It may be quite a while before we fully understand the impact the pandemic years have had on the global information security (InfoSec) landscape. More has happened in this time than many security professionals saw in their entire careers before 2020. The fact is that the challenges we’re facing are bigger than ever.
The “Great Resignation” as well as plain-old burnout may make the task seem more daunting just as the security world needs to attract and retain top talent. Those who haven’t already succumbed are overwhelmed by more alerts than ever. They’re spending too much time on repetitive, manual tasks, which can’t possibly be helping their morale. What’s more, they lack insights into the data they need to understand the greatest threats to your security.
But there is hope. Most security operations platforms have failed to fundamentally address security as a data problem. That is actually where the opportunity lies for security professionals.
The ability to field a resilient cybersecurity response is directly related to the quantity and quality of data collected, analyzed, and implemented in the battle to reduce business risk.
Realizing that the future is uncertain, organizations are investing with resilience in mind, to withstand the latest threats to the business and spring back stronger. In this context, resilience means flexible. Fast. Prepared. Proactive. Resilient organizations have a strong data and technology foundation, allowing them to engage rapidly with whatever comes their way.
Resilient security teams deliver cybersecurity solutions to protect every aspect of the business, unlock innovation and empower the organization.
Resilient teams address challenges with data at the center of everything they do. And it shows in the results. Data-centric security operations can reduce the risk of data breach, IP theft and fraud by as much as 70%.
List of Top 50 Cybersecurity Threats
This is where it helps to know what threats to look out for and where this book can help. Based on the research of the Splunk Threat Research Team, we present 50 of the biggest cybersecurity threats plus a few more to help security professionals make us all feel more secure.
What is Account Takeover?
Account takeover is considered one of the more harmful ways to access a user’s account. The attacker typically poses as a genuine customer, user or employee, eventually gaining entry to the accounts of the individual they’re impersonating. Scarier yet, user credentials can be sourced from the deep web and matched against e-commerce sites with the help of bots and other automated tools for quick and easy entry.
FitBit even fell victim to this type of attack when hackers exposed log-in details to customers’ FitBit accounts, changing the email they registered with and then called up customer support with a complaint about the device so that they could get a replacement under their warranty.
What you need to know:
Rather than stealing the card or credentials outright, account takeover is more surreptitious, allowing the attacker to get as much use out of the stolen card as possible before being flagged for suspicious activity. Banks, major marketplaces and financial services like PayPal are common targets, and any website that requires a login is susceptible to this attack.
How the attack happens:
Some of the most common methods include proxy-based “checker” one-click apps, brute force botnet attacks, phishing and malware. Other methods include dumpster diving to find personal information in discarded mail, and outright buying lists of “Fullz,” a slang term for full packages of identifying information sold on the black market. Once the profile of the victim is purchased or built, an identity thief can use the information to defeat a knowledge-based authentication system.
Where the attack comes from:
An enormous volume of our transactions financial and otherwise take place online. For cybercriminals, acquiring account credentials and personal information (like social security numbers, home addresses, phone numbers, credit card numbers and other financial information) is a lucrative business, whether they choose to sell the acquired information or use it for their own gain. As such, these kinds of attacks can originate anywhere in the world.
What is Advanced Persistent Threat?
In one of the most notable data breaches in U.S. history, the attack on the U.S. Office of Personnel Management (OPM). security experts found that state-sponsored attackers used an advanced persistent threat sponsored by the Chinese government.
The attack on OPM compromised over 4 million records, including information on current, former and prospective federal government employees, as well as their family members, foreign contacts and even psychological information.
What you need to know:
An advanced persistent threat (APT) is a highly advanced, covert threat on a computer system or network where an unauthorized user manages to break in, avoid detection and obtain information for business or political motives. Typically carried out by criminals or nation-states, the main objective is financial gain or political espionage. While APTs continue to be associated with nation- state actors who want to steal government or industry secrets, cyber criminals with no particular affiliation also use APTs to steal data or intellectual property.
How the attack happens:
An APT usually consists of highly advanced tactics, including a fair amount of intelligence- gathering, to less sophisticated methods to get a foothold in the system (e.g., malware and spear phishing). Various methodologies are used to compromise the target and to maintain access.
The most common plan of attack is to escalate from a single computer to an entire network by reading an authentication database, learning which accounts have the appropriate permissions and then leveraging them to compromise assets. APT hackers will also install backdoor programs (like Trojans) on compromised computers within the exploited environment. They do this to make sure they can gain re-entry, even if the credentials are changed later.
Where the attack comes from:
Most APT groups are affiliated with, or are agents of, governments of sovereign states. An APT could also be a professional hacker working full-time for the above. These state- sponsored hacking organizations usually have the resources and ability to closely research their target and determine the best point of entry.
What Is Amazon Web Services (AWS) Attacks?
The number of creative attacks on virtual environments has exploded with the rise of cloud computing. And as one of the largest cloud-service providers, Amazon Web Services has certainly had its share of threats.
There are several vulnerabilities that threaten the security of cloud providers. One digital marketing company, for example, didn’t password protect its Amazon S3 bucket when it went out of business. The lapse exposed the data of 306,000 people.
The full leak exposed 50,000 files, totaling 32GB of full names, locations, email addresses, phone numbers and hashed out passwords, from clients such as Patrón Tequila.
What you need to know:
Amazon’s “shared responsibility” model says AWS is responsible for the environment outside of the virtual machine but the customer is responsible for the security inside of the S3 container.
This means threats that take advantage of vulnerabilities created by misconfigurations and deployment errors have become a bigger problem as companies have adopted cloud technologies rapidly and the organization using AWS is responsible for securing their environment. The problem is there are more threats that AWS customers have to worry about.
How the attack happens:
An attack on an AWS instance can happen in a number of ways. The accelerated shift to the cloud brought on by the global COVID-19 pandemic increased the number of threats for cloud providers.
It’s important to stay vigilant for activities that may be as simple as suspicious behavior inside of an AWS environment. Other activities to look out for are S3 access from unfamiliar locations and by unfamiliar users.
It’s also important to monitor and control who has access to an organization’s AWS infrastructure. Detecting suspicious logins to AWS infrastructure provides a good starting point for investigations. Actions, such as abusive behaviors caused by compromised credentials, can lead to direct monetary costs because users are billed for any EC2 instances created by the attacker.
Where the attack comes from:
Because of the diversity of services being hosted on AWS and the new types of cloud threats being spun up daily, these attacks can virtually come from anywhere and anyone.
What is Application Access Token?
Pawn Storm, an active and aggressive espionage group, uses different strategies to gain information from their targets. One method in particular was to abuse Open Authentication (OAuth) in advanced social engineering schemes, targeting high profile users of free webmail.
The group also set up aggressive credential phishing attacks against the Democratic National Convention (DNC), the Christian Democratic Union of Germany (CDU), the parliament and government of Turkey, the parliament of Montenegro, the World Anti-Doping Agency (WADA), Al Jazeera and many other organizations.
They continue to use several malicious applications that abuse OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.
What you need to know:
With an OAuth access token, a hacker can use the user-granted REST API to perform functions such as email searching and contact enumeration. With a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a “refresh” token enabling background access is awarded.
How the attack happens:
Attackers may use application access tokens to bypass the typical authentication process and access restricted accounts, information or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.
Where the attack comes from:
Compromised access tokens may be used as an initial step to compromising other services. For example, if a token grants access to a victim’s primary email, the attacker may be able to extend access to all other services that the target subscribes to by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to countermeasures like changing passwords.
What is Bill Fraud?
Zelle is a financial service that allows customers to easily send money to friends and family. Yet the very same features that make Zelle so quick and efficient for transferring funds are also being exploited by cyberthieves for monetary gain.
Hackers and scammers use the system to pilfer funds away from consumers in payment fraud schemes, sometimes wiping out entire bank accounts.
What you need to know:
Bill fraud or payment fraud is any type of bogus or illegal transaction where the cybercriminal will divert funds away from consumers. And these schemes work according to recent data from the FTC, consumers reported they have lost over $1 billion in fraud complaints from January 2021 through March 2022.
How the attack happens:
This attack tricks a large number of users into repeatedly paying small or reasonable amounts of money so they don’t notice the scam. In this ploy, attackers send fraudulent but authentic- looking bills instructing customers to transfer funds from their accounts.
Knowing that most customers regularly use fee-based digital services, the attackers rely on the fact that their targets may mistakenly assume the fraudulent bill is for a service they actually use. Consumers will then initiate a funds transfer or credit card payment to pay for the phony “bill.”
Where the attack comes from:
Bill fraud organizations originate all over the world, including the U.S. It’s typically sourced to attackers with the resources, bandwidth and technology to create fraudulent bills that look real. Like phishing, bill fraud generally targets a broad, random population of individuals.
What is Brute Force Attack?
In a now-infamous brute force attack, over 90,000 PlayStation and Sony Online Entertainment accounts were compromised in 2011. Hackers attempted countless username and password combinations from an unidentified third party, eventually ransacking members’ accounts for personal information.
The now-discontinued Club Nintendo also fell victim to the same type of attack in 2013, when hackers executed a coordinated attack on over 15 million members, eventually breaking into over 25,000 forum members’ accounts. All compromised accounts were suspended until access had been restored to the rightful owners but the damage to brand reputation had already been done.
