Cybercriminals have always adapted their tactics, techniques and procedures (TTPs) to achieve their objectives while evading detection. It’s well known that cyber security is effectively an arms race between threat actors, who have always been one or two steps ahead, and defenders who are continually playing catch-up.
With its team of 10,000 security and threat intelligence analysts, Microsoft tracks over 300 unique threat actors including 160 nation-state actors and 50 ransomware groups. Every October it publishes its Digital Defense Report, and this year’s edition describes the changing behaviours of cybercriminals between July 2022 and June 2023.
Microsoft emphasises that “last year marked a significant shift in cybercriminal tactics”, explaining that cybercrime-as-a-service and manual (hands-on-keyboard) attacks were the two main upward trends for threat actors. Also on the rise are business email compromise (BEC), the use of remote encryption during attacks, and data extortion.
According to Microsoft the top four attack types are:
- Identity attacks – 42%
- Ransomware – 29%
- Phishing attempts – 25%
- BEC – 4%.
Poor password management, especially in certain sectors like education, has led to instances of password attacks rising enormously. According to data from Microsoft Entra, this number now stands at a staggering 4,000 per second on Microsoft cloud identities, or 3 billion per month.
Ransomware and extortion attacks are on the rise but are defendable
Human-operated ransomware attacks have risen by over 200% since September 2022 and 70% of their targets were organisations with fewer than 500 employees. However, there’s clearly a lot more that businesses can do to defend themselves because more than 80% of all successful ransomware compromises came through unmanaged devices.
During human-operated ransomware attacks, cybercriminals increasingly use remote encryption – where file encryption is performed on a different system on the network – to minimise the chances of being caught. This method was employed in 60% of such attacks.
On a positive note, only 2% of attacks progressed to a successful ransomware deployment for “organisations with a strong security posture”. More good news is that ransomware attacks reached a peak during March-April 2023 and have decreased since then.
Phishing tactics evolving but still focus on human factors
While industry analysts have observed new types of cyber-attacks, phishing remains popular. It’s also evolved over time but the fundamentals remain the same. Over 90% of phishing emails use social engineering tactics – but these tactics have become more sophisticated, with the use of genuine websites and services to trick visitors.
Microsoft’s report focuses on Adversary in the Middle (AitM)-style attacks, which are used to obtain credentials, cookies and personal data, and to distribute malware. Microsoft first saw high-volume AitM phishing campaigns in September 2021 and now detects them every day. In some cases they see hundreds of millions of phishing emails sent in a 24-hour window.
Business email compromise increasing
It’s a similar story with BEC attacks, which rose in number to 156,000 attacks every day in the year to April 2023. In fact, BEC attacks are now categorised into different types including Direct Email Compromise (DEC), Vendor Email Compromise (VEC), False Invoice Scam, and Attorney Impersonation.
They have also become more sophisticated, with criminal gang members taking different roles in BEC attacks, such as coordinator, email broker, infrastructure admin, email operator, and money launderer.
The success of these attacks, says the report, is “largely due to the growing targeting of cloud-based infrastructure, exploitation of trusted business relationships, and development of more specialised skills by the threat actors”.
Distributed denial-of-service attacks
Although distributed denial-of-service (DDoS) attacks declined steadily through 2022, they rose again to their peak in mid-2023. One of the main challenges in this area is the creation of DDoS-for-hire service platforms. Law enforcement agencies are tackling the problem and have disrupted several sites and taken legal action against some of the criminals behind them.
Learn more about cyber threats
Quorum Cyber regularly publishes advice and updates on the latest threats. You can find our threat intelligence bulletins, malware reports and threat actor profiles on our website. And, of course, if you believe you’re experiencing a cyber-attack, please call our Incident Response team on 0333 444 0041 and we’ll help you right away.
Join our Threat Intelligence webinar series
Quorum Cyber’s Lead Cyber Threat Intelligence Analyst Jack Alexander is hosting a free webinar series about his field of expertise, ‘Quorum Cyber Threat Intelligence Outlook 2024’. Register today.
You can watch his previous talks, ‘Ransomware Groups: New Techniques, Targets and Trends’ and the ‘Evolution of the ‘Big Four’ and the threats they pose in cyber space’ on Quorum Cyber’s Vimeo site.