Archive

Archive for the ‘COVID-19 themed attacks’ Category

Exploiting a crisis: How cybercriminals behaved during the outbreak

June 16th, 2020 No comments

In the past several months, seemingly conflicting data has been published about cybercriminals taking advantage of the COVID-19 outbreak to attack consumers and enterprises alike. Big numbers can show shifts in attacker behavior and grab headlines. Cybercriminals did indeed adapt their tactics to match what was going on in the world, and what we saw in the threat environment was parallel to the uptick in COVID-19 headlines and the desire for more information.

If one backtracked to early February, COVID-19 news and themed attacks were relatively scarce. It wasn’t until February 11, when the World Health Organization named the global health emergency as “COVID-19”, that attackers started to actively deploy opportunistic campaigns. The week following that declaration saw these attacks increase eleven-fold. While this was below two percent of overall attacks Microsoft saw each month, it was clear that cybercriminals wanted to exploit the situation: eople around the world were becoming aware of the outbreak and were actively seeking information and solutions to combat it.

Worldwide, we observed COVID-19 themed attacks peak in the first two weeks of March. That coincided with many nations beginning to take action to reduce the spread of the virus and travel restrictions coming into effect. By the end of March, every country in the world had seen at least one COVID-19 themed attack.

Graph showing trend of COVID-19 themed attacks and mapping key events during the outbreak

Figure 1. Trend of COVID-19 themed attacks

The rise in COVID-19 themed attacks closely mirrored the unfolding of the worldwide event. The point of contention was whether these attacks were new or repurposed threats. Looking through Microsoft’s broad threat intelligence on endpoints, email and data, identities, and apps, we concluded that this surge of COVID-19 themed attacks was really a repurposing from known attackers using existing infrastructure and malware with new lures.

In fact, the overall trend of malware detections worldwide (orange line in Figure 2) did not vary significantly during this time. The spike of COVID-19 themed attacks you see above (yellow line in Figure 1) is barely a blip in the total volume of threats we typically see in a month. Malware campaigns, attack infrastructure, and phishing attacks all showed signs of this opportunistic behavior. As we documented previously, these cybercriminals even targeted key industries and individuals working to address the outbreak. These shifts were typical of the global threat landscape, but what was peculiar in this case was how the global nature and universal impact of the crisis made the cybercriminal’s work easier. They preyed on our concern, confusion, and desire for resolution.

Graph showing trend of all attacks versus COVID-19 themed attacks

Figure 2. Trend of overall global attacks vs. COVID-19 themed attacks

After peaking in early March, COVID-19 themed attacks settled into a “new normal”. While these themed attacks are still higher than they were in early February and are likely to continue as long as COVID-19 persists, this pattern of changing lures prove to be outliers, and the vast majority of the threat landscape falls into typical phishing and identity compromise patterns.

Cybercriminals are adaptable and always looking for the best and easiest ways to gain new victims. Commodity malware attacks, in particular, are looking for the biggest risk-versus-reward payouts. The industry sometimes focuses heavily on advanced attacks that exploit zero-day vulnerabilities, but every day the bigger risk for more people is being tricked into running unknown programs or Trojanized documents. Likewise, defenders adapt and drive up the cost of successful attacks. Starting in April, we observed defenders greatly increasing phishing awareness and training for their enterprises, raising the cost and complexity barrier for cybercriminals targeting their employees. These dynamics behave very much like economic models if you turn “sellers” to “cybercriminals” and “customers” to “victims”.

Graph showing trend of COVID-19 themed attacks

Figure 3. Trend of COVID-19 themed attacks

Lures, like news, are always local

Cybercriminals are looking for the easiest point of compromise or entry. One way they do this is by ripping lures from the headlines and tailoring these lures to geographies and locations of their intended victims. This is consistent with the plethora of phishing studies that show highly localized social engineering lures. In enterprise-focused phishing attacks this can look like expected documents arriving and asking the user to take action.

During the COVID-19 outbreak, cybercriminals closely mimicked the local developments of the crisis and the reactions to them. Here we can see the global trend of concern about the outbreak playing out with regional differences. Below we take a deeper look at three countries and how local events landed in relation to observed attacks.

FOCUS: United Kingdom

Attacks targeting the United Kingdom initially followed a trajectory similar to the global data, but spiked early, appearing to be influenced by the news and concerns in the nation. Data shows a first peak approximately at the first confirmed COVID-19 death in the UK, with growth beginning again with the FTSE 100 stock crash on March 9, and then ultimately peaking around the time the United States announced a travel ban to Europe.