What you need to know:
A brute force attack aims to take personal information, specifically usernames and passwords, by using a trial-and-error approach. This is one of the simplest ways to gain access to an application, server or password- protected account, since the attacker is simply trying combinations of usernames and passwords until they eventually get in (if they ever do; a six-character password has billions of potential combinations).
How the attack happens:
The most basic brute force attack is a dictionary attack, where the attacker systematically works through a dictionary or wordlist trying each and every entry until they get a hit. They’ll even augment words with symbols and numerals, or use special dictionaries with leaked and/or commonly used passwords. And if time or patience isn’t on their side, automated tools for operating dictionary attacks can make this task much faster and less cumbersome.
Where the attack comes from:
Thanks to the ease and simplicity of a brute force attack, hackers and cyber criminals with little-to-no technical experience can try to gain access to someone’s account. The people behind these campaigns either have enough time or computational power on their side to make it happen.
What is Business Invoice Fraud?
Even the largest technology firms aren’t immune to invoice fraud. According to an investigation by Fortune Magazine, both Facebook and Google unwittingly fell victim to a massive business invoice fraud scheme. The fraudster, a Lithuanian man known as Evaldas Rimasauskas, created invoices impersonating a large Asian-based manufacturer that frequently did business with the two companies to trick them into paying for bogus computer supplies. Over two years, the fraudster duped the two tech giants into spending tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had allegedly stolen more than $100 million.
What you need to know:
Business invoice fraud attempts to trick victims into paying out on a fraudulent (but convincing) bill addressed to your organization. In reality, the funds go to imposters mimicking suppliers.
These hackers will often bill a reasonable amount so they don’t draw suspicion. But executing these scams hundreds or thousands of times quickly adds up.
How the attack happens:
In this attack, victims are sent fake invoices attempting to steal money in the hopes that marks aren’t paying attention to their accounts payable processes. Hackers will pick targets based on the size of their business, location and the suppliers used and create phony invoices that appear legitimate. With the hopes that the victim’s accounts payable department is backlogged, they send false invoices with high demands like “90 days past due, pay now!”
Where the attack comes from:
While there are numerous individual scammers pulling off business invoice fraud, many are sourced to fraud rings that have the organization and the resources to research their victim’s banking institution and create a billing experience that feels real. Fraud rings conducting invoice scams can be found all over the world.
What Is Cloud Access Management?
Moving to the cloud has countless advantages, from fostering collaboration to allowing employees to work from almost anywhere in the world. The importance of this flexibility was on display when the global COVID-19 pandemic hit. But switching to a cloud-based service can carry a fair amount of risk oftentimes due to human error.
Wyze Labs, a company that specializes in low-cost smart home products, experienced this first hand. An almost-prolific breach occurred at the startup when an employee built a database for user analytics, only to accidentally remove the necessary security protocols. As a result, a database-worth of customers’ personal information was exposed.
What you need to know:
Managing permissions for your organization has become increasingly important in order to avoid a cloud-based breach. Lax or nonexistent security and in this case, incorrectly configured security controls can easily jeopardize the security of your data, exposing your organization to an unnecessary amount of risk, including significant damage to brand reputation.
How the attack happens:
This attack usually happens because of poor communication, lack of protocol, insecure default configuration and poor documentation. Once the attacker exploits the vulnerability and gains a foothold in your cloud environment, they can leverage privileges to access other remote entry points, looking for insecure applications and databases, or weak network controls. They can then exfiltrate data while remaining undetected.
Where the attack comes from:
Mismanagement and misconfiguration of a cloud environment isn’t considered a malicious act in and of itself, and as mentioned, typically occurs due to human error.
What is Cloud Cryptomining?
Cloud cryptomining doesn’t need gas to go. Look no further than Tesla for evidence. The electric carmaker fell victim to a cloud cryptomining attack when hackers took advantage of an insecure Kubernetes console, stealing computer processing power from Tesla’s cloud environment to mine for cryptocurrencies.
What you need to know:
Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed to ensure that the number of blocks mined each day would remain steady. So it’s par for the course that ambitious, yet unscrupulous, miners make amassing the computing power of large enterprises a practice known as cryptojacking a top priority.
How the attack happens:
Cryptomining has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services, Google Cloud Platform (GCP) and Microsoft Azure.
It’s difficult to determine exactly how widespread the practice has become, since hackers continually evolve their ability to evade detection, including employing unlisted endpoints, moderating their CPU usage and hiding the mining pool’s IP address behind a free content delivery network (CDN).
When miners steal a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it’s critical to monitor systems for suspicious activities that could indicate that a network has been infiltrated.
Where the attack comes from:
Because cryptocurrency is a global commodity, the attacks can originate from anywhere.
Instead of focusing on where the attacks come from, it’s key to monitor cloud computing instances for activities related to cryptojacking and cryptomining, such as new cloud instances that originate from previously unseen regions, users who launch an abnormally high number of instances, or compute instances started by previously unseen users.
What Is Command and Control?
The first known take down of a country’s power grid from a cyberattack happened on December 23, 2015. The details of the hack are summarized in detail by Wired. At about 3:30 pm local time, a worker inside the Prykarpattyaoblenergo control center saw his mouse’s cursor move across the screen.
The ghostly cursor floated toward the digital controls of the circuit breakers at a substation, and began taking them offline. Almost 30 substations subsequently went down, and 230,000 residents were forced to spend a cold evening in the dark in Western Ukraine, with a blistering low of 30 degrees Fahrenheit.
What you need to know:
A command and control attack is when a hacker takes over a computer in order to send commands or malware to other systems on the network. In some cases, the attacker performs reconnaissance activities, moving laterally across the network to gather sensitive data.
In other attacks, hackers may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These attacks are also often referred to as C2 or C&C attacks.
How the attack happens:
Most hackers get a foothold in a system by phishing emails then installing malware.
This establishes a command and control channel that’s used to proxy data between the compromised endpoint and the attacker. These channels relay commands to the compromised endpoint and the output of those commands back to the attacker.
Where the attack comes from:
There have been prominent command and control attacks originating from Russia, Iran and even the U.S. These attackers can come from anywhere and everywhere but they don’t want you to know that.
Since communication is critical, hackers use techniques designed to hide the true nature of their correspondence. They’ll often try to log their activities for as long as possible without being detected, relying on a variety of techniques to communicate over these channels while maintaining a low profile.
What is Compromised Credentials?
In 2020, Marriott International suffered a massive data breach as a result of a compromised credentials attack.
This breach compromised the accounts of 5.2 million Marriott customers, exposing their contact information, gender, date of birth and loyalty account information. The attacker used the login credentials of two Marriott employees, presumably obtained through a mix of phishing and credential stuffing, to collect Marriott customers’ information for an entire month before raising suspicion.
What you need to know:
Most people still use single-factor authentication to identify themselves (a pretty big no-no in the cybersecurity space). And while stricter password requirements are starting to be enforced (like character length, a combination of symbols and numbers, and renewal intervals), end users still repeat credentials across accounts, platforms and applications, failing to update them periodically.
This type of approach makes it easier for adversaries to access a user’s account, and a number of today’s breaches are thanks to these credential harvesting campaigns.
How the attack happens:
A password, key or other identifier that’s been discovered can be used by a threat actor to gain unauthorized access to information and resources, and can range from a single account to an entire database.
By leveraging a trusted account within a targeted organization, a threat actor can operate undetected and exfiltrate sensitive data sets without raising any red flags.
Common methods for harvesting credentials include the use of password sniffers, phishing campaigns or malware attacks.
Where the attack comes from:
Compromised credentials represent a huge attack vector, giving threat actors a way into computing devices, password-protected accounts and an organization’s network infrastructure with relative ease. These perpetrators are often organized, with their sights set on a specific organization or person. And they’re not always outside of the organization they could very well be an insider threat who has some level of legitimate access to the company’s systems and data.
What Is Credential Dumping?
Disney+ signed up 10 million users and its stock hit a record high shortly after the launch of the streaming service. But that shine quickly faded when many of those eager subscribers began complaining about being locked out of their accounts.
Within days of the launch, Disney+ credentials were up for grabs for as little as three dollars.
Disney said the site wasn’t actually breached allegedly, users who found their credentials online likely fell victim to a common (but notoriously bad) practice: using the same password across multiple sites that were later hit by a credential dumping attack.
What you need to know:
Credential dumping simply refers to an attack that relies on gathering credentials from a targeted system. Even though the credentials may not be in plain text they’re often hashed or encrypted an attacker can still extract the data and crack it offline on their own systems. This is why the attack is referred to as “dumping.”
Often, hackers will try to steal passwords from systems they have already compromised. The problem becomes amplified when users replicate the same password across multiple accounts through multiple systems.
How the attack happens:
Credentials obtained this way usually include those of privileged users, which may provide access to more sensitive information and system operations. Hackers often target a variety of sources to extract the credentials, including accounts like the security accounts manager (SAM), local security authority (LSA), NTDS from domain controllers or the group policy preference (GPP) files.
Once attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest.
Where the attack comes from:
Credential dumping can originate from anywhere. And because we’re all guilty of recycling passwords, that information can be sold for future attacks.
What iIs Credential Reuse Attack?
One of the more notable credential reuse attacks is the 2019 Dunkin’ Donuts breach which, unluckily for the East Coast chain, happened to be their second hack in two months. This time around, the threat actors went so far as to sell thousands of accounts on the dark web.
