Microsoft Warns Of 'Devastating' Cybersecurity Threat To Windows Users: Here's What You Need To Know

By Explorer -
Microsoft's threat protection intelligence team has warned of a "significant and growing" cybersecurity threat that can deliver a devastating payload. The FBI has warned about how high impact a threat ransomware is, and now Microsoft is adding to the voices of vigilance. While ransomware threats such as the newly discovered strain of NetWalker that can inject malicious code right into the Windows 10 explorer executable process are bad enough, they are but the tip of a very worrying cyber-iceberg. The Microsoft threat protection intelligence team has described in comprehensive detail how one type of ransomware attack poses a significant and growing threat, particularly to business users, calling it one of the "most impactful trends in cyberattacks" that we face today. The good news is that despite being able to deploy what Microsoft refers to as devastating payloads, the attacks and the fallout that follows are preventable.

All ransomware is not the same

The critical message to digest from the Microsoft deep dive into this threat is that not all ransomware is the same. The automated, bot-driven worm-like ransomware that spits out across the interwebs like a cyber-blunderbuss is damaging enough, for sure. However, the Microsoft threat protection intelligence team is warning about the type of hands-on, human-operated, highly targeted threat that is more commonly associated with the credential-stealing and data exfiltration antics of nation-state actors. Indeed, there is a similarity beyond the targeting; some of these ransomware attack methodologies have evolved to exfiltrate as well as encrypt data. DoppelPaymer, which recently hit the headlines when I reported how Lockheed Martin, SpaceX and Tesla had all been caught in the crossfire of one cyber-attack on a business in their supply chains, is an excellent example of the breed. More of that in a moment, though. First, let's look at the attack tactics and techniques Microsoft is alerting users to.

Human-operated ransomware attack tactics

Just like your nation-state, advanced persistent threat (APT) attackers, human-operated ransomware will target particular victims. The cybercriminals behind these attacks will already know plenty about you, by reconnaissance involving probing networks for common security misconfiguration errors or using open-source intelligence (OSINT) methodologies to glean publicly available data that can be useful in the social engineering side of such attacks. "These attacks are known to take advantage of network configuration weaknesses and vulnerable services to deploy devastating ransomware payloads," Microsoft said in the report, but it doesn't stop there. If a human attacker can see other opportunities before them, then further malicious payloads will be dropped, credentials stolen and data exfiltrated. 
The Microsoft researchers found that these ransomware campaigns do not bother too much with a stealthy approach; if they can get into your networks, then they operate without worrying about covering their tracks. Perhaps even more surprising to many, will be that the attacks themselves start in an unsophisticated manner, employing commodity malware and using vectors that routinely trigger detection alerts in business systems. They don't care because the warnings are low level, with security teams determining them to be of little importance and so get left uninvestigated in a timely fashion, if at all. This opens the attack window for long enough to enable the attacker to jump right through it. Even if a common payload gets intercepted by the security solution in place, the attack will simply try others until one sneaks through the defenses. They will even, having got admin status on a system, disable antivirus protection to enable relatively unfettered payload action. 

The DoppelPaymer threat in more detail

Microsoft warns that DoppelPaymer threat actors have "caused havoc" in several attacks, with ransoms reaching into millions of dollars territory in some cases. Spread by human-operators, within compromised networks, and within an attack framework involving other malicious software such as banking Trojans (Dridex is often found on machines compromised by DoppelPaymer) shows the level of unfettered confidence these cybercriminals have. "The success of attacks relies on whether campaign operators manage to gain control over domain accounts with elevated privileges after establishing initial access," Microsoft said. While Microsoft Defender ATP generates alerts for myriad activities as a result of these attacks, if the affected network segments are not actively monitored, these do not get the response they demand. Because DoppelPaymer attacks tend not to "fully infect" the networks they compromise, but rather only a subset of machines with the malware and then a further subset with data encryption and exfiltration, there's even more chance of them going unnoticed. The big difference between this type of ransomware and the more "traditional" file-encryptors we are used to, is that DoppelPaymer and its ilk will also exfiltrate data to use as ransom leverage. As was the case in the Visser Precision attack, the criminals will happily release data into the public domain, usually on cybercrime forums, to persuade the victim they are serious. If ransoms are still not paid, the criminals have data that can then be sold on those markets so that they still successfully monetize the attack.

