- cloud services (Office 365 in particular)
- vulnerability scanning
- supply chain attacks.
Cloud Services and Office 365 are Primary TargetsThe NCSC report highlights cloud services and Office 365 as the primary targets of the attackers. While traditional models of on-premise IT services were frequently isolated from the internet, the widescale move to cloud services has put the IT of many enterprises within reach of internet-based attacks. Worryingly enough, in some cases these services are only protected by a username and password. There has been a significant use of tools and scripts to try and guess users’ passwords. This has almost become the daily norm for Office 365 deployments. Attacks can now be mounted at scale across the internet without ever having a foothold within the corporate infrastructure. A successful login will give access to corporate data stored in all Office 365 services. The most common attack affecting Office 365 is password spraying, which attempts a small number of commonly used passwords against multiple accounts over a long period of time. In most cases, they aren’t after just one specific account as this method can target many accounts in one organization without raising any suspicions. On a smaller scale, NCSC has identified credential stuffing. This takes pairs of usernames and passwords from leaked data sets and tries them against other services. This is difficult to detect in logs as an attacker may only need a single attempt to successfully log in if the stolen details match those of the user's account. The report further suggests a few remediation strategies to prevent compromising Office 365 accounts, such as to update password policies to include multi-factor authentication, blocking or disabling legacy authentication protocols and establishing event logging and change monitoring to give insight into any attempted or successful breaches.
Ransomware Attacks on The RiseSince the WannaCry and NotPetya attacks of 2017, ransomware attacks against enterprise networks have continued to rise in number and sophistication. The NCSC report mentions that historically, ransomware was delivered as a standalone attack. But today, attackers are using their network access to maximize the impact of the ransomware attack. Cybercrime botnets such as Emotet, Dridex and Trickbot are commonly used as an initial infection vector, prior to retrieving and installing their ransomware payload. In fact, the eSentire Threat Intelligence report highlights that the global growth in botnet activity drove a 140% year-over-year increase in the number of cybersecurity incidents experienced by U.K. businesses. Ransomware such as Ryuk, LockerGoga, Bitpaymer and Dharma were seen to be prevalent in recent months. Cases observed in the NCSC report often tend to have resulted from an infected document sent via email. In most instances, notes the eSentire report, the infected documents detected were disguised as invoices or missed payment notifications that attempt to entice employees to download and execute a payload that can carry out further malicious objectives once inside a network. Defenses against ransomware should include security measures that can prevent an attacker gaining prior access to the network. Ransomware can usually be prevented by following enterprise security good practice, such as prioritizing the enterprise defenses against phishing attacks, using email authentication, having a well-tested backup and implementing effective network segmentation.
Phishing is the Most Prevalent Attack MethodAlthough the findings of the eSentire’s Threat Intelligence Spotlight report detail how U.K. businesses experienced a 20% decline in phishing in the past year, phishing remains the most prevalent attack delivery method seen over the last few years. An examination of observed phishing incidents, which includes the submission of credentials to an illegitimate site and clicking on phishing links, reveals that nearly 10 percent of U.K. businesses experienced a successful phishing incident in the last 12 months. Specific methods observed by the NCSC include:
- Targeting Office 365 credentials. The goal is to persuade users to follow links to legitimate-looking login pages, which prompt for Office 365 credentials. More advanced versions of this attack also prompt the user to use MFA.
- Sending emails from real, but compromised, email accounts. This approach will exploit an existing email thread or relationship to add a layer of authenticity to a spear phish.
- Fake login pages. These pages are dynamically generated and personalized, pulling the real imagery and artwork from the victim’s Office 365 portal.
- Using Microsoft services such as Azure or Office 365 Forms to host fake login pages. These attack vectors focus on the trust users have on the green padlock on the address bar as an added layer of authenticity.
Reconnaissance through Vulnerability ScanningNCSC report mentions that vulnerability scanning is a common reconnaissance method used to search for open network ports, identify unpatched legacy or otherwise vulnerable software and detect misconfigurations, which could affect security. Attackers identify known weaknesses in internet-facing service, which they then target using tested techniques or exploits. This approach means the attack is more likely to work, making its detection less likely when using traditional Intrusion Prevention Systems (IPS) and on-host security monitoring. Once an attacker has a foothold on the edge of your infrastructure, they will then attempt to run more network scans and re-use stolen credentials to pivot through to the core network. For vulnerability remediation, NCSC suggests ensuring that all internet-facing servers that an attacker might be able to find should be hardened and the software running on them be fully patched. NCSC also suggests implementing security logging to easily detect any attempted attack or change and minimizing the enterprise’s attack surface to reduce the impact of the compromise. They also recommend conducting penetration tests to determine what an attacker scanning for vulnerabilities could find and potentially attack.
Supply Chain AttacksThreats introduced to enterprise networks via their service providers continue to be a major problem according to the report. Outsourcing – particularly of IT – results in external parties and their own networks being able to access and even reconfigure enterprise services. Hence, the network will inherit the risk from these connected networks. NSCS report also gives several examples of attackers exploiting the connections of service providers to gain access to enterprise networks. These include APT10 group, which acted on behalf of the Chinese Ministry of State Security to carry out a malicious cyber campaign targeting intellectual property and sensitive commercial data in Europe, Asia and the United States. Other examples include the exploitation of Remote Management and Monitoring (RMM) tooling to deploy ransomware and the public disclosure of a “sophisticated intrusion” at a major outsourced IT vendor. Supply chain security should be a consideration when procuring both products and services. Recommended remediation strategies to prevent supply chain attacks are:
- Ensure that any remote administration interfaces used by outsourced service providers are secured.
- Ensure that the service provider meets the organization's security standards and policies.
- Take appropriate steps to segment and segregate the networks. This will help to contain the threat if another customer, who shares the same service provider (or the provider themselves) is compromised. Segmentation and segregation can be achieved physically or logically using access control lists, network and computer virtualization, firewalls and network encryption such as Internet Protocol Security.
- Document the remote interfaces and internal accesses in use by your service provider to ensure that they are fully revoked at the end of the contract.