Microsoft Digital Crimes Unit (DCU) – Fight Against Cybercrime

Marja Laitinen, Senior Attorney, Digital Crimes Unit, Central and Eastern Europe

Microsoft Confidential

Cybersecurity is a Boardroom-level Issue

• 71% of companies admit they fell victim to a successful cyber attack the prior year
• $3 Trillion: estimated cost in economic value from the cybercrime industry by 2020
• 556M victims of cybercrime per year
• $400B cost of cyberattacks to companies each year
• 160M data records compromised from the top 8 breaches in 2015
• 140+ median number of days between infiltration and detection

Our Unique Approach: Our Unique Perspective

• 300B user authentications each month
• 1B Windows devices updated
• 200B emails analyzed for spam and malware

A Layered Approach to Security

Growing threats demand a coordinated response: Cyber Defense Operations Center

Helping to protect our customers, our company, and our world

• Cyber Security Services Engineering
• Microsoft Security Response Center
• Digital Crimes Unit
• Microsoft Threat Intelligence Center
• Information Security & Risk Management
• Office 365
• Windows & Devices Group

Digital Crimes Unit (DCU)

The Microsoft Digital Crimes Unit is committed to fighting cybercrime around the globe. We use our expertise in data analytics, cyberforensics, and law to strategically partner with public and private organizations, law enforcement, and our customers to protect the world from digital harm. In our work we focus on protecting vulnerable populations, fighting malware, and reducing digital risk.

Protecting Vulnerable Populations: Tech Support Scams

The Scheme:
• Fraudsters pose online and on the phone as tech support from high tech companies, including Microsoft Technical Support
• A victim is often asked for remote access and charged for unnecessary technical services; they may lose money or personal information, or be exposed to malware
• DCU investigates tech fraud cases globally, building evidence to take action, and runs education programs through media, Microsoft Retail Stores, and the Cybercrime Center

www.support.microsoft.com/reportascam

Protecting Vulnerable Populations: PhotoDNA

• PhotoDNA has helped detect millions of illegal images online
• Over 100 organizations use the technology to keep their platforms safe
• Illegal images are reported to the National Center for Missing and Exploited Children and other appropriate authorities

Free cloud-based service: www.microsoft.com/photodna

Malware Disruptions

DCU identifies targets, investigates, and orchestrates global partnerships to take action, working with law enforcement and others to disrupt the criminal infrastructure.

A botnet is a network of infected computers controlled from a distance by cybercriminals. This allows criminals to control those computers remotely. With a single botnet, cybercriminals can commit billions of illegal acts in a single day.

Trespass to Chattels: Botnet Takedowns and Malware Disruption Operations

• Operation Conficker (Feb 2010): Microsoft-led model of industry-wide efforts to counter the threat. Botnet Worm.
• Operation Waledac (Feb 2010): First MS takedown operation, proving the model of industry-led efforts. Disconnected 70,000-90,000 infected devices from the botnet. Botnet sending SPAM.
• Operation Rustock (March 2011): Supported by stakeholders across industry sectors. Involved US and Dutch law enforcement, and CN-CERT. Botnet Worm sending SPAM, on average 192 spam messages per compromised machine per minute.
• Operation Kelihos (Sep 2011): Partnership between Microsoft and security software vendors. First operation with a named defendant. SPAM, Bitcoin Mining, DDoS attacks.
• Operation Zeus (March 2012): Cross-sector partnership with financial services. Focused on disruption because of technical complexity. Identity Theft / Financial Fraud.
• Operation Nitol (Sep 2012): Nitol was introduced in the supply chain relied on by Chinese consumers. Settled with the operator of the malicious domain. Malware Spreading, DDoS attacks.
• Operation Bamital (Feb 2013): Bamital hijacked people's search results and took victims to dangerous sites. Takedown in collaboration with Symantec; notification and cleanup process. Advertising Click Fraud.
• Operation Citadel (June 2013): Citadel committed online financial fraud, responsible for more than $500M in losses, and attempted to steal confidential data and passwords. Coordinated proactive disruption with the public-private sector. Identity Theft / Financial Fraud.
• Operation Sirefef (Dec 2013): ZeroAccess hijacked search results, taking victims to dangerous sites. It cost online advertisers upwards of $2.7 million each month. Advertising Click Fraud.

• Operation GameOver Zeus (June 2014): GameOver Zeus (GOZ) was a banking Trojan responsible for more than $250M in losses. Coordinated disruption with the public-private sector. Identity Theft / Financial Fraud, DDoS Attacks.
• Operation Bladabindi & Jenxcus (June 2014): Malware using Dynamic DNS for command. It involved password and identity theft, webcam, etc. Identity Theft / Financial Fraud / Privacy Invasion.
• Operation Caphaw (July 2014): Caphaw was focused on financial fraud. Configured to hide itself. Identity Theft / Financial Fraud.
• Operation Ramnit (Feb 2015): Malware stealing online credential information from banking websites. Over 200 different types of malware impacted. Identity Theft / Financial Fraud.
• Operation Simda (April 2015): Theft of personal information, including banking passwords, as well as installing and spreading other malicious malware. Worked in partnership with LE, providing Technical Remediation. Theft of personal data / Install and spread other malware.
• Operation Dorkbot (December 2015): Used for cybercriminal activities such as credential harvesting for financial fraud, as well as DDoS attacks and the downloading of malicious payloads. Credential Information Theft / Disabling Security Defenses.

Actionable Intelligence from Malware Disruptions


Most Common Malware Threats in CEE, 1-30 September 2016

• Conficker: 682 897
• Bladabindi & Jenxcus: 452 515
• Ramnit: 114 062
• Dorkbot: 659 991

• Conficker (February 2010): Botnet Worm.
• Bladabindi & Jenxcus (June 2014): Malware using Dynamic DNS for command. It involved password and identity theft, webcam and other privacy invasions. Identity Theft / Financial Fraud / Privacy Invasion.
• Ramnit (February 2015): Over 200 different types of malware impacted by the takedown.
• Dorkbot: Used for cybercriminal activities such as credential harvesting for financial fraud, DDoS attacks, and the downloading of malicious payloads. Disrupted in cooperation with the FBI and international law enforcement. Credential Information Theft / Disable Security Defenses.

Top Countries per Threat, 1-30 September 2016

Conficker

Distinct IPs/ Country:

• Russia: 258 426
• Ukraine: 76 341
• Romania: 57 507
• Hungary: 40 757
• Serbia: 29 635

The top 5 countries represent 68% of CEE Conficker infections.

Top Countries per Threat, 1-30 September 2016

Dorkbot

Distinct IPs/ Country:

• Russia: 341 281
• Ukraine: 65 426
• Belarus: 59 713
• Kazakhstan: 58 899
• Romania: 28 715

The top 5 countries represent 83% of CEE Dorkbot infections.

Top Countries per Threat, 1-30 September 2016

B106 (Bladabindi & Jenxcus)

Distinct IPs/ Country:

• Russia: 111 586
• Kazakhstan: 74 574
• Romania: 52 328
• Poland: 24 313
• Serbia: 21 592

The top 5 countries represent 63% of CEE B106 infections.

Top CEE Countries per Threat, 1-30 September 2016

Ramnit

Distinct IPs/ Country:

• Romania: 53 752
• Azerbaijan: 23 014
• Poland: 12 820
• Russia: 9 211
• Mongolia: 7 137

The top 5 countries represent 93% of CEE Ramnit infections.

Government Security Program

Program objectives: direct access to Microsoft product and security resources.

Microsoft is committed to building trust with governments:
• Help protect governments and their citizens
• Build trust and transparency
• Strengthen public-private partnerships

Access to source code:
• Transparency Centers to work with source code
• Remote access to online source code
• Technical data, including security information, sharing for Microsoft Azure and O365
• Information sharing about threats and vulnerabilities, leveraging CTIP

The Microsoft Security Platform

• Advanced Threat Analytics
• Windows Trust Boot
• Azure Advanced Threat Protection
• Cloud App Security
• Device Guard
• Azure Active Directory Premium
• Anti-Spam / Anti-Malware
• Intune
• Credential Guard
• Azure Security Center
• Message Encryption
• Microsoft Passport
• Azure Secure Store
• Customer Lockbox
• SQL Server 2016
• Windows Hello
• Azure Key Vault
• Data Loss Prevention
• Windows Defender ATP
• Windows Update for Business
• Enterprise Data Protection


Protect Your Environment: Best Practices

Invest in your platform:
• Maintain a well-documented inventory of your assets
• Define your security policy with clear controls, standards and guidance
• Use proper hygiene: most attacks can be prevented with timely patches and antivirus
• Employ multi-factor authentication to strengthen protection of accounts and devices

Invest in your instrumentation:
• Acquire/build the tools needed to fully monitor your network, hosts, and logs
• Proactively maintain controls and measures, and regularly test them for accuracy and effectiveness
• Maintain tight control over change management policies
• Monitor for abnormal account and credential activity to prevent abuse

Invest in your people:
• Establish relationships and communication between the incident response team and other groups
• Adopt least privilege admin principles; eliminate persistent admin rights
• Use the lessons learned to gain value from every major incident
• Educate, empower, and enlist users to recognize likely threats and their role in protecting business data
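The slide's "monitor for abnormal account and credential activity" bullet is the one a defender has to turn into concrete logic. The script below is an added example written for this page, not Microsoft code and not tied to any Microsoft product; it assumes a simplified, constructed authentication-log format (timestamp, user, source IP, result) and applies two rules over it: a run of failed logons for one account followed by a success within a short window, and successful logons for one account from several distinct source IPs within a short window. Thresholds and window sizes are illustrative assumptions.

```python
"""Added example (not from the original deck): two simple detections for
abnormal account and credential activity over authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real telemetry.
# Format (assumed): ISO timestamp, user name, source IP, SUCCESS or FAILURE.
SAMPLE_LOG = """\
2016-09-01T08:00:01Z alice 10.0.0.5 SUCCESS
2016-09-01T08:05:10Z bob 10.0.0.7 SUCCESS
2016-09-01T22:10:00Z alice 203.0.113.9 FAILURE
2016-09-01T22:10:03Z alice 203.0.113.9 FAILURE
2016-09-01T22:10:06Z alice 203.0.113.9 FAILURE
2016-09-01T22:10:09Z alice 203.0.113.9 FAILURE
2016-09-01T22:10:12Z alice 203.0.113.9 FAILURE
2016-09-01T22:10:20Z alice 203.0.113.9 SUCCESS
2016-09-02T09:00:00Z carol 198.51.100.4 SUCCESS
2016-09-02T09:00:30Z carol 198.51.100.5 SUCCESS
2016-09-02T09:01:00Z carol 198.51.100.6 SUCCESS
2016-09-02T09:01:30Z carol 198.51.100.7 SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, ip, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    events.sort()
    return events


def detect_abuse(events, fail_threshold=5, fail_window=timedelta(minutes=5),
                 ip_threshold=3, ip_window=timedelta(minutes=10)):
    """Return one alert tuple per account per rule that fires.

    Rule 1 ("failures_then_success"): at least fail_threshold FAILURE events for the
    same account within fail_window before a SUCCESS (password guessing that worked).
    Rule 2 ("many_source_ips"): SUCCESS events for the same account from at least
    ip_threshold distinct source IPs within ip_window (shared or stolen credential).
    """
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    for user, evs in by_user.items():
        # Rule 1: look back from each success for recent failures.
        for i, (ts, _, ip, result) in enumerate(evs):
            if result != "SUCCESS":
                continue
            recent_fails = [e for e in evs[:i]
                            if e[3] == "FAILURE" and ts - e[0] <= fail_window]
            if len(recent_fails) >= fail_threshold:
                alerts.append(("failures_then_success", user, ip, len(recent_fails)))
                break  # one alert per account is enough for triage

        # Rule 2: sliding window over successes, counting distinct source IPs.
        successes = [e for e in evs if e[3] == "SUCCESS"]
        for ts, _, _, _ in successes:
            window_ips = {e[2] for e in successes if ts <= e[0] <= ts + ip_window}
            if len(window_ips) >= ip_threshold:
                alerts.append(("many_source_ips", user, sorted(window_ips), len(window_ips)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_abuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this flags alice (five failures followed by a success from the same address) and carol (four successful logons from four different addresses within two minutes) while leaving bob alone. In practice the thresholds would be tuned against the real log volume, and the second rule would normally be enriched with the asset inventory the slide also calls for, so that a user's known devices do not trigger it.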

Additional Information

Contact: [email protected]

More on DCU:
• DCU Fact Sheet (http://news.microsoft.com/download/presskits/DCU/docs/dcuFS_160115.)
• DCU on YouTube (https://www.youtube.com/user/DCUMicrosoft)
• DCU on Twitter (https://twitter.com/microsoftdcu)

Useful Links:
• Avoiding Tech Support Scams (PDF brochure): https://ncmedia.azureedge.net/ncmedia/2016/03/TechSupportScams.pdf
• Microsoft on the Issues Blog (http://blogs.microsoft.com/on-the-issues/2015/09/30/microsoft-hosts-renowned-id-theft-expert-to-kick-off-expanded-aarp-partnership-to-stop-tech-scams/#sm.00012obcpy1ccqfgyxshvwqfatq4j)
• PhotoDNA Cloud Service (https://www.microsoft.com/en-us/PhotoDNA)
• PhotoDNA Fact Sheet (https://ncmedia.azureedge.net/ncmedia/2016/08/PhotoDNAFactSheet1608221.pdf)

Learn and Test:
• Learn about Your and Your Family's Online Safety (https://www.microsoft.com/about/philanthropies/youthspark/youthsparkhub/programs/onlinesafety/)
• Install and Run the Free Malicious Software Removal Tool (https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx?id=16)