Mitigating against the human-operated ransomware threat

So, what does Microsoft recommend you do to protect your systems, and your data, from these human-operated ransomware attackers? Apply the basics of good security, would be the simple yet obvious answer. "The top recommendations for mitigating ransomware and other human-operated campaigns," Microsoft said, "are to practice credential hygiene and stop unnecessary communication between endpoints." This removes the lateral movement ability of the attackers and can reduce the impact of any attack. 
I would recommend you read the full Microsoft threat protection intelligence team report to understand the mitigating tactics to be applied fully. A brief recap, however, includes the following:
Use attack surface reduction rules, turn on tamper protection, use the Windows Defender Firewall and harden all internet-facing assets.

Source: https://www.forbes.com/sites/daveywinder/2020/03/06/microsoft-warns-of-devastating-cybersecurity-threat-to-windows-users-heres-what-you-need-to-know/#7c4bb5211af8

Comments

Post a Comment

Popular posts from this blog

How a cyber attack hampered Hong Kong protesters

By Explorer -
Image
Massive public protests taking place in Hong Kong over the past week are aimed at a new extradition law, known as the Fugitive Offenders Ordinance , that would see accused criminals extradited to mainland China to face prosecution. Hongkongers feel the law could be used to legalise the kidnapping of people who express views, and act in ways, that are not popular with the Chinese government . The same law could also be used to extradite tourists and visitors to China who are arrested on suspicion of having committed these crimes. Protesters want the bill scrapped. For now, debate of the legislation has been postponed . Organisers say one million people turned out for the protests, while police estimate the number was around 240,000. Either way, it was a significant number of Hong Kong’s 7.5 million population. Commentators on Twitter remarked on how well organised the protesters were. So, how did they do it? Protesters across the world are using n
Read more

‘Not Hospital, Al-Shifa is Hamas Hideout & HQ in Gaza’: Israel Releases ‘Terrorists’ Confessions’ | Exclusive

By Explorer -
 According to a video of interrogation of "Hamas terrorists" released by Israel Security Agency Shin Bet, accessed exclusively by News18, "The Shifa hospital has been made with many considerations as Hamas knew that medical places won’t be attacked by the enemy. Equipment, explosives and other material has been kept there." Hamas is using hospitals in Gaza as covers and have turned them into ammunition depots, according to a video of interrogation of “Hamas terrorists" released by  Israel Security Agency  Shin Bet, accessed exclusively by News18. ALSO READ | Israel-Hamas War LIVE Updates  HERE The Israeli military has claimed that those featuring in the video released on Saturday are Hamas terrorists, who participated in the  October 7 attack  on Israel. “Most of the tunnels are hidden in hospitals. There are multiple underground levels. Al-Shifa Hospital is not small, it is a big place that can be used to hide things," a man is seen saying. “The Al-Shifa
Read more

Islam Has Massacred Over 669+ Million Non-Muslims Since 622AD

By Explorer -
Image
In fact, no ideology has been as genocidal as Islam… Islam has killed more than 5 times the number of people killed by communism. In the total numbers we have updated over 80 million Christians killed by Muslims in 500 years in the Balkan states, Hungary, Ukraine, Russia. Then we have India. The official estimate number of Muslim slaughters of Hindus is 80 million. However, Muslim historian Firistha (b. 1570) wrote (in either Tarikh-i Firishta or  the Gulshan-i Ibrahim) that Muslims slaughtered over 400 million Hindus up to the peak of Islamic rule of India, bringing the Hindu population down from 600 mil to 200 million at the time. With these new additions the Muslim genocide of non-Muslims since the birth of Mohammed would be  over 669 million murders. Islam: The Religion of Genocide Perspective:   Think the Spanish inquisition was bad? More people are killed by Islamists each year than in all 350 years of the Spanish Inquisition* combined. The Spanish inquisition ( Tribunal del Sant
Read more