This report outlines the technical aspects of prevalent incident trends noted in the UK across various sectors, as observed by the NCSC’s Incident Management Team in the recent months.
For each identified incident type, comprehensive technical recommendations are provided for defense and recovery strategies.
The report investigates incidents occurring between October 2018 and April 2019.
Sources of Information
The incident types discussed are not novel, and guidance related to them can be found on the NCSC website and various other resources.
The unique combination of trends and expert analyses provided by NCSC offers practical and actionable advice.
Equipped with this information, organizations can evaluate their security measures and make necessary enhancements.
Identifying Adversaries
The trends highlighted are not specific to any singular adversary, as the attack methods have been widely utilized by a variety of cyber adversaries.
Each listed incident type has prompted compromises within the UK, some of which are noteworthy.
Incident Types and Mitigation Strategies
This report addresses five major trends impacting UK organizations:
1. Office 365
2. Ransomware
3. Phishing
4. Vulnerability scanning
5. Supply chain attacks
Office 365
In recent months, cloud services, particularly Office 365, have emerged as the primary target for attackers.
Unlike traditional on-premises IT services, which are typically isolated from the internet, the shift towards cloud services has exposed many enterprise IT systems directly to online attacks, often protected by nothing more than a username and password.
Incident Trends
Recent reports indicate a significant increase in the use of tools and scripts aiming to brute-force user passwords, which has become a routine challenge for Office 365 deployments.
Attacks can be executed en masse across the internet without necessitating direct access to the corporate infrastructure. A successful login grants access to all Office 365 services, potentially compromising data in SharePoint, Exchange, and any related third-party services linked to Azure AD.
Password Spraying
One prevalent attack method is password spraying, which involves trying a limited set of commonly used passwords across many accounts over an extended period. Because each account receives only a few attempts, this strategy usually stays below account lockout thresholds, making it more difficult for IT security teams to detect suspicious activity.
Most attackers spread their attempts across multiple accounts precisely so that no single account accumulates enough failures to draw attention.
Credential Stuffing
Less frequently, credential stuffing attacks are observed. This method involves replaying pairs of usernames and passwords from leaked databases against various services, including Office 365.
Such attacks often go unnoticed, as attackers may require only one successful attempt if the stolen credentials align with a user’s Office 365 account.
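Both patterns leave a recognisable shape in sign-in logs: a password spray shows one source failing against many distinct accounts with only a few attempts each, while credential stuffing shows one source trying each account exactly once with an unusually high success rate. The following detection logic is an added example written for this page, not code from the NCSC report; the log format, IP addresses and account names are constructed, and real Azure AD or Office 365 sign-in logs carry the same four fields (time, user, source IP, result) in a different schema that you would map onto parse_log().

```python
"""Classify sign-in sources as password spraying or credential stuffing.

Added example, not code from the NCSC report. The log format, addresses
and users below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: "<ISO timestamp> <user> <source ip> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2019-03-04T09:12:01Z alice@example.com 203.0.113.5 FAILURE
2019-03-04T09:12:04Z bob@example.com 203.0.113.5 FAILURE
2019-03-04T09:12:07Z carol@example.com 203.0.113.5 FAILURE
2019-03-04T09:12:10Z dave@example.com 203.0.113.5 FAILURE
2019-03-04T09:12:13Z erin@example.com 203.0.113.5 FAILURE
2019-03-04T09:12:16Z frank@example.com 203.0.113.5 FAILURE
2019-03-04T10:40:02Z alice@example.com 203.0.113.5 FAILURE
2019-03-04T11:02:30Z gina@example.com 198.51.100.7 SUCCESS
2019-03-04T11:02:31Z hank@example.com 198.51.100.7 FAILURE
2019-03-04T11:02:33Z ivan@example.com 198.51.100.7 FAILURE
2019-03-04T11:02:34Z judy@example.com 198.51.100.7 SUCCESS
2019-03-04T11:02:36Z kate@example.com 198.51.100.7 FAILURE
2019-03-04T08:55:10Z alice@example.com 192.0.2.10 FAILURE
2019-03-04T08:55:25Z alice@example.com 192.0.2.10 SUCCESS
"""


def parse_log(text):
    """Turn the constructed log lines into event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "ip": ip,
            "success": result == "SUCCESS",
        })
    return events


def classify_source(events, min_users=5, max_attempts=3, min_failure_ratio=0.8):
    """Classify all sign-in events from ONE source IP.

    Returns "credential_stuffing", "password_spray" or None. Thresholds are
    starting points; tune them against your own baseline.
    """
    attempts = Counter(e["user"] for e in events)
    if len(attempts) < min_users:
        return None  # too few accounts touched to look like either pattern
    successes = sum(1 for e in events if e["success"])
    failures = len(events) - successes
    if max(attempts.values()) == 1 and successes >= 1:
        # exactly one try per account and some of them land: replayed leaked pairs
        return "credential_stuffing"
    if max(attempts.values()) <= max_attempts and failures / len(events) >= min_failure_ratio:
        # a few tries per account, almost all failing: a short password list sprayed widely
        return "password_spray"
    return None


def analyze(text, **thresholds):
    """Group events by source IP and report every source that matches a pattern."""
    by_ip = defaultdict(list)
    for e in parse_log(text):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        verdict = classify_source(evs, **thresholds)
        if verdict:
            findings[ip] = {
                "verdict": verdict,
                "accounts": sorted({e["user"] for e in evs}),
                # accounts that actually authenticated: reset these first
                "compromised": sorted({e["user"] for e in evs if e["success"]}),
                "first_seen": min(e["ts"] for e in evs).isoformat(),
            }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f["verdict"], "accounts=%d" % len(f["accounts"]),
              "compromised=%s" % f["compromised"])
```

In production you would bucket events into time windows rather than grouping a whole day per IP, and feed the "compromised" list straight into a forced password reset and session revocation; the "accounts" list is what tells you whether the spray also reached accounts without MFA.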
Goals of Attackers
The attackers have varying motivations, typically aiming to:
- Access sensitive data and inboxes: often pursued for intellectual property theft or espionage.
- Leverage compromised inboxes for further attacks: targeting a high-value individual within the same organization, or pivoting to another individual through the victim's trusted contacts.
- Gain access to traditional network services: achieved by reusing Office 365 credentials on corporate VPN services.
Ransomware
Since the notorious WannaCry and NotPetya attacks in 2017, the frequency and sophistication of ransomware attacks targeting enterprise networks have surged, affecting organizations across all sectors.
Ransomware restricts user access to computers and data by encrypting files, leading to severe operational disruptions and potentially catastrophic financial implications, especially for technology-dependent businesses.
Incident Trends
Historically, ransomware was deployed as a standalone attack; modern attackers, however, use the network access they have already gained to amplify the impact of a ransomware incident.
When granted network access, attackers can:
- Assess the victim’s situation and payment capacity.
- Locate system backups and critical infrastructures to delete or encrypt for maximum impact.
- Identify and steal valuable data.
- Ensure the encryption of extensive organizational data.
Effective ransomware defenses should encompass security measures that block unauthorized access to networks.
Ransomware Tools
Cybercrime botnets such as Emotet, Dridex, and Trickbot are frequently employed as initial infection vectors prior to deploying ransomware. Additionally, some attackers use penetration testing tools like Cobalt Strike.
Numerous ransomware variants, including Ryuk, LockerGoga, BitPaymer, and Dharma, have been highly active recently. Tracing the root cause of compromise is often difficult, especially when the encryption itself destroys the evidence that analysis would rely on.
Many incidents tracked by NCSC stem from trojanized documents sent via email, exploiting known vulnerabilities and macros in Microsoft Office files.
Remediation Strategies for Ransomware
Effective ransomware prevention aligns with established enterprise security protocols. For guidance on prevention and response in case of infection, refer to our Ransomware guidance.
Your strategies should encompass:
- Minimizing the chances of initial malware exposure:
  - Implementing URL reputation services, including those integrated into web browsers and offered by internet service providers.
  - Employing email authentication mechanisms. Utilizing DMARC and DNS filtering is advised, along with Nominet's Protective DNS service (PDNS) for government, which aids in blocking access to malicious sites hosting malware.
- Restricting ransomware execution capabilities.
- Maintaining a tested data backup. Ensure that backups are offline to prevent modification or deletion by ransomware. Our Securing Bulk Data guidance highlights the significance of recognizing and reliably backing up critical data.
- Implementing effective network segmentation. This approach can impede malware propagation across networks, curtailing ransom impact. More details can be found in the Cyber security design principles, particularly in section 5.1. The Preventing lateral movement guidance is also beneficial.
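The email authentication item above is only as strong as the DMARC policy actually published: a record with p=none, a partial pct=, or no reporting address still lets spoofed mail through. The checker below is an added example, not code from the NCSC report; the two records it evaluates are constructed. To assess a real domain you would fetch the TXT record at _dmarc.<domain> (for instance with the dnspython library) and pass the string to assess_dmarc().

```python
"""Parse a DMARC TXT record and list the ways it falls short of enforcement.

Added example, not from the NCSC report. The records in the test below
are constructed; fetch the real one from _dmarc.<domain> to check a live domain.
"""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)  # split once: rua=mailto:a@b contains '='
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses; an empty list means the record enforces."""
    issues = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        # receivers ignore a record without the version tag entirely
        return ["record does not start with v=DMARC1; receivers will ignore it"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append("pct=%s applies the policy to only part of the mail flow" % pct)
    # sp= defaults to p=; an explicit sp=none silently exempts subdomains
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        issues.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected")
    return issues


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=none; pct=50"):
        print(rec, "->", assess_dmarc(rec) or ["enforcing"])
```

Run it over every domain your organization sends mail from, including parked ones, because those are the domains an attacker can spoof without any of your own mail flow getting in the way.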
Phishing Attacks
Phishing remains the most widespread attack method observed in recent years, and it has been especially prevalent of late. Nearly everyone with an email address is susceptible.
Incident Trends
Recently, the NCSC has spotted several specific tactics:
- Targeting Office 365 credentials: This tactic lures users into entering their credentials on legitimate-looking login pages. Advanced versions also prompt users to complete MFA.
- Utilizing compromised email accounts: Attackers often reply within existing email threads to lend authenticity to spear-phishing attempts.
- Creating fake login pages: These pages are dynamically generated, personalized, and pull genuine imagery from the victim's Office 365 portal.
- Using Microsoft services: Some phishing attempts host fake login pages on Azure or Office 365 Forms, so that the address bar itself looks trustworthy.
Vulnerability Scanning
Vulnerability scanning is a prevalent reconnaissance technique aimed at identifying open network ports, outdated or vulnerable software, and misconfigurations, all of which could jeopardize security.
Incident Trends
Attackers typically identify known vulnerabilities in publicly accessible services, then exploit those weaknesses with proven techniques, which raises their likelihood of success and lowers the risk of detection by traditional IPS and monitoring systems.
After gaining initial access, attackers often perform further network scans and leverage stolen credentials to penetrate deeper into core networks.
Additional details on these scanning methods can be accessed through MITRE’s documentation on Network service scanning and Exploiting public-facing applications.
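Scanning is noisy in exactly one place: the firewall and flow logs of the services being probed. A single source touching many ports on one host (a port scan) or one port across many hosts (a sweep for a particular service) stands out from ordinary client traffic, and the same logic applied to internal flow logs covers the post-compromise scanning described above. The detector below is an added example written for this page, not NCSC code; the log format is a constructed simplification and the sample lines are generated inline, so you would map your own firewall's fields onto parse_fw_log().

```python
"""Detect port scans and host sweeps in firewall connection logs.

Added example, not from the NCSC report. The log format and addresses
are constructed; adapt parse_fw_log() to your firewall's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed log: '<ISO time> <src> <dst> <dport> <ALLOW|DENY>' per line."""
    lines = []
    # 203.0.113.20 probes eleven ports on one host within a few seconds (port scan)
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]):
        lines.append("2019-02-11T02:00:%02dZ 203.0.113.20 198.51.100.10 %d DENY" % (i, port))
    # 203.0.113.30 tries RDP against twelve hosts (host sweep)
    for i in range(1, 13):
        lines.append("2019-02-11T02:05:%02dZ 203.0.113.30 198.51.100.%d 3389 DENY" % (i, i))
    # 192.0.2.50 is an ordinary client talking to the web server
    lines.append("2019-02-11T02:07:00Z 192.0.2.50 198.51.100.10 443 ALLOW")
    lines.append("2019-02-11T02:07:30Z 192.0.2.50 198.51.100.10 443 ALLOW")
    return "\n".join(lines)


SAMPLE_FW_LOG = _build_sample_log()


def parse_fw_log(text):
    """Parse the constructed format into event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "dst": dst, "dport": int(dport), "action": action})
    return events


def detect_scans(events, window=timedelta(minutes=5), port_threshold=10, host_threshold=10):
    """Return one finding per (source, kind) whose count crosses a threshold
    inside any sliding window of `window` length."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    findings, seen = [], set()
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            ports_by_dst, dsts_by_port = defaultdict(set), defaultdict(set)
            for e in evs[start:end + 1]:
                ports_by_dst[e["dst"]].add(e["dport"])
                dsts_by_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold and (src, "port_scan") not in seen:
                    seen.add((src, "port_scan"))
                    findings.append({"src": src, "kind": "port_scan", "target": dst,
                                     "count": len(ports), "at": evs[end]["ts"].isoformat()})
            for port, dsts in dsts_by_port.items():
                if len(dsts) >= host_threshold and (src, "host_sweep") not in seen:
                    seen.add((src, "host_sweep"))
                    findings.append({"src": src, "kind": "host_sweep", "target": "port %d" % port,
                                     "count": len(dsts), "at": evs[end]["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in detect_scans(parse_fw_log(SAMPLE_FW_LOG)):
        print("%(src)s %(kind)s against %(target)s (%(count)d) at %(at)s" % f)
```

Denied connections are the richest signal on the perimeter; on internal segments, where most probes are allowed, the same thresholds on allowed flows from a workstation are what reveal the lateral scanning that follows an initial foothold.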
Supply Chain Vulnerabilities
Threats arising from service providers’ connections continue to pose significant challenges to enterprise networks.
Outsourcing IT functions often grants external entities access to enterprise services, thereby inheriting risks associated with those connected networks.
Third-party service providers typically hold administrative access and use tools that closely resemble those used by attackers, which makes their activity harder for internal security operations teams to distinguish from an intrusion.
Incident Trends
On several recent occasions, attackers have capitalized on service provider connections to infiltrate enterprise networks:
- NCSC’s publication on APT10
- Using Remote Management and Monitoring (RMM) tools to deploy ransomware, as noted by ZDNet
- A “sophisticated intrusion” into a major outsourced IT vendor, outlined in a Krebs on Security article.
Mitigating Supply Chain Risks
Organizations should prioritize supply chain security while procuring products and services. Our Supply Chain guidance presents a set of 12 principles for fostering effective control over and oversight of supply chains.
Organizations engaging outsourced IT providers must ensure that any remote administration tools used by the service providers are securely configured, typically by routing them through a well-configured VPN.
It’s critical to guarantee that service provider access aligns with your organization’s security standards. Implementing network segmentation and segregation helps contain threats posed by other clients of the same provider, should they face breaches.
Segmentation can be achieved through physical or logical means, leveraging access control lists, virtualization, firewalls, and encryption such as Internet Protocol Security (IPsec). Our partners at the Australian Cyber Security Centre have provided detailed guidance.
It’s important to document remote access interfaces and internal access methods employed by service providers to ensure complete revocation post-contract. If services or software were installed on your network, ensure they can be securely removed once the provider’s engagement ends.
When utilizing cloud services within your supply chain, review our blog post on managing cloud-enabled product risks. The Cloud Security Guidance assists in determining the adequacy of data protection offered by such services. Similarly, our SaaS security guidance offers insights into evaluating the security of intended cloud-based applications.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/report/incident-trends-report