‘Hope is not lost’ – 2021 saw governments start to take cybersecurity seriously
Microsoft’s Digital Defence Report for 2021 is a sobering read. Over its 134 pages, it catalogues the sophisticated playbook of a global network of cybercriminals.
They are increasingly working together to share and sell the tools of their trade with the aim of stealing data and extorting money from victims. State-sponsored hackers are being deployed in larger numbers as part of covert wars to help fulfil their masters’ geopolitical aims.
As the world’s largest software company, used by consumers, businesses and governments alike, Microsoft is the number one target of hackers and also quite possibly the biggest source of cybersecurity intelligence. Every day, Microsoft’s Cybersecurity Defence Operations Centre records 24 trillion “signals” that give it an indication as to how its platforms and software products are being used. Sifting through that deluge of data for trends is the key to spotting malicious activity before it becomes widespread and damaging.
But high-profile ransomware and distributed denial of service (DDoS) attacks have hit numerous organisations this year, from the Colonial fuel pipeline in the US to our own Waikato District Health Board, threatening economies and public health in the process. So the question is, in the battle for control of cyberspace – are the hackers winning?
“All hope is not lost,” says Mark Anderson, National Security Officer at Microsoft Australia.
Despite the maturing of the hacking industry and the growing sophistication of their methods, two factors were working against cybercriminals – greater awareness of the impacts of cybercrime and governments stepping up to address the threat.
“Now that governments around the world are recognising that cybercrime is a threat to national security, they’re making combating it a top priority, creating cross-government task forces, and bringing out various rules and laws and regulations,” Anderson said last week at a briefing on the Digital Defence Report, which is published annually to give an update on the cyberthreat landscape.
Anderson points to the Australian Government’s move to introduce specific legislation targeting ransomware attacks and the associated extortion, as well as new rules requiring medium-sized and large companies to inform the government if they have been the subject of a cyber attack.
“More governments and companies are actually coming forward when they’ve been victims,” says Anderson.
“Victims’ stories humanise and make clear the consequences of these attacks, drawing attention to the problem and allowing for increased government engagement in that environment.”
The cybercrime supply chain
A striking facet of cybersecurity activity in 2021, says Anderson, was the way cybercriminals had begun organising themselves just like legitimate businesses, creating a supply chain to produce and supply the components needed to mount their attacks.
“Now a buyer in Brazil, for example, can obtain a phishing kit from a seller in Pakistan, domains from the United States, victim leads from Nigeria and proxies from Romania,” Anderson says.
A ransomware kit was on offer for as little as US$60 or on a commission basis, with the requirement to share 30% of any ill-gotten gains that resulted from its use. A whole industry sector had sprung up around covering cybercriminals’ tracks.
The market on the dark web for compromised credentials was thriving, with batches of stolen credentials on offer for as little as US$1 – $50, depending on the perceived value of the targets.
Victim target packages could also now be purchased, allowing non-technical cybercriminals to identify the companies they wanted to target and receive a tailored package of email and IP addresses, along with the appropriate tools to exploit them.
“We’re also seeing an increase in the offer of services like back connect proxies,” says Anderson.
“These are proxies that rotate between mobile, residential and data centres in order to hide the perpetrators’ location. This is in addition to things like remote desktop sessions, virtual private networks, virtual private servers, and a whole host of other anonymising systems that allow cybercrime to operate in the shadows,” he added.
The big three – ransomware, phishing and malware
Microsoft had detected a surge in ransomware attacks across its networks from 50 million detections in mid-2018 to around 100 million by the middle of this year. The practice of infecting computer servers with malware to lock up applications and data, then demanding a cryptocurrency payment for them to be decrypted again, was a big potential earner for hackers.
But while paying a ransom may get your data back, Microsoft was seeing increasing cases of hackers copying the data as well and going on to sell it on the dark web.
“The attackers are now also exfiltrating sensitive data before deploying the lock in the ransomware,” says Anderson.
“If you disengage from the negotiation, the threat is that the actor will then release your sensitive information that they stole before they encrypted your environment.”
It means that a great data backup regime is no longer enough to recover from a ransomware attack. Companies now faced having to manage the impact of having their sensitive data and customer details traded on the black market.
Despite ransomware groups pledging not to attack hospitals during the Covid-19 pandemic, the health sector proved too irresistible a target for them.
“Healthcare unfortunately still remains in the top five sectors victimised by ransomware gangs,” says Anderson.
Sending emails designed to trick individuals into sharing sensitive data such as usernames and passwords with an attacker was as widespread as ever in 2021. Attackers have become very crafty at disguising emails and notifications to make them look legitimate, sending people via embedded links to websites that also look like the real deal.
“The phishing sites frequently also copy legitimate login pages such as those of Office 365 or Google, and this is to trick users into inputting their credentials,” says Anderson, who adds that the practice makes the use of multi-factor authentication systems all the more important to protect against such attacks.
“Once the user inputs their credentials, they will often be redirected to the final legitimate website. However, in the meantime, their credentials will have been stolen and then pushed off down the line either for the attacker to use.”
The phishing specialists weren’t beyond a bit of double-crossing either. Microsoft’s researchers were seeing the rise of phishing kits purchased by hackers that secretly sent the stolen credentials not just to the hacker but also to the creator of the kit.
The core discipline of cybercrime – writing code to exploit weaknesses in software or server technology – was evolving and expanding, often using phishing techniques to get the malware into a position to do its work.
Anderson says malware variants such as Agent Tesla, IcedID and TrickBot used email as their delivery mechanism. However, Microsoft noted a downward trend in email-borne malware between 2020 and 2021, suggesting hackers were using other channels to deliver their malicious payload.
“When using attachments as a delivery mechanism, attackers tend to deploy macros inside documents that when enabled by the recipient go away and download malware in the background without the user’s knowledge,” says Anderson.
While many cybersecurity software vendors have lasered in on macros as a threat, malware designers have adopted a new tactic to avoid detection.
“One of the most common methods of malware delivery that we’ve observed in the past year was through password-protected archive files,” says Anderson.
“These emails contain archive files such as zip attachments that are password protected. This is in order to prevent the security technologies from inspecting those packages, and then going away and detonating them.”
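The evasion Anderson describes works because a scanner cannot open an encrypted archive entry, but the archive still has to tell the unpacker that the entry is encrypted. A gateway can therefore refuse to deliver what it cannot inspect. The following is an added example, written for this article and not taken from the Digital Defence Report or from Microsoft: it parses only the ZIP central directory, reports entries whose encryption flag is set, and returns a hold/scan verdict. The sample archives are constructed in-line by a small hand-rolled builder (so the flag can be set without a real password), and the function and field names are this example's own.

```python
# Added example, not from the Digital Defence Report or this article: a
# mail-gateway style check that holds ZIP attachments whose entries are
# password-protected, because such entries cannot be inspected by a scanner.
import io
import struct
import zipfile
import zlib

# General-purpose flag bit 0 in the ZIP format marks an entry as encrypted.
# Both traditional PKZIP encryption and WinZip AES (method 99) set it.
ENCRYPTED_FLAG = 0x0001


def build_zip(entries):
    """Constructed test-data helper for this example only.

    Assembles a minimal, uncompressed ZIP from (name, payload, encrypted)
    tuples by writing the local headers, central directory and end-of-central-
    directory record by hand so the encryption flag can be set. A real
    encrypted entry would additionally carry ciphertext with a 12-byte
    encryption header; the detector below never reads entry data anyway.
    """
    local_part = b""
    central_part = b""
    for name, payload, encrypted in entries:
        flags = ENCRYPTED_FLAG if encrypted else 0
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        size = len(payload)
        offset = len(local_part)
        # Local file header: signature, version, flags, method (0 = stored),
        # time, date, crc, compressed size, uncompressed size, name len, extra len
        local_part += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                                  crc, size, size, len(name), 0) + name + payload
        # Central directory header: same fields plus version-made-by, comment,
        # disk, attribute fields and the offset of the local header
        central_part += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                                    0, 0, 0, crc, size, size, len(name),
                                    0, 0, 0, 0, 0, offset) + name
    # End of central directory: disk numbers, entry counts, CD size and offset
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central_part), len(local_part), 0)
    return local_part + central_part + eocd


def encrypted_entries(zip_bytes):
    """Names of entries the archive marks as encrypted.

    Only the central directory is parsed; no entry is decompressed, so this is
    safe to run on untrusted attachments and needs no password.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_FLAG]


def attachment_verdict(zip_bytes):
    """Policy for one attachment: 'scan' when every entry can be inspected,
    otherwise 'quarantine' with the reason. Anything that is not a readable
    ZIP is also held rather than delivered unscanned."""
    try:
        locked = encrypted_entries(zip_bytes)
    except zipfile.BadZipFile:
        return "quarantine: not a readable ZIP archive"
    if locked:
        return "quarantine: password-protected entries: " + ", ".join(locked)
    return "scan: all entries inspectable"


def read_entry(zip_bytes, name):
    """Read one unencrypted entry; used to confirm the builder's archives are valid."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


# Constructed sample attachments (no real malware): a benign archive, and one
# shaped like the lure described above, a plain readme beside a locked document.
SAMPLE_PLAIN = build_zip([(b"readme.txt", b"Quarterly figures attached.\n", False)])
SAMPLE_LOCKED = build_zip([
    (b"readme.txt", b"Password is in the email body.\n", False),
    (b"invoice.docx", b"\x8b\x11\x02\xde\xad\xbe\xef\x00\x41\x42", True),  # stand-in ciphertext
])

if __name__ == "__main__":
    for label, data in (("plain", SAMPLE_PLAIN), ("locked", SAMPLE_LOCKED), ("junk", b"not a zip")):
        print(label, "->", attachment_verdict(data))
```

The check keys off the archive structure rather than the attachment's name or extension, so renaming a locked archive does not change the verdict, and it costs only a central-directory parse per attachment. Holding unreadable files for review, rather than passing them through, is the point: the gateway's decision should be "cannot inspect, therefore do not deliver" instead of "cannot inspect, therefore clean".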
Aside from the zero-trust approach that Microsoft and other security software vendors advocate, and treating cybersecurity as an issue as serious as any other affecting the business, Anderson says we need another focus area in the cybersecurity space – digital empathy.
“Digital empathy involves thinking about the ways in which people behave and engage with technology,” says Anderson.
“You know, ultimately, empathy is not just for person-to-person interaction. But by applying empathy in a digital solution, we can make these solutions more inclusive.”
Adds Anderson: “It also means developing technology that will forgive mistakes by users. I think digital empathy will ultimately be critical to how we move forward as an industry, whether it’s at an organisation level or an individual level.”
Download Microsoft’s Digital Defence Report 2021 here.
Microsoft is a technology company whose mission is to empower every person and every organisation on the planet to achieve more. We strive to create local opportunity, growth, and impact in every country around the world.