CIS Logo
tagline: Confidence in the Connected World

MS-ISAC Mid-Year Review

By: Ben Spear, Senior Cyber Intelligence Analyst

In order to provide greater insight into the state, local, tribal, and territorial (SLTT) cybersecurity landscape we’re sharing some of the insights MS-ISAC gained from the first six months of 2016.

Monitoring Analysis

In the first six months of 2016, MS-ISAC monitored devices generated in excess of 2.76 trillion records for analysis, which resulted in over 20,000 actionable alerts to members. A large portion of these alerts were related to malware infections, with the top culprits being ransomware and click fraud malware associated with the Angler Exploit Kit (EK). As depicted in the chart below, June’s average weekly number of notifications fell to nearly half the activity observed at the start of the year and one-third of the peak activity observed in late March. The blue dashed line shows the overall downward trend in actionable malicious activity.

Angler EK had a significant impact on SLTTs as it distributed malware such as Cryptowall, Bedep, Teslacrypt, and Kovter, accounting for nearly one quarter of all actionable events in the first six months of 2016. The chart above highlights the impact of the publicly-reported Angler EK malvertising campaigns in late January and late March, as well as Angler’s demise, which open source reporting loosely linked to the May arrest of 50 individuals associated with the Lurk malware. The strength of Angler came from its reliance on new Adobe Flash exploits, as well as its use of malvertising which does not require user interaction. In the first quarter of 2016, Angler’s malvertising campaigns compromised several major websites, including Yahoo!, The New York Times, and The Washington Post, significantly increasing the number of potential victims.

MS-ISAC also observed significant growth in ransomware, highlighted in a blog post blog post in June. While this activity declined at the end of the period due to the abandonment and release of decryption keys for Teslacrypt and a reduced number of Cryptowall infections, MS-ISAC observed a growing diversification of ransomware variants, such as Cerber, Locky, and CryptXXX.

Compromised Credential Notifications

From January to June 2016, MS-ISAC notified on an increasing number of open source data dumps containing potentially compromised credential notifications (see chart below). These credentials are not typically stolen from SLTT governments, but represent the vulnerability introduced by employees using enterprise accounts to sign up for external services. While security best practice dictates that end users use a different password for each account, it is an accepted fact that many probably do not. These notifications allow MS-ISAC members to reset user accounts in their control to prevent a potential compromise of their networks by malicious actors testing the compromised credentials against systems which may use the same password. For more information on creating strong, unique passwords see our March 2016 newsletter.

 Vulnerability Management Program

MS-ISAC’s Vulnerability Management Program (VMP) continues to be a success, identifying high severity vulnerabilities in SLTT servers and content management systems for which a patch is available. Of the nearly 25,000 domains MS-ISAC profiles on a weekly basis, we have seen an overall improvement in patched systems. In January, nearly 14% of scanned domains were potentially vulnerable, while in June only 3% of scanned domains were potentially vulnerable. These numbers are subject to large swings based on the release of new patches immediately prior to the test and the rate of individual members’ patch management cycles, however the proportion of patched systems has clearly improved over the first six months of 2016.

Website Defacement Activity

Website defacements in the first six months of 2016 are at the lowest level in this period since 2012. This reduced activity began in July 2015 and has continued through this year. MS-ISAC has yet to identify the cause of this significant decline in activity, as several of the most prominent actors continue to engage in defacement activity more broadly. Part of the reduction in defacements comes from actors who only deface a single SLTT government, potentially signaling that due to the primarily opportunistic nature of web defacements, SLTTs just haven’t been on the bad end of a dice roll as much recently. Regardless of the reason for the decline, as depicted in the chart below, universities remain the SLTT entities most likely to experience a web defacement. This is likely due to the distributed hierarchy among various departments, allowing the development of individual websites not subject to uniform security practices, leading to a multitude of websites that do not get patched and quickly become out-of-date and vulnerable.


The first half of 2016 proved interesting for MS-ISAC and our SLTT government members as we approached record highs in monitoring alerts early on, but ended the period near record lows. As has been the case with several open source reports, ransomware and click fraud were among the most common malware observed. In terms of notifications based on open source reporting, compromised credentials grew, while defacements remained at the low levels first observed in July 2015. Results from the MS-ISAC VMP highlight that patching among our members is improving following the implementation of this new program in mid-2015. Looking forward, MS-ISAC does not foresee the current downturn in malicious activity continuing long-term, but we expect it will take some time before malicious cyber actors fully regroup and begin generating the same level of activity following the loss of the large and effective Angler infrastructure.