Graph showing trend of COVID-19 themed attacks and mapping key events during the outbreak in the UK

Figure 4. Trend of COVID-19 themed attacks in the United Kingdom showing unique encounters (distinct malware files) and total encounters (number of times the files are detected)

In the latter half of March, the United Kingdom increased transparency and information to the public as outbreak protocols were implemented, including the closure of schools. The attacks dropped considerably all the way to April 5, when Queen Elizabeth II made a rare televised address to the nation. The very next day, Prime Minister Boris Johnson, who was hospitalized on April 6 due to COVID-19, was moved to intensive care. Data shows a corresponding increase in attacks until April 12, the day the Prime Minister was discharged from the hospital. The level of themed attacks then plateaued at about 3,500 daily attacks until roughly the end of April. The UK government proclaimed the country had passed the peak of infections and began to restore a new normalcy. Attacks took a notable drop to around 2,000 daily attacks.

Sample phishing email with COVID-19 themed lure

Sample phishing email using COVID-19 themed lure

Figure 5. Sample COVID-19 themed lures in attacks seen in the UK

FOCUS: Republic of Korea

The Republic of Korea was one of the earliest countries hit by COVID-19 and one of the most active in combating the virus. We observed attacks in Korea increase and, like the global trend, peak in early March. However, the spike in attacks for this country is steeper than the worldwide average, coinciding with the earlier arrival of the virus here.

Graph showing trend of COVID-19 themed attacks and key events during the outbreak in South Korea

Figure 6. Trend of COVID-19 themed attacks in the Republic of Korea showing unique encounters (distinct malware files) and total encounters (number of times the files are detected)

Interestingly, themed attacks were minimal at the beginning of February despite the impact of the virus. Cybercriminals did not truly ramp up attacks until the middle of February, closely mapping key events like identifying patients from the Shincheonji religious organization, military base lock downs, and international travel restrictions. While these national news events did not create the attacks, it’s clear cybercriminals saw an opening to compromise more victims.

Increased testing and transparency about the outbreak mapped to a downward trajectory of attacks in the first half of March. Looking forward through the end of May, the trend of themed attacks targeting Korean victims significantly departed from the global trajectory. We observed increasing attacks as the country restored some civic life. Attacks ultimately reached a peak around May 23. Analysis is still ongoing to understand the dynamics that drove this atypical increase.

FOCUS: United States

COVID-19 themed attacks in the United States largely followed the global attack trend. The initial ascent began mid-February after the World Health Organization officially named the virus. Attacks reached first peak at the end of February, coinciding with the first confirmed COVID-19 death in the country, and hit its highest point by mid-March, coinciding with the announced international travel ban. The last half of March saw a significant decrease in themed attacks. Telemetry from April and May shows themed attacks leveling off between 20,000 and 30,000 daily attacks. The same pattern of themed attacks mirroring the development of the outbreak and local concern likely played out at the state level, too.

Graph showing trend of COVID-19 themed attacks and mapping key events during the outbreak in the United States

Figure 7. Trend of COVID-19 themed attacks in the United States showing unique encounters (distinct malware files) and total encounters (number of times the files are detected)

Sample COVID-19 themed lure

Figure 8. Sample COVID-19 themed lures in attacks seen in the US

Conclusions

The COVID-19 outbreak has truly been a global event. Cybercriminals have taken advantage of the crisis to lure new victims using existing malware threats. In examining the telemetry, these attacks appear to be highly correlated to local interest and news.

Overall, COVID-19 themed attacks are just a small percentage of the overall threats the Microsoft has observed over the last four months. There was a global spike of themed attacks cumulating in the first two weeks of March. Based on the overall trend of attacks it appears that the themed attacks were at the cost of other attacks in the threat environment.

These last four months have seen a lot of focus on the outbreak – both virus and cyber. The lessons we draw from Microsoft’s observations are:

  • Cybercriminals adapt their tactics to take advantage of local events that are likely to lure the most victims to their schemes. Those lures change quickly and fluidly while the underlying malware threats remain.
  • Defender investment is best placed in cross-domain signal analysis, update deployment, and user education. These COVID-19 themed attacks show us that the threats our users face are constant on a global scale. Investments that raise the cost of attack or lower the likelihood of success are the optimal path forward.
  • Focus on behaviors of attackers will be more effective than just examining indicators of compromise, which tend to be more signals in time than durable.

To help organizations stay protected from the opportunistic, quickly evolving threats we saw during the outbreak, as well as the much larger total volume of threats, Microsoft Threat Protection (MTP) provides cross-domain visibility. It delivers coordinated defense by orchestrating protection, detection, and response across endpoints, identities, email, and apps.

