Microsoft Report: User Account Attacks Jumped 300% Since 2016
Microsoft researchers detected a 300% increase in user accounts attacked over the past year, and 44% growth in the number of account sign-ins attempted from malicious IP addresses.
The data comes from Microsoft’s latest Security Intelligence Report (SIR), released today, which covers Q1 2017 and discusses vulnerabilities, exploits, malware, and unwanted software. Intelligence comes from billions of security signals Microsoft processes in its consumer and enterprise services each month.
This report represents a couple of changes from the usual SIR. Data is split into two categories, cloud and endpoint, and represents a shorter timeframe of one financial quarter compared with the usual six-month window. Microsoft says it plans to share data on a more regular basis.
Account compromise and cloud weaponization
With respect to the 300% jump in user account attacks, most were the result of weak, guessable passwords, followed by targeted phishing attacks and breaches of third-party services. As more sites are breached and passwords stolen, more attackers will attempt to reuse victims’ credentials on multiple websites.
The 44% spike in sign-in attempts from malicious IP addresses could be reduced with security policies focused on risk-based conditional access. Researchers suggest comparing requesting devices’ IP addresses to a set of known IP addresses and trusted devices.
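The comparison the researchers suggest can be sketched as a small sign-in policy check. This is an added example, not code from Microsoft or the report; the networks, device IDs, blocked address and the three decision names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy data (RFC 5737 documentation ranges, made-up device IDs).
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
TRUSTED_DEVICES = {"dev-laptop-017", "dev-phone-204"}
MALICIOUS_IPS = {ipaddress.ip_address("203.0.113.66")}  # stand-in for a threat-intel feed


@dataclass(frozen=True)
class SignIn:
    user: str
    source_ip: str
    device_id: Optional[str]  # None when the client presents no registered device


def evaluate(event: SignIn) -> str:
    """Return 'block', 'require_mfa' or 'allow' for one sign-in attempt."""
    try:
        ip = ipaddress.ip_address(event.source_ip)
    except ValueError:
        return "block"  # unparseable source address: fail closed
    if ip in MALICIOUS_IPS:
        return "block"  # a known-bad source overrides every other signal
    known_ip = any(ip in net for net in KNOWN_NETWORKS)
    trusted_device = event.device_id in TRUSTED_DEVICES
    if known_ip and trusted_device:
        return "allow"
    # Only one signal, or neither, is familiar: step up instead of
    # accepting the password alone (assumed policy choice).
    return "require_mfa"


# Constructed sign-in events covering each branch of the policy.
SAMPLE_EVENTS = [
    SignIn("alice", "192.0.2.10", "dev-laptop-017"),     # known network, trusted device
    SignIn("bob", "198.51.100.200", "dev-phone-204"),    # trusted device, outside the /25
    SignIn("carol", "203.0.113.66", "dev-laptop-017"),   # trusted device, malicious source
    SignIn("dave", "not-an-ip", None),                   # malformed source address
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e.user:<6} {e.source_ip:<16} {evaluate(e)}")
```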
Attackers frequently compromise cloud services like Azure to enter a business and weaponize virtual machines so they can launch attacks like spam campaigns, brute force attacks, phishing, and port scanning.
More than two-thirds of incoming attacks on Azure services came from IP addresses in China and the United States, at 35.1% and 32.5%, respectively. More than 89% of malicious IP addresses contacted by compromised Azure virtual machines were located in China; only 4.2% were located in the US.
Key business challenges in protecting against cloud attacks include mitigating unauthorized access to cloud accounts, and preventing attackers from using the cloud to gain a foothold, says Microsoft.
Global growth of ransomware
Ransomware attacks disproportionately hit customers in Europe compared with the rest of the world. In March 2017, targets included the Czech Republic (0.17%), Italy (0.14%), Hungary (0.14%), Spain (0.14%), Romania (0.13%), Croatia (0.13%), and Greece (0.12%), all of which had above-average ransomware rates for the month.
“Attackers evaluate several factors when determining what regions to target, including country GDP, average age of computer users and Bitcoin or available method of payment, among others,” a Microsoft spokesperson said.
Ransomware overall is growing, as indicated by respondents in the Dark Reading Strategic Security Survey. Twenty-three respondents reported falling victim to ransomware, a slight uptick from 20% the year prior.
Go phishing
Sites targeting online services made up the largest number of active phishing URLs during 1Q17. Those targeting financial institutions accounted for the second-largest share of attacks in Q1 and the largest share of impressions for both February and March.
On a geographical level, countries hosting higher-than-average concentrations of phishing websites included Ukraine (13.2 per 1,000 hosts in March), South Africa (10.3), Indonesia (9.6), and Denmark (9.7). Regions with low concentrations included China (0.6), Taiwan (0.6), Korea (0.7), and Mexico (1.2).
A phishing study from Imperva discovered most attackers don’t hesitate to click links or open documents. Most neglect to use sandboxes or anonymity services to cover their tracks, giving outsiders the ability to track them.
Malware impressions were more common than phishing impressions during Q1. There were 381 malware impressions per 1M pageviews in March, compared with 13.0 phishing attempts for the same number of pageviews. Malware primarily affected Hungary, Egypt, and Indonesia.
China, which had a comparatively low concentration of phishing sites, had one of the highest levels of malware hosts, with 45.9 malware hosting websites per 1,000 hosts. Other hotspots for malware hosting included Singapore (21.6), Ukraine (19), and Hong Kong (18.9).
Source | Dark Reading