This included users’ credentials including their usernames and passwords to the highest bidder, who could then try them across other consumer websites until they got a hit.
What you need to know:
Credential reuse is a pervasive issue across any company or userbase. Nowadays, most users have tens (if not hundreds) of accounts, and are tasked with remembering countless passwords that meet all sorts of stringent requirements. As a result, they’ll resort to reusing the same password over and over again, in the hopes of better managing and remembering their credentials across accounts. Unsurprisingly, this can cause major security issues when said credentials are compromised.
How the attack happens:
In theory, the attack itself is simple, straightforward and surprisingly stealthy (if two-factor authentication isn’t activated). Once a user’s credentials are stolen, the culprit can try the same username and password on other consumer or banking websites until they get a match hence the “reuse” in “credential reuse attack.”
However, gaining entry in the first place is a little more complicated. To get privileged information, attackers usually kick things off with a phishing attempt, using emails and websites that look close-to-legitimate to dupe the user into handing over their credentials.
Where the attack comes from:
This could be a targeted attack, where the person knows the victim and wants access to their accounts for personal, professional or financial reasons. The attack could also originate from a complete stranger who bought the user’s personal information on the cybercrime underground.
What Is Credential Stuffing?
Fort Lauderdale-based Citrix Systems found itself neck deep investigating a major network breach in 2019 that had occurred the previous year, resulting in stolen business documents by hackers. The FBI believed the breach was sourced for “password spraying,” otherwise known as credential stuffing an attempt by hackers to remotely access a large number of accounts at once. According to a form 10-K filing to the U.S. Securities and Exchange Commission, Citrix believed the hackers tried to infiltrate company systems to access content collaboration customer accounts.
What you need to know:
With credential stuffing, cybercriminals will use stolen account credentials often usernames and passwords procured from a data breach to access additional accounts by automating thousands or millions of login requests directed against a web application. They want to access sensitive accounts the easy way by simply logging in. It works because they rely on people reusing the same usernames and passwords across multiple services. If they’re successful, one credential can unlock accounts that house financial and proprietary information, giving them the keys to almost everything.
How the attack happens:
Hackers only need access to login credentials, an automated tool and proxies to carry out a credential stuffing attack. Attackers will take a cache of usernames and passwords, gleaned from massive corporate breaches, and by using automated tools, essentially “stuff” those credentials into the logins of other sites.
Where the attack comes from:
Proxies mask the location of credential stuffing attackers, making it challenging to detect their location. But they can be found all over the world, especially in organized cybercrime hotspots. Often, attackers will be individual and organized hackers with access to dedicated account-checking tools and numerous proxies that prevent their IP addresses from being blocked.
Less-sophisticated perpetrators may end up giving themselves away by attempting to infiltrate a large number of accounts via bots, which results in an unexpected denial-of-service-attack (DDoS) scenario
What Is Cross-Site Scripting?
In January of 2019, an XSS vulnerability was discovered in the Steam Chat client operated by Valve, a computer gaming company with more than 90 million active users, any number of whom could have been attacked until the bug was disclosed.
Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. It’s conceptually like an SQL injection where malicious code is entered into a form to gain access to the site’s database except that in the case of XSS, the malicious code is designed to execute within the browser of another visitor to the site, allowing the attacker to steal user cookies, read session IDs, alter the contents of a website or redirect a user to a malicious site.
What you need to know:
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are widespread and occur anywhere a web application generates input from a user without validating or encoding it.
The end user’s browser has no way to know that the script should not be trusted, automatically executing on the script. Because it thinks the script came from a trusted source, it can access cookies, session tokens or other sensitive information retained by the browser. These scripts can even rewrite the content of the HTML page.
How the attack happens:
There are two types of XSS attacks: stored and reflected. Stored XSS attacks occur when an injected script is stored on the server in a fixed location, like a forum post or comment. Every user that lands on the infected page will be affected by the XSS attack. In reflected XSS, the injected script is served to a user as a response to a request, like a search results page.
Where the attack comes from:
While XSS attacks are not as common as they once were due primarily to improvements in browsers and security technology they’re still prevalent enough to rank within the top ten threats listed by the Open Web Application Security Project, and the Common Vulnerabilities and Exposures database lists nearly 14,000 vulnerabilities associated with XSS attacks.
What Is Cryptojacking Attack?
Cyber hackers compromised numerous Australian government websites with malware that forced visitors’ computers to secretly mine cryptocurrency without their permission. The cryptojacking attack was initiated when hackers exploited a vulnerability in a popular browser plugin as part of a larger global security breach. The attack affected the official website of the Victorian parliament, the Queensland Civil and Administrative Tribunal, and the Queensland Community Legal Centre homepage, among others, as well as the UK’s National Health Service and the UK’s own data protection watchdog site.
What you need to know:
Cryptojacking is an attack where a hacker targets and hijacks computer systems with malware that hides on a device and then exploits its processing power to mine for cryptocurrency such as Bitcoin or Ethereum all at the victim’s expense.
The hacker’s mission is to create valuable cryptocurrency with someone else’s computing resources.
How the attack happens:
One common way cryptojacking attacks happen is by sending a malicious link in a phishing email, enticing users to download cryptomining code directly onto their computer. Another way is by embedding a piece of JavaScript code into a webpage that the user visits known as a drive-by attack. Upon visiting the page, malicious code intended to mine cryptocurrency will automatically download on the machine. The cryptomining code then works silently in the background without the user’s knowledge and a slower than usual computer might be the only indication that something is wrong.
Where the attack comes from:
These attacks come from all over the world because cryptojacking doesn’t require significant technical skills. Cryptojacking kits are available on the deep web for as little as $30. It’s a low bar of entry for hackers that want to make a quick buck for relatively little risk. In one attack, a European bank experienced some unusual traffic patterns on its servers, slower than average night processes, and unexplained online servers all attributed to a rogue staffer who installed a cryptomining system.
What Is Data From Information Repositories?
The threat group APT28 reportedly compromised Hillary Clinton’s campaign, the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) during Clinton’s presidential run against Donald Trump. The group has also targeted Eastern European governments, military and security-related organizations, including the North Atlantic Treaty Organization (NATO).
The group uses a complex set of tools and strategies, surreptitiously accessing information repositories to control and steal data. APT28 has collected information from Microsoft SharePoint services within target networks.
What you need to know:
Information repositories are tools that allow for the storage of information tools like Microsoft SharePoint and Atlassian Confluence. Information repositories typically facilitate collaboration or information sharing between users and they store a wide variety of data that may tempt attackers. Hackers may leverage information repositories to access and mine valuable information.
How the attack happens:
Information repositories often have a large user base, and detecting breaches can be difficult. Attackers may collect information from shared storage repositories hosted on cloud infrastructure or in software- as-a-service (SaaS) applications.
Where the attack comes from:
Attackers like APT28 target government agencies, hotel booking websites, telecoms and IT companies. At a minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, enterprise or schema administrators) should be closely monitored and alerted upon, because these types of accounts should not generally be used to access information repositories. Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
What Is DDoS Attack?
To date one of the biggest if not the most significant distributed denial-of-service (DDoS) attacks happened in 2018 against popular online code management system GitHub. GitHub was hit by an onslaught of traffic, which at its peak came in at a rate of 1.3 terabytes per second, sending packets at a rate of 126.9 million per second. The attack wasn’t just massive, it was record-breaking. In this attack, the botmasters flooded memcached servers with spoofed requests, which gave them the ability to amplify their attack by 50,000x. The good news? GitHub wasn’t caught entirely unprepared. Administrators were alerted to the attack and it was shut down within 20 minutes.
What you need to know:
A DDoS attack is an attempt by hackers, hacktivists or cyber spies to take down websites, slow down and crash the target servers and make online service unavailable by flooding them with traffic from multiple sources. As their name suggests, DDoS attacks are widely distributed brute-force attempts to wreak havoc and cause destruction. These attacks often tend to target popular or high-profile sites, such as banks, news and government websites, to thwart or deter target organizations from publishing important information or to weaken them financially.
How the attack happens:
The malicious actors behind DDoS attacks aim to wreak havoc on their targets, sabotage web properties, damage brand reputation and prompt financial losses by preventing users from accessing a website or network resource. DDoS leverages hundreds or thousands of infected “bot” computers located all over the world. Known as botnets, these armies of compromised computers will execute the attack at the same time for full effectiveness.
The hacker or group of hackers that control these infected computers then become botmasters, who infect vulnerable systems with malware, often Trojan viruses. When enough devices are infected, the botmaster gives them the command to attack and the target servers and networks are bombarded with requests for service, which in turn effectively chokes them and shuts them down.
Where the attack comes from:
As their name implies, DDoS attacks are distributed, meaning that the incoming flood of traffic targeting the victim’s network originates from numerous sources. Thus, the hackers behind these attacks can literally be from anywhere in the world. What’s more, their distributed nature makes it impossible to stop these attacks simply by securing or blocking a single source.
What Is Disabling Security Tools?
Sometimes hackers use the very tools meant to protect organizations to gain access to their systems. Microsoft Windows became the world’s desktop operating system of choice when it was first released in 1985. And while its market share has gotten smaller in recent years, it still remains a dominant force compared to its distant runner up, Apple OSX. The mass adoption of Windows, and the fact that it’s easier to fall victim to attacks, such as malware and bots, has made it a favorite playground for hackers.