Organizations should further improve security posture by educating end users about spotting phishing and social engineering attacks and practicing credential hygiene. Organizations can use Microsoft Secure Score to assesses and measure security posture and apply recommended improvement actions, guidance, and control. Using a centralized dashboard in Microsoft 365 security center, organizations can compare their security posture with benchmarks and establish key performance indicators (KPIs).

 

The post Exploiting a crisis: How cybercriminals behaved during the outbreak appeared first on Microsoft Security.

Microsoft shares new threat intelligence, security guidance during global crisis

April 8th, 2020 No comments

Ready or not, much of the world was thrust into working from home, which means more people and devices are now accessing sensitive corporate data across home networks. Defenders are working round the clock to secure endpoints and ensure the fidelity of not only those endpoints, but also identities, email, and applications, as people are using whatever device they need to get work done. This isn’t something anyone, including our security professionals, were given time to prepare for, yet many customers have been thrust into a new environment and challenged to respond quickly. Microsoft is here to help lighten the load on defenders, offer guidance on what to prioritize to keep your workforce secure, and share resources about the built-in protections of our products.

Attackers are capitalizing on fear. We’re watching them. We’re pushing back.

Our inboxes, mobile alerts, TVs, and news updates are all COVID-19, all the time. It’s overwhelming and attackers know it. They know many are clicking without looking because stress levels are high and they’re taking advantage of that. That’s why we’re seeing an increase in the success of phishing and social engineering attacks. Attackers don’t suddenly have more resources they’re diverting towards tricking users; instead they’re pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click. Once we click, they can infiltrate our inboxes, steal our credentials, share more malicious links with coworkers across collaboration tools, and lie in wait to steal information that will give them the biggest payout. This is where intelligent solutions that can monitor for malicious activity across – that’s the key word – emails, identities, endpoints, and applications with built-in automation to proactively protect, detect, respond to, and prevent these types of attacks from being successful will help us fight this battle against opportunistic attackers.

Our threat intelligence teams at Microsoft are actively monitoring and responding to this shift in focus. Our data shows that these COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to this pandemic. This means we’re seeing a changing of lures, not a surge in attacks. Our intelligence shows that these attacks are settling into a rhythm that is the normal ebb and flow of the threat environment:

  • Every country in the world has seen at least one COVID-19 themed attack (see map below). The volume of successful attacks in outbreak-hit countries is increasing, as fear and the desire for information grows. Our telemetry shows that China, the United States, and Russia have been hit the hardest.
  • The trendy and pervasive Trickbot and Emotet malware families are very active and rebranding their lures to take advantage of the outbreak. We have observed 76 threat variants to date globally using COVID-19 themed lures (map below).
  • Microsoft tracks thousands of email phishing campaigns that cover millions of malicious messages every week. Phishing campaigns are more than just one targeted email at one targeted user. They include potentially hundreds or thousands of malicious emails targeting hundreds or thousands of users, which is why they can be so effective. Of the millions of targeted messages we see each day, roughly 60,000 include COVID-19 related malicious attachments or malicious URLs.
  • While that number sounds very large, it’s important to note that that is less than two percent of the total volume of threats we actively track and protect against daily, which reinforces that the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear. Attackers are impersonating established entities like the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), and the Department of Health to get into inboxes. Here’s an example of what just one of these malicious emails looks like now compared to before the COVID-19 crisis:

Comparison of malicious emails used in malware campaigns before the crisis and during

  • In a single day, SmartScreen sees and processes more than 18,000 malicious COVID-19-themed URLs and IP addresses. This again shows us that attackers are getting more aggressive and agile in the delivery of their attacks – using the same delivery methods, but swapping out the malicious URLs on a more frequent basis in an effort to evade machine learning protections.
  • Microsoft Office 365 Advanced Threat Protection prevented a big phishing campaign that used a fake Office 365 sign-in page to capture credentials. Roughly 2,300 unique HTML attachments posing as COVID-19 financial compensation information were caught in 24 hours in this one campaign. We expect to see more campaigns that utilize the economic fear from lost income, as governments widen the mandatory shutdown of their economies and stimulus funds begin to be issued in the U.S.
  • Several advanced persistent threat and nation-state actors have been observed targeting healthcare organizations and using COVID-19-themed lures in their campaigns. We continue to identify, track, and build proactive protections against these threats in all of our security products. When customers are affected by these attacks, Microsoft notifies the customer directly to help speed up investigations. We also report malicious COVID-19-themed domains and URLs to the proper authorities so that they can be taken down, and where possible, the individuals behind them prosecuted.

