Every country in the world experienced at least one COVID-19 themed attack.
The global events of the past 12 months have brought unprecedented change to the physical and digital worlds. Cybercrime, however, is a constant.
According to Microsoft’s latest annual cybercrime report, cybercriminals continue—and sometimes escalate—their activity in times of crisis. Defending against cybercriminals is a complex, ever-evolving, and never-ending challenge.
The Microsoft Digital Defense Report is a reimagining of Microsoft’s Security Intelligence Report (SIR), first published in 2005. This year’s report shows 2020 has brought major disruptions to both the physical and digital worlds, and these changes are also evident in the cyberthreat landscape. Certain types of attacks have escalated as cybercriminals change tactics, leveraging current events to take advantage of vulnerable targets and advance their activity through new channels.
Change brings opportunity, for both attackers and defenders, and this report will focus on the threats that are most novel and relevant to the community in this moment.
Looking at the data and signals from the cross-company teams, three top-level areas came into the sharpest focus:
- Nation state threats
- Remote workforce.
The analysis is informed by telemetry from the more than 1.2 billion PCs, servers and IoT devices that accessed Microsoft services, as well as data from 630 billion authentication events, 470 billion emails analysed for threats and over 18 million URLs scanned.
Microsoft telemetry showed that China, the United States, and Russia were hit the hardest, but every country in the world saw at least one COVID-19-themed attack, with the volume of successful attacks in countries experiencing COVID-19 outbreaks increasing, as fear and the desire for information grew.
“Cyberattacks are evolving every day. As the Digital Defense Report notes, cybercriminals are opportunistic and have capitalized on interest and fear related to the COVID-19 pandemic and other disruptive events. They have expanded the way they leverage computers that are infected with malware, adding modules or changing the nature of the attacks for which they leverage them. They have also focused on targeting their ransomware activities toward entities that cannot afford to be offline or without access to records during critical periods of the pandemic, like hospitals and medical research institutions,” said Mary Jo Schrade, assistant general counsel, Microsoft Digital Crimes Unit, Asia. “Concerted efforts from organizations, governments and businesses are key to addressing these wide-ranging online threats.”
Cybercriminals were opportunistic and switched lure themes daily to align with news cycles, as seen in their use of the COVID-19 pandemic. Adversaries used worldwide concern over COVID-19 to socially engineer lures around collective anxiety and the flood of information associated with the pandemic.
Nation-states have also shifted targets to align with the evolving political goals in the countries where they originate. COVID-themed attacks targeted prominent governmental healthcare, academic and commercial organizations in an effort to perform reconnaissance on their networks or people. In the past year, 90% of nation-state notifications have been sent to organizations that do not operate critical infrastructure – including non-governmental organizations (NGOs), advocacy groups, human rights organizations, and think tanks.
With ransomware, cybercriminals leverage occasions, such as holidays, that will impact an organization’s ability to make changes (such as patching) to harden its networks. They are aware of business needs that will make organizations more willing to pay ransoms than incur downtime, such as during billing cycles in the health, finance, and legal industries – and have exploited the COVID-19 crisis to demand ransom.
With COVID-19 accelerating work-from-home practices, traditional security policies within an organization’s perimeter have become much harder to enforce across a wider network made up of home and other private networks and unmanaged assets in the connectivity path. Cybercriminals are also targeting employees with sophisticated phishing campaigns designed to capture their login credentials. During the first half of 2020, there was an increase in identity-based attacks using brute force on enterprise accounts.
Addressing the threats posed by the human element is fundamental. “Organizations should adopt stronger cyber hygiene practices and tools to safeguard employees and infrastructure. These include adopting multi-factor authentication, using good email hygiene (including limiting or disabling auto-forwarding of emails), timely patching and updating of apps and software, and putting in place network segmentation to keep cybercriminals from easily accessing the entire network if they do gain access,” added Schrade.