That’s partly why Microsoft began installing a native anti-spyware and antivirus program, called Windows Defender, with the release of Windows Vista. Unfortunately Microsoft didn’t consider that hackers would attack the very thing supposed to protect Windows users.
Novter, also known as Nodersok or Divergent, was a Trojan attack that took down Windows Defender’s real-time protection features. Once disabled, the Trojan would download additional malware to the system.
What you need to know:
Hackers use a variety of techniques to avoid detection and operate without barriers. This often involves modifying the configuration of security tools, such as firewalls, to get around them or explicitly disabling them to prevent them from running at all.
How the attack happens:
The fingerprints of this attack revolve around hackers trying to disable various security mechanisms. They may attempt to gain access to registry files, where much of the configuration for Windows and various other programs live. The hackers may also attempt to shut down security-related services.
Other times, attackers attempt various tricks to prevent specific programs from running, such as adding certificates that assign security tools to a blacklist, preventing those protection tools from running altogether.
Where the attack comes from:
An attack centered around disabling security tools can originate anywhere because these types of attacks can target an almost endless list of tools. The Nodersok attack, for example, mostly attacked PC users in the U.S. and the U.K. (81%).
What is DNS Amplification?
In February 2022, hackers launched massive, amplified distributed denial-of-service (DDoS) attacks through Mitel, a global business communications company. The attack pummeled financial institutions, broadband ISPs, logistics and gaming companies, and other organizations. Able to sustain DDoS attacks for up to 14 hours, with a record-breaking amplification factor of almost 4.3 billion to one, attacks like this are capable of shutting down voice communications and other services for entire organizations with a single malicious network packet.
What you need to know:
Though DNS amplification, a type of DDoS attack, has been around for a long time, the exploitation techniques keep evolving. The attack is similar to DNS hijacking in the sense that it takes advantage of the internet’s directory by misconfiguring it. But the way the attacks occur are slightly different.
A DNS amplification attack typically involves sending a small amount of information to a vulnerable network service that causes it to reply with a much larger amount of data. By directing that response at a victim, an attacker can put in a relatively low amount of effort while making other people’s machines do all the work of flooding a selected target offline.
How the attack happens:
In a DNS amplification attack, the attacker floods a website with so many fake DNS lookup requests that it eats up the network bandwidth until the site fails. Where DNS hacking might direct traffic to another site, a DNS amplification attack prevents the site from loading.
The difference between the two attacks is further illustrated by the word “amplification.” In this attack, hackers make the DNS requests in a way that requires a more intensive response. For example, a hacker might request more than just the domain name. The attacker might also ask for the entire domain, known as an “ANY record,” which requests the domain along with the subdomain, mail servers, backup servers, aliases and more.
Now imagine several of these “ANY” requests coming in at once. The amplified traffic is enough to take the site offline.
Where the attack comes from:
Similar to a DNS hijacking attack, the relatively primitive nature of the attack means it can originate from anywhere in the world, be it nation-state hackers or a lone wolf.
What Is DNS Hijacking?
On a Thursday morning in 2017, WikiLeaks readers woke up expecting to find the latest state secret released on the whistleblowing website, only to discover a message from a hacker collective called OurMine announcing that they were in control of the domain.
Wikileaks founder Julian Assange quickly took to Twitter to clarify that the takedown was not a traditional hack, but instead a domain name system (DNS) attack.
What you need to know:
DNS is often called the Achilles heel of the internet, or the internet’s phonebook, because it plays a critical role in routing web traffic. The DNS is the protocol used to map domain names to IP addresses. It has been proven to work well for its intended function. But DNS is notoriously vulnerable to attack, attributed in part to its distributed nature. DNS relies on unstructured connections between millions of clients and servers over inherently insecure protocols.
The gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails and login credentials as well.
The U.S. Department of Homeland Security 2019’s Cybersecurity and Infrastructure Security Agency (CISA) raised concerns about high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad.
How the attack happens:
The attack works when hackers exploit the way DNS communicates with an internet browser.
The system acts as a phone book, translating a domain like NYTimes.com into an IP address. The DNS then looks up and finds which global server is hosting that site and then directs traffic to it. The attack happens when a hacker is able to disrupt the DNS lookup and then either push the site offline or
redirect traffic to a site that the hacker controls.
Where the attack comes from:
There is no one singular profile of a DNS hijacker, largely because the attack can occur as easily as a social engineering attack in which someone calls a domain provider and tricks them into changing a DNS entry.
Some of the more prominent DNS hijacking attacks have been attributed to hacking collectives such as OurMine in the Wikileaks case or the Syrian Electronic Army in takedowns of The New York Times and The Washington Post.
What Is DNS Tunneling?
A hacker group known as OilRig has made regular attacks on various governments and businesses in the Middle East using a variety of tools and methods over the past several years.
An essential element of its efforts to disrupt daily operations and exfiltrate data is maintaining a connection between its command-and-control server and the system it’s attacking using DNS tunneling.
What you need to know:
The traffic passing through DNS often goes unmonitored, since it’s not designed for data transfer, leaving it vulnerable to several kinds of attacks, including DNS tunneling, which happens when an attacker encodes malicious data into a DNS query: a complex string of characters at the front of a URL.
There are valid uses for DNS tunneling anti-virus software providers use it to send updated malware profiles to customers in the background, for example. Because of the possibility of legitimate use, it’s important for organizations to monitor their DNS traffic thoroughly, allowing only trustworthy traffic to continue flowing through the network.
How the attack happens:
With DNS tunneling, an attacker can bypass security systems (tunneling under or around them, so to speak) by redirecting traffic to their own server, setting up a connection to an organization’s network. Once that connection is active, command and control, data exfiltration and a number of other attacks are possible.
Where the attack comes from:
While there are DNS tunneling tools readily available for download, attackers wishing to do more than bypass a hotel or airline’s paywall for internet access require more sophisticated knowledge. In addition, because DNS was designed only to resolve web addresses,
it’s a very slow system for data transfer.
What Is DoS Attack?
Almost two decades ago, a 16-year-old hacker known as Mafiaboy launched one of the most famous denial-of-service (DoS) attacks that took several major sites offline, including CNN, eBay, Amazon and Yahoo. According to reports, Mafiaboy broke into dozens of networks to install malware designed to flood targets with attack traffic. Because many sites were underprepared for such an assault, the attack lasted about a week as the targeted organizations struggled to figure out what happened and how to get back online. Mafiaboy was eventually arrested and sentenced to juvenile detention.
Twenty years later, DoS attacks (many of which are DDoS) continue to be on the rise and are some of the most common attacks faced by organizations, targeting around a third of all businesses.
What you need to know:
A DoS attack is where cyberattackers make a machine or network inaccessible for its intended users. DoS attacks can be executed by either flooding networks with traffic or by sending information that triggers a system slowdown or complete crash. As with DDoS attacks, DoS attacks tend to focus on high- profile organizations or ones with popular, public-facing websites such as banking, ecommerce, media or government institutions.
DoS attacks deprive legitimate users of the service they want to access and cause extensive damage to the victim, due to security and cleanup costs, loss of reputation, loss of revenue and customer attrition.
How the attack happens:
DoS attacks occur in one of two ways: by flooding or crashing a targeted network. In flood attacks, cybercriminals bombard victim computers with more traffic than they can handle, causing them to slow or shut down altogether. Various flood attacks include buffer overflow attacks, ICMP flood and SYN flood attacks.
Other DoS attacks exploit vulnerabilities that prompt the target system to crash. In these attacks, bad actors exploit system vulnerabilities with malware that subsequently triggers a crash or severely disrupts the system.
Where the attack comes from:
DoS attacks can originate from anywhere in the world. Attackers can easily mask their whereabouts so they can overwhelm victim computers, execute malware or conduct other nefarious deeds with the peace of mind that they won’t be detected.
What Is Drive-by Download Attack?
In January 2020, visitors to the legendary zine and blog site Boing Boing saw a fake Google Play Protect overlay prompting them to download what was actually a malicious APK that installed a banking Trojan on Android devices. For Windows users, it appeared as a (fake) Adobe Flash installation page that distributed other malicious programs. Boing Boing’s content management system had been hacked. Even if the visitor didn’t take the bait, the drive-by downloads were automatically initiated by JavaScript embedded into the page. While Boing Boing was able to detect the attack and remove the script relatively quickly, given the site’s five million unique users former President Barack Obama among them the impact could have been disastrous.
What you need to know:
A drive-by download refers to the unintentional download of malicious code onto a computer or mobile device that exposes users to different types of threats. Cybercriminals use drive-by downloads to steal and collect personal information, inject banking Trojans or introduce exploit kits or other malware to user devices. To be protected against drive-by downloads, regularly update or patch systems with the latest versions of apps, software, browsers and operating systems. It’s also recommended to stay away from insecure or potentially malicious websites.
How the attack happens:
What makes drive-by downloads different is that users do not need to click on anything to initiate the download. Simply accessing or browsing a website can activate the download. The malicious code is designed to download malicious files onto the victim’s device without the user’s knowledge. A drive-by download abuses insecure, vulnerable or outdated apps, browsers or even operating systems.