Map showing global impact of COVID-19-themed-attacks

Relative impact of COVID-19 themed attacks across the world by file count (as of April 7, 2020)

From endpoints and identities to the cloud, we have you covered

While phishing email is a common attack vector, it’s only one of the many points of entry for attackers. Defenders need a much broader view and solutions for remediation than visibility into just one entry method. An attacker’s primary goal is to gain entry and expand across domains so they can persist in an organization and lie in wait to steal or encrypt as much sensitive information as they can to reap the biggest payout. Defenders require visibility across each of these domains and automated correlation across emails, identities, endpoints, and cloud applications to see the full scope of compromise. Only with this view can defenders adequately remediate affected assets, apply Conditional Access, and prevent the same or similar attacks from being successful again.

During this trying time, we want to remind our customers what protections you have built into our products and offer guidance for what to prioritize:

  • Protect endpoints with Microsoft Defender ATP, which covers licensed users for up to five concurrent devices that can be easily onboarded at any time. Microsoft Defender ATP monitors threats from across platforms, including macOS. Our tech community post includes additional guidance, best practices, onboarding, and licensing information.
  • Enable multi-factor authentication (MFA) and Conditional Access through Azure Active Directory to protect identities. This is more important than ever to mitigate credential compromise as users work from home. We recommend connecting all apps to Azure AD for single sign-on – from SaaS to on-premises apps; enabling MFA and applying Conditional Access policies; and extending secure access to contractors and partners. Microsoft also offers a free Azure AD service for single sign-on, including MFA using the Microsoft Authenticator app.
  • Safeguard inboxes and email accounts with Office 365 ATP, Microsoft’s cloud-based email filtering service, which shields against phishing and malware, including features to safeguard your organization from messaging-policy violations, targeted attacks, zero-days, and malicious URLs. Intelligent recommendations from Security Policy Advisor can help reduce macro attack surface, and the Office Cloud Policy Service can help you implement security baselines.
  • Microsoft Cloud App Security can help protect against shadow IT and unsanctioned app usage, identify and remediate cloud-native attacks, and control how data travels across cloud apps from Microsoft or third-party applications.

Microsoft Threat Protection correlates signals from across each of these domains using Azure ATP, Microsoft Defender ATP, Office 365 ATP, and Microsoft Cloud App Security, to understand the entire attack chain to help defenders prioritize which threats are most critical to address and to auto-heal affected user identities, email inboxes, endpoints, and cloud apps back to a safe state. Our threat intelligence combines signals from not just one attack vector like email phishing, but from across emails, identities, endpoints, and cloud apps to understand how the threat landscape is changing and build that intelligence into our products to prevent attack sprawl and persistence. The built-in, automated remediation capabilities across these solutions can also help reduce the manual workload on defenders that comes from the multitude of new devices and connections.

Azure Sentinel is a cloud-native SIEM that brings together insights from Microsoft Threat Protection and Azure Security Center, along with the whole world of third-party and custom application logs to help security teams gain visibility, triage, and investigate threats across their enterprise. As with all Microsoft Security products, Azure Sentinel customers benefit from Microsoft threat intelligence to detect and hunt for attacks. Azure Sentinel makes it easy to add new data sources and scale existing ones with built-in workbooks, hunting queries, and analytics to help teams identify, prioritize, and respond to threats. We recently shared a threat hunting notebook developed to hunt for COVID-19 related threats in Azure Sentinel.

Cloud-delivered protections are a critical part of staying up to date with the latest security updates and patches. If you don’t already have them turned on, we highly recommend it. We also offer advanced hunting through both Microsoft Threat Protection and Azure Sentinel.

We’ll keep sharing and protecting – stay tuned, stay safe

Remember that we at Microsoft are 3,500 defenders strong. We’re very actively monitoring the threat landscape, we’re here to help: we’re providing resources, guidance, and for dire cases we have support available from services like the Microsoft Detection and Response (DART) team to help investigate and remediate.

All of our guidance related to COVID-19 is and will be posted here. We will continue to share updates across channels to keep you informed. Please stay safe, stay connected, stay informed.

THANK YOU to our defenders who are working tirelessly to keep us secure and connected during this pandemic.

 

 

-Rob and all of us from across Microsoft security

 

 

To stay up to date with verified information on the COVID-19 crisis, the following sites are available:

 

The post Microsoft shares new threat intelligence, security guidance during global crisis appeared first on Microsoft Security.