Microsoft has warned that hackers are increasingly targeting users’ cloud credentials, with the number of attacks tripling in the first quarter of 2017.
Microsoft’s latest Security Intelligence Report (PDF) also reveals that, perhaps unsurprisingly, accounts are being compromised as a “result of weak, guessable passwords and poor password management, followed by targeted phishing attacks and breaches of third-party services”.
“The number of Microsoft account sign-ins attempted from malicious IP addresses has increased by 44 per cent from the first quarter of 2016 to the first quarter of 2017. Security policy based on risk-based conditional access, including comparing the requesting device’s IP address to a set of known ‘trusted IP addresses’ or ‘trusted devices’, may help reduce risk of credential abuse and misuse,” the report added.
While more and more accounts and credentials have been cracked and spilled online, enabling attackers to try the same username/password pairs in brute-force attacks against other accounts, Microsoft has also deployed automated systems that detect and, indeed, block millions of password attacks every day.
“When an attacker is observed using a valid credential, the request is challenged and the user is required to provide additional validation in order to sign in. Attackers, for their part, can be sophisticated and skilled at mimicking real users, making the task of safeguarding accounts a constantly evolving challenge.”
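The risk-based conditional access the report describes, comparing the requesting IP and device against trusted sets and challenging a valid credential that arrives from an unknown context, can be sketched as a small policy evaluator. This is an added illustration, not code from Microsoft or the report; the trusted ranges, device IDs, malicious IP, spraying threshold and sample sign-ins are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy data (not from the report): trusted corporate egress
# ranges, registered device IDs, and IPs already flagged as malicious.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("2001:db8::/32")]
TRUSTED_DEVICES = {"dev-0a1b", "dev-7f3e"}
MALICIOUS_IPS = {"198.51.100.7"}
MAX_USERS_PER_IP = 3  # one IP trying many accounts looks like password spraying

@dataclass
class SignIn:
    user: str
    ip: str
    device_id: str
    credential_valid: bool

def evaluate(event: SignIn, users_seen_from_ip: dict) -> str:
    """Return 'block', 'challenge' or 'allow' for one sign-in attempt."""
    users_seen_from_ip.setdefault(event.ip, set()).add(event.user)
    if not event.credential_valid:
        return "block"            # wrong password: nothing to grant
    if event.ip in MALICIOUS_IPS:
        return "block"            # known-bad source, even with a valid password
    addr = ipaddress.ip_address(event.ip)
    trusted_ip = any(addr in net for net in TRUSTED_NETWORKS)
    trusted_dev = event.device_id in TRUSTED_DEVICES
    spraying = len(users_seen_from_ip[event.ip]) > MAX_USERS_PER_IP
    if trusted_ip and trusted_dev and not spraying:
        return "allow"
    # Valid credential from an unknown or suspicious context: require a
    # second factor rather than silently allowing or blocking.
    return "challenge"

def evaluate_batch(events):
    seen = {}                     # per-IP set of user names, shared across the batch
    return [evaluate(e, seen) for e in events]

# Constructed sample sign-ins in arrival order
SAMPLE = [
    SignIn("alice", "203.0.113.10", "dev-0a1b", True),  # trusted network + device
    SignIn("alice", "192.0.2.55", "dev-0a1b", True),    # known device, unknown network
    SignIn("bob", "198.51.100.7", "unknown", True),     # valid password, malicious IP
    SignIn("carol", "192.0.2.99", "unknown", True),
    SignIn("dave", "192.0.2.99", "unknown", True),
    SignIn("erin", "192.0.2.99", "unknown", True),
    SignIn("frank", "192.0.2.99", "unknown", False),    # fourth user from one IP
    SignIn("grace", "203.0.113.10", "dev-7f3e", True),
]
```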
A number of technologies can be installed to minimise such risks, but for organisations moving to the cloud, the security risks are paramount.
“In a cloud weaponization threat scenario, an attacker establishes a foothold within a cloud infrastructure by compromising and taking control of one or more virtual machines,” warns the report.
“The attacker can then use these virtual machines to launch attacks, including brute force attacks against other virtual machines, spam campaigns that can be used for email phishing attacks, reconnaissance such as port scanning to identify new attack targets, and other malicious activities.”
In addition to the obvious risks and costs, the compromised organisation also ends up paying for the bandwidth and services exploited by the attackers.
According to Microsoft, incoming attacks detected by its Azure Security Centre point to the US and China as the biggest sources of attacks, together accounting for two-thirds of incoming attacks, with South Korea not far behind.
However, in terms of outgoing communications to malicious IP addresses, China is way out in front, accounting for nine out of ten of the malicious IP addresses contacted by compromised Azure virtual machines, followed by the US with 4.2 per cent.
Russia, perhaps surprisingly, is no worse than the UK, France or Australia, but does feature highly in terms of the number of drive-by download web pages, behind Taiwan and Iran.
While this year has seen major ransomware and other destructive malware outbreaks affecting organisations like the NHS and multinational businesses, Eastern Europe appears to be most affected by such attacks. Users in the Czech Republic, Hungary, Romania and Croatia, along with Italy and Spain, have the highest “encounter rates” with ransomware.