Where the attack comes from:
The rise of prepackaged drive-by download kits allows hackers of any skill level to launch these kinds of attacks. In fact, these kits can be purchased and deployed without the hacker writing their own code or establishing their own infrastructure for data exfiltration or other abuses. The ease with which these attacks can be executed means that they can come from virtually anywhere.
What Is Insider Threat?
Revenge. It’s a tale as old as time. In 2022, an IT specialist was charged for allegedly hacking the server of a Chicago healthcare organization. He’d had access to the server because he’d been a contractor, and he had motive. He’d been denied a job at the organization, and a few months later, he was fired by the contracting IT firm. This act of individual retaliation resulted in a cyberattack that dramatically disrupted medical examinations, treatments and diagnoses for many patients.
What you need to know:
An insider threat attack is a malicious assault carried out by insiders with authorized access to an organization’s computer system, network and resources. In this assault, attackers often aim to steal classified, proprietary or otherwise sensitive information and assets, either for personal gain or to provide information to competitors. They might also try to sabotage your organization with system disruptions that mean loss of productivity, profitability and reputation.
How the attack happens:
Malicious insiders have a distinct advantage in that they already have authorized access to an organization’s network, information and assets. They may have accounts that give them access to critical systems or data, making it easy for them to locate it, circumvent security controls and send it outside of the organization.
Where the attack comes from:
Inside attackers can be employees in the organization with bad intentions or cyberspies impersonating contractors, third parties or remote workers. They may work autonomously, or as part of nation states, crime rings or competing organizations. While they might also be remote third-party suppliers or contractors located all over the world, they usually have some level of legitimate access to the organization’s systems and data.
What Is IoT Threats?
After a data leak exposed the personal information of over 3,000 users of Ring, a home security provider owned by Amazon, hackers took advantage of the leak and hijacked video doorbells and smart cameras in people’s homes. In a 2020 class action lawsuit, dozens of people say they were subjected to harassment, threats and blackmail through their Ring devices. Researchers say these documented attacks are just the tip of the iceberg, since Ring sold more than 1.4 million video doorbells in 2020 alone. Ring has since introduced end-to-end video encryption to help protect against future hacks, but with the increasing ubiquity of IoT devices, this won’t be the last of these kinds of attacks.
What you need to know:
There are an estimated 13.1 billion connected IoT devices globally a number that is projected to increase to 30 billion by 2030. These devices often lack security infrastructure, creating glaring vulnerabilities in the network that exponentially grow the attack surface and leave it susceptible to malware. Attacks delivered over IoT devices can include DDoS, ransomware and social engineering threats.
How the attack happens:
Hackers and malicious nation states can exploit vulnerabilities in connected IoT devices with sophisticated malware to gain access to a network so they can monitor users or steal intellectual property, classified or personally identifying data and other critical information. Once they infiltrate an IoT system, hackers can also use their newly gained access for lateral movement to other connected devices or to gain entry to a greater network for various malicious purposes.
Where the attack comes from:
Attacks can come from anywhere in the world. But because many verticals such as government, manufacturing and healthcare are deploying IoT infrastructure without proper security protections, these systems are targets for attacks by hostile nation states and sophisticated cybercrime organizations. Unlike attacks against technology infrastructure, attacks against connected civic or healthcare systems could lead to widespread disruption, panic and human endangerment.
What Is IoMT Threats?
The prevalence and complexity of attacks on healthcare organizations as well as the risk to patient confidentiality and safety means providers are coming under fire when it comes to medical device security. Due to attacks such as the WannaCry ransomware attack, lawmakers have outlined the severity of cybersecurity issues plaguing legacy software and equipment. The FDA has also issued updated guidance for device manufacturers, but companies aren’t required to follow these guidelines since they’re not legal mandates.
What you need to know:
The Internet of Medical Things (IoMT) has transformed healthcare as we know it, especially in the era of COVID-19. Leveraging IoMT has the power to unleash countless opportunities in diagnosing, treating and managing a patient’s health and wellness, and holds the key to lowering cost while improving quality of care. But as the number of connected devices invariably grows, so does the cybersecurity risk. As of 2020, more than 25% of cyberattacks in healthcare delivery organizations involve IoMT.
How the attack happens:
Because digital technologies age faster than their physical counterparts which typically have a long product life cycle outdated equipment and software are creating serious cybersecurity vulnerabilities for both hospitals and patients. Currently, manufacturers don’t allow customers to troubleshoot and patch their own devices, and will even go so far as to void warranties if they do. Compounded with lack of encryption, hardcoded credentials and lax security controls, there’s little that healthcare organizations can do to mitigate risk where legacy devices are involved.
Where the attack comes from:
IoMT attackers have the ability and resources to pinpoint healthcare providers with ambiguous security ownership, as well as poor asset or inventory visibility, and out-of-date systems and devices.
What Is Macro Viruses?
One of the most infamous virus incidents of all time, the Melissa virus of the late ‘90s, was none other than a macro virus. A Melissa-infected PC would hijack the user’s Microsoft Outlook email system and send virus-laden messages to the first 50 addresses in their mailing lists. The virus propagated at an incredible speed, and caused astounding damage worldwide: an estimated $80 million for cleaning and repairing affected systems and networks. Though the heyday of the macro virus may have passed, these attacks continue, and they’re not just targeting Microsoft Windows anymore: recent attacks have targeted Mac users as well
What you need to know:
A macro virus is a computer virus written in the same macro language that is used for software applications. Some applications, like Microsoft Office, Excel and PowerPoint allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in emails, or emails from unrecognized senders. Many antivirus programs can detect macro viruses, however the macro virus’ behavior can still be difficult to detect.
How the attack happens:
Macro viruses are often spread through phishing emails containing attachments that have been embedded with the virus. Because the email looks like it came from a credible source, many recipients open it.
Once an infected macro is executed, it can jump to every other document on the user’s computer and infect them. Macro viruses spread whenever a user opens or closes an infected document. They run on applications and not on operating systems. The most common methods of spreading macro viruses are sharing files on a disk or network and opening a file attached to an email.
Where the attack comes from:
While macro viruses have fallen out of vogue for malicious attacks primarily because antivirus software is better able to detect and disable them they still represent a major threat. A cursory Google search for “macro virus” yields instructions for creating macro viruses and tools that assist non-coders in creating these viruses. In theory, anyone with internet access can create a macro virus with ease.
What Is Malicious PowerShell?
Attack sequences that exploit the ever-popular PowerShell are broadly attractive to top cybercriminals and cyberespionage groups because they make it easy to propagate viruses across a network. Notorious bad actors such as APT29 (aka Cozy Bear) use PowerShell scripts to gather critical intelligence to inform even more sophisticated cyberattacks.
In 2020, the notorious threat group APT35 (aka “Charming Kitten”) abused Powershell in a ransomware attack on a charity organization and to harvest and exfiltrate data from a U.S. local government.
What you need to know:
PowerShell is a command-line and scripting tool developed by Microsoft and built on .NET (pronounced “dot net”), that allows administrators and users to change system settings as well as to automate tasks. The command-line interface (CLI) offers a range of tools and flexibility, making it a popular shell and scripting language. Bad actors have also recognized the perks of PowerShell namely, how to operate undetected on a system as a code endpoint, performing actions behind the scenes.
How the attack happens:
Since PowerShell is a scripting language that runs on the majority of enterprise machines and since most companies don’t monitor code endpoints the logic behind this type of attack is abundantly clear. It’s easy to gain access, and even easier for attackers to take root in the system. Malware doesn’t need to be installed in order to run or execute the malicious script. This means the hacker can effortlessly bypass detection circumventing the analysis of executable files to wreak havoc at their leisure.
Where the attack comes from:
This type of attack is more sophisticated than other methods, and is usually executed by a power hacker who knows exactly what they’re doing (versus an amateur who might resort to brute force attacks). Ever stealth in their approach, they’re adept at covering their tracks, and know how to move laterally across a network.
What Is Man-in- the-Middle Attack?
In early 2022, Microsoft discovered a phishing campaign targeting Office365 users. The attackers spoofed a phony 365 login page, gathering credentials for later abuse and misuse. To do this, the attackers used a Evilginx2 phishing kit a man-in-the- middle (MITM) attack framework used for phishing login credentials along with session cookies, allowing bad actors to bypass two-factor authentication in order to hijack the authentication process. Microsoft added in its blog post, “Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses.”
What you need to know:
The MITM attack, also known as adversary-in- the-middle (AiTM), sets up a proxy server that intercepts the victim’s log-in session, so that the malicious actor can act as a relay between the two parties or systems thereby gaining access to and/or pilfering sensitive information.
This type of attack allows a malicious actor to intercept, send and receive data intended for somebody else or that’s not meant to be sent at all without either outside party knowing, until it is too late.
How the attack happens:
Virtually anyone could execute a man-in-the- middle attack. Since the implementation of HTTPS Everywhere, however, these kinds of attacks are more difficult to execute, and are therefore more rare. In an MITM attack, the hacker sits between the user and the real website (or other user) and passes the data between them, exfiltrating whatever data they like from the interaction.
Where the attack comes from:
Because improvements in security technologies have made MITM attacks more difficult to execute, the only groups attempting them are sophisticated hackers or state actors. In 2018, the Dutch police found four members of the Russian hacking group Fancy Bear parked outside of the Organization for the Prohibition of Chemical Weapons in Holland, attempting an MITM infiltration to steal employee credentials. Later that year, the U.S. and UK governments released warnings that Russian state-sponsored actors were actively targeting routers in homes and enterprises for the purpose of MITM exfiltration.
