Hackers are turning their attention to cloud services, warns Microsoft
Microsoft's latest Security Intelligence Report claims a tripling in attacks against cloud user accounts
Attacks on cloud accounts are accelerating, perhaps not surprisingly, according to Microsoft's latest Security Intelligence Report (PDF): attacks aimed at users' accounts and login credentials tripled in the first quarter of 2017 compared with the same period a year earlier.
And accounts are being compromised as a "result of weak, guessable passwords and poor password management, followed by targeted phishing attacks and breaches of third-party services", according to the report, which focuses on attacks in the first quarter.
"The number of Microsoft account sign-ins attempted from malicious IP addresses has increased by 44 per cent from the first quarter of 2016 to the first quarter of 2017. Security policy based on risk-based conditional access, including comparing the requesting device's IP address to a set of known 'trusted IP addresses' or 'trusted devices', may help reduce risk of credential abuse and misuse," the report added.
While more and more accounts and credentials have been cracked and spilled online, enabling attackers to replay the same username/password pairs against other accounts in credential-stuffing and brute force attacks, Microsoft has also deployed automated systems that detect and block millions of password attacks every day.
"When an attacker is observed using a valid credential, the request is challenged and the user is required to provide additional validation in order to sign in. Attackers, for their part, can be sophisticated and skilled at mimicking real users, making the task of safeguarding accounts a constantly evolving challenge."
Risk-based conditional access and multi-factor authentication are among the technologies that can be deployed to minimise such risks.
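The risk-based conditional access the report describes, as an added example rather than Microsoft's own code: a sign-in is allowed, challenged (step-up to MFA) or blocked depending on whether the credential was valid, whether the source IP is on a malicious list, and whether the request comes from a trusted network and a trusted device. The trusted ranges, device IDs, malicious IPs and sample sign-in events are all constructed for illustration, and the batch step also flags an IP as malicious when its failures span several accounts, the signature of a password spray.

```python
"""Risk-based conditional access for sign-ins (added example, not
Microsoft's code). Policy data and sample events are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed policy data: an assumed office egress range and a VPN range.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/25")]
TRUSTED_DEVICES = {"dev-laptop-0042", "dev-laptop-0099"}
# Constructed threat intel: IPs previously seen abusing credentials.
KNOWN_MALICIOUS_IPS = {"192.0.2.17", "192.0.2.200"}


@dataclass(frozen=True)
class SignIn:
    user: str
    ip: str
    device_id: Optional[str]   # None when the device is unmanaged/unknown
    credential_valid: bool     # did the password check itself succeed?


def spraying_ips(events, min_users=3):
    """IPs whose failed sign-ins spanned at least `min_users` distinct
    accounts: a password spray, as opposed to one user mistyping."""
    failed = defaultdict(set)
    for e in events:
        if not e.credential_valid:
            failed[e.ip].add(e.user)
    return {ip for ip, users in failed.items() if len(users) >= min_users}


def evaluate(event, malicious_ips):
    """Decide one sign-in; returns (decision, reason).

    Assumed policy, modelled on the report's description: a valid credential
    presented from a malicious IP is challenged rather than accepted; a valid
    credential from a trusted network on a trusted device is allowed;
    anything else gets a step-up challenge (MFA)."""
    if not event.credential_valid:
        return "block", "bad_credential"
    if event.ip in malicious_ips:
        return "challenge", "malicious_ip"
    addr = ipaddress.ip_address(event.ip)
    on_trusted_net = any(addr in net for net in TRUSTED_NETWORKS)
    on_trusted_device = event.device_id in TRUSTED_DEVICES
    if on_trusted_net and on_trusted_device:
        return "allow", "trusted_network_and_device"
    return "challenge", "untrusted_network_or_device"


def decide_batch(events):
    """Evaluate a batch, first enriching the static malicious list with IPs
    that the batch itself reveals to be spraying."""
    malicious = KNOWN_MALICIOUS_IPS | spraying_ips(events)
    return [evaluate(e, malicious) for e in events]


# Constructed sample sign-in events.
SAMPLE_EVENTS = [
    SignIn("alice", "203.0.113.10", "dev-laptop-0042", True),   # office, managed laptop
    SignIn("alice", "198.51.100.200", None, True),              # home IP, unknown device
    SignIn("bob",   "192.0.2.17", "dev-laptop-0099", True),     # valid password, known bad IP
    SignIn("bob",   "198.51.100.77", None, True),               # VPN range, unknown device
    SignIn("carol", "192.0.2.55", None, False),                 # spray from one IP...
    SignIn("dave",  "192.0.2.55", None, False),
    SignIn("erin",  "192.0.2.55", None, False),
    SignIn("frank", "192.0.2.55", None, True),                  # ...then a guessed password lands
]

if __name__ == "__main__":
    for e, (decision, reason) in zip(SAMPLE_EVENTS, decide_batch(SAMPLE_EVENTS)):
        print(f"{e.user:6} {e.ip:15} {decision:9} {reason}")
```

Note that the last event is the one the report's quote is about: the password is correct, so a password-only check would let it through, and only the IP's earlier behaviour against other accounts turns the sign-in into a challenge.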
For organisations moving to the cloud, though, the security risks are paramount. "In a cloud weaponization threat scenario, an attacker establishes a foothold within a cloud infrastructure by compromising and taking control of one or more virtual machines," warns the report.
"The attacker can then use these virtual machines to launch attacks, including brute force attacks against other virtual machines, spam campaigns that can be used for email phishing attacks, reconnaissance such as port scanning to identify new attack targets, and other malicious activities."
In addition to the obvious risks and costs, the compromised organisation also ends up paying for the bandwidth and services exploited by the attackers.
According to Microsoft, incoming attacks detected by its Azure Security Center point to the US and China as the biggest sources of attacks, together accounting for two-thirds of incoming attacks, with South Korea not far behind.
However, in terms of outgoing communications to malicious IP addresses, China is way out in front, accounting for nine out of ten of the malicious IP addresses contacted by compromised Azure virtual machines, followed by the US with 4.2 per cent.
Russia, perhaps surprisingly, is no worse than the UK, France or Australia, but does feature highly in terms of the number of drive-by download web pages, behind Taiwan and Iran.
While this year has seen major ransomware and other destructive malware outbreaks affecting organisations like the NHS and multinational businesses, Eastern Europe appears to be most affected by such attacks. Users in the Czech Republic, Hungary, Romania and Croatia, along with Italy and Spain, have the highest "encounter rates" with ransomware.
"Attacks on Cloud providers are the easy way into Hybrid Cloud enterprises who are struggling with the complexity of controlling security across all domains and security vendors. Just relying on the encryption from your SD-WAN vendor does not assure the journey," warned James Clegg, vice president of EMEA at security company FireMon.
Microsoft provided a brief, four-point list for individuals and organisations to follow in order to minimise their risks. These were:
- Reduce risk of credential compromise by educating users on why they should avoid simple passwords, enforcing multi-factor authentication and applying alternative authentication methods;
- Enforce security policies that control access to sensitive data and limit corporate network access to appropriate users, locations, devices, and operating systems;
- Do not work in public Wi-Fi hotspots where attackers could eavesdrop on your communications, capture logins and passwords, and access your personal data;
- Regularly update your OS and other software to ensure the latest patches are installed.