Cybercriminals continue to adapt their techniques in response to improving cyber defences. Ransomware poses a significant threat, with ransomware attacks increasing in scale and sophistication. Nation state actors have also begun incorporating ransomware into their arsenals. Cybercrime operations have become more complex and distributed. Attackers are also exploiting infrastructure like botnets and compromised business networks to host phishing campaigns and mining cryptocurrency covertly. The evolving phishing landscape and use of cybercrime services demonstrate how attackers are adapting to challenges. Overall, the threat landscape continues to grow more sophisticated as attackers refine their methods.
“AI is the new electricity” proclaims Andrew Ng, co-founder of Google Brain. Just as we need to know how to safely harness electricity, we also need to know how to securely employ AI to power our businesses. In some scenarios, the security of AI systems can impact human safety. On the flip side, AI can also be misused by cyber-adversaries and so we need to understand how to counter them.
This talk will provide food for thought in 3 areas:
Security of AI systems
Use of AI in cybersecurity
Malicious use of AI
The document discusses cybersecurity, artificial intelligence, and how AI can help improve cybersecurity. It notes that while organizations spend billions on cybersecurity, chief information security officers still feel highly exposed. Traditional security methods focus on preventing infiltration but are always one step behind evolving threats. The document argues that AI can help enforce cyber hygiene practices like least privilege to shrink the attack surface, making the problem more bounded and manageable compared to always chasing threats. It discusses how AI is well-suited for understanding intended application behavior based on established rules and data from good software.
The document discusses the results of an expert survey about future cyber attacks and IT security challenges in 2025. Experts predict that (1) attacks on the Internet of Things will increase, (2) next generation malware will be more sophisticated and precise, and (3) social engineering attacks targeting users will rise. To combat these threats, IT security needs to offer advanced artificial intelligence for quick response and automated detection of targeted attacks, as well as new authentication methods. Experts say the biggest challenges are users' lack of security awareness, exploding data volumes, lack of coordination against cybercrime, and fast technological changes like the IoT. Companies must increase security training and continuously improve automated data analysis and secure cloud solutions to ensure IT security.
Artificial Intelligence and Machine Learning for Cybersecurity - Dr David Probert
The talk discusses the application of artificial intelligence and machine learning to enterprise cybersecurity. The topics include self-learning, stochastic cellular automata, adaptive & self-organising systems and recursive Bayesian algorithms. The talk briefly surveys several cybersecurity companies including Darktrace, Logrhythm and Norse Corporation. There is also discussion of the application of AI and neural networks within the Banking sector for "Algorithmic Trading" during the last 10 to 20 years. These techniques are now highly relevant, and even ESSENTIAL, for the provision of real-time enterprise cybersecurity to complement traditional "signature" based anti-virus & firewall based solutions. The talk closes with the presentations for the future of Cybersecurity in 2020, 2025 and 2040 including reference to similar forecasts from both Business & Governments. The talk was given by Dr David Eric Probert at the East-West International Security Conference at the Melia Galgos Hotel in Madrid, Spain on the Tuesday 27th October 2015.
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how organizations use a cybersecurity framework to identify, protect against and recover from cyber attacks.
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
This document provides an overview and introduction to the CIS Controls version 8. It acknowledges the volunteers that contribute to the CIS Controls and outlines the Creative Commons license. It also provides a brief description of the structure and implementation groups used for the controls. The main body of the document then details each of the 18 controls, providing the rationale, procedures, tools, and safeguards for implementing them.
Leveraging Generative AI to Accelerate Graph Innovation for National Security with Neo4j and AWS - Neo4j
Nick Miller, US Federal Team Lead, AWS Marketplace
Government agencies are undergoing digital transformation initiatives to deliver improved customer experiences. Generative AI is a promising technology that may accelerate this transformation for customers. Come hear how AWS and Neo4j are partnered to help government agencies more rapidly adopt and deliver the power and promise of emerging GenAI capabilities to government missions.
The Importance of Cybersecurity for Digital Transformation - NUS-ISS
In the rapidly evolving landscape of digital transformation, the importance of cybersecurity cannot be overstated. As organizations embrace digital technologies to enhance their operations, innovate, and connect with customers in new and dynamic ways, they simultaneously become more vulnerable to cyber threats.
This talk will discuss the importance of a well thought through approach to cybersecurity, in the form of a strategy that lays out the various programmes and initiatives that will underpin a secure and resilient digital transformation journey. Not surprisingly, having a pool of well-trained cybersecurity personnel is one of the key ingredients of a cyber strategy, as exemplified in Singapore's own national cybersecurity strategy.
In this presentation we will look at the cause and effect of the problem, analyze preparedness and learn how you can better prepare, detect, respond and recover from cyber-attacks.
OT Security Architecture & Resilience: Designing for Security Success - accenture
The document summarizes key discussions and takeaways from an OT cybersecurity summit. It includes quotes and summaries from various sessions on topics like the importance of prioritizing cybersecurity, achieving cyber resilience through architecture, innovations and trends in OT networks, applying standards like IEC 62443, common resilience myths, centralizing OT security management, and the role of automation. The document encourages readers to review the on-demand content from the summit and contact the author's team if they have any other questions.
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies - apidays
APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023
Exploring Advanced API Security Techniques and Technologies
Sudhir Chepeni, Engineering and Product Leader
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity - Edureka!
This Edureka tutorial on "Cybersecurity Tools" gives an introduction to the various tools used in the industry for the purpose of cybersecurity. You get to know different kinds of security tools in today's IT world and how they protect us against cyber threats/attacks. The following tools are discussed in this tutorial:
- BluVector
- Bricata
- Cloud Defender
- Contrast Security
- Digital Guardian
- Intellicta
- Mantix4
- SecBI
I was invited to present a talk on "Artificial Intelligence for Cyber Security" for #GirlsInAIHack2021 by #TeenInAIFiji. It was my honor to be there and share my words with the participants and I wish all the participants the best wishes.
Girls from 25 counties aged 12-18 participated in this Hackathon. They were using hot technologies like AI and ML to fight world problems and make good. The event started on #InternationalWomensDay2021.
- 1000 participants in total
- 500+ mentors and organizers
- 120+ international speakers were part of it
You can watch it here - https://youtu.be/rhWyt68yuI0
If you want to invite me for a webinar or conference, connect by mail: hello@priyanshuratnakar.com or priyanshuratnakar@protonmail.com
You can use the slides, but give credit somewhere.
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help? - PECB
Generative AI offers great opportunities for innovation in various industries. Hence, by adopting ISO/IEC 27032, you can enhance your cybersecurity resilience and efficiently address the risks associated with generative AI.
Amongst others, the webinar covers:
• AI & Privacy
• Generative AI, Models & Cybersecurity
• AI & ISO/IEC 27032
Presenters:
Christian Grafenauer
Anonymization expert, privacy engineer, data protection officer, LegalTech researcher (GDPR, Blockchain, AI). Christian Grafenauer is an accomplished privacy engineer, anonymization expert, and computer science specialist, currently serving as the project lead for anonymity assessments at techgdpr. With an extensive background as a senior architect in Blockchain for IBM and years of research in the field since 2013, Christian co-founded privacy by Blockchain design to explore the potential of Blockchain technology in revolutionizing privacy and internet infrastructure. As a dedicated advocate for integrating legal and computer science disciplines, Christian's expertise in anonymization and GDPR compliance enables innovative AI applications, ensuring a seamless fusion of technology and governance, particularly in the realm of smart contracts. In his role at techgdpr, he supports technical compliance, Blockchain, and AI initiatives, along with anonymity assessments. Christian also represents consumer interests as a member of the national Blockchain and DLT standardization committee at DIN (German standardization institute) in ISO/TC 307.
Akin Johnson
Akin J. Johnson is a renowned Cybersecurity Expert, known for his expertise in protecting digital systems from potential threats. With over a decade of experience in the field, Akin has developed a deep understanding of the ever-evolving cyber landscape.
Akin is an advocate for cybersecurity awareness and frequently shares his knowledge through speaking engagements, workshops, and publications. He firmly believes in the importance of educating individuals and organizations on the best practices for safeguarding their digital assets.
Lucas Falivene
Lucas is a highly experienced cybersecurity professional with a solid base in business, information systems, information security, and cybersecurity policy-making. A former Fulbright scholar with a Master of Science degree in Information Security Policy and Management at Carnegie Mellon University (Highest distinction) and a Master's degree in Information Security at the University of Buenos Aires (Class rank 1st). Lucas has participated in several trainings conducted by the FBI, INTERPOL, OAS, and SEI/CERT as well as in the development of 4 cyber ISO national standards.
Date: July 26, 2023
YouTube Link: https://youtu.be/QPDcROniUcc
The document discusses definitions of cyber resilience from academic and industry sources. It finds that while definitions generally refer to withstanding and recovering from cyber threats, they differ in how they define the threats, who or what is resilient, and the core components of resilience. The document also analyzes the origins and practice of cyber resilience, finding it aims to manage inherent insecurity but responsibilities are unclear. It concludes that more research is needed on organizing for resilience across organizations and boundaries.
AI shows promise to help address challenges in cybersecurity by automating tasks, enhancing human abilities, and detecting complex patterns that humans cannot. However, developing effective AI solutions is difficult and requires expertise in both cybersecurity and data science. When evaluating AI products, organizations should consider factors like data and training requirements, error rates, integration with existing tools and processes, and potential new risks introduced. While AI may help alleviate strain on security teams, its use is still nascent, and human oversight will likely remain important.
This document outlines key elements to consider when developing an AI strategy, including defining the problem or opportunity, desired outcome, how AI can help achieve goals, required capabilities, metrics for measuring success, infrastructure needs, costs, and economic benefits. The strategy canvas provides a framework to plan an AI initiative from identifying the vision down to designing a solution.
The document provides an analysis of The Trade Desk (TTD) and recommends a neutral stance. It summarizes TTD's business model as a self-service platform for digital advertising and cites growth catalysts like digital transformation and a partnership with Walmart. However, it concludes that while TTD is fundamentally solid, its current valuation is unattractive compared to peers, making the risk/reward profile unfavorable. It recommends waiting for a 30%+ price pullback before increasing positions in TTD.
Overview of Artificial Intelligence in Cybersecurity - Olivier Busolini
If you are interested in understanding a bit more of the potential of Artificial Intelligence in Cybersecurity, you might want to have a look at this overview.
Written from my CISO (and non-AI expert) point of view, for fellow security professionals to navigate the AI hype and (hopefully!) make better, informed decisions :-)
All feedback welcome!
This document discusses bolttech's goal of supercharging its tech-enabled ecosystem for embedded insurance. It provides an overview of bolttech's global insurance exchange platform that connects insurers, distributors, and customers, allowing partners to easily embed insurance. The summary highlights examples of bolttech collaborating with partners in Europe, such as developing device protection services for WINDTRE and embedding insurance into loyalty cards for Amplifon's hearing aid customers.
Microsoft Digital Defense Report 2022.pdf - Nirenj George
The document is Microsoft's 2022 Digital Defense Report which provides an overview of the cyber threat landscape based on Microsoft's data and insights from July 2021 through June 2022. It covers topics like the state of cybercrime, nation state threats, devices and infrastructure vulnerabilities, cyber influence operations, and cyber resilience. The introduction notes the significant increase in sophisticated cyberattacks by both cybercriminals and nation states, and the importance of cybersecurity best practices and partnerships to improve the security of the digital ecosystem.
Microsoft Digital Defense Executive Summary-2022 - Kevin Fream
Microsoft published its 2022 Digital Defense Report which analyzes the evolving cyber threat landscape. The report found that cybercriminals and nation state actors have increased the sophistication of their attacks, greatly impacting targets. Nation state actors are launching increasingly advanced cyberattacks to further strategic priorities, while cybercriminals act as sophisticated profit enterprises adapting their techniques. The conflict in Ukraine marked the beginning of a new era of hybrid warfare combining physical and digital attacks. The report provides insights into cybercrime trends, nation state threats, vulnerabilities in devices and infrastructure, influence operations, and improving cyber resilience.
MDDR_FINAL_2023_1004_Comprehensive and full - haris21044
This document is Microsoft's 2023 Digital Defense Report which provides insights into cybersecurity threats and recommendations for building resilience. It discusses how the threat landscape has evolved over the past year, with nation-state actors like Russia, China, Iran, and North Korea becoming more aggressive and sophisticated in their cyber attacks. Well-resourced cybercriminal groups are also growing and leveraging cybercrime services. The report emphasizes the need for public-private collaboration and innovation using AI to help counter these threats. It highlights Microsoft's unique security capabilities and partnerships to share threat intelligence and work towards digital peace through collective defense.
An Analytical Study on Attacks and Threats in Cyber Security and its Evolving Trends on Modern Technologies - ijtsrd
In today's dynamic and technologically advanced world, the Internet has become one of the most innovative and rapidly growing technologies. With its rise, it has also become vulnerable to a significant increase in cyber attacks, with detrimental effects. Typically, these cyber attacks aim at accessing, manipulating, or damaging confidential data, extracting users' money, or extorting an organization's or user's private information. Sensitive information, whether intellectual property, financial data, confidential information, or other forms of private data, is exposed to unauthorized access or disclosure, which can have adverse consequences. Protecting data has become one of the greatest obstacles today as cyber attacks are constantly escalating. Along with the growth of internet services and the advancement of information technology, cybersecurity has become crucial. Cybersecurity aims to ensure that the security interests of the company's and users' assets are protected and preserved against relevant cyber threats in the digital world. The data and confidentiality of computing assets pertaining to the network of an organization are protected by cybersecurity. This paper mainly focuses on threats and issues in cybersecurity facing modern technologies. It also focuses on the latest cybersecurity strategies and developments that are transforming the face of cybersecurity.
Omkar Veerendra Nikhal, "An Analytical Study on Attacks and Threats in Cyber Security and its Evolving Trends on Modern Technologies", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5, Issue-1, December 2020. URL: https://www.ijtsrd.com/papers/ijtsrd38195.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/38195/an-analytical-study-on-attacks-and-threats-in-cyber-security-and-its-evolving-trends-on-modern-technologies/omkar-veerendra-nikhal
Dell Technologies provides cybersecurity solutions to help clients assess their security posture, define a cybersecurity strategy, implement security measures, and respond to and recover from attacks. The document discusses the growing threat landscape and common types of cyberattacks. It then outlines Dell's security methodology and portfolio of assessment, managed service, and product solutions to help clients define a strategy, implement controls, and respond to incidents. The solutions are meant to deliver outcomes like defined strategies, advanced protection, risk management and operational resilience.
The document provides a strategic overview of Ukraine's cyber threat landscape since the start of the Russia-Ukraine war in 2022 based on Cisco Talos' analysis. It finds that Ukraine faced a diverse set of cyber actors, including opportunistic cybercriminals, Russian state-sponsored groups like Gamaredon, and the pro-Russian hacktivist group Killnet that conducted DDoS attacks against NATO allies. Telemetry data from Cisco Secure Endpoint deployments in Ukraine revealed the top threats observed were related to web shell creation, PowerShell usage, and the increased use of the "Signed binary proxy execution using rundll32" technique by adversaries beginning in May 2022.
The document is the U.S. Department of Homeland Security's Cybersecurity Strategy from 2018 to 2023. It outlines the department's vision to improve national cybersecurity risk management by 2023 through increasing security across government and critical infrastructure networks, decreasing illicit cyber activity, improving responses to incidents, and fostering a more secure cyber ecosystem.
The strategy identifies five pillars to manage national cybersecurity risks: risk identification, vulnerability reduction, threat reduction, consequence mitigation, and enabling cybersecurity outcomes. Under these pillars, the department has seven goals, such as assessing evolving risks, protecting federal systems and critical infrastructure, preventing criminal cyber activity, responding to incidents, and strengthening the overall cyber ecosystem.
Cyberspace is rapidly transforming our lives: how we live, interact, govern and create value. With the JAM (Jan Dhan, Aadhaar and Mobile) trinity, India is at the forefront of global digital transformation. "Digital India" is being hailed as the world's largest technology-led programme of its kind.
While the internet, smartphones and modern information and communication devices have been great force multipliers, endless connectivity and the proliferation of IoT devices are giving rise to vulnerabilities, risks and concerns. Cyber security is today ranked among the top threats by governments and corporates. Heightened concerns about data security and privacy have resulted in a spate of regulations in India and across the world. India is in the process of discussing and enacting its own comprehensive data security and privacy regulation, as well as vertical-specific ones. Cyber security is an ecosystem where laws, organisations, skills, cooperation and technical implementation would need to be in harmony to be effective.
Overall, a robust regulatory framework based on global and country-specific regulations, development of a holistic cyber security eco-system (academia and industry as well as entrepreneurial) and a coordinated global approach through proactive cyber diplomacy would help to secure cyber space and promote confidence and trust of key stakeholders including citizens, businesses, political and security leaders.
CII has been actively working in the cyber security space. The CII Task Force on Public Private Partnership for Security of the Cyber Space has been set up to bring about improvements in the legal framework to strengthen and maintain a safe cyberspace ecosystem by capacity building through education and training programmes. We would facilitate collaboration and cooperation between Government and Industry in the area of cyber security in general and protection of critical information infrastructure in particular, covering cyber threats, vulnerabilities, breaches, potential protective measures, and adoption of best practices.
Safeguarding the Digital Realm: The Importance of Cybersecurity
Introduction:
In our increasingly interconnected world, cybersecurity has emerged as a critical concern for individuals, organizations, and governments alike. The pervasive nature of technology and the rapid digitization of various sectors have brought about numerous benefits, but they have also introduced unprecedented risks and vulnerabilities. As cyber threats continue to evolve in sophistication and scale, it is crucial to understand the significance of cybersecurity and adopt effective measures to protect our digital infrastructure.
The Ever-Present Cyber Threat Landscape:
Cyberattacks come in various forms, including data breaches, malware infections, ransomware attacks, phishing scams, and more. The motives behind these attacks range from financial gain to espionage, activism, and even geopolitical warfare. The digital landscape is teeming with hackers, criminal syndicates, and state-sponsored actors who constantly seek to exploit vulnerabilities in computer systems and networks. The impact of successful cyberattacks can be devastating, causing financial losses, reputational damage, and compromising personal privacy.
Protecting Sensitive Data:
One of the primary objectives of cybersecurity is to safeguard sensitive information. This includes personal data, financial records, intellectual property, and classified government documents. Robust encryption algorithms, secure authentication protocols, and effective access controls are essential components of protecting data from unauthorized access. Additionally, data backup and disaster recovery strategies play a crucial role in ensuring that information remains intact and accessible even in the event of a breach.
Securing Critical Infrastructure:
Cybersecurity is not limited to protecting personal information or corporate data; it also extends to safeguarding critical infrastructure. Industries such as energy, transportation, healthcare, and finance heavily rely on interconnected networks to function effectively. A breach in these sectors could result in catastrophic consequences, ranging from power outages and disruptions in transportation systems to compromised patient records and financial instability. Consequently, robust cybersecurity measures must be implemented to protect these vital systems from malicious actors.
Building a Cyber-Resilient Culture:
While technological solutions play a significant role in cybersecurity, an equally important aspect is fostering a cyber-resilient culture. This involves educating individuals and organizations about the risks, promoting good cyber hygiene practices, and cultivating a mindset of vigilance. Regularly updating software, using strong and unique passwords, enabling multi-factor authentication, and being cautious of suspicious emails or links are some of the fundamental steps to bolster cybersecurity defenses. Organizations should prioritize employee training programs and e
AN EMPIRICAL STUDY ON CYBER SECURITY THREATS AND ATTACKS - Daphne Smith
This document summarizes an empirical study on cyber security threats and attacks. It discusses recent trends in cyber attacks such as ransomware, advanced persistent threats, insider threats, malware, and botnets. It also examines vulnerabilities in critical infrastructure that can be exploited by attackers. The document provides examples of research analyzing specific cyber threats and vulnerabilities. It concludes that understanding cyber threats is important for protecting systems and networks, and that security policies and monitoring are needed to mitigate threats and safeguard systems.
_Cyberspace_ Security and Future Challenges in the Digital World.pdf - mbmh111980
"Cyberspace: Security and Future Challenges in the Digital World" provides an insightful exploration of the evolving landscape of cybersecurity, examining current security measures and anticipating future challenges in an increasingly interconnected digital environment.
This document discusses how critical infrastructure is increasingly being targeted by cybercriminals and nation-states through cyber attacks. It notes that while most critical infrastructure operators have strong physical security, many lack comprehensive cybersecurity strategies. It advocates for privileged access management solutions to help secure critical infrastructure according to new regulations and guidelines. Such solutions can help prevent attackers from gaining privileged access and help contain threats by isolating and auditing privileged sessions.
A STUDY ON CYBER SECURITY AND ITS RISKS, K. Jenifer - AM Publications
Cyber security is a basic term used nowadays by everyone in the world. It is appropriate to know about cyber security as everything has become digitized in our day-to-day life, because the digital world is the place where cyber crimes emerge. Securing information has become one of the biggest challenges of the present day. Various measures are taken in order to prevent these cyber crimes, though cyber security is still a very big concern. In this paper I have made a study on cyber security, how far cyber crimes are increasing and what threats we should be aware of.
Pat Pather - Cyber Security Unchartered: Vigilance, Innovation and Adaptability - itnewsafrica
Pat Pather, Chief Executive Officer at Forensic Sciences Institute, delivered a presentation on Cyber Security Unchartered: Vigilance, Innovation and Adaptability- Exploring the Depths of Cybersecurity, at Public Sector Cybersecurity Summit 2023 on the 3rd of October 2023. #PublicSec2023 #Conference #Cybersecurity #PublicSector
Cyber attacks pose a serious threat to both private sector organizations and governments. Advanced persistent threats can stealthily infiltrate systems over long periods of time without detection. As more business is conducted virtually, cyber crime has become increasingly sophisticated and difficult to combat. In response, there is a growing need for cyber security professionals in India to protect the country's internet economy and users. Cyberfort Technologies offers several industry-driven cyber security courses and certifications to help develop skilled cyber security experts and meet this demand.
CYBERFORT Technologies seeks to impart quality Information Security programs that would equip Information Security professionals with the necessary tools and education to help them avert Cyber-crimes, Cyber espionage, Cyber terrorism and if the need arises, Cyber wars.
AI IN CYBERSECURITY: THE NEW FRONTIER OF DIGITAL PROTECTION - ChristopherTHyatt
Artificial Intelligence (AI) fortifies cybersecurity by dynamically identifying and neutralizing cyber threats. With machine learning algorithms, AI analyzes patterns in real-time data, swiftly detecting anomalies and potential security breaches. This proactive approach enhances the overall defense mechanism, ensuring robust protection against evolving cyber threats in the ever-changing digital landscape.
What Are Cyber Attacks All About? | Cyberroot Risk Advisory - CR Group
Cyber attacks involve compromising computer systems and networks to cause harm. The rise in cyber attacks has been driven by more people working remotely during the pandemic using unsecured networks, making systems easier to hack. Research shows that businesses are becoming more aware of cyber risks and are purchasing more cyber insurance as a result. Statistics show that cybercrime costs over $1 trillion globally each year and the average cost of a data breach for a business is over $3 million. Certain industries like healthcare, energy, and finance are particularly at risk of costly cyber attacks.
Right Choice Landscaping offers exceptional villa landscape maintenance services - rightchoicelandscapi
Right Choice Landscaping offers exceptional villa landscape maintenance services in Dubai. Our dedicated team ensures that your villa's outdoor spaces are beautifully maintained, enhancing both the aesthetic appeal and the value of your property. We offer landscaping and garden design services to commercial property owners and homeowners all over the UAE.
Mastering Web Design: Essential Principles and Techniques for Modern Websites - webOdoctor Inc
Dive into the dynamic world of web design with our comprehensive guide that covers everything from foundational principles to advanced techniques. Whether you're a beginner looking to understand the basics or a seasoned designer aiming to refine your skills, this article offers invaluable insights. Explore topics such as responsive design, user experience (UX) optimization, color theory, typography essentials, and the latest trends shaping the digital landscape. Gain practical knowledge and actionable tips to create visually appealing, functional, and user-friendly websites that stand out in today's competitive online environment. Perfect for designers, developers, and anyone passionate about crafting compelling web experiences, this guide equips you with the tools needed to elevate your web design proficiency to new heights.
An Introduction to Housing: Core Concepts and Historical Evolution from Prehi...Aditi Sh.
This comprehensive PDF explores the definition and fundamental core of housing neighborhoods, tracing the evolution of housing from prehistoric times 2.5 million years ago to the early 19th century Industrial Revolution. It delves into the various stages of housing development, highlighting key innovations, cultural influences, and technological advancements that shaped the way humans have built and inhabited homes throughout history. This document serves as an essential resource for understanding the dynamic history of human habitation and the ongoing transformation of housing neighborhoods.
Professional design drives turnover, return, and growth.
How to strengthen the power of design in your domain?
The key is to introduce, specialize, and organize critical capabilities.
Design capacity thus becomes a strategic advantage: valuable, unique, and organized.
Cases from construction, manufacturing, and servicing provide proof.
Achieve your ambition faster with our subject expertise.
Call on us for instruction, support, or execution.
Request a free quick scan* to start.
*) Ask for our conditions.
https://designimpulse.nl
Portfolio of Family Coat of Arms, devised by Kasyanenko Rostyslav, ENGRostyslav Kasyanenko
The Ukrainian and German journalist Rostyslav Kasyanenko has dedicated himself to genealogical research and heraldry. Originally Ukrainian, now living in Munich (Bavaria) he working in Ukrainian Free University (Est. 1921) as archivist. Curator of Heraldic Teams, Member of Ukrainian Heraldry Society (UHS) R.Kasyanenko is Deviser of the Family and Municipal Coat of Arms and Author of the exhibition concept project: “Maritime flags and arms of the Black Sea countries vs. Mediterranean: what has changed in 175 years?”
Author of scientific articles (2023-24):
Parallels between the meaning of Symbol and Myth according to Hryhorii Skovoroda and heraldic systems
Heraldry as a marker of evolution of national identity in Ukraine and Slovakia: from the Princely era to the "Spring of Nations" (XI-XIX centuries)
Historical parallels in the formation of national awareness in Ukraine and Slovakia in modern times (1848-1992)
Proto-heraldry of Kievan Rus': dynastic symbols of the Princely era, and how does the Palatine Lion relate to this?
Symbols of the House of Romanovyches: the Bavarian influence in Ukrainian heraldry
Participant of Scientific Conferences (2023-24):
- XXХІІІ Heraldic Conference of the Ukrainian Heraldry Society, October 13, 2023, Lviv
- International Conference “Slovak-Ukrainian Relations in the Field of Language, Literature, and Culture in Slovakia and the Central European Space”, University of Prešov, Institute of Ukrainian Studies, Faculty of Arts, 18-20.10.2023
- International Conference „The Past, Present, and Future of Heraldry: Universality and Interdisciplinarity“, Vilnius, 12-13.06.24
- International Conference "Coats of Arms as Weapons – Heraldic Symbols in Political, Dynastic, Military, and Legal Conflicts of the Middle Ages and Early Modern Period”, Alfried Krupp Wissenschaftskolleg Greifswald.
According to the heraldist, he has worked with many heraldic artists over
the years. However, he developed the ideas for all the coats of arms himself, except for his own. The case of the Kasyanenko (from the Shovkoplias clan) family coat of arms — featuring an audacious Cossack riding a rhinoceros — deserves special attention. "After all, one could talk about one's own crest, just like one's ancestors, for an eternity," he says.
Contents
The data, insights and events in this report are from July 2021 through June 2022 (Microsoft fiscal year 2022), unless otherwise noted.
For the best experience viewing and navigating this report, we recommend using Adobe Reader, available as a free download from the Adobe website.
Report Introduction 02
The State of Cybercrime 06
An overview of The State of Cybercrime 07
Introduction 08
Ransomware and extortion: A nation-level threat 09
Ransomware insights from front-line responders 14
Cybercrime-as-a-Service 18
The evolving phishing threat landscape 21
A timeline of botnet disruption from Microsoft’s early days of collaboration 25
Cybercriminal abuse of infrastructure 26
Is hacktivism here to stay? 28
Nation State Threats 30
An overview of Nation State Threats 31
Introduction 32
Background on nation state data 33
Sample of nation state actors and their activities 34
The evolving threat landscape 35
The IT supply chain as a gateway to the digital ecosystem 37
Rapid vulnerability exploitation 39
Russian state actors’ wartime cyber tactics threaten Ukraine and beyond 41
China expanding global targeting for competitive advantage 44
Iran growing increasingly aggressive following power transition 46
North Korean cyber capabilities employed to achieve regime’s three main goals 49
Cyber mercenaries threaten the stability of cyberspace 52
Operationalising cybersecurity norms for peace and security in cyberspace 53
Devices and Infrastructure 56
An overview of Devices and Infrastructure 57
Introduction 58
Governments acting to improve critical infrastructure security and resilience 59
IoT and OT exposed: Trends and attacks 62
Supply chain and firmware hacking 65
Spotlight on firmware vulnerabilities 66
Reconnaissance-based OT attacks 68
Cyber Influence Operations 71
An overview of Cyber Influence Operations 72
Introduction 73
Trends in cyber influence operations 74
Influence operations during the COVID-19 pandemic and Russia’s invasion of Ukraine 76
Tracking the Russian Propaganda Index 78
Synthetic media 80
A holistic approach to protect against cyber influence operations 83
Cyber Resilience 86
An overview of Cyber Resilience 87
Introduction 88
Cyber resiliency: A crucial foundation of a connected society 89
The importance of modernising systems and architecture 90
Basic security posture is a determining factor in advanced solution effectiveness 92
Maintaining identity health is fundamental to organisational well-being 93
Operating system default security settings 96
Software supply chain centrality 97
Building resilience to emerging DDoS, web application and network attacks 98
Developing a balanced approach to data security and cyber resiliency 101
Resilience to cyber influence operations: The human dimension 102
Fortifying the human factor with skilling 103
Insights from our ransomware elimination program 104
Act now on quantum security implications 105
Integrating business, security and IT for greater resilience 106
The cyber resilience bell curve 108
Contributing Teams 110
01 Microsoft Digital Defence Report 2022
Report Introduction | The State of Cybercrime | Nation State Threats | Devices and Infrastructure | Cyber Influence Operations | Cyber Resilience | Contributing Teams
Introduction by Tom Burt
Corporate Vice President, Customer Security & Trust

On February 23, 2022, the cybersecurity world entered a new age, the age of the hybrid war. On that day, hours before missiles were launched and tanks rolled across borders, Russian actors launched a massive destructive cyberattack against Ukrainian government, technology and financial sector targets. You can read more about these attacks and the lessons to be learned from them in the Nation State Threats chapter of this third annual edition of the Microsoft Digital Defence Report (MDDR). Key among those lessons is that the cloud provides the best physical and logical security against cyberattacks and enables advances in threat intelligence and end point protection that have proven their value in Ukraine.

While any survey of the year’s developments in cybersecurity must begin there, this year’s report provides a deep dive into much more. In the report’s first chapter, we focus on activities of cybercriminals, followed by nation state threats in chapter two. Both groups have greatly increased the sophistication of their attacks, which has dramatically increased the impact of their actions. While Russia drove headlines, Iranian actors escalated their attacks following a transition of presidential power, launching destructive attacks targeting Israel and ransomware and hack-and-leak operations targeting critical infrastructure in the United States. China also increased its espionage efforts in Southeast Asia and elsewhere in the global south, seeking to counter US influence and steal critical data and information.

Foreign actors are also using highly effective techniques to enable propaganda influence operations in regions around the globe, as covered in the third chapter. For example, Russia has worked hard to convince its citizens, and the citizens of many other countries, that its invasion of Ukraine was justified – while also sowing propaganda discrediting COVID vaccines in the West and simultaneously promoting their effectiveness at home.

In addition, actors are increasingly targeting Internet of Things (IoT) devices or Operational Technology (OT) control devices as entry points to networks and critical infrastructure, which is discussed in chapter four. Finally, in the last chapter, we provide the insights and lessons we have learned over the past year defending against attacks directed at Microsoft and our customers as we review the year’s developments in cyber resilience.

Each chapter provides the key lessons learned and insights based on Microsoft’s unique vantage point. The trillions of signals we analyse from our worldwide ecosystem of products and services reveal the ferocity, scope and scale of digital threats across the globe. Microsoft is taking action to defend our customers and the digital ecosystem against these threats, and you can read about our technology that identifies and blocks billions of phishing attempts, identity thefts and other threats to our customers.

A snapshot of our landscape…
Scope and scale of threat landscape: The volume of password attacks has risen to an estimated 921 attacks every second – a 74% increase in just one year.
Dismantling cybercrime: To date, Microsoft removed more than 10,000 domains used by cybercriminals and 600 used by nation state actors.
Addressing vulnerabilities: 93% of our ransomware incident response engagements revealed insufficient controls on privilege access and lateral movement.

“The trillions of signals we analyse from our worldwide ecosystem of products and services reveal the ferocity, scope and scale of digital threats across the globe”
Introduction by Tom Burt
Continued

The state of cybercrime
Cybercriminals continue to act as sophisticated profit enterprises. Attackers are adapting and finding new ways to implement their techniques, increasing the complexity of how and where they host campaign operation infrastructure. At the same time, cybercriminals are becoming more frugal. To lower their overhead and boost the appearance of legitimacy, attackers are compromising business networks and devices to host phishing campaigns, malware or even use their computing power to mine cryptocurrency.
Find out more on p6

Nation state threats
Nation state actors are launching increasingly sophisticated cyberattacks designed to evade detection and further their strategic priorities. The advent of cyberweapon deployment in the hybrid war in Ukraine is the dawn of a new age of conflict. Russia has also supported its war with information influence operations, using propaganda to impact opinions in Russia, Ukraine and globally. Outside Ukraine, nation state actors have increased activity and have begun using advancements in automation, cloud infrastructure and remote access technologies to attack a wider set of targets. Corporate IT supply chains that enable access to ultimate targets were frequently attacked. Cybersecurity hygiene became even more critical as actors rapidly exploited unpatched vulnerabilities, used both sophisticated and brute force techniques to steal credentials and obfuscated their operations by using open source or legitimate software. In addition, Iran joins Russia in the use of destructive cyberweapons, including ransomware, as a staple of their attacks. These developments require urgent adoption of a consistent, global framework that prioritises human rights and protects people from reckless state behaviour online. All nations must work together to implement norms and rules for responsible state conduct.
Find out more on p30

Devices and infrastructure
The pandemic, coupled with rapid adoption of internet-facing devices of all kinds as a component of accelerating digital transformation, has greatly increased the attack surface of our digital world. As a result, cybercriminals and nation states are quickly taking advantage. While the security of IT hardware and software has strengthened in recent years, the security of IoT and OT devices has not kept pace. Threat actors are exploiting these devices to establish access on networks and enable lateral movement, to establish a foothold in a supply chain or to disrupt the target organisation’s OT operations.
Find out more on p56

We also use legal and technical means to seize and shut down infrastructure used by cybercriminals and nation state actors and notify customers when they are being threatened or attacked by a nation state actor. We work to develop increasingly effective features and services that use AI/ML technology to identify and block cyber threats and help security professionals defend against and identify cyber-intrusions more rapidly and effectively. Perhaps most importantly, throughout the MDDR we offer our best advice on the steps individuals, organisations and enterprises can take to defend against these increasing digital threats. Adopting good cyber hygiene practices is the best defence and can significantly reduce the risk of cyberattacks.

‘The advent of cyberweapon deployment in the hybrid war in Ukraine is the dawn of a new age of conflict.’
Our unique vantage point
July 1, 2021 through June 30, 2022
34.7 bn identity threats blocked
37 bn email threats blocked
2.5 bn endpoint signals analysed daily
43 tn signals synthesised daily, using sophisticated data analytics and AI algorithms to understand and protect against digital threats and criminal cyberactivity.
8,500+ engineers, researchers, data scientists, cybersecurity experts, threat hunters, geopolitical analysts, investigators and frontline responders across 77 countries.
15,000+ partners in our security ecosystem who increase cyber resilience for our customers.

Introduction by Tom Burt
Continued

Cyber resilience
Security is a key enabler of technological success. Innovation and enhanced productivity can only be achieved by introducing security measures that make organisations as resilient as possible against modern attacks. The pandemic has challenged us at Microsoft to pivot our security practices and technologies to protect our employees wherever they work. This past year, threat actors continued to take advantage of vulnerabilities exposed during the pandemic and the shift to a hybrid work environment. Since then, our principal challenge has been managing the prevalence and complexity of various attack methods and increased nation state activity. In this chapter, we detail the challenges we have faced, and the defences we have mobilised in response with our more than 15,000 partners.
Find out more on p86

Cyber influence operations
Nation states are increasingly using sophisticated influence operations to distribute propaganda and impact public opinion both domestically and internationally. These campaigns erode trust, increase polarisation and threaten democratic processes. Skilled Advanced Persistent Manipulator actors are using traditional media together with internet and social media to vastly increase the scope, scale and efficiency of their campaigns, and the outsized impact they are having in the global information ecosystem. In the past year, we have seen these operations used as part of Russia’s hybrid war in Ukraine, but have also seen Russia and other nations, including China and Iran, increasingly deploy propaganda operations powered by social media to extend their global influence on a range of issues.
Find out more on p71
Introduction by Tom Burt
Continued

We believe Microsoft – independently and through close partnerships with others in private industry, government and civil society – has a responsibility to protect the digital systems that underpin the social fabric of our society and promote safe, secure computing environments for every person, wherever they are located. This responsibility is the reason we have published the MDDR each year since 2020. The report is the culmination of Microsoft’s vast data and comprehensive research. It shares our unique insights on how the digital threat landscape is evolving and the crucial actions that can be taken today to improve the security of the ecosystem.

We hope to instil a sense of urgency, so readers take immediate action based on the data and insights we present both here and in our many cybersecurity publications throughout the year. As we consider the gravity of the threat to the digital landscape – and its translation into the physical world – it is important to remember that we are all empowered to take action to protect ourselves, our organisations and enterprises against digital threats.

Our objective with this report is twofold:
1. To illuminate the evolving digital threat landscape for our customers, partners and stakeholders spanning the broader ecosystem, shining a light on both new cyberattacks and evolving trends in historically persistent threats.
2. To empower our customers and partners to improve their cyber resiliency and respond to these threats.

Thank you for taking the time to review this year’s Microsoft Digital Defence Report. We hope you will find that it provides valuable insight and recommendations to help us collectively defend the digital ecosystem.
Tom Burt
Corporate Vice President, Customer Security & Trust
The State of Cybercrime
As cyber defences improve and more organisations are taking a proactive approach to prevention, attackers are adapting their techniques.
An overview of The State of Cybercrime 07
Introduction 08
Ransomware and extortion: A nation-level threat 09
Ransomware insights from front-line responders 14
Cybercrime-as-a-Service 18
The evolving phishing threat landscape 21
A timeline of botnet disruption from Microsoft’s early days of collaboration 25
Cybercriminal abuse of infrastructure 26
Is hacktivism here to stay? 28
An overview of The State of Cybercrime
As cyber defences improve and more organisations are taking a proactive approach to prevention, attackers are adapting their techniques.

Cybercriminals continue to act as sophisticated profit enterprises. Attackers are adapting and finding new ways to implement their techniques, increasing the complexity of how and where they host campaign operation infrastructure. At the same time, cybercriminals are becoming more frugal. To lower their overhead and boost the appearance of legitimacy, attackers are compromising business networks and devices to host phishing campaigns, malware or even use their computing power to mine cryptocurrency.

The threat of ransomware and extortion is becoming more audacious with attacks targeting governments, businesses and critical infrastructure. Find out more on p9
Human operated ransomware is most prevalent, as one-third of targets are successfully compromised by criminals using these attacks and 5% of those are ransomed. Find out more on p9
Attackers increasingly threaten to disclose sensitive data to encourage ransom payments. Find out more on p10
The most effective defence against ransomware includes multifactor authentication, frequent security patches and Zero Trust principles across network architecture. Find out more on p13
Cybercrime continues to rise as the industrialisation of the cybercrime economy lowers the skill barrier to entry by providing greater access to tools and infrastructure. Find out more on p18
Credential phishing schemes which indiscriminately target all inboxes are on the rise and business email compromise, including invoice fraud, poses a significant cybercrime risk for enterprises. Find out more on p21
To disrupt the malicious infrastructures of cybercriminals and nation state actors, Microsoft relies on innovative legal approaches and our public and private partnerships. Find out more on p25

Understanding the ransomware economy
A RaaS program (or syndicate) is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. Many RaaS programs incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services.
Affiliates are generally small groups of people “affiliated” with one or more RaaS programs. Their role is to deploy the RaaS program payloads. Affiliates move laterally in the network, persist on systems, and exfiltrate data. Each affiliate has unique characteristics, such as different ways of doing data exfiltration.
Access brokers sell network access to other cybercriminals, or gain access themselves via malware campaigns, brute force, or vulnerability exploitation. Access broker entities can range from large to small. Top tier access brokers specialize in high-value network access, while lower tier brokers on the dark web might have just 1–2 usable stolen credentials for sale.
Organizations and individuals with weak cybersecurity hygiene practices are at greater risk of having their network credentials stolen.
Figure: Understanding the ransomware economy. The three roles are operators, affiliates and access brokers; RaaS programs named in the figure are Conti, HIVE, BlackMatter, LockBit, REvil and BlackCat.

Figure: Human operated ransomware targeting and rate of success model (p15). Of 2,500 potential target organisations, 60 encounter activity associated with known ransomware attackers, 20 are successfully compromised and 1 falls victim to a successful ransomware event. Access brokers sell access to compromised networks to Ransomware-as-a-Service affiliates, who run the ransomware attack; RaaS affiliates prioritise targets by intended impact or perceived profit; attackers take advantage of any security weakness they find in the network, so attacks vary; the ransomware payload is the culmination of a chain of malicious activity. Factors: low barrier to entry. Phases labelled pre-ransomware and ransomware (2022).

Figure: BEC Themes (January-June 202; categories shown are gift card scam, invoice fraud, payroll redirection and business information, with percentages 9.3%, 1.9%, 4.6% and 4.3%.
Introduction
Cybercrime continues to rise, with increases in both random and targeted attacks.

As cyber defences improve and more governments and businesses take a proactive approach to prevention, we see attackers using two strategies to gain the access required to facilitate cybercrime. One approach is a campaign with broad targets that relies on volume. The other uses surveillance and more selective targeting to increase the rate of return. Even when revenue generation is not the objective – such as nation state activity for geopolitical purposes – both random and targeted attacks are used. This past year, cybercriminals continued to rely on social engineering and exploitation of topical issues to maximise the success of campaigns. For example, while COVID-themed phishing lures were used less frequently, we observed lures soliciting donations to support the citizens of Ukraine increasing.

Attackers are adapting and finding new ways to implement their techniques, increasing the complexity of how and where they host campaign operation infrastructure. We have observed cybercriminals becoming more frugal and attackers are no longer paying for technology. To lower their overhead and boost the appearance of legitimacy, some attackers increasingly seek to compromise businesses to host phishing campaigns, malware or even use their computing power to mine cryptocurrency.

In this chapter, we also examine the rise in hacktivism, a disruption caused by private citizens conducting cyberattacks to further social or political goals. Thousands of individuals around the world, both experts and novices, have mobilised since February 2022 to launch attacks such as disabling websites and leaking stolen data as part of the Russia-Ukraine war. It is too soon to predict whether this trend will continue after the end of active hostilities.

Organisations must regularly review and strengthen access controls and implement security strategies to defend against cyberattacks. However, that is not all they can do. We explain how our Digital Crimes Unit (DCU) has used civil cases to seize malicious infrastructure used by cybercriminals and nation state actors. We must fight this threat together through both public and private partnerships. We hope that by sharing what we have learned over the past 10 years, we will help others understand and consider the proactive measures they can take to protect themselves and the wider ecosystem against the continually growing threat of cybercrime.

Amy Hogan-Burney
General Manager, Digital Crimes Unit
Ransomware and extortion: A nation-level threat
Ransomware attacks pose an increased danger to all individuals as critical infrastructure, businesses of all sizes and state and local governments are targeted by criminals leveraging a growing cybercriminal ecosystem.

Over the past two years, high profile ransomware incidents – such as those involving critical infrastructure, healthcare and IT service providers – have drawn considerable public attention. As ransomware attacks have become more audacious in scope, their effects have become more wide ranging. The following are examples of attacks we’ve seen already in 2022:
• In February, an attack on two companies affected the payment processing systems of hundreds of petrol stations in northern Germany.[1]
• In March, an attack against Greece’s postal service temporarily disrupted mail delivery and impacted the processing of financial transactions.[2]
• In late May, a ransomware attack against Costa Rican government agencies forced a national emergency to be declared after hospitals were shut down and customs and tax collection disrupted.[3]
• Also in May, an attack caused flight delays and cancellations for one of India’s largest airlines, leaving hundreds of passengers stranded.[4]

The success of these attacks and the extent of their real-world impacts are the result of an industrialisation of the cybercrime economy, enabling access to tooling and infrastructure and expanding cybercriminal capabilities by lowering their skill barrier to entry.

In recent years, ransomware has moved from a model where a single ‘gang’ would both develop and distribute a ransomware payload to the Ransomware-as-a-Service (RaaS) model. RaaS allows one group to manage the development of the ransomware payload and provide services for payment and extortion via data leakage to other cybercriminals – the ones who actually launch the ransomware attacks – referred to as ‘affiliates’ for a cut of the profits. This franchising of the cybercrime economy has expanded the attacker pool. The industrialisation of cybercriminal tooling has made it easier for attackers to perform intrusions, exfiltrate data and deploy ransomware.

Human operated ransomware[5] – a term coined by Microsoft researchers to describe threats driven by humans who make decisions at every stage of the attacks based on what they discover in their target’s network and delineate the threat from commodity ransomware attacks – remains a significant threat to organisations.

Figure: Human operated ransomware targeting and rate of success model (see p15). Model based on Microsoft Defender for Endpoint (EDR) data (January-June 2022).
Digital threat activity is at an all-time high and the level of sophistication increases every day.

Expanding relationships between specialised cybercriminals have increased the pace, sophistication and success of ransomware attacks. This has driven the evolution of the cybercriminal ecosystem into connected players with different techniques, goals and skillsets that support each other on initial access to targets, payment services and decryption or publication tools or sites.

Ransomware operators can now purchase access to organisations or government networks online, or obtain credentials and access via interpersonal relationships with brokers whose sole objective is to monetise the access they have gained. The operators then use the purchased access to deploy a ransomware payload bought via dark web marketplaces or forums. In many cases, negotiations with victims are conducted by the RaaS team, not the operators themselves. These criminal transactions are seamless, and the participants risk little chance of being arrested and charged because of the anonymity of the dark web and the difficulty of enforcing laws transnationally. A sustainable and successful effort against this threat will require a whole-of-government strategy executed in close partnership with the private sector.

Ransomware attacks have become even more impactful as the adoption of a double extortion monetisation strategy has become standard practice. This involves exfiltrating data from compromised devices, encrypting the data on the devices and then posting, or threatening to post, the stolen data publicly to pressure victims into paying a ransom.

Although most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, some purchase access from other cybercriminals, leveraging connections between access brokers and ransomware operators.

Our unique breadth of signal intelligence is gathered from multiple sources – identity, email, endpoints and cloud – and provides insight into the growing ransomware economy, complete with an affiliate system which includes tools designed for less technically-abled attackers.
Contrary to how ransomware is sometimes portrayed in the media, it is rare for a single ransomware variant to be managed by one end-to-end ‘ransomware gang’. Instead, there are separate entities that build malware, gain access to victims, deploy ransomware and handle extortion negotiations. The industrialisation of the criminal ecosystem has led to:

• Access brokers that break in and hand off access (Access-as-a-Service).
• Malware developers that sell tooling.
• Criminal operators and affiliates that conduct intrusions.
• Encryption and extortion service providers that take over monetisation from affiliates (RaaS).

All human-operated ransomware campaigns share common dependencies on security weaknesses. Specifically, attackers usually take advantage of an organisation’s poor cyber hygiene, which often includes infrequent patching and failure to implement multifactor authentication (MFA).
Understanding the ransomware economy

Operators: A RaaS program (or syndicate) is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. Many RaaS programs incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure and cryptocurrency transaction services.

Affiliates: Affiliates are generally small groups of people ‘affiliated’ with one or more RaaS programs. Their role is to deploy the RaaS program payloads. Affiliates move laterally in the network, persist on systems and exfiltrate data. Each affiliate has unique characteristics, such as different ways of doing data exfiltration.

Access brokers: Access brokers sell network access to other cybercriminals, or gain access themselves via malware campaigns, brute force or vulnerability exploitation. Access broker entities can range from large to small. Top-tier access brokers specialise in high-value network access, while lower-tier brokers on the dark web might have just one or two usable stolen credentials for sale.

Organisations and individuals with weak cybersecurity hygiene practices are at greater risk of having their network credentials stolen.

[Figure: Understanding the ransomware economy – operators, affiliates and access brokers, with the RaaS programs shown: Conti, HIVE, BlackMatter, LockBit, REvil, BlackCat.]
Case study: The dissolution of Conti

Conti, one of the top ransomware variants over the past two years, began shutting down operations in mid-2022, with the Microsoft Threat Intelligence Centre (MSTIC) observing a significant decrease in activity in late March and early April. We observed the last Conti ransomware deployments in mid-April.

However, much like the shuttering of other ransomware operations, Conti’s dissolution did not have a significant impact on ransomware deployments, as MSTIC observed Conti affiliates pivoting to deploy other ransomware payloads, including BlackBasta, Lockbit 2.0, LockbitBlack and HIVE. This is consistent with data from previous years and suggests that when ransomware gangs go offline, they re-emerge months later or redistribute their technical capabilities and resources to new groups.

Our Microsoft threat intelligence teams track ransomware threat actors as individual groups (labelled as DEVs) based on their specific tools, rather than tracking them by the malware they use. This meant that when Conti’s affiliates dispersed, we were able to continue tracking these DEVs through their use of other tools or RaaS kits. For example:

• DEV-0230, which is affiliated with Trickbot, had been a prolific user of Conti. In late April, MSTIC observed it using QuantumLocker.
• DEV-0237 shifted from Conti’s ransomware kit to HIVE and Nokoyawa, including using HIVE in the May 31 attack against Costa Rican government agencies.
• DEV-0506, another prolific user of the Conti ransomware kit, was observed using BlackBasta.

Example of an affiliate (DEV-0237) quickly shifting between RaaS programs. After a RaaS program such as Conti is shut down, the ransomware affiliate shifts to another one (Hive) almost immediately. RaaS programs used by DEV-0237 over time:
• Ryuk: Jan 2020-Jun 2021
• Conti: Jul-Oct 2021
• Hive: Oct 2021-present
• BlackCat: Mar 2022-present
• Nokoyawa: May 2022-present
• Agenda etc.: June 2022 (experimenting)
RaaS evolves the ransomware ecosystem and hinders attribution

Because human-operated ransomware is driven by individual operators, attack patterns vary based on the target and alternate throughout the duration of an attack. In the past, we observed a close relationship between the initial entry vector, tools and ransomware payload choices in each campaign of a single ransomware strain. This made attribution easier. The RaaS affiliate model, however, decouples this relationship. As a result, Microsoft tracks ransomware affiliates deploying payloads in specific attacks, rather than tracking the ransomware payload developers as operators.

Put another way, we no longer assume the HIVE developer is the operator behind a HIVE ransomware attack; it is more likely to be an affiliate.

The cybersecurity industry has struggled to adequately capture this delineation between developers and operators. The industry still often reports a ransomware incident by its payload name, giving the false impression that a single entity, or ransomware gang, is behind all attacks using that particular ransomware payload, and that all incidents associated with it share common techniques and infrastructure. To support network defenders, it is important to learn more about the stages that precede different affiliates’ attacks – such as data exfiltration and additional persistence mechanisms – and the detection and protection opportunities that might exist.

More so than malware, attackers need credentials to succeed in their operations. The successful human-operated ransomware infection of an entire organisation relies on access to a highly privileged account.
Spotlight on human-operated ransomware attacks

Over the past year, Microsoft’s ransomware experts conducted deep investigations into more than 100 human-operated ransomware incidents to track attackers’ techniques and understand how to better protect our customers.

It is important to note that the analysis we share here is possible only for onboarded, managed devices. Non-onboarded, unmanaged devices represent the least secure part of an organisation’s hardware assets.

A durable security strategy

Combating and preventing attacks of this nature requires a shift in an organisation’s mindset to focus on the comprehensive protection required to slow and stop attackers before they can move from the pre-ransomware phase to the ransomware deployment phase. Enterprises must apply security best practices consistently and aggressively to their networks, with the goal of mitigating classes of attacks.

Because of the human decision-making involved, these ransomware attacks can generate multiple, seemingly disparate security product alerts which can easily get lost or not be responded to in time. Alert fatigue is real, and security operations centres (SOCs) can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can not only reduce alert volume, but also stop many attackers before they get access to networks.

Organisations must maintain continuous high standards of security posture and network hygiene to protect themselves from human-operated ransomware attacks.
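The grouping idea described above (alerts that look disparate one at a time but form one intrusion when correlated per host and time window) can be shown in a small triage routine. This is an added example, not code from the report or from Microsoft products: the alerts are constructed, and the category names, the four-hour window and the priority rule are assumptions chosen to illustrate the approach.

```python
"""Group scattered endpoint alerts into per-host incidents and rank them.

Added example, not code from the Microsoft Digital Defence Report: the
alerts below are constructed, and the category labels, time window and
scoring rule are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set


@dataclass
class Alert:
    ts: datetime      # time the alert fired
    host: str         # device the alert concerns
    category: str     # coarse tactic label assigned by the detection product
    title: str


# Constructed sample alerts. WS-01 shows the kind of chain a hands-on-keyboard
# operator produces in the pre-ransomware phase; SRV-02 has a single alert.
SAMPLE_ALERTS = [
    Alert(datetime(2022, 5, 3, 9, 0), "WS-01", "credential-access", "LSASS memory read"),
    Alert(datetime(2022, 5, 3, 9, 40), "WS-01", "discovery", "Domain trust enumeration"),
    Alert(datetime(2022, 5, 3, 10, 15), "WS-01", "lateral-movement", "Remote service created over SMB"),
    Alert(datetime(2022, 5, 3, 10, 50), "WS-01", "defense-evasion", "Security product tampering attempt"),
    Alert(datetime(2022, 5, 3, 3, 0), "SRV-02", "execution", "Suspicious script interpreter"),
    Alert(datetime(2022, 5, 3, 20, 0), "WS-01", "execution", "Suspicious script interpreter"),
]


@dataclass
class Incident:
    host: str
    alerts: List[Alert]

    @property
    def categories(self) -> Set[str]:
        return {a.category for a in self.alerts}

    @property
    def priority(self) -> str:
        # Assumed rule: the breadth of tactics seen on one host inside the
        # window is a stronger signal than the severity of any single alert.
        n = len(self.categories)
        if n >= 3:
            return "high"
        if n == 2:
            return "medium"
        return "low"


def group_into_incidents(alerts: List[Alert], window: timedelta = timedelta(hours=4)) -> List[Incident]:
    """Merge alerts on the same host into one incident while consecutive
    alerts fall within `window` of each other."""
    incidents: List[Incident] = []
    for a in sorted(alerts, key=lambda x: (x.host, x.ts)):
        last = incidents[-1] if incidents else None
        if last and last.host == a.host and a.ts - last.alerts[-1].ts <= window:
            last.alerts.append(a)
        else:
            incidents.append(Incident(a.host, [a]))
    return incidents


def triage(alerts: List[Alert]) -> List[Incident]:
    """Return incidents ordered highest priority first, then by first alert time."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(group_into_incidents(alerts), key=lambda i: (order[i.priority], i.alerts[0].ts))


if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        print(f"{inc.priority:6} {inc.host}: {len(inc.alerts)} alerts, tactics={sorted(inc.categories)}")
```

Run stand-alone, the script lists three incidents: the four-tactic chain on WS-01 comes out as the one high-priority item, while the two isolated execution alerts rank low. In a real SOC the same per-host grouping would sit in the SIEM or XDR console; the point is that the ranking is driven by the shape of the incident, not by the count of alerts.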
The typical human-operated attack

Human-operated ransomware attacks can be categorised into the pre-ransomware phase and the ransomware deployment phase. During the pre-ransomware phase, attackers prepare to infiltrate the network by learning about the organisation’s topology and security infrastructure.

Pre-ransomware phase: Attackers prepare to infiltrate the network by learning as much as possible about the topology and security infrastructure. Attackers may also exfiltrate data in this phase. This phase can range from a few days to several weeks or months, although it has been shortening over the past two years.

Ransomware deployment phase: Attackers aim to encrypt as much data as possible. This phase can last only minutes.

Stop the attackers before they reach the ransomware deployment phase.

Our investigations found most actors behind human-operated ransomware attacks take advantage of similar security weaknesses and share common attack patterns and techniques.

Most prevalent ransomware phase techniques:
• 75% use admin tools.
• 75% use an acquired, elevated, compromised user account to spread malicious payloads through the SMB protocol.
• 99% attempt to tamper with discovered security and backup products using OS-built tools.
Actionable insights

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key to disrupting the cybercriminal economy.

1 Build credential hygiene. More so than malware, attackers need credentials to succeed in their operations. The successful human-operated ransomware infection of an entire organisation relies on access to a highly privileged account like a Domain Administrator, or the ability to edit a Group Policy.
2 Audit credential exposure.
3 Prioritise deployment of Active Directory updates.
4 Prioritise cloud hardening.
5 Reduce the attack surface.
6 Harden internet-facing assets and understand your perimeter.
7 Reduce SOC alert fatigue by hardening your network to reduce volume and preserve bandwidth for high-priority incidents.

Links to further information
RaaS: Understanding the cybercrime gig economy and how to protect yourself | Microsoft Security Blog
Human-operated ransomware attacks: A preventable disaster | Microsoft Security Blog
Ransomware insights from front-line responders

Organisations worldwide experienced a steady growth in human-operated ransomware attacks beginning in 2019. However, law enforcement operations and geopolitical events in the last year had a significant impact on cybercriminal organisations.

Microsoft’s Security Service Line supports customers through an entire cyberattack, from investigation to successful containment and recovery activities. The response and recovery services are offered via two highly integrated teams, with one focusing on the investigation and groundwork for recovery and the second on containment and recovery. This section presents a summary of findings based on ransomware engagements over the past year.

Ransomware incident and recovery engagements by industry:
• Manufacturing 28%
• IT 4%
• Finance 8%
• Government 8%
• Health 20%
• Energy 8%
• Education 8%
• Consumer retail 16%

As new small groups and threats emerge, defending teams must be aware of evolving ransomware threats while protecting against previously unknown ransomware malware families. The rapid development approach used by criminal groups led to the creation of intelligent ransomware packaged in easy-to-use kits. This allows greater flexibility in launching widespread attacks on a higher number of targets.

The following pages provide a deeper look at the most commonly observed contributing factors to weak protection against ransomware, grouped into three categories of findings:
1. Weak identity controls
2. Ineffective security operations
3. Limited data protection

93% of Microsoft investigations during ransomware recovery engagements revealed insufficient privilege access and lateral movement controls.
Summary of most common findings in ransomware response engagements:
• Low maturity security operations: 62%
• Insufficient application security practices: 74%
• Limited adoption of modern security frameworks: 87%
• Insufficient privilege access and lateral movement controls: 93%
• Insecure configuration of identity provider: 86%
• No multifactor authentication: 74%
• Lack of information protection control: 65%

The most common finding among ransomware incident response engagements was insufficient privilege access and lateral movement controls.
The three main contributing factors seen in our on-site response engagements:
1 Weak identity controls: Credential theft attacks remain one of the top contributing factors.
2 Ineffective security operations processes do not just present a window of opportunity for attackers, but significantly impact the time to recover.
3 Eventually it boils down to data – organisations struggle to implement an effective data protection strategy which aligns with their business needs.

1 Weak identity controls

Human-operated ransomware continues to evolve and employ credential theft and lateral movement methods traditionally associated with targeted attacks. Successful attacks are often the result of long-running campaigns involving compromise of identity systems, like Active Directory (AD), that allow human operators to steal credentials, access systems and remain persistent in the network.

Active Directory (AD) and Azure AD security

88% of impacted customers did not employ AD and Azure AD security best practices. This has become a common attack vector as attackers exploit misconfigurations and weaker security postures in critical identity systems to gain broader access and impact to businesses.

Least privilege access and use of Privileged Access Workstations (PAW)

None of the impacted organisations implemented proper administrative credential segregation and least privilege access principles via dedicated workstations during the management of their critical identity and high-value assets, such as proprietary systems and business-critical applications.

Privileged account security

In 88% of engagements, MFA was not implemented for sensitive and highly privileged accounts, leaving a security gap for attackers to compromise credentials and pivot further attacks using legitimate credentials.

Administrators across 84% of organisations did not use privileged identity controls such as just-in-time access to prevent further nefarious use of compromised privileged credentials.
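The three identity findings above (privileged accounts without MFA, standing rather than just-in-time admin rights, and admin credentials used outside dedicated Privileged Access Workstations) are each a check a defender can run against a directory export. The following is an added example, not code from the report or from Microsoft: the account and sign-in records are constructed, and the field names, the role names and the PAW inventory are assumptions standing in for whatever your identity provider actually exports.

```python
"""Audit privileged accounts for the gaps the report lists most often:
no MFA on privileged accounts, standing (not just-in-time) admin rights,
and admin credentials used on devices that are not Privileged Access
Workstations.

Added example, not code from the report or from Microsoft: records are
constructed and field names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Account:
    name: str
    mfa_enabled: bool
    standing_roles: Set[str] = field(default_factory=set)   # held permanently
    eligible_roles: Set[str] = field(default_factory=set)   # activated just-in-time


# Assumed: roles that count as highly privileged in this environment.
PRIVILEGED_ROLES = {"Domain Admins", "Global Administrator", "Group Policy Creator Owners"}
# Assumed: inventory of dedicated admin workstations.
PAW_DEVICES = {"PAW-01", "PAW-02"}

# Constructed directory export.
ACCOUNTS = [
    Account("alice.admin", mfa_enabled=True, eligible_roles={"Domain Admins"}),
    Account("bob.admin", mfa_enabled=False, standing_roles={"Domain Admins"}),
    Account("carol", mfa_enabled=False),
    Account("svc-gpo", mfa_enabled=False, standing_roles={"Group Policy Creator Owners"}),
]

# Constructed interactive sign-in records: (account, device).
SIGN_INS = [
    ("alice.admin", "PAW-01"),
    ("bob.admin", "WS-117"),    # admin credential used on an ordinary workstation
    ("carol", "WS-042"),
    ("svc-gpo", "PAW-02"),
]


def is_privileged(acct: Account) -> bool:
    """An account is privileged if it holds or can activate a privileged role."""
    return bool((acct.standing_roles | acct.eligible_roles) & PRIVILEGED_ROLES)


def audit(accounts: List[Account], sign_ins: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return the three finding lists; each entry names an account (or account@device)."""
    findings: Dict[str, List[str]] = {
        "no_mfa_privileged": [],
        "standing_admin": [],
        "admin_on_non_paw": [],
    }
    by_name = {a.name: a for a in accounts}
    for a in accounts:
        if not is_privileged(a):
            continue
        if not a.mfa_enabled:
            findings["no_mfa_privileged"].append(a.name)
        if a.standing_roles & PRIVILEGED_ROLES:
            findings["standing_admin"].append(a.name)
    for name, device in sign_ins:
        a = by_name.get(name)
        if a and is_privileged(a) and device not in PAW_DEVICES:
            findings["admin_on_non_paw"].append(f"{name}@{device}")
    return findings


if __name__ == "__main__":
    for check, hits in audit(ACCOUNTS, SIGN_INS).items():
        print(f"{check}: {hits or 'none'}")
```

Of the constructed accounts only alice.admin passes all three checks: she has MFA, holds Domain Admins as an eligible (just-in-time) role only, and signs in from a PAW. Non-privileged accounts such as carol are deliberately skipped so the output stays focused on the credentials an attacker would need to take over the whole organisation.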
2 Ineffective security operations

Our data shows organisations which suffered ransomware attacks have significant gaps in their security operations, tooling and information technology asset lifecycle management. Based on the available data, the following gaps were most observed:

Patching:
68% of impacted organisations did not have an effective vulnerability and patch management process, and a high dependence on manual processes versus automated patching led to critical openings. Manufacturing and critical infrastructure continue to struggle with maintenance and patching of legacy operational technology (OT) systems.

Lack of security operations tooling:
Most organisations reported a lack of end-to-end security visibility due to a lack or misconfiguration of security tools, leading to a decrease in detection and response effectiveness.
• 60% of organisations reported no use of an EDR6 tool, a fundamental technology for detection and response.
• 60% did not invest in security information and event management (SIEM) technology, leading to monitoring silos, limited ability to detect end-to-end threats and inefficient security operations. Automation remains a key gap in SOC tooling and processes, forcing SOC staff to spend countless hours making sense of security telemetry.
• 84% of impacted organisations did not enable integration of their multi-cloud environments into their security operations tooling.

Response and recovery processes:
Lack of an effective response plan was a critical area observed in 76% of impacted organisations, preventing proper organisational crisis readiness and negatively impacting time to respond and recover.

3 Limited data protection

Many compromised organisations lacked proper data protection processes, leading to a severe impact on recovery times and the capability to return to business operations. The most common gaps encountered include:
Immutable backup:
44% of organisations did not have immutable backups for the impacted systems. Data also shows administrators did not have backups and recovery plans for critical assets such as AD.

Data loss prevention:
Attackers usually find their way to compromise systems by exploiting vulnerabilities in the organisation, exfiltrating critical data for extortion, intellectual property theft or monetisation. 92% of impacted organisations did not implement effective data loss prevention controls to mitigate these risks, leading to critical data loss.
Ransomware declined in some regions and increased in others

This year we observed a drop in the overall number of ransomware cases reported to our response teams in North America and Europe compared to the previous year. At the same time, cases reported in Latin America increased.

One interpretation of this observation is that cybercriminals pivoted away from areas perceived to have a higher risk of triggering law enforcement scrutiny in favour of softer targets. Since Microsoft did not observe a substantial improvement in enterprise network security worldwide to explain the decrease in ransomware-related support calls, we believe the most likely cause is a combination of law enforcement activity in 2021 and 2022, which increased the cost of criminal activity, along with some geopolitical events of 2022.

One of the most prevalent RaaS operations belongs to a Russian-speaking criminal group known as REvil (also known as Sodinokibi) that has been active since 2019. In October 2021, REvil’s servers were taken offline as part of the international law enforcement Operation GoldDust.7 In January 2022, Russia arrested 14 alleged REvil members and raided 25 locations associated with them.8 This was the first time Russia acted against ransomware operators on its soil.

While law enforcement activities likely slowed the frequency of attacks in 2022, threat actors might well develop new strategies to avoid being caught in the future. Moreover, tension between Russia and the United States over Russia’s invasion of Ukraine appears to have put an end to Russia’s nascent cooperation in the global fight against ransomware. After a brief period of uncertainty following the REvil arrests, the United States and Russia ceased cooperation in pursuing ransomware actors, which means cybercriminals might view Russia as a safe haven once more.

Looking ahead, we predict the pace of ransomware activities will depend on the outcome of some key questions:
1. Will governments take action to prevent ransomware criminals from operating within their borders, or seek to disrupt actors operating from foreign soil?
2. Will ransomware groups change tactics to remove the need for ransomware and resort to extortion-style attacks?
3. Will organisations be able to modernise and transform their IT operations faster than criminals can exploit vulnerabilities?
4. Will advancements in tracking and tracing ransom payments force ransom recipients to change tactics and negotiations?

2×: Ransomware attacks decreased in some regions, but ransom demands more than doubled.

Actionable insights
1 Focus on holistic security strategies, as all of the ransomware families take advantage of the same security weaknesses to impact a network.
2 Update and maintain security basics to increase the defence-in-depth base level of protection and modernise security operations. Moving to the cloud allows you to detect threats more quickly and respond faster.

Links to further information
Protect your organisation from ransomware | Microsoft Security
Seven ways to harden your environment against compromise | Microsoft Security Blog
Improving AI-based defences to disrupt human-operated ransomware | Microsoft 365 Defender Research Team
Security Insider: Explore the latest cybersecurity insights and updates | Microsoft Security
Cybercrime-as-a-Service

Cybercrime-as-a-Service (CaaS) is a growing and evolving threat to customers worldwide. The Microsoft Digital Crimes Unit (DCU) observed continued growth of the CaaS ecosystem with an increasing number of online services facilitating various cybercrimes, including BEC and human-operated ransomware. Phishing continues to be a preferred attack method as cybercriminals can acquire significant value from successfully stealing and selling access to stolen accounts.

In response to the expanding CaaS market, DCU enhanced its listening systems to detect and identify CaaS offerings across the entire ecosystem of internet, deep web, vetted forums,9 dedicated websites, online discussion forums and messaging platforms.

2,750,000 site registrations successfully blocked by DCU this year to get ahead of criminal actors that planned to use them to engage in global cybercrime.

DCU investigations into CaaS surfaced a number of key trends:

The number and sophistication of services is increasing.

One example is the evolution of web shells, which typically consist of compromised web servers used to automate phishing attacks. DCU observed CaaS resellers simplifying the upload of phishing kits or malware through specialised web dashboards. CaaS sellers often subsequently attempt to sell additional services to the threat actor through the dashboard, such as spam message services and specialised spam recipient lists based on defined attributes including geographic location or profession. In some instances, we observed a single web shell being used in multiple attack campaigns, which suggests threat actors might maintain persistent access to the compromised server.

We also observed an increase in anonymisation services available as part of the CaaS ecosystem, as well as offers for virtual private network (VPN) and virtual private server (VPS) accounts. In most instances, the VPN/VPS offered were initially procured through stolen credit cards. CaaS websites also offered a larger number of remote desktop protocol (RDP), secure shell (SSH) and cPanel accounts for use as a platform to orchestrate cybercrime attacks. CaaS merchants configure the RDP, SSH and cPanels with appropriate tools and scripts to facilitate various types of cyberattacks.

Homoglyph domain creation services are increasingly requiring payment in cryptocurrencies.

Homoglyph domains impersonate legitimate domain names by utilising characters that are identical or nearly identical in appearance to another character. The aim is to deceive the viewer into thinking the homoglyph domain is the genuine domain. These domains are a ubiquitous threat and a gateway for a significant amount of cybercrime. CaaS sites now sell custom homoglyph domain names, which allows buyers to request specific company and domain names to impersonate. After payment is received, the CaaS merchants use a homoglyph generator tool to select the domain name and then register the malicious homoglyph. Payment for this service is almost exclusively in cryptocurrency.

Cybercriminals are now collaborating across time zones and languages to deliver specific results.

For example, one CaaS website administered by an individual in Asia maintains operations in Europe and creates malicious accounts in Africa. The multi-jurisdictional nature of these operations presents complex law enforcement challenges. In response, DCU focuses its efforts on disabling malicious criminal infrastructure used to facilitate CaaS attacks and collaborating with law enforcement agencies around the world to hold criminals accountable.

Cybercriminals are increasingly using analytics to maximise reach, scope and gain.

Like legitimate businesses, CaaS websites must ensure the validity of products and services to maintain a solid reputation. For example, CaaS websites routinely automate access to compromised accounts to ensure the validity of compromised credentials. Cybercriminals will discontinue sales of specific accounts when passwords are reset or vulnerabilities patched. Increasingly, we identified CaaS websites providing buyers with on-demand verification as a quality control process. As a result, buyers can feel confident the CaaS website sells active accounts and passwords, while reducing potential costs to the CaaS merchant if the stolen credentials are remediated prior to sale.

DCU also observed CaaS websites offering buyers the option to purchase compromised accounts from specific geographic locations, designated online service providers and specifically targeted individuals, professions and industries. Frequently ordered accounts focus on professionals or departments that process invoicing, such as CFOs or ‘Accounts Receivable’. Similarly, industries participating in public contracting are often targeted due to the quantity of information that is made available through the public bidding process.
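The homoglyph domains discussed in this section are caught on the defensive side by reducing each domain to the ASCII string a reader would perceive and comparing that against the brands you protect. The following is an added example, not DCU's or Microsoft's tooling: the confusable table is a small constructed subset of the Unicode confusables data (Cyrillic, Greek and digit lookalikes plus two letter-pair tricks), and the protected domain list is a placeholder for your own. It also decodes punycode (xn--) labels, which is how an internationalised lookalike actually appears in DNS logs and certificate transparency feeds.

```python
"""Flag domains that impersonate protected brands with lookalike characters.

Added example, not code from the report or from DCU: CONFUSABLES is a
constructed subset of the Unicode confusables data and the protected
domain list used in tests is a placeholder.
"""
import unicodedata
from typing import Dict, Iterable, Optional

# Constructed subset: lookalike character -> ASCII letter it imitates.
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l", "\u051b": "q", "\u051d": "w",   # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                   # Greek
    "0": "o", "1": "l", "3": "e", "5": "s",                        # digits
}
# Letter pairs that render like a single letter in many fonts.
SEQUENCES = (("rn", "m"), ("vv", "w"))


def to_unicode(domain: str) -> str:
    """Decode IDNA/punycode (xn--) labels so the lookalike glyphs become visible."""
    if domain.isascii() and "xn--" in domain:
        try:
            return domain.encode("ascii").decode("idna")
        except UnicodeError:
            return domain
    return domain


def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII string a human would read it as.

    NFKC folds full-width and other compatibility forms first; then each
    confusable glyph is replaced and the letter-pair tricks are collapsed.
    """
    s = unicodedata.normalize("NFKC", to_unicode(domain)).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, repl in SEQUENCES:
        s = s.replace(seq, repl)
    return s


def find_impersonated(candidate: str, protected: Iterable[str]) -> Optional[str]:
    """Return the protected domain that `candidate` imitates, or None when the
    candidate is the genuine domain itself or is unrelated."""
    protected = [p.lower() for p in protected]
    cand = candidate.lower()
    if cand in protected:
        return None
    sk = skeleton(cand)
    for p in protected:
        if sk == skeleton(p):
            return p
    return None


if __name__ == "__main__":
    watch = ["microsoft.com", "paypal.com", "apple.com"]
    for d in ["rnicrosoft.com", "paypa1.com", "xn--pple-43d.com", "microsoft.com", "example.com"]:
        print(f"{d:20} -> {find_impersonated(d, watch)}")
```

Because both the candidate and the protected name are run through the same skeleton, the comparison is symmetric, but the letter-pair collapsing is deliberately coarse: a legitimate name containing "rn" would match a brand spelled with "m", so treat hits as candidates for review rather than automatic blocks, and feed the function from new-registration or certificate transparency data for the brands you care about.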
End-to-end cybercrime services are selling subscriptions to managed services.

Typically, each step in the commission of an online crime can expose threat actors if operational security is poor. The risk of exposure and identification increases if services are purchased from multiple CaaS sites. DCU observed a concerning trend in the dark web whereby there is an increase in services offering to anonymise software code and genericise website text to reduce exposure. End-to-end cybercrime subscription service providers manage all services and guarantee results, which further reduces exposure risks to the subscribing OCN. The reduced risk has increased the popularity of these end-to-end services.

Phishing-as-a-Service (PhaaS) is one example of an end-to-end cybercrime service. PhaaS is an evolution of prior services known as fully undetectable services (FUD) and is offered on a subscription basis. Typical PhaaS terms include keeping phishing websites active for a month.

1 Select a phishing site template/design from among the hundreds offered.
2 Provide an email address to receive credentials obtained from phishing victims.
3 Pay the PhaaS merchant in cryptocurrency.

Once these steps are completed, the PhaaS merchant creates services with three or four layers of redirect and hosting resources to target specific users. The campaign is subsequently launched, and victim credentials are harvested, verified and sent to the email address provided by the purchaser. For a premium, many PhaaS merchants offer to host phishing sites on the public blockchain so they can be accessed by any browser and redirects can point users to a resource on the distributed ledger.

it is a virtual machine, gathering details about the browser and hardware being used, and more. If all checks pass, traffic is sent to a landing page used for phishing.

DCU also identified a CaaS merchant offering distributed denial of service (DDoS) on a subscription model. This model outsources the creation and maintenance of the botnet necessary to carry out attacks to the CaaS merchant. Each DDoS subscription customer receives an encrypted service to enhance operational security and one year of 24/7 support. The DDoS subscription service offers different architectures and attack methods, so a purchaser simply selects a resource to attack and the seller provides access to an array of compromised devices on their botnet to conduct the attack. The cost for the DDoS subscription is a mere USD 500.

DCU’s work to develop tools and techniques which identify and disrupt CaaS cybercriminals is ongoing. The evolution of CaaS services presents significant challenges, particularly in disrupting cryptocurrency payments.
CaaS sellers increasingly offer compromised
credentials for purchase.
Compromised credentials enable unauthorised
access to user accounts including email
messaging service, corporate file sharing
resources and OneDrive for Business.
If administrator credentials are compromised,
unauthorised users could gain access to
confidential files, Azure resources and
company user accounts. In many instances,
DCU investigations identified unauthorised use
of the same credential across multiple servers
as a means to automate verifying credentials.
This pattern suggests the compromised user
might be a victim of multiple phishing attacks
or have device malware allowing botnet
keyloggers to collect credentials.
CaaS services and products with enhanced
features are emerging to avoid detection.
One CaaS seller offers phishing kits with
increased layers of complexity and anonymisation
features designed to circumvent detection and
prevention systems for as little as USD 6 per
day. The service offers a series of redirects that
perform checks before allowing traffic to the next
layer or site. One of these runs over 90 checks for
fingerprinting the device, including whether
Cybercrime-
as-a-Service
Continued
PhaaS, cybercriminals offer multiple services within
a single subscription. In general, a purchaser needs
to take only three actions:
Criminal use of cryptocurrencies

As the adoption of cryptocurrency becomes mainstream, criminals are increasingly using it to evade law enforcement and anti-money laundering (AML) measures. This heightens the challenge for law enforcement to track and trace cryptocurrency payments to cybercriminals.

Worldwide spending on blockchain solutions grew by approximately 340% over the last four years, while new cryptocurrency wallets grew by around 270%. There are more than 83 million unique wallets globally, and the total market capitalisation of all cryptocurrencies was approximately USD 1.1 trillion as of July 28, 2022. [10]

Tracking ransomware payments

Ransomware is one of the largest sources of illicitly gained cryptocurrency. In an effort to disrupt malicious technical infrastructure used in ransomware attacks – for example, the disruption of Zloader in April 2022 [11] – Microsoft’s DCU tracks criminal wallets to enable cryptocurrency tracking and recovery capabilities.

DCU investigators have observed ransomware actors evolving their communication tactics with victims to conceal the money trail. Originally, cybercriminals included Bitcoin addresses in their ransom notes. However, this made it easy to follow payment transactions on the blockchain, so ransomware actors stopped including wallet addresses and instead appended email addresses or links to chat websites to communicate ransom payment addresses to victims. Some actors even created unique webpages and logins for each victim to prevent security researchers and law enforcement from obtaining the criminals’ wallet addresses by pretending to be victims. Despite criminals’ efforts to hide their tracks, some ransom payments can still be recovered by working with law enforcement and crypto analysis companies that can track movement on the blockchain.

Trending: DEX laundering of illicit proceeds

A key issue for cybercriminals is the conversion of cryptocurrency to fiat currency. Cybercriminals have several potential avenues for conversion, each of which carries a different degree of risk. One method used to reduce risk is to launder proceeds through a decentralised exchange (DEX) before cashing out via available cash-out options, such as centralised exchanges (CEX), peer-to-peer (P2P) and over the counter (OTC) exchanges. DEXes are an attractive laundering location because they often do not follow AML measures.

In December 2021, hackers attacked the global cryptocurrency trading platform AscendEx and stole approximately USD 77.7 million in cryptocurrency belonging to its customers. [12] AscendEx hired blockchain analytics firms and contacted other CEXs so the wallets receiving stolen funds could be blacklisted. Additionally, addresses where the coins were sent were labelled as such on the Ethereum blockchain explorer Etherscan. [13] In order to circumvent the alerting and blacklisting, the hackers sent USD 1.5 million in Ethereum to Uniswap, one of the world’s largest DEXs, on February 18, 2022. [14]

The adoption of stronger AML measures by DEXs could blunt laundering activity on their platforms and force cybercriminals to use other obfuscation methods like coin tumbling or unlicensed exchanges. As an example, Uniswap recently announced it will start to use blacklists to block wallets known to be involved in illicit activities from transacting on the exchange. [15]

Tracking illicitly gained cryptocurrency

[Diagram. Nodes: AscendEX.com stolen funds (11-12-2021), Uniswap V3, Curve; edge amounts shown: 72.19 ETH and 46.77 ETH.]

Using the cryptocurrency investigative tool Chainalysis, Microsoft’s Digital Crimes Unit discovered the AscendEX hackers swapped their stolen funds at a smaller DEX called Curve in addition to Uniswap. This diagram illustrates the laundering routes the team uncovered. Each circle represents a cluster of wallets and the numbers on each line represent the total amount of Ethereum transmitted for laundering purposes. Source: Twitter.com – @PeckShieldAlert (PeckShield is a China-based blockchain security company).

Actionable insights

1 If you are a victim of cybercrime who has paid the criminal using cryptocurrency, contact local law enforcement who might be able to help track and recover lost funds.
2 Become familiar with the AML measures in place when selecting a DEX.

Links to further information
Hardware-based threat defence against increasingly complex cryptojackers | Microsoft 365 Defender Research Team
The evolving phishing threat landscape

Credential phishing schemes are on the rise and remain a substantial threat to users everywhere because they indiscriminately target all inboxes. Among the threats our researchers track and protect against, the volume of phishing attacks is orders of magnitude greater than all other threats.

Using data from Defender for Office, we see malicious email and compromised identity activity. Azure Active Directory Identity Protection provides still more information through compromised identity event alerts. Using Defender for Cloud Apps, we see compromised identity data access events, and Microsoft 365 Defender (M365D) provides cross-product correlation. The lateral movement metric comes from Defender for Endpoint (attack behaviour alerts and events), Defender for Office (malicious email) and again M365D for cross-product correlation.

[Chart: Detected phish emails, in millions (0 to 900), by month from Jul 2021 to Jun 2022.] The number of phish detections per week continues to rise. The decrease in December-January is an expected seasonal drop, also reported in last year’s report. Source: Exchange Online Protection signals.

710 million
phishing emails blocked per week.

531,000
In addition to the URLs blocked by Defender for Office, our Digital Crimes Unit directed the takedown of 531,000 unique phishing URLs hosted outside of Microsoft.

1 hr 12 m
The median time it takes for an attacker to access your private data if you fall victim to a phishing email. [16]

1 hr 42 m
The median time for an attacker to begin moving laterally within your corporate network once a device is compromised. [17]

Microsoft 365 credentials remain one of the most highly sought-after account types for attackers. Once login credentials are compromised, attackers can log in to corporate-tied computer systems to facilitate infection with malware and ransomware, steal confidential company data and information by accessing SharePoint files, and continue the spread of phish by sending additional malicious emails using Outlook, among other actions.

In addition to campaigns with broader targets, phishing for credentials, donations and personal information, attackers are targeting selective businesses for larger payouts. Email phishing attacks against businesses for financial gain are collectively referred to as BEC attacks. Microsoft detects millions of BEC emails every month, equivalent to 0.6% of all phishing emails observed. A report from IC3 [18] published in May 2022 indicates an upward trend in exposed losses due to BEC attacks.

The techniques used in phishing attacks continue to increase in complexity. In response to countermeasures, attackers adapt new ways to implement their techniques and increase the complexity of how and where they host campaign operation infrastructure. This means organisations must regularly reassess their strategy for implementing security solutions to block malicious emails and strengthen access control for individual user accounts.
The evolving phishing threat landscape (continued)

We continue to observe a steady year-over-year increase in phishing emails. The shift to remote work in 2020 and 2021 saw a substantial increase in phishing attacks aiming to capitalise on the changing work environment. Phish operators are quick to adopt new email templates using lures aligned with major world events such as the COVID-19 pandemic and themes linked to collaboration and productivity tools such as Google Drive or OneDrive file sharing. While COVID-19 themes have diminished, the war in Ukraine became a new lure starting in early March 2022. Our researchers observed a staggering increase of emails impersonating legitimate organisations soliciting cryptocurrency donations in Bitcoin and Ethereum, allegedly to support Ukrainian citizens.

Only a few days after the start of the war in Ukraine in late February 2022, the number of detected phishing emails containing Ethereum addresses encountered across enterprise customers increased dramatically. Total encounters peaked in the first week of March when half a million phishing emails contained an Ethereum wallet address. Prior to the start of the war, the number of Ethereum wallet addresses across other emails detected as phish was significantly less, averaging a few thousand emails per day.

[Chart: Phishing emails with Ethereum wallet addresses, in thousands (0 to 600), by month from Jul 2021 to Jun 2022.] Total emails detected as phish containing Ethereum wallet addresses increased at the start of the Ukraine-Russia conflict and tapered off after the initial push.

More than ever, phishers are relying on legitimate infrastructure to operate, driving a rise in phishing campaigns aimed at compromising various aspects of an operation so they do not have to purchase, host or operate their own. For example, malicious emails might originate from compromised sender accounts. Attackers benefit from using these email addresses which have a higher reputation score and are seen as more trustworthy than newly created accounts and domains. In some more advanced phishing campaigns, we observed attackers preferring to send and spoof from domains which have DMARC [19] incorrectly set up with a ‘no action’ policy, opening the door for email spoofing.

Large phish operations tend to use cloud services and cloud virtual machines (VMs) to operationalise large scale attacks. Attackers can fully automate the process of deploying and delivering emails from VMs using SMTP email relays or cloud email infrastructure to benefit from the high deliverability rates and positive reputation of these legitimate services. If malicious email is allowed to be sent through these cloud services, defenders must rely on strong email filtering capabilities to block emails from entering their environment.

Microsoft accounts remain a top target for phishing operators, as evidenced by the numerous phishing landing pages which impersonate the Microsoft 365 login page. For example, phishers attempt to match the Microsoft login experience in their phish kits by generating a unique URL customised to the recipient. This URL points to a malicious webpage developed to harvest credentials, but a parameter in the URL will contain the specific recipient’s email address. Once the target navigates to the page, the phish kit will pre-populate user login data and a corporate logo customised to the email recipient, mirroring the appearance of the targeted company’s custom Microsoft 365 login page.

[Figure: Phishing page impersonating a Microsoft login with dynamic content.]
Spotlight on business email compromise

Cybercriminals are developing increasingly complex schemes and techniques to defeat security settings and target individuals, businesses and organisations. We are investing significant resources to further enhance our BEC enforcement programme in response.

BEC is the costliest financial cybercrime, with an estimated USD 2.4 billion in adjusted losses in 2021, representing more than 59% of the top five internet crime losses globally. [20] To understand the scope of the problem and how best to protect users against BEC, Microsoft security researchers have been tracking the most common themes used in attacks.

BEC themes (January-June 2022), by percentage of occurrence
Invoice fraud          9.3%
BEC lure              79.9%
Payroll redirection    4.6%
Business information   4.3%
Gift card scam         1.9%

BEC trends

As a point of entry, BEC attackers normally attempt to start a conversation with potential victims to establish rapport. Posing as a colleague or business acquaintance, the attacker gradually leads the conversation in the direction of a monetary transfer. The introduction email, which we track as a BEC lure, represents close to 80% of detected BEC emails. Other trends identified by Microsoft security researchers over the past year include:

• The most frequently used techniques in BEC attacks observed in 2022 were spoofing [21] and impersonation. [22]
• The BEC subtype causing the most financial damage to victims was invoice fraud (based on volume and requested dollar amounts seen in our BEC campaign investigations).
• Business information theft such as accounts payable reports and customer contacts enable attackers to craft convincing invoice fraud.
• Most payroll redirection requests were sent from free email services and seldom from compromised accounts. Email volume from these sources spiked around the first and fifteenth of each month, the most common pay dates.
• Despite being well-known avenues for fraud, gift card scams comprised only 1.9% of the BEC attacks detected.

Actionable insights

Defending against phish

To reduce your organisation’s exposure to phish, IT administrators are encouraged to implement the following policies and features:

1 Require the use of MFA across all accounts to limit unauthorised access.
2 Enable conditional access features for highly privileged accounts to block access from countries, regions and IPs that do not typically generate traffic at your organisation.
3 Consider using physical security keys for executives, employees involved in payment or purchase activities and other privileged accounts.
4 Enforce the use of browsers which support services such as Microsoft SmartScreen to analyse URLs for suspicious behaviours and block access to known malicious websites. [23]
5 Use a machine-learning based security solution that quarantines high probability phish and detonates URLs and attachments in a sandbox before email reaches the inbox, such as Microsoft Defender for Office 365. [24]
6 Enable impersonation and spoofing protection features across your organisation.
7 Configure DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) action policies to prevent delivery of non-authenticated emails that might be spoofing reputable senders.
8 Audit tenant and user created allow rules and remove broad domain and IP based exceptions. These rules often take precedence and can allow known malicious emails through email filtering.
9 Regularly run phishing simulators to gauge the potential risk across your organisation and to identify and educate vulnerable users.

Links to further information
From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud | Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Centre (MSTIC)
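Both the DMARC ‘no action’ policy that the report describes phishers spoofing from and recommendation 7 on DKIM/DMARC action policies come down to what a domain’s DMARC record actually says. The following added example (not code from the report or from Microsoft) parses a DMARC TXT record and reports whether receivers will act on it; the domain names and records in it are constructed placeholders.

```python
"""Check whether a DMARC record actually enforces a policy.

Added example, not from the report or from Microsoft. Records and domain
names below are constructed placeholders used only to exercise the check.
"""

ENFORCING = ("quarantine", "reject")

# Constructed sample records, keyed by the domain they would be published
# for (a real lookup reads the TXT record at _dmarc.<domain>).
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    "partial.example": "v=DMARC1; p=reject; sp=none; pct=50",
    "strong.example": "v=DMARC1; p=reject; rua=mailto:reports@strong.example",
    "absent.example": "",
}


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Report what a receiver will do with mail that fails DMARC alignment.

    Semantics follow RFC 7489: 'p' is the organisational-domain policy,
    'sp' (defaulting to 'p') covers subdomains, and 'pct' (default 100) is
    the share of failing messages the policy is applied to. 'p=none' is the
    'no action' setting: reports are sent, but spoofed mail is still delivered.
    """
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return {"enforcing": False, "policy": None, "subdomain_policy": None,
                "pct": 0, "findings": ["no valid DMARC record published"]}
    if "p" not in tags:
        findings.append("p tag missing: treated as p=none")
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # assumption made by this check: a malformed pct is read as 100
        findings.append("pct is not a number: treated as 100")
    if policy == "none":
        findings.append("p=none: organisational domain is monitor-only, spoofed mail is delivered")
    if sub_policy == "none":
        findings.append("sp=none: subdomains are monitor-only")
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not collected, so abuse stays invisible")
    enforcing = policy in ENFORCING and sub_policy in ENFORCING and pct == 100
    return {"enforcing": enforcing, "policy": policy, "subdomain_policy": sub_policy,
            "pct": pct, "findings": findings}


def assess_all(records: dict) -> dict:
    """Assess every record in a {domain: record} mapping."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all(SAMPLE_RECORDS).items():
        state = "ENFORCING" if result["enforcing"] else "NOT ENFORCING"
        print(f"{domain}: {state}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```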
Homoglyph deception

BEC and phishing are common social engineering tactics. Social engineering plays a significant role in crime, persuading a target to interact with the criminal by gaining trust.

In physical commerce, trademarks are used to secure trust in the origin of a product or service, and counterfeit products are an abuse of the trademark. Similarly, cybercriminals pose as a contact familiar to the target during a phishing attack, using homoglyphs to deceive potential victims.

A homoglyph is a domain name used for email communication in BEC, in which a character is replaced by one that is identical or nearly identical in appearance, in order to deceive the target.

Homoglyph techniques used in BEC attempts

Technique                     % of domains showing homoglyph technique
sub l for I                   25%
sub i for l                   12%
sub q for g                    7%
sub rn for m                   6%
sub .cam for .com              6%
sub 0 for o                    5%
sub ll for l                   3%
sub ii for i                   2%
sub vv for w                   2%
sub l for ll                   2%
sub e for a                    2%
sub nn for m                   1%
sub ll for I, sub l for i      1%
sub o for u                    1%

Analysis of over 1,700 homoglyph domains between January-July 2022. While 170 homoglyph techniques were used, 75% of domains used just 14 techniques.

A homoglyph in action

A homoglyph domain that looks identical to a mail domain the victim recognises is registered on a mail provider with a username that is identical. A hijacked email is then sent from the hijacked domain with new payment instructions.

Progression of a BEC attack

BEC generally has two phases, the first of which involves compromise of credentials. These types of credential leaks can be a result of phishing attacks or large data breaches. The credentials are then sold or traded on the dark web. The second phase is the fraud phase, where attackers use compromised credentials to engage in sophisticated social engineering using homoglyph email domains.

Leveraging open-source intelligence and access to email threads, the criminal identifies individuals who have responsibility for invoicing and payments. They then create an impersonation of an email address of the individual sending invoices. This impersonation is composed of an identical username and a mail domain that is a homoglyph of the genuine sender.

The attacker copies an email chain containing a legitimate invoice, then changes the invoice to contain their own bank details. This new, modified invoice is then resent from the homoglyph impersonation email to the target. Because the context makes sense and the email looks genuine, often the target follows the fraudulent instructions.

Actionable insights

1 Enforce the use of browsers that support services such as Safe Links and SmartScreen to analyse URLs for suspicious behaviours and block access to known malicious websites. [25]
2 Use a machine-learning based security solution that quarantines high probability phish and detonates URLs and attachments in a sandbox before email reaches the inbox.

Links to further information
Internet Crime Complaint Centre (IC3) | Business Email Compromise: The USD 43 Billion Scam
Spoof intelligence insight – Office 365 | Microsoft Docs
Impersonation insight – Office 365 | Microsoft Docs
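The substitution table above is directly usable on the defending side: if a sender domain and a domain you already trust collapse to the same string once every listed substitution is undone, the sender is a lookalike. The following added example (not code from the report or from Microsoft) builds that ‘skeleton’ from the 14 techniques in the table and flags lookalike senders against a trusted-domain list; the domains and addresses in it are constructed placeholders.

```python
"""Flag sender domains that are homoglyphs of domains you trust.

Added example, not from the report or from Microsoft. It undoes the
substitutions listed in the report's table (l/I, i/l, q/g, rn/m,
.cam/.com, 0/o, ll/l, ii/i, vv/w, l/ll, e/a, nn/m, o/u) so that a
lookalike and the genuine domain reduce to the same skeleton string.
All domains and addresses below are constructed placeholders.
"""
import re

# Two-character sequences that imitate one letter (undone first).
DIGRAPHS = {"rn": "m", "nn": "m", "vv": "w"}

# Single characters that imitate another; DNS is case-insensitive, so
# 'l for I' and 'l for i' are the same substitution after lower-casing.
CHAR_MAP = str.maketrans({
    "l": "i", "1": "i", "|": "i",   # l, 1 and | pass for i
    "0": "o",                       # zero for o
    "u": "o",                       # o for u
    "q": "g",                       # q for g
    "e": "a",                       # e for a
})

# Top-level labels that imitate another TLD.
TLD_MAP = {"cam": "com"}

# Constructed data: the domains you trust and senders seen in a mail log.
TRUSTED_DOMAINS = ["northwind-billing.com", "contoso-invoices.example"]
SAMPLE_SENDERS = [
    "ap@northwind-billing.com",       # genuine
    "ap@northwlnd-billing.com",       # l for i
    "ap@northwind-biling.com",        # l for ll
    "ap@n0rthwind-billing.com",       # 0 for o
    "ap@northwind-billing.cam",       # .cam for .com
    "ceo@contoso-invoices.example",   # genuine
    "ceo@contoso-lnvoices.example",   # l for i
    "billing@unrelated-vendor.net",   # not a lookalike of anything trusted
]


def skeleton_label(label: str) -> str:
    """Reduce one DNS label to its homoglyph skeleton."""
    s = label.lower()
    for seq, rep in DIGRAPHS.items():
        s = s.replace(seq, rep)
    s = s.translate(CHAR_MAP)
    # ll for l, ii for i, l for ll: doubled or halved letters collapse to one.
    return re.sub(r"(.)\1+", r"\1", s)


def skeleton(domain: str) -> str:
    """Skeleton of a whole domain; the TLD is normalised separately."""
    labels = domain.strip().lower().rstrip(".").split(".")
    labels[-1] = TLD_MAP.get(labels[-1], labels[-1])
    return ".".join(skeleton_label(label) for label in labels)


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def find_homoglyph_senders(addresses, trusted_domains):
    """Return (address, trusted_domain) pairs whose sender domain reduces to
    the same skeleton as a trusted domain without being that domain.
    Subdomains of a trusted domain have a different label count and are
    therefore not reported; only same-shape lookalikes are."""
    by_skeleton = {}
    for trusted in trusted_domains:
        by_skeleton.setdefault(skeleton(trusted), set()).add(trusted.lower())
    hits = []
    for addr in addresses:
        domain = sender_domain(addr)
        genuine = by_skeleton.get(skeleton(domain), set())
        if genuine and domain not in genuine:
            hits.append((addr, sorted(genuine)[0]))
    return hits


if __name__ == "__main__":
    for addr, looks_like in find_homoglyph_senders(SAMPLE_SENDERS, TRUSTED_DOMAINS):
        print(f"{addr} looks like {looks_like}")
```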
A timeline of botnet disruption from Microsoft’s early days of collaboration

For more than a decade, DCU has worked to proactively stop cybercrime, resulting in 26 malware and nation state disruptions. As the DCU team uses more advanced tactics and tools to shut down these illicit operations, we see the cybercriminals also evolve their approaches in an attempt to stay a step ahead. Here is a timeline showing a sample of the botnets disrupted by DCU and the strategies Microsoft adopted to shut them down.

Timeline: 2008 2009 2011 2013 2019 2022

Microsoft Digital Crimes Unit is formed
Collaboration: Designed to thwart cybercrime impacting the Microsoft ecosystem through close integration across a team of investigators, lawyers and engineers.
Microsoft approach: The goal is to better understand the technical aspects of various malware and provide these insights to Microsoft’s legal team to develop an effective disruption strategy.

Conficker botnet
Description: A fast-spreading worm targeting the Windows OS, infecting millions of computers and devices in a common network; created network outages worldwide.
Collaboration: Formation of the Conficker Working Group, the first consortium of its kind. Microsoft partnered with 16 organisations across the globe to defeat the bot.
Microsoft response: The group collaborated across many international jurisdictions and was successful in bringing Conficker down.

Waledac botnet
Description: A complex spam botnet with US domains that collected email addresses and distributed spam that infected up to 90,000 computers across the world. [26]
Collaboration: Creation of another consortium, the Microsoft Malware Protection Centre (MMPC), with a focus on close collaboration with academics. [27]
Microsoft response: Microsoft used a tiered disruption approach of C2 and surprised bad actors by seizing US-based domains without notice. [28] Microsoft granted temporary ownership of nearly 280 domains used by Waledac’s servers.

Rustock botnet
Description: A backdoor trojan spam email bot using internet providers as primary C2s; designed to sell pharmaceuticals.
Collaboration: Microsoft forged a partnership with Pfizer Pharmaceuticals to understand the drugs sold by Rustock and worked closely with Dutch law enforcement officials. [29]
Microsoft response: Microsoft worked with US Marshals and law enforcement in the Netherlands to take down the C2 servers in that country. Registered and blocked all future domain generation algorithm (DGA) domains.

Sirefef/Zero Access botnet
Description: An advertising botnet designed to direct people to dangerous websites that would install malware or steal personal information; infected more than two million computers and cost advertisers more than USD 2.7 million per month; primarily in US and Western Europe.
Collaboration: Worked closely with the FBI and Europol’s Cybercrime Centre to bring down the peer-to-peer infrastructure.
Microsoft response: Joined the Zero Access network, replaced the criminal C2 servers and successfully seized download server domains.

Trickbot botnet
Description: A sophisticated botnet with fragmented infrastructure across the globe that targeted the financial services industry; compromised IoT devices.
Collaboration: Microsoft partnered with the Financial Services Information Sharing and Analysis Centre (FS-ISAC) to bring down Trickbot. [30]
Microsoft response: DCU built a system to identify and track bot infrastructure and generated notifications for active internet providers, taking into account specific laws in various countries.

Continued focus on disruption
Description: Microsoft disrupted the infrastructure of seven threat actors over the past year, preventing them from distributing additional malware, controlling victims’ computers and targeting additional victims.
Collaboration: In partnership with internet service providers, governments, law enforcement and private industry, Microsoft shared information to remediate over 17 million malware victims worldwide.

Looking ahead
DCU continues to innovate and is looking to use its experience in botnet disruptions to conduct coordinated operations that go beyond malware. Our continued success requires creative engineering, sharing of information, innovative legal theories and public and private partnerships.
Cybercriminal abuse of infrastructure

Internet gateways as criminal command and control infrastructure

IoT devices are becoming an increasingly popular target for cybercriminals using widespread botnets. When routers are unpatched and left exposed directly to the internet, threat actors can abuse them to gain access to networks, execute malicious attacks and even support their operations.

The Microsoft Defender for IoT team conducts research on equipment ranging from legacy industrial control system controllers to cutting-edge IoT sensors. The team investigates IoT- and OT-specific malware to contribute to the shared list of indicators of compromise.

Routers are particularly vulnerable attack vectors because they are ubiquitous across internet-connected homes and organisations. We have been tracking the activity of MikroTik routers, a popular router around the world residentially and commercially, identifying how they are utilised for command and control (C2), domain name system (DNS) attacks and crypto mining hijacking.

More specifically, we identified how Trickbot operators utilise compromised MikroTik routers and reconfigure them to act as part of their C2 infrastructure. The popularity of these devices compounds the severity of their abuse by Trickbot, and their unique hardware and software enable threat actors to evade traditional security measures, expand their infrastructure and compromise more devices and networks.

Exposed routers are at risk of having potential vulnerabilities exploited.

By tracking and analysing traffic containing secure shell (SSH) commands, we observed attackers using MikroTik routers to communicate with Trickbot infrastructure after obtaining legitimate credentials to devices. These credentials can be obtained through brute force attacks, exploiting known vulnerabilities with readily available patches and using default passwords. Once a device is accessed, the attacker issues a unique command that redirects traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2.

We have aggregated our knowledge of the various methods of attacking MikroTik devices, beyond just Trickbot, as well as known common vulnerabilities and exposures (CVEs) into an open-source tool for MikroTik devices, which can extract the forensic artifacts related to attacks on these devices. [31]

Devices acting as reverse proxies for malware C2 are not just unique to Trickbot and MikroTik routers. In collaboration with the Microsoft RiskIQ team, we traced back to the C2 involved and, through observing SSL certificates, identified Ubiquiti and LigoWave devices that are impacted as well. [32] This is a strong indication that IoT devices are becoming active components of nation state coordinated attacks and a popular target for cybercriminals using widespread botnets.

Trickbot attack chain

[Diagram. Nodes: Attacker; Command and control; Compromised IoT device; Target network. Actions shown: sets up malicious domains; installs Trickbot on target network via a campaign; performs recon to obtain network information; scans for MikroTik devices that are exposed to the internet; steals device credentials and maintains persistence; executes traffic redirection command; communicates with C2 via router, drops payloads, steals info.] Trickbot attack chain showing the use of MikroTik IoT devices as proxy servers for C2.

93,868
Number of exposed MikroTik routers. [Map: Distribution of exposed MikroTik routers around the world.]
28. Virtual machines as criminal infrastructure

The widespread move to the cloud includes cybercriminals who leverage private assets of unwitting victims obtained through phishing or distributing malware credential stealers. Many cybercriminals are choosing to set up their malicious infrastructures on cloud-based virtual machines (VMs), containers and microservices.

Once the cybercriminal has access, a sequence of events can occur to set up infrastructure – such as a series of virtual machines through scripting and automated processes. These scripted, automated processes are used to launch malicious activity including large scale email spam attacks, phishing attacks and web pages hosting nefarious content. It can even include setting up a scaled virtual environment carrying out cryptocurrency mining, causing the end victim a bill of hundreds of thousands of dollars at the end of the month.

Cybercriminals understand their malicious activity has a limited life span before it is detected and shut down. As a result, they have scaled up and now operate proactively with contingencies top of mind. They have been observed preparing compromised accounts ahead of time and monitoring their environments. As soon as an account (set up using hundreds of thousands of virtual machines) is detected, they traverse to the next account – already prepared by scripts to be immediately activated – and their malicious activity continues with little to no interruption.

Like cloud infrastructure, on-premises infrastructure can be used in attacks with virtual local environments that are unknown to the on-premises user. This requires the initial access point to remain open and accessible. On-premises private assets have also been abused by cybercriminals to initiate an onward chain of cloud infrastructure, set up to obfuscate their origin to avoid suspicious infrastructure creation detection.

Crypto criminals abusing IoT devices

Gateway devices are an increasingly valuable target for threat actors as the number of known vulnerabilities has grown consistently from year to year. They are being used for crypto mining and other types of malicious activity.

As cryptocurrency has become more popular, many individuals and organisations have invested computational power and network resources from devices such as routers to mine coins on the blockchain. However, mining cryptocurrency is a time- and resource-intensive process with a low probability of success. To increase the likelihood of mining a coin, miners pool together in distributed, cooperative networks, receiving hashes relative to the percentage of the coin they succeeded in mining with their connected resources.

In the past year, Microsoft observed a growing number of attacks that abuse routers for redirecting cryptocurrency mining efforts. Cybercriminals compromise routers connected to mining pools and redirect mining traffic to their associated IP addresses with DNS poisoning attacks, which alter the DNS settings of targeted devices. Affected routers register the wrong IP address to a given domain name, sending their mining resources – or hashes – to pools used by threat actors. These pools might mine anonymous coins associated with criminal activities or use legitimate hashes generated by miners to acquire a percentage of the coin that they mined, thus reaping the rewards.

With more than half of known vulnerabilities found in 2021 lacking a patch, updating and securing routers on corporate and private networks remains a significant challenge for device owners and administrators.
DNS poisoning of gateway devices compromises legitimate mining activities and redirects resources to criminal mining activities.
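As an added example that is not code from the report, the check below looks for the redirection described above from the defender's side: it compares a gateway's DNS answers for mining-pool hostnames against a resolver reached independently of the router, and its configured upstream DNS servers against the provisioned allowlist. All hostnames, addresses and resolver settings are constructed.

```python
"""Spot router DNS poisoning that redirects mining-pool traffic.

Added example, not code from the Microsoft report. It checks whether the
gateway still forwards DNS to the servers it was provisioned with, and whether
its answers for pool hostnames agree with a resolver reached independently of
the router (e.g. over a VPN). Hostnames, addresses and settings are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "info"
    message: str

def check_gateway_dns(router_upstreams, router_answers, trusted_answers, allowed_upstreams):
    """router_answers / trusted_answers map hostname -> set of A records;
    the two upstream lists hold DNS server addresses (current vs. provisioned)."""
    findings = []
    allowed = {ip_address(s) for s in allowed_upstreams}
    for server in router_upstreams:
        if ip_address(server) not in allowed:
            findings.append(Finding("high", f"gateway forwards DNS to unexpected server {server}"))
    for host, got in router_answers.items():
        expected = trusted_answers.get(host)
        if not expected:
            continue  # no independent view of this name, nothing to compare
        if got.isdisjoint(expected):
            # Every address the router handed out differs from the trusted view: the
            # pattern left when a pool name is pointed at the criminal's pool.
            findings.append(Finding("high", f"{host}: gateway answers {sorted(got)} "
                                            f"share no address with trusted {sorted(expected)}"))
        elif not got <= expected:
            # Partial overlap is normal for round-robin or CDN-fronted pools: log, do not page.
            findings.append(Finding("info", f"{host}: extra address(es) {sorted(got - expected)}"))
    return findings

# Constructed sample: the upstream was swapped and one pool name now resolves
# only to an address the trusted resolver has never returned.
ALLOWED_UPSTREAMS = ["192.0.2.53"]
ROUTER_UPSTREAMS = ["198.51.100.9"]
TRUSTED_ANSWERS = {"pool.example.net": {"203.0.113.10", "203.0.113.11"},
                   "stratum.example.org": {"203.0.113.20"}}
ROUTER_ANSWERS = {"pool.example.net": {"198.51.100.77"},                    # redirected
                  "stratum.example.org": {"203.0.113.20", "203.0.113.21"}}  # benign extra

if __name__ == "__main__":
    for f in check_gateway_dns(ROUTER_UPSTREAMS, ROUTER_ANSWERS, TRUSTED_ANSWERS, ALLOWED_UPSTREAMS):
        print(f"[{f.severity}] {f.message}")
```

The "info" tier exists because pool operators commonly rotate addresses; only a fully disjoint answer set, or a changed upstream server, is treated as a high-severity sign that the gateway's DNS has been tampered with.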
Actionable insights

1. Implement good cyber hygiene and provide cybersecurity training for employees with guidance for avoiding being socially engineered.
2. Conduct regular automated user activity anomaly checks through detections at scale to help reduce these types of attacks.
3. Update and secure routers on corporate and private networks.
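Insight 2, worked as an added example that is not code from the report: a sliding-window detector over constructed VM-creation audit events that flags a principal whose creation rate exceeds its known-good baseline, the signature of the scripted mass provisioning described in section 28. The event schema, operation name, principals and thresholds are assumptions, not any provider's actual log format.

```python
"""Flag scripted, burst-style VM creation in cloud activity logs.

Added example, not code from the Microsoft report. It implements the
"automated user activity anomaly check" from the insights above as a
sliding-window rate detector: a principal creating more VMs in ten minutes
than its known-good baseline is reported. The event schema, operation name,
principals and thresholds are constructed, not a specific provider's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

VM_CREATE_OPS = {"vm.create"}  # constructed operation name for "create a VM"

def detect_vm_bursts(events, baseline=None, window=timedelta(minutes=10), default_limit=5):
    """Return {principal: (window_start, count)} for the first window that
    exceeds that principal's limit. events: dicts with ISO-8601 "time",
    "principal" and "op"; baseline: {principal: max creates seen per window}."""
    baseline = baseline or {}
    recent = defaultdict(deque)  # principal -> creation timestamps inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["op"] not in VM_CREATE_OPS:
            continue
        who, ts = ev["principal"], datetime.fromisoformat(ev["time"])
        q = recent[who]
        q.append(ts)
        while ts - q[0] > window:  # drop creations that fell out of the window
            q.popleft()
        if len(q) > baseline.get(who, default_limit) and who not in alerts:
            alerts[who] = (q[0], len(q))
    return alerts

def constructed_events():
    """Sample log: one compromised account mass-creating VMs by script,
    one CI identity with a legitimately high rate, one ordinary admin."""
    t0 = datetime(2022, 6, 1, 2, 0, tzinfo=timezone.utc)
    ev = lambda dt, who, op: {"time": (t0 + dt).isoformat(), "principal": who, "op": op}
    events = [ev(timedelta(seconds=i), "pat@example.com", "vm.create") for i in range(12)]
    events += [ev(timedelta(minutes=i), "ci-bot@example.com", "vm.create") for i in range(8)]
    events += [ev(timedelta(minutes=3), "admin@example.com", "vm.create"),
               ev(timedelta(minutes=4), "admin@example.com", "vm.start")]
    return events

SAMPLE_BASELINE = {"ci-bot@example.com": 20}  # constructed: CI is allowed 20 per window

if __name__ == "__main__":
    for who, (start, n) in detect_vm_bursts(constructed_events(), SAMPLE_BASELINE).items():
        print(f"{who}: {n} VM creations within {start.isoformat()} + 10 min")
```

Because the report notes that criminals pre-stage accounts and move on as soon as one is detected, the per-principal baseline matters: a single global threshold either misses bursts from identities that normally never create VMs or pages constantly on legitimate build automation.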
[Figure: Compromising devices for illegal crypto mining. Miners and ASIC miners connect through routers to a cryptocurrency pool; DNS poisoning diverts them to the criminal's pool. A portion of hashes from the original pool are stolen by threat actors, or resources are transferred to their pool, or routers have malware on them that steals resources for mining.]
27 Microsoft Digital Defence Report 2022