What Is Masquerade Attack?
Many of us still remember when Target experienced a massive credit card breach affecting over forty million customer accounts. The states’ investigation into the breach revealed that attackers stole the credentials of Target’s HVAC contractor, Fazio Mechanical Services. After using the third-party vendor’s details to get into Target’s internal web application, they installed malware on the system and captured names, phone numbers, payment card numbers, credit card verification codes and other highly sensitive information.
What you need to know:
A masquerade attack happens when a bad actor uses a forged or legitimate (but stolen) identity to gain unauthorized access to someone’s machine or an organization’s network via legitimate access identification. Depending on the level of access the permissions provide, masquerade attacks could give attackers access to an entire network.
How the attack happens:
A masquerade attack can happen after users’ credentials are stolen, or through authenticating on unguarded machines and devices which have access to the target network.
Where the attack comes from:
From an insider angle, attackers can get access by spoofing login domains or using keyloggers to steal legitimate authentication credentials. The attacks can also happen physically by taking advantage of targets who leave machines unguarded like a coworker accessing someone’s laptop while they’re away. Generally speaking, weak authentication methods that can be duped by external parties are usually the source of the problem.
What Is Meltdown and Spectre Attack?
Most cybersecurity attacks exploit a vulnerability, such as a coding mistake or bad design. But not all attacks are created equal. In 2018, two Google researchers discovered a new type of attack that affected all computer chip makers and potentially exposed billions to the meltdown and spectre attack.
What you need to know:
The meltdown and spectre attack exploits vulnerabilities in computer processors. These vulnerabilities allow attackers to steal almost any data that is being processed on the computer. This is an attack that strikes at the core of computer security, which relies on the isolation of memory to protect a user’s information.
A “meltdown” refers to the breakdown of any protective barrier between an operating system and a program, while “spectre” indicates the breakdown between two applications that keep information from each other.
How the attack happens:
A meltdown and spectre attack exploits critical vulnerabilities in modern CPUs that allow unintended access to data in memory storage. The attack breaks the norm of computing where programs are not allowed to read data from other programs. The type of information that attackers typically target are passwords stored in a password manager or browser as well as emails, financial records and personal information such as photos and instant messages. But this attack is not limited to personal computers. It can target almost any device with a processor, such as a mobile phone or tablet.
Where the attack comes from:
The spectre and meltdown attack can originate from nearly anywhere, and much of the research thus far has focused on this attack’s unique nature instead of who’s behind it.
What Is Network Sniffing?
Smart locks are a new type of device intended to protect your home and make it easier to enter with the click (or, more appropriately, tap) of a button. But taking a more futuristic approach to fortifying your house can have serious consequences, security researchers have found. One smart lock, not-so-aptly marketed as the “smartest lock ever,” could be intercepted via network traffic between the mobile app and the lock itself. Scarier yet, this can be done through inexpensive, readily available network-sniffing devices.
What you need to know:
Network sniffing, also known as packet sniffing, is the real-time capturing, monitoring and analysis of data flowing within a network. Whether it’s via hardware, software or a combination of both, bad actors use sniffing tools to eavesdrop on unencrypted data from network packets, such as credentials, emails, passwords, messages and other sensitive information.
How the attack happens:
Much like wiretapping scenarios in which someone listens in on phone calls for sensitive details, network sniffing works in the background, silently listening in as information is exchanged between entities on a network.
This happens when attackers place a sniffer on a network via the installation of software or hardware plugged into a device that allows it to intercept and log traffic over the wired or wireless network the host device has access to. Due to the complexity inherent in most networks, sniffers can sit on the network for a long time before being detected.
Wherecthe attack comes from:
Network sniffing is often conducted legally by organizations like ISPs, advertising agencies, government agencies and others who need to verify network traffic.
But it can also be launched by hackers doing it for the “lulz” or nation-states looking to pilfer intellectual property. Like ransomware, network sniffers can be injected into the network by getting the right person to click on the right link. Insider threats with access to sensitive hardware could also be a vector for attack.
What Is Open Redirection?
In 2022, yet another phishing campaign targeting Facebook users was discovered to have netted hundreds of millions of credentials. The technique used was a common one: A link is sent via DM from a compromised Facebook account, then that link performs a series of redirects, often through malvertising pages to rack up views and clicks (and revenue for the attacker), ultimately landing on a fake page. Though the technique of host redirection, also known as open redirect, isn’t new, the sheer scale of this campaign is remarkable. Researchers found that just one phishing landing page out of around 400 had 2.7 million visitors in 2021, and 8.5 by June of 2022. In an interview with researchers, the attacker boasted of making $150 for every thousand visits from U.S. Facebook users, which would put the bad actor’s total earnings at $59 million.
What you need to know:
Host redirection attacks are very common and increasingly subversive, as hackers become more creative about how they lure their targets. Attackers use URL redirection to gain a user’s trust before they inevitably strike. They’ll typically use embedded URLs, an .htaccess file or employ phishing tactics in order to redirect traffic to a malicious website.
How the attack happens:
The hacker might send a phishing email that includes a copycat of the website’s URL to the unsuspecting victim. If the website appears legitimate, users might inadvertently share personal information by filling out any prompts or forms that appear. Attackers can take this to the next level by embedding faux command- and-control domains in malware, and hosting malicious content on domains that closely mimic corporate servers.
Where the attack comes from:
The origins of this attack are not as important as the target. This attack is usually aimed at unsophisticated internet users who won’t notice that the URL of their favorite domain is a letter or two off. And because this attack prides itself on simplicity (it can be as easy as registering a domain name), it can originate from almost anywhere.
What Is Pass the Hash?
The infamous breach of over 40 million Target customer accounts was successful partly due to the well-known attack technique called pass the hash (PtH). The hackers used PtH to gain access to an NT hash token that would allow them to log-in to the Active Directory administrator’s account without the plaintext password thereby giving them the necessary privileges to create a new domain admin account, later adding it to the Domain Admins group. This root in the system gave them the opportunity to steal personal information and payment card details from Target’s customers.
What you need to know:
Pass the hash allows an attacker to authenticate a user’s password with the underlying NTLM or LanMan hash instead of the associated plaintext password. Once the hacker has a valid username along with their password’s hash values, they can get into the user’s account without issue, and perform actions on local or remote systems. Essentially, hashes replace the original passwords that they were generated from.
How the attack happens:
On systems using NTLM authentication, a user’s password or passphrase is never submitted in cleartext. Instead, it’s sent as a hash in response to a challenge- response authentication scheme. When this happens, valid password hashes for the account being used are captured using a credential access technique.
Where the attack comes from:
This type of attack is more sophisticated than other methods, and is usually executed by highly organized, motivated threat groups with their sights set on a specific organization or person, and with a mind to political or financial gain.
What Is Phishing?
When it comes to phishing attacks, there are a few that stand out above the rest like the now-infamous attack on Sony’s network. Hackers executed the attack by sending phishing emails requesting verification for Apple IDs to system engineers, network administrators and other unsuspecting employees with system credentials. The attackers absconded with gigabytes worth of files, which included emails, financial reports and digital copies of recently released films. On top of that, the malicious actors then infused Sony’s workstation computers with malware that erased the machines’ hard drives. A few weeks later, the FBI formally pointed to the North Korean government as the masterminds behind the attack
What you need to know:
A phishing attack tricks everyday consumers, users or employees into clicking on a malicious link, often driving them to a bogus site to provide personally identifiable information such as banking account numbers, credit card information or passwords, delivered via email, direct message or other communication.
Be wary while these bogus sites may look convincing, attackers will harvest any information you submit to them. Or they may launch malware aimed at stealing funds from your accounts, personally identifiable customer information or other critical assets.
How the attack happens:
Typically you’ll be lured by an email impersonating someone you know a message that appears to be from a manager or coworker, for example compelling you to open malicious attachments or click links that lead you to webpages practically identical to legitimate sites.
Where the attack comes from:
Just a few decades ago, a large number of phishing attacks were sourced to Nigeria in what were known as 419 scams, due to their fraud designation in the Nigerian criminal code. Today, phishing attacks originate from all over the world, with many occurring in BRIC countries (Brazil, Russia, India and China), according to the InfoSec Institute. Because of the ease and availability of phishing toolkits, even hackers with minimal technical skills can launch phishing campaigns. The people behind these campaigns run the gamut from individual hackers to organized cybercriminals
What Is Phishing Payloads?
One of the biggest cybercrimes ever with the highest number of defendants charged for the same crime was what the FBI called Operation Phish Phry. The attack sparked a multinational phishing investigation after targeting hundreds of bank and credit card customers, all of whom received emails with links to fake, but authentic-looking, financial websites. On the site, targets were asked to enter their account numbers and passwords into fraudulent forms.
What you need to know:
Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as 91% of all successful attacks are initiated via a phishing email.
These emails use fraudulent domains, email scraping techniques, familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a nefarious payload, or entering sensitive personal information that perpetrators may intercept.
The “payload” refers to the transmitted data that is the intended message. Headers and metadata are only sent to enable the delivery of the payload to the correct person.
