The United Kingdom’s National Cyber Security Centre (NCSC) recently released their Incident trends report (October 2018 – April 2019) which highlights some of the trends seen across various UK government entities, organizations, and sectors. This is a pretty cool supplemental report from the NCSC (also a first, if I’m not mistaken?) that builds on top of the Weekly Threat Reports the organization releases, you guessed it, every week.
Threat Intelligence Trend Analysis
Trend analysis is an important topic within threat intelligence: forecasting where things are headed, whether they're getting better, worse, or simply different, and where we should be focusing our precious security dollars. I previously wrote a blog detailing the FBI's annual IC3 report, and though there are obvious differences between the two organizations, I think it's important to see how government entities are responding to everyday cyber threats and the trends that emerge from those responses.
Let’s dig into it!
Office 365: More than just email
The first thing the NCSC chose to highlight in its report was the observed attacks against Office 365, Microsoft's cloud services suite. According to Microsoft, there were over 155 million Office 365 business users as of 2018, a massive attack surface for a single service. Combine that with the fact that passwords get reused all the time, and that an Office 365 tenant integrated with on-premises Active Directory (which Microsoft makes easy for Windows shops, for obvious reasons) typically shares the user's domain password, and it's no wonder threat actors see it as an appealing target.
Figure 1: User looking to purchase Office 365 accounts in bulk. Source: Digital Shadows
The NCSC rightly points out that because these services are cloud-based, and therefore reachable from anywhere on the Internet, attacks can be carried out at a far greater scale across the globe than on-premises infrastructure ever allowed. Accessibility, in this case, puts defenders on their heels. The techniques observed are common ones as well: The NCSC highlights password spraying and credential stuffing as the two main attacks against Office 365 logins. Password spraying tries a handful of common passwords against a large number of accounts, so that no single account trips a lockout threshold; credential stuffing replays username and password pairs leaked in earlier breaches, betting on reuse. As we highlighted in our team's blog on the Account Takeover Kill Chain, credential stuffing is just one stage in the overall attack cycle against a service like Office 365.
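The two techniques leave different fingerprints in sign-in logs, and that is what a detection should key on. The following is an added example, not code from the NCSC report or from Digital Shadows: it runs over a handful of constructed sign-in log lines in a simplified, hypothetical CSV layout (timestamp, user, source IP, result, client app) and flags a spray (one source IP failing against many accounts, at most a couple of attempts each), a brute force on a single account, and any successful sign-in that arrives over a legacy client protocol, which is where the "disable legacy authentication" and "log the accesses" mitigations further down come in. The thresholds, the column names and the list of legacy client-app labels are assumptions to tune against your own tenant's logs.

```python
"""Flag password-spray and brute-force patterns in constructed sign-in logs.

Added example, not from the NCSC report or any vendor tool. The CSV layout
is an assumption for this example, not a Microsoft log format.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample sign-in log (hypothetical tenant; RFC 5737 test addresses).
SAMPLE_LOG = """\
timestamp,user,source_ip,result,client_app
2019-03-04T08:00:01Z,alice@example.com,198.51.100.7,Failure,Browser
2019-03-04T08:00:03Z,bob@example.com,198.51.100.7,Failure,Browser
2019-03-04T08:00:05Z,carol@example.com,198.51.100.7,Failure,Browser
2019-03-04T08:00:07Z,dave@example.com,198.51.100.7,Failure,Browser
2019-03-04T08:00:09Z,erin@example.com,198.51.100.7,Failure,Browser
2019-03-04T08:00:11Z,frank@example.com,198.51.100.7,Failure,Browser
2019-03-04T08:01:00Z,frank@example.com,198.51.100.7,Success,Other clients
2019-03-04T09:00:00Z,bob@example.com,203.0.113.5,Failure,Browser
2019-03-04T09:01:00Z,bob@example.com,203.0.113.5,Failure,Browser
2019-03-04T09:02:00Z,bob@example.com,203.0.113.5,Failure,Browser
2019-03-04T09:03:00Z,bob@example.com,203.0.113.5,Failure,Browser
2019-03-04T09:04:00Z,bob@example.com,203.0.113.5,Failure,Browser
2019-03-04T09:05:00Z,bob@example.com,203.0.113.5,Failure,Browser
2019-03-04T09:06:00Z,bob@example.com,203.0.113.5,Success,Browser
2019-03-04T10:00:00Z,alice@example.com,192.0.2.44,Success,Browser
"""

# Assumed labels for clients that authenticate with basic (legacy) auth.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}


def parse_log(text):
    """Parse the CSV log into dicts, converting timestamps to datetime."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(row)
    return sorted(events, key=lambda e: e["timestamp"])


def _in_window(events, start, window):
    """Events whose timestamp falls in [start, start + window)."""
    return [e for e in events if start <= e["timestamp"] < start + window]


def find_password_spray(events, window=timedelta(minutes=30),
                        min_users=5, max_per_user=2):
    """Spray signature: one source IP, many distinct accounts, few failures each.

    Returns {source_ip: sorted list of targeted users}.
    """
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failure":
            failures_by_ip[e["source_ip"]].append(e)
    hits = {}
    for ip, fails in failures_by_ip.items():
        for anchor in fails:  # slide a window starting at each failure
            per_user = defaultdict(int)
            for e in _in_window(fails, anchor["timestamp"], window):
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = sorted(per_user)
                break
    return hits


def find_brute_force(events, window=timedelta(minutes=30), threshold=5):
    """Brute-force signature: repeated failures on one account from one IP.

    Returns {(user, source_ip): failures in the first window that trips}.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failure":
            failures[(e["user"], e["source_ip"])].append(e)
    hits = {}
    for key, fails in failures.items():
        for anchor in fails:
            n = len(_in_window(fails, anchor["timestamp"], window))
            if n >= threshold:
                hits[key] = n
                break
    return hits


def find_legacy_auth_success(events):
    """Successful sign-ins over legacy protocols, which cannot enforce MFA."""
    return [(e["user"], e["source_ip"], e["client_app"]) for e in events
            if e["result"] == "Success" and e["client_app"] in LEGACY_CLIENT_APPS]


def find_success_from_spray_ips(events, spray_hits):
    """Accounts that later authenticated from an IP flagged as spraying."""
    return [(e["user"], e["source_ip"]) for e in events
            if e["result"] == "Success" and e["source_ip"] in spray_hits]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    spray = find_password_spray(events)
    print("password spray:", spray)
    print("brute force:", find_brute_force(events))
    print("legacy-auth success:", find_legacy_auth_success(events))
    print("success from spray IP:", find_success_from_spray_ips(events, spray))
```

The spray detector deliberately uses a per-account cap rather than a total-failure count: a spray looks quiet for every individual account, which is exactly why per-account lockout never fires. The last check is the one worth paging on: a success from a spraying address, over a client that cannot do MFA, is the point where the story in this report turns from failed logins into a compromised mailbox.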
As you'd imagine, one of the common goals of these attacks appeared to be stealing data in the form of intellectual property or conducting ongoing espionage (and potentially other kinds of information gathering). This is the go-to goal people think of, probably because it's the easiest to wrap your head around: "Someone is trying to access my email service, so they must want to know what I'm talking about." However, a compromised email account also enables far stronger phishing, because the internal account is a trusted contact. For instance, a common initial mitigation against phishing is to plainly label external emails for internal users (see Figure 2).
Figure 2: The “[EXT]” and “Message origination” tags can be added in the administrative Office 365 security settings.
But what if the phishing email was sent using an internal account with your company’s domain in the sender address? This effectively gets around that initial blocker and even adds more perceived legitimacy to the phish.
Additionally, even though we're talking about a cloud service that isn't technically part of your infrastructure, a compromised account for a service like Office 365 can lead to an actual network intrusion. The NCSC has observed exactly this scenario with VPN access. Users or administrators may reuse the Active Directory password for the VPN login (or point the VPN at Active Directory for authentication) so there's no new set of credentials to remember, and attackers routinely try a stolen password against every other service the victim might use.
Ransomware trends: Encrypting data one BitPaymer at a time
Ransomware isn't going away. Seemingly every day there's a new report that a small municipality in the United States has been hit, with demands reaching into the millions of dollars. The UK isn't immune to this either. As the NCSC report points out, Ryuk, LockerGoga, and BitPaymer were all fairly prevalent over the reporting period. Additionally, the Emotet, TrickBot, and Dridex botnets have all been seen delivering ransomware once installed on a machine. If there was any doubt that botnets are used for much more than denial-of-service attacks, rethink your assumptions.
Following on from the report's timeline (which covers up to April 2019), we've seen the fall of GandCrab, the über-popular ransomware-as-a-service, which apparently closed down after its operators allegedly took in over $2 billion in extortion payments from victims. Since then, new players have entered the arena: Sodinokibi and Nemty.
Sodinokibi (also known as Sodin or REvil) has already made a significant name for itself, initially exploiting CVE-2019-2725, a remote code execution vulnerability in Oracle WebLogic Server. Most recently, it was observed being delivered via fake Q&A overlay pages on compromised WordPress websites. It's also been theorized that Sodinokibi was created by the GandCrab authors as a follow-up variant. Could this be the next billion-dollar ransomware?
Supply chains: Ties that Blind Us
TWO Star Wars references in one blog?! Who let me get away with this?
Just as the Death Star was ultimately brought down by a data leak from within the Empire's supply chain (THREE?!), attacks against supply chains continue to this day (and in this galaxy). Supply chains are being attacked by nation-state threat actors such as APT10, as well as by cybercriminals looking to monetize their access, like the operators of GandCrab. It's important that supply chain partners are evaluated and held to the same security standards as the companies they serve: a partner's access to your environment is exactly what makes it an attractive target.
How to Mitigate Against These Top Threats
The NCSC has a few recommendations for mitigating the threats outlined in the report. These are all well-known mitigations, but they're worth recapping here so you can assess whether they could help protect your organization:
Office 365 attacks:
- Use multi-factor authentication to protect against account takeover. Check out the Photon Research Team's most recent report, "Two Factor in Review", for more details on implementing a 2FA solution for your business.
- Disable legacy authentication protocols (basic authentication for IMAP, POP3, SMTP and the like), which bypass MFA and are a favorite of password-spraying tools.
- Log sign-ins, successful and failed, and actually review them: a spray shows up as one source address failing against many accounts.
- Take a look at the NCSC’s blog on hardening Office 365.
Ransomware:
- Prevent phishing emails from reaching end users (check out our Security Practitioner's Guide to Email Spoofing and Risk Reduction).
- Segment your network to limit the lateral movement of ransomware. The NCSC has a guide on preventing lateral movement that makes a great starting point.
- Back up your critical data. Seriously. And secure those backups against ransomware that could target any backups it can reach!
Supply chain risks:
- Ask the important security-related questions to your vendors and providers. Check out NCSC’s comprehensive guide on securing your supply chain and reducing your company’s overall risk.
- Provide a secure, controlled way (a VPN, for example) for third-party remote administrators to reach internal networks.
- Understand where your critical assets are and keep an inventory. Knowledge is half the battle!
If you’re a threat intelligence geek like me, make sure to subscribe to our email list below so you can get more cyber threat trends and updates like these.