Written by guest contributor Edward van Biljon.
Many of the challenges in 2021 stem from what happened in 2020. Five major events in 2020, discussed briefly below, changed the way we protect Microsoft 365 accounts today:
COVID-19
220% Rise in Phishing Attacks
Increased Ransomware Attacks
Hack of SolarWinds
Zero-Day Exploit (CVE-2020-1472)
COVID-19
In early 2020 the world started coming to terms with a virus that has since taken many people's lives. The pandemic brought governments to their knees and caused the world economy to come to a standstill.
Companies had to shift quickly to get staff working remotely. Microsoft Teams, Zoom and Google Meet all saw record adoption. Cyber criminals saw an opportunity in this, which brings us to the next point: phishing.
Phishing
Phishing is estimated to have increased by over 220% during COVID-19 and is still rising. The attacks are becoming more and more sophisticated and cost the industry billions each year. Personally, I get suspicious emails almost daily: my "account has been suspended" and needs to be updated, "bank statements" that look pretty legitimate, or a newer scam in which I have supposedly purchased a "new anti-virus, please click to verify the PayPal details". My trained eye may spot them, my anti-virus solution may block them, and Microsoft 365 add-ons like FileWall strip the problematic files from emails before they can even reach me.
Ransomware Attacks on the Rise
There has been a resurgence in ransomware attacks. At the end of 2020 the price of bitcoin passed the $30,000 mark. Ransomware is a money business: attackers abuse weaknesses in the operating system to evade antivirus and Windows Security, both to deliver ransomware and to run cryptocurrency miners on a schedule on compromised servers, taking advantage of data-center compute capacity.
Many organizations believe they have everything in place to protect themselves. However, they may be running outdated firmware on their switches or routers, they may never have changed the default password on an appliance that then becomes the central point of attack, or, most commonly, their Remote Desktop Protocol (RDP) endpoint is exposed to the internet. Exposed RDP gets brute forced within hours; the attacker then deploys a payload, and the result is malware or ransomware in the environment. Organizations without good backups, or without any backups at all, end up paying to decrypt their machines. The tell-tale sign in the Windows Security log is a burst of failed logons (Event ID 4625) from a single source address, and a successful logon (Event ID 4624) from that same address after the burst means the brute force worked.
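As an added example (not part of the original article), the following Python script implements the detection logic a practitioner would run over a Windows Security log export to spot exactly this pattern: a burst of failed RDP logons (Event ID 4625, LogonType 10) from one source address inside a short window, followed by a successful RDP logon (Event ID 4624) from the same address. The event lines are constructed sample data, not a real log, and the CSV layout, the five-failures-in-ten-minutes threshold and the function names are my own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events flattened to CSV (not real log data):
# timestamp, EventID, LogonType, TargetUserName, IpAddress
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP)
SAMPLE_EVENTS = """\
2021-01-14T02:10:01Z,4625,10,administrator,203.0.113.45
2021-01-14T02:10:03Z,4625,10,administrator,203.0.113.45
2021-01-14T02:10:06Z,4625,10,admin,203.0.113.45
2021-01-14T02:10:09Z,4625,10,admin,203.0.113.45
2021-01-14T02:10:12Z,4625,10,backup,203.0.113.45
2021-01-14T02:10:15Z,4625,10,backup,203.0.113.45
2021-01-14T02:10:18Z,4625,10,administrator,203.0.113.45
2021-01-14T02:10:21Z,4625,10,administrator,203.0.113.45
2021-01-14T02:11:02Z,4624,10,administrator,203.0.113.45
2021-01-14T09:00:10Z,4625,10,jsmith,198.51.100.7
2021-01-14T09:00:40Z,4625,10,jsmith,198.51.100.7
2021-01-14T09:01:05Z,4624,10,jsmith,198.51.100.7
2021-01-14T11:30:00Z,4625,3,svc_sql,192.0.2.9
"""


def parse_events(text):
    """Parse the CSV export into dicts sorted by time (assumed column order above)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    For each flagged IP, also list the accounts that logged on successfully over
    RDP after the burst: that is the signal the brute force succeeded.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10:          # only RemoteInteractive (RDP) logons
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        burst_end = None
        for i, e in enumerate(failures):
            # failures from this IP in the window ending at this event
            recent = [f for f in failures[:i + 1] if e["time"] - f["time"] <= window]
            if len(recent) >= threshold:
                burst_end = e["time"]
                break
        if burst_end is None:
            continue
        successes = [e for e in evs if e["event_id"] == 4624 and e["time"] >= burst_end]
        findings[ip] = {
            "failures": len(failures),
            "usernames": sorted({f["user"] for f in failures}),
            "burst_detected_at": burst_end,
            "success_after_burst": [s["user"] for s in successes],
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, info)
```

The window-based count is what separates a brute force from a user mistyping a password twice; the benign `jsmith` logons in the sample never reach the threshold, while the attacker address is flagged and the successful `administrator` logon that follows the burst is surfaced as the highest-priority finding.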
Hack of SolarWinds
In December 2020, one of the largest cyber intrusions on record came to light, and its root cause was a weakness in the software supply chain: a trojanized update to the SolarWinds Orion platform. Victims included large corporations such as Microsoft, which uses SolarWinds, and US government agencies such as the Treasury and the Departments of Homeland Security, State, Defense and Commerce, according to the BBC. Sources say the parties behind the orchestrated attack were able to insert backdoors into the networks of these agencies and corporations. SolarWinds Orion is a network performance monitor that watches for network issues and lets you detect and resolve them relatively quickly.
We still don't know the full extent of the damage or how much data was stolen, but it begs the question: did they also plant ransomware that will lie dormant and strike at a later date? This is one more reason we must keep evolving, verify the code and updates we deploy, and ensure systems are patched and up to date. We need to prevent the nightmare scenario of a zero-day attack, which we discuss next.
Zero-Day Login Exploit
What is a zero-day exploit? It is an exploit for a vulnerability that attackers are using before the vendor has released a patch: the vendor has had "zero days" to fix it, so there is nothing to install that stops the attack. The Netlogon flaw discussed here was reported to Microsoft privately and fixed in the August 2020 Windows updates; public details and proof-of-concept code followed in September 2020, and attacks against unpatched domain controllers were reported soon after. Strictly speaking, then, it was not a zero-day, but for any organization that had not applied the August 2020 update it behaved like one.
The vulnerability is tracked as CVE-2020-1472 (Zerologon). An attacker with network access to a domain controller abuses the Netlogon secure channel to authenticate as the domain controller's own computer account without knowing its password, and from there can run code or a payload against the machine.
To mitigate this risk, the August 2020 (or any later cumulative) Windows update has to be installed on every domain controller so that the vulnerability is no longer available to an attacker. If you still have domain controllers that have never been updated since installation, then even though the flaw was addressed in August 2020, those systems remain vulnerable in 2021. The August update was only the initial deployment phase; Microsoft scheduled the enforcement phase, in which domain controllers reject insecure Netlogon connections, for February 2021, and it can be switched on earlier with the FullSecureChannelProtection registry value under the Netlogon service parameters. Having tested the public exploit in a lab, here is a high-level overview: it first checks whether the target is unpatched and then resets the domain controller's computer account password to an empty value. The stored secret no longer matches anything else in the domain, which breaks Active Directory replication and applications such as Exchange that rely on it.
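The core of CVE-2020-1472 is a cryptographic mistake: Netlogon's credential computation encrypts the 8-byte client challenge with AES in CFB8 mode using an all-zero IV. Because the client chooses the challenge, an all-zero challenge produces an all-zero credential for roughly one session key in 256, and every authentication attempt uses a fresh session key, so an attacker who simply keeps sending zeros is accepted as the domain controller's machine account within a few hundred tries without knowing its password. The Python below is an added example, not the public exploit and not Microsoft's code: it implements CFB8 over a toy SHA-256-based block function that stands in for AES (an assumption; the property holds identically for real AES), reproduces the one-in-256 forgery rate, and simulates the retry loop with a constructed DC secret and a SHA-256 stand-in for the real session-key derivation.

```python
import hashlib

BLOCK = 16  # AES block size in bytes


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES-128 block function.

    ASSUMPTION: a SHA-256 keyed PRF truncated to 16 bytes behaves like an ideal
    block cipher for this demonstration. Swap in a single-block AES-ECB call to
    reproduce the result with the real primitive.
    """
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key, iv, plaintext, block_encrypt=toy_block_encrypt):
    """CFB8 mode: keystream byte = first byte of E(shift register);
    each ciphertext byte is then shifted into the register from the right."""
    assert len(iv) == BLOCK
    reg = bytes(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, reg)[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def compute_credential(session_key, challenge):
    """Netlogon-style credential: CFB8 over the 8-byte challenge with an
    all-zero IV. The fixed zero IV is the flaw."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def zero_challenge_forgery_rate(num_keys):
    """Count, over num_keys session keys, how many map an all-zero ClientChallenge
    to an all-zero credential, and how many have a zero first keystream byte.

    The counts are identical: once the first byte is zero the register never
    changes, so every later byte is zero too (about 1 key in 256).
    """
    all_zero = first_byte_zero = 0
    for k in range(num_keys):
        key = k.to_bytes(BLOCK, "big")
        if toy_block_encrypt(key, bytes(BLOCK))[0] == 0:
            first_byte_zero += 1
        if compute_credential(key, bytes(8)) == bytes(8):
            all_zero += 1
    return all_zero, first_byte_zero


def simulate_attack(dc_secret, max_attempts=10000):
    """Attacker sends ClientChallenge = 0^8 and ClientCredential = 0^8 each attempt.

    The DC derives a fresh session key from its secret plus a new ServerChallenge
    (ASSUMPTION: SHA-256 stands in for the real key derivation), so each attempt
    is an independent 1/256 trial. Returns the attempt number that authenticated,
    or None if max_attempts is exhausted.
    """
    for attempt in range(1, max_attempts + 1):
        server_challenge = attempt.to_bytes(8, "big")
        session_key = hashlib.sha256(dc_secret + bytes(8) + server_challenge).digest()[:BLOCK]
        expected = compute_credential(session_key, bytes(8))
        if expected == bytes(8):   # the forged all-zero credential is accepted
            return attempt
    return None


if __name__ == "__main__":
    zero_cred, zero_first = zero_challenge_forgery_rate(4096)
    print(f"keys yielding all-zero credential: {zero_cred} of 4096 (first byte zero: {zero_first})")
    print("attempts until forged logon accepted:", simulate_attack(b"constructed-dc-secret"))
```

A patched domain controller closes this by requiring the secure RPC channel that the attacker cannot complete without the real key; the cipher itself is unchanged, so the forgery rate shown above is still the reason every unpatched DC is a one-command takeover.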
What’s new in 2021
An MSP's plan for 2021 has to protect what is now remote. People are working from home, and companies need to ensure that they are not only compliant but secure. Many people now access Microsoft 365 accounts from home devices and share information from them, which obviously increases the risk of attack on companies and individuals, and this should be the primary focus. How do we protect remote workers from a billion-dollar industry that steals from people and companies daily?
That said, as the COVID-19 vaccine is rolled out globally, remote work may decrease, though I expect it will remain popular for a long time.
In addition, the MSP needs to consider these trends when building a plan to protect M365 accounts in 2021:
More Microsoft Teams features
Larger-scale ransomware attacks
Bitcoin rising and gaining momentum
Companies making more use of artificial intelligence
Faster connectivity, 5G and more