How the attack happens:
This attack has a typical attack pattern: First, the attacker sends a phishing email and the recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file. Second, the .lnk file executes a PowerShell script and lastly the Powershell script executes a reverse shell, rendering the exploit successful.
Where the attack comes from:
Because this attack doesn’t require a high level of sophistication, and because phishing is at the center of most cyberattacks, it can originate from anywhere in the world. Operation Phish Phry is a perfect example of this. In this attack, the FBI arrested more than 50 people in California, Nevada, and North Carolina, while also charging about 50 Egyptian nationals in connection with the attack.
What Is Spear Phishing?
These days spear phishers are not only targeting bigger fish, they’re taking a page from the book of romance scams, luring victims with attractive fake profiles to get them to download malware onto their computers. In 2021, researchers identified a years-long social engineering and targeted malware attack sourced to the renowned Iranian-state aligned threat actor TA456. Using a fake social media profile “Marcella Flores,” TA456 built a romantic relationship with an employee of a small aerospace defense contractor subsidiary. The attacker cashed in a few months later by sending out a large malware file via an ongoing corporate email communication chain with the aim of conducting reconnaissance. Once the malware, dubbed LEMPO, infiltrated the machine, it exfiltrated data and sent highly sensitive information back to the attacker, while obfuscating its whereabouts to evade detection.
What you need to know:
A subset of phishing, spear phishing occurs when cybercriminals selectively target victims with a specific, personalized email message to trick targets or a target company’s employees into giving away financial or proprietary data, or unlocking access to the network. Spear phishers target individuals who either have access to sensitive information or are weak links to the network. High- value targets, such as C-level executives, company board members or administrators with elevated privileges, are especially vulnerable, since they have access to critical systems and proprietary information.
How the attack happens:
Spear phishers do their research to identify targets and their professional positions using social media sites like LinkedIn. From there, they spoof addresses to send highly personalized, authentic-looking messages to infiltrate the target’s infrastructure and systems. Once hackers gain access to the environment, they attempt to carry out even more elaborate schemes.
Where the attack comes from:
Individuals and organizations alike are behind this attack. However, many high-profile spear phishing attempts are sourced to state- sponsored cybercrime organizations, which have the resources to research their targets and bypass strong security filters.
What Is Whale Phishing? (Whaling)
Why go after little phish when you can phish a whale? In 2020, Australian hedge fund Levitas Capital found that out the hard way when attackers launched a stealthy whaling attack aimed directly at one of the founders. The bad actors gained entry to the hedge fund’s network after sending the executive a fake Zoom link that installed malware once it was clicked. The malicious code allowed the attackers to infiltrate the targeted email account and subsequently create bogus invoices to the fund’s trustee and third party administrator, which initiated and approved cash transfer requests resulting in $8.7 million in theft.
The bogus invoices also included a request for a $1.2 million payment to suspicious private equity firm Unique Star Trading. The losses were so damaging and extensive that the firm was eventually forced to permanently close.
What you need to know:
Whaling is when hackers go after one single, high-value target, such as a CEO. The target is always someone specific, whereas a phishing email may go after anyone at a company. The hackers also usually go after high-profile targets because they may possess important or sensitive information.
How the attack happens:
The technique used in a whaling attack is a classic phishing practice. The target receives an authentic-looking email, usually asking them to click on a link that contains malicious code or leads to a website that asks for sensitive information, such as a password.
Where the attack comes from:
Phishing is the most common entry point for a cyberattack, which means a whaling attack can originate from anywhere in the world.
The Levitas Capital attack, for example, was sourced to a collective of cybercriminals from various regions, with payments sent to Bank of China and United Overseas Bank in Singapore.
What Is Privileged User Compromise?
In early 2022, the criminal hacking group Lapsus$, allegedly run by a teenager from Oxford, England, boasted publically that it had successfully hacked Okta, a single sign-on provider used by thousands of organizations and governments worldwide.
Lapsus$ gained access to a “super user” administrative account for Okta via a third-party support engineer and had access to the employee’s laptop for five days, including privileged access to some Okta systems. The cybercrime group posted about the attack on its Telegram channel, even going so far as to post screenshots showing it was inside Okta’s systems. But it wasn’t after Okta, exactly the real targets were Okta’s thousands of customers. A week later, the hacking group added 15,000 followers to their Telegram channel, raising fears that more attacks are imminent.
What you need to know:
It’s widely accepted that many serious data breaches can be traced back to the abuse of privileged credentials. These are accounts with elevated privileges, such as users with domain administrator rights or root privileges. Attackers are increasingly using privileged user credentials to access an organization’s resources and information and exfiltrate sensitive data. An attacker that gains access to privileged user credentials can take control of an organization’s infrastructure to modify security settings, exfiltrate data, create user accounts and more, all the while appearing legitimate and therefore harder to detect.
How the attack happens:
Attackers attempt to gain access to privileged accounts by using social engineering techniques, sending spear-phishing messages, using malware, or “pass the hash” attacks.
Organizations have opened their networks to cope with an increasingly mobile, remote workforce, and enable a complex web of remote access used by suppliers and service providers. Many of those connections, including to the cloud, are accessed through powerful privileged account credentials, and finding, controlling and monitoring access to them all is challenging, giving bad actors plenty of openings.
Once armed with the credentials, attackers get in and grab what they can, such as SSH keys, certificates and domain administration hashes. And it takes only one successful account hit to cause a major data breach that can bring an organization to its knees.
Where the attack comes from:
Because it provides attackers with hard to detect, wide access to all kinds of data privilege, user compromise is widely appealing and commonly used in cyberattacks of various kinds, whether nation-state cyber espionage motivated by political ideology or sophisticated, financially-motivated cybercrime groups like Lapsus$.
What Is Ransomware?
According to cybersecurity company Emsisoft, ransomware attacks affected at least 948 government agencies, educational establishments and healthcare providers in the United States in 2019, at a potential cost exceeding $7.5 billion.
In the medical sector, the potential effects of these kinds of attacks include patients being redirected to other hospitals, medical records being made inaccessible (or permanently lost) and emergency dispatch centers relying on printed maps and paper logs to keep track of emergency responders in the field. In government, local 911 services can be disrupted. And according to Manhattan D.A. Cyrus Vance Jr., the effect of ransomware could be as devastating and costly as a natural disaster like Hurricane Sandy.
What you need to know:
Ransomware is an attack where an infected host encrypts a victim’s data, holding it hostage until they pay the attacker a fee. Recent ransomware attacks have demonstrated that hackers have begun threatening to leak or sell the stolen data, increasing the potential damage of these kinds of attacks by orders of magnitude.
There are countless types of ransomware, but certain groups are especially nefarious. One well-known gang, Blackmatter, has targeted a number of organizations critical to the U.S. economy and infrastructure, including the food and agriculture industry. Ryuk is another type of ransomware to watch out for. As of 2019, Ryuk had the highest ransom on record at $12.5 million.
How the attack happens:
Attackers can deploy ransomware to businesses and individuals through spear phishing campaigns and drive-by downloads, as well as through traditional remote service- based exploitation. Once the malware is installed on the victim’s machine, it either prompts the user with a pop-up or directs them to a website, where they’re informed that their files are encrypted and can be released if they pay the ransom.
Where the attack comes from:
Ransomware has typically been the work of advanced cybercriminal groups who remain anonymous after extorting governments or major enterprises requires technological sophistication. However, since the arrival of cryptocurrencies, which simplify anonymous transactions, the general population is at greater risk of ransomware attack.
What Is Ransomware-as-a-Service?
Ransomware-as-a-Service (RaaS) is created for extortion over stolen or encrypted data, known as ransomware. The author of the ransomware makes the software available to customers called affiliates, who use the software to hold people’s data hostage with little technical skill. WannaCry had one of the largest RaaS attack vectors to date, with upwards of 400,000 computers infected across 150 countries. WannaCry infiltrated networks using the EternalBlue vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. A cyberattack exploit originally developed by the U.S. National Security Agency (NSA), they did not alert Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced the agency to come clean about the issue.
What you need to know:
RaaS is a business model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by operators. RaaS kits allow affiliates lacking the skill or time to develop their own ransomware variant to be up and running quickly and affordably. A RaaS kit may include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate SaaS providers.
How the attack happens:
Ransomware is an ever-present risk to enterprises, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. Attackers can deploy ransomware to enterprises through spearphishing campaigns and drive-by downloads, as well as through traditional remote service-based exploitation.
Where the attack comes from:
Because RaaS kits are relatively easy to use and very easy to find on the dark web, where they are widely advertised, this attack could come from any beginning hacker with the money to buy a kit.
What Is Router and Infrastructure Security?
Cisco was the victim of a router and infrastructure attack in which a router “implant,” dubbed SYNful Knock, was reportedly found in 14 routers in four different countries. SYNful Knock is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco IOS software image. Mandiant describes it as having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device.
What you need to know:
Router implants have been rare, and are largely believed to be theoretical in nature and use.
However, recent vendor advisories indicate that these have been seen in the wild. The initial infection vector does not appear to leverage a zero-day vulnerability. It is believed that the credentials are either default or discovered by the attacker in order to install the backdoor. However, the router’s position in the network makes it an ideal target for re- entry or further infection.
How the attack happens:
Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Attackers compromise network devices and can then obtain direct access to the company’s internal infrastructure effectively increasing the attack surface and accessing private services/data.
Where the attack comes from:
Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems and implement cryptographic weakened algorithms to more easily decrypt network traffic.
What Is Shadow IT?
As software-as-a-service applications have become increasingly quick and easy to use, employees can now download solutions onto their workstations to help them get the job done.
However, many are using these applications with little regard for security. It’s not surprising then that a 2019 Forbes Insights survey titled “Perception Gaps in Cyber Resilience: Where Are Your Blind Spots?” found that more than one in five organizations experienced a cyber incident originating from an unauthorized or “shadow” IT resource.
What you need to know:
Shadow IT refers to IT applications and infrastructure that employees use without the knowledge and/or consent of their organization’s IT department. These can include hardware, software, web services, cloud applications and other programs.
In general, well-intentioned employees innocently download and use these applications to make their work easier or more efficient. It’s a phenomenon so pervasive that Gartner had estimated that a third of all enterprise cybersecurity attacks would be from shadow IT resources in 2020. Because users are accessing these applications largely under the radar, they are often unintentionally opening the floodgate for insider threats, data breaches and compliance violations.
How the attack happens:
As the name suggests, the secretive nature of shadow IT is due to employees sharing or storing data on unauthorized cloud services, setting the stage for a host of security and compliance risks. Breaches can occur when employees upload, share or store critical or regulated data into shadow IT apps without appropriate security and data loss prevention (DLP) solutions. The exposed information then provides an easy target for insider threats and data theft, and can also lead to costly compliance violations. In addition, the applications themselves might be fraught with endpoint vulnerabilities and security gaps.
Where the attack comes from:
In this case, the threat originates from within an organization. Employees using shadow IT apps often do so to get around a prohibitive policy or to get work done faster not necessarily to put their employers and coworkers at risk. However, they ultimately leave the door wide open for malicious insiders or external hackers looking to exploit security holes in these systems.
What Is Simjacking?
On August 30, 2019, Twitter CEO Jack Dorsey’s 4.2 million followers were subjected to a stream of deeply offensive messages, courtesy of a group of hackers called the “Chuckling Squad.” The group used simjacking to gain control of Dorsey’s phone number, then used a text-to-tweet service acquired by Twitter to post the messages. Despite the messages being visible online for fewer than ten minutes, millions of people were exposed to the offensive tweets.
What you need to know:
SIMjacking (also known as a SIM swap scam, port-out scam, SIM splitting and SIM swapping) is a type of account takeover that generally targets a weakness in two-factor authentication and two-step verification in which the second factor is a text message (SMS) or call placed to a mobile telephone. Simply put, simjacking is when an attacker impersonates a target to a cellular provider in order to steal their cell phone number by having it transferred to a different SIM card (which is already in the hacker’s possession).
How the attack happens:
A hacker calls the support line for a mobile service provider, pretending to be the target, saying they’ve lost their SIM card. They can verify their identity because they have acquired some amount of the target’s personal information (address, passwords or SSN) through one of the many database hacks- in the last decade. The service provider’s employee, having no way of knowing that the person on the other end of the line is not who they say they are, makes the switch. Instantly, that phone number the key associated with so much of digital life is under the attacker’s control.
Where the attack comes from:
Simjackers are typically looking to extort victims for something of great value like Bitcoin or other cryptocurrency wallets or high-value social media accounts or to cause harm to their reputations, as Chuckling Squad did with Jack Dorsey. These hackers can come from anywhere in the world, and can be members of organized groups or solitary actors.
What Is Social Engineering Attack?
The 2002 film “Catch Me If You Can” tells the true story of (perhaps) one of the most accomplished practitioners of social engineering of all time. In the film, Leonardo DiCaprio portrayed a man named Frank W. Abagnale, Jr., who executed various high-profile cons, committed bank fraud and masqueraded in a variety of personas, including as a physician and pilot. Abagnale’s success depended on his ability to convince his victims that his forgeries, whether they were checks, diplomas or identities, were genuine. Abagnale was an active con man in the ‘60s and ‘70s, but the practice of social engineering has continued to develop and remains a powerful tool for hackers and fraudsters to gain access to closed systems around the world.
What you need to know:
Social engineering is the term used for a broad range of malicious activities accomplished through psychological manipulation to trick users into making security mistakes or giving away sensitive information. What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify
and thwart than a malware-based intrusion.
How the attack happens:
Social engineering attacks come in many different forms and can be performed anywhere where human interaction is involved. The following are five common forms of digital social engineering assaults. A perpetrator first investigates the intended victim to gather the necessary background information such as potential points of entry and weak security protocols needed to proceed with the attack. Then, the attacker gains the victim’s trust and provides stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.
Where the attack comes from:
Social engineering can take many forms and come from many sources and motivations. Most commonly, it comes in the form of phishing emails. Other forms include pretexting, where the attacker creates a good pretext to steal important data; baiting and quid pro quo, in which the attacker offers the victim something desirable in exchange for providing login credentials; and tailgating or piggybacking, in which an attacker gains access to a restricted area of a business by following an authenticated employee through secure doors.
What Is Spyware?
It’s no secret that spyware attacks continue to occur with alarming frequency. But if you’re a high-profile figure, you’re likely a bigger target.
In May of 2021, officials announced that bad actors had targeted the cellphones of Spanish Prime Minister Pedro Sánchez and Defense Minister Margarita Robles in several attacks using the Pegasus spyware, resulting in significant data theft from both devices while wreaking havoc on Spain’s administrators and government systems.
What you need to know:
Spyware is a type of malware that aims to gather personal or organizational data, track or sell a victim’s web activity (e.g. searches, history and downloads), capture bank account information and even steal a target’s identity. Multiple types of spyware exist, and each one employs a unique tactic to track the victim. Ultimately, spyware can take over a device, exfiltrating data or sending personal information to another unknown entity without prior knowledge or consent.
How the attack happens:
Spyware can install itself on a victim’s device through various means, but will commonly get a foothold in a system by duping the target or exploiting existing vulnerabilities. This can happen when a user carelessly accepts a random prompt or pop-up, downloads software or upgrades from an unreliable source, opens email attachments from unknown senders, or pirates movies and music.
Where the attack comes from:
Thanks to crimeware kits that are now readily available, this type of attack can come from anyone and anywhere. But more often than not, they’ll originate from nefarious organizations looking to sell a victim’s information to a third-party.
What Is SQL Injection?
Structured Query Language, or SQL (sometimes pronounced “sequel”), is the standard programming language used to communicate with relational databases systems that support every data-driven website and application on the internet. An attacker can take advantage of this (very common) system by entering a specific SQL query into the form (injecting it into the database), at which point the hacker can access the database, network and servers. And SQL injection attacks continue to be a popular attack method. As recently as August of 2020, the Freepik Company disclosed a data breach impacting the logins of more than eight million users resulting from an SQL injection in a global database of customizable icons, which allowed the hackers to access and ultimately steal user login and personal information.
What you need to know:
SQL injection is a type of injection attack used to manipulate or destroy databases using malicious SQL statements. SQL statements control the database of your web application and can be used to bypass security measures if user inputs are not properly sanitized.
How the attack happens:
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application.
A successful SQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.
Where the attack comes from:
Because so much of the internet is built on relational databases, SQL injection attacks are exceedingly common. Searching the Common Vulnerabilities and Exposures database for “injection” returns 15,000 results
What Is Supply Chain Attack?
The SolarWinds attacks, which some experts have called the worst series of cybersecurity attacks in history, are a prime example of the damage a supply chain attack can inflict. In 2020, sophisticated attackers believed to have been directed by the Russian intelligence service, compromised SolarWinds software. They embedded it with malware that was then deployed through a product update, giving them backdoor access to all of SolarWinds Orion Platform customers’ networks. Up to 18,000 customers installed updates that left them vulnerable to hackers, including Fortune 500 companies and multiple agencies in the U.S. government. As Tim Brown, vice president of security at SolarWinds, said recently, “it’s really your worst nightmare.”
What you need to know:
A supply chain attack is a powerful cyberattack that can breach even the most sophisticated security defenses through legitimate third- party vendors. Because vendors need access to sensitive data in order to integrate with their customers’ internal systems, when they are compromised in a cyberattack, often their customers’ data is too. And because vendors store sensitive data for numerous customers, a single supply chain attack gives hackers access to the sensitive data of many organizations, across many industries. The severity of supply chain attacks cannot be overstated. And the recent spate of these attacks suggests this method is now the state actors’ attack du jour.
How the attack happens:
A supply chain attack uses legitimate, trusted processes to gain full access to organizations’ data by targeting the vendor’s software source code, updates or build processes. They are difficult to detect because they happen at an offset to the attack surface. Compromised vendors then unwittingly transmit malware to their customer network. Victims can be breached through third-party software updates, application installers and through malware on connected devices. One software update can infect thousands of organizations, with minimal effort from the hacker, who now has “legitimate” access to move laterally across thousands of organizations.
Where the attack comes from:
Supply chain attacks are large-scale, sophisticated attacks perpetrated by sophisticated threat actors, often nation- state sponsored and ideologically motivated, though financial gain is also a big motivation.
What Is Suspicious Cloud Authentication Activities?
Now more than ever, identity access management (IAM) has become a critical part of cloud security. In 2022 alone, 84% of organizations fell victim