services, while our SaaS security guidance aids in evaluating the safety of cloud applications you plan to use.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/report/incident-trends-report