Nation-state groups are becoming a more dangerous threat as they increasingly target critical infrastructures and rapidly leverage zero-day vulnerabilities, according to new Microsoft research.
The tech giant published the Microsoft Digital Defense Report 2022 Friday which highlighted Russia, China, Iran, and North Korea as the primary nation-state threat groups it has observed targeting Microsoft customers over the past year. While the report showed an increase in attacks coinciding with Russia's invasion of Ukraine and NATO allies, Microsoft emphasized it saw increased activity from nation-state actors even outside of the conflict.
More significantly, Microsoft discovered those actors "have begun using advancements in automation, cloud infrastructure and remote access technologies to attack a wider set of targets." That includes more sophisticated evasion techniques, a shift to targeting the IT services supply chain, and improved tactics to leverage zero-day vulnerabilities before they are publicly disclosed and patches are available.
For example, in September, Microsoft confirmed that two unpatched zero days were again being actively exploited in attacks against its Exchange Server software.
"While zero-day vulnerability attacks tend to initially target a limited set of organizations, they are quickly adopted into the larger threat actor ecosystem," Microsoft wrote in the report. "This kicks off a race for threat actors to exploit the vulnerability as widely as possible before their potential targets install patches."
China collecting zero days
In an accompanying blog post, Tom Burt, corporate vice president of customer security and trust at Microsoft, attributed many of the recent zero day attacks to China. Burt said such attacks are a direct result of the country's new vulnerability-reporting laws, which were enacted by the Chinese government on September 1, 2021.
The new regulations stated vulnerability information must be submitted to the Ministry of Industry and Information Technology within two days of discovery. Additionally, the new law prohibited researchers and vendors from disclosing vulnerabilities to "overseas organizations or individuals other than network product providers."
"China's collection of these vulnerabilities appears to have increased on the heels of a new law requiring entities in China to report vulnerabilities they discover to the government before sharing them with others," the blog post read.
One noteworthy example of zero-day exploitation prior to public disclosure occurred in 2021 with the discovery of ProxyLogon, a group of vulnerabilities that affected Microsoft Exchange Server. Hafnium, the Chinese nation-state group, launched a series of zero-day attacks before Microsoft publicly disclosed or released patches for the ProxyLogon flaws, which posed a risk to organizations for years.
Another set of Microsoft Exchange Server flaws was reported to the company in June of 2021 by a security researcher known as "Orange Tsai," who also discovered the most serious ProxyLogon bugs. In Tsai's blog post detailing the new attack surface, he noted that "Dlive," a security researcher from Chinese company Tencent Security Xuanwu Lab, independently found and reported the flaws to Microsoft as well. One of the most critical flaws took Microsoft more than one year to publicly disclose and fix, and the reason remains unclear.
Unfortunately, it's not just nation-state groups that are increasingly leveraging zero days. Cyber criminals are too, and the stock of reported flaws available for exploitation keeps growing. Microsoft noted that the number of publicly disclosed zero-day vulnerabilities over the past year matches data from 2021, which was the highest on record. Similarly, in an April blog post, Mandiant Threat Intelligence said it discovered 80 zero-days exploited in the wild in 2021 -- "more than double the previous record volume in 2019."
Microsoft estimated in its report that on average, it only takes 14 days for an exploit to be available in the wild after a vulnerability is publicly disclosed.
"As cyber threat actors -- both nation state and criminal -- become more adept at leveraging these vulnerabilities, we have observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability," the report read. "This makes it essential that organizations patch exploits immediately."
Nation-state groups pose increasing threat
To gain a perspective on the potential attack scope, Microsoft started sending out nation-state notifications (NSNs) to targeted or compromised customers beginning in 2018. As of June 2022, 67,000 NSNs have been delivered.
Over the past year, Microsoft has observed nation-state groups increasingly targeting critical infrastructures with a focus on companies in the IT sector, financial services, transportation systems and communications infrastructure. Microsoft found that attacks on critical infrastructure comprised 40% of all cyber attacks this year, up from 20% the year before.
Targets differed by country. Unsurprisingly, Microsoft found Russia targeted the Ukrainian government and the country's critical infrastructure to complement its on-the-ground military action, which Microsoft referred to as a "full-scale hybrid conflict." Iran focused on U.S. critical infrastructure, such as port authorities, while North Korea continued to steal cryptocurrency from financial and technological companies. In addition to China's extensive zero-day vulnerability usage, Microsoft found the nation also expanded its global cyberespionage operations.
Additionally, Microsoft found a shift from attacking the software supply chain to exploiting the IT services supply chain, "targeting cloud solutions and managed services providers to reach downstream customers." Cloud adoption and outsourcing to managed service providers have grown since the pandemic and the move to remote work, creating additional attack vectors to defend.
"We expect actors to continue to exploit trusted relationships in enterprise supply chains, emphasizing the importance of comprehensive enforcement of authentication rules, diligent patching, and account configuration for remote access infrastructure, and frequent audits of partner relationships to verify authenticity," the report read.
Steps to take
While Microsoft's report illustrated a dangerous threat landscape, the company also offered actionable steps to address such threats, including important lessons learned from the Russian invasion of Ukraine. Because initial Russian attacks used data-wiping malware against on-premises services and also targeted physical data centers, Microsoft said the best way to protect that data is by moving to the cloud. For example, in February, HermeticWiper was used in DDoS attacks against Ukrainian government websites.
"Connecting the security of these systems to the cloud resulted in early detection and disruption of potentially devastating attacks," the report read.
Microsoft also urged enterprises to eliminate the use of legacy systems and software and to promptly patch and update their existing software. "We observe millions of commercial devices still using vulnerable application versions many months after patch release or even years beyond the end of product support," the report said.
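The two findings above, the roughly 14-day gap between disclosure and a working exploit and the long tail of devices running end-of-support or long-unpatched software, translate directly into a patch-prioritization rule. The following Python script is an added example written for this article; it is not code from Microsoft or from the report. It runs a constructed software inventory (all host names, product names, version numbers and dates are made up) through that rule: anything past end of support is ranked first, anything unpatched for longer than the 14-day window second, and everything else still inside the window last.

```python
"""Patch-latency triage over a software inventory (added example; the
inventory, hosts, products, versions and dates are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Average disclosure-to-exploit gap cited in the Microsoft report.
EXPLOIT_WINDOW_DAYS = 14

# Ranking of finding types: most urgent first.
RANK = {"END_OF_SUPPORT": 0, "OVERDUE": 1, "PATCH_DUE": 2}


@dataclass(frozen=True)
class InventoryItem:
    host: str
    product: str
    installed_version: str
    patched_version: str            # hypothetical: first version closing the known flaw
    patch_released: date            # hypothetical: public patch/disclosure date
    end_of_support: Optional[date]  # None while the product is still supported


def version_tuple(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def triage(items: List[InventoryItem], today: date) -> List[Dict]:
    """Classify each inventory item and return findings, most urgent first."""
    findings = []
    for item in items:
        if item.end_of_support is not None and today > item.end_of_support:
            # Unsupported software never receives a patch; flag regardless of version.
            days = (today - item.end_of_support).days
            findings.append({"host": item.host, "product": item.product,
                             "status": "END_OF_SUPPORT", "days": days})
            continue
        if version_tuple(item.installed_version) >= version_tuple(item.patched_version):
            continue  # already at or beyond the fixed version
        lag = (today - item.patch_released).days
        # Past the average exploit window, an exploit is likely already circulating.
        status = "OVERDUE" if lag > EXPLOIT_WINDOW_DAYS else "PATCH_DUE"
        findings.append({"host": item.host, "product": item.product,
                         "status": status, "days": lag})
    # Most urgent category first; within a category, the oldest exposure first.
    findings.sort(key=lambda f: (RANK[f["status"]], -f["days"]))
    return findings


# Constructed sample inventory (not real hosts or real version data).
SAMPLE_INVENTORY = [
    InventoryItem("mail01", "Mail server (constructed)", "15.1.2308.8", "15.1.2375.7",
                  date(2022, 8, 9), None),
    InventoryItem("web02", "CMS (constructed)", "3.2.0", "3.2.0",
                  date(2022, 10, 1), None),
    InventoryItem("app03", "Line-of-business app (constructed)", "1.4.2", "1.4.3",
                  date(2022, 11, 1), None),
    InventoryItem("fs04", "Legacy file-server OS (constructed)", "6.1", "6.1",
                  date(2019, 6, 1), date(2020, 1, 14)),
]
SAMPLE_TODAY = date(2022, 11, 7)  # constructed "as of" date for the run


def run_sample() -> List[Dict]:
    """Triage the constructed inventory as of SAMPLE_TODAY."""
    return triage(SAMPLE_INVENTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['status']:15} {finding['host']:8} "
              f"{finding['product']:35} {finding['days']:5d} days")
```

The version comparison is deliberately naive (integer-only dotted versions); real inventories need a product-specific comparator. The point of the script is the ordering: end-of-support software can never be brought inside the window, so it ranks above even the most overdue patchable host.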
After analyzing the top six issues found among customers recovering from attacks, Microsoft emphasized the importance of securing Active Directory infrastructure as well as implementing multifactor authentication and access management controls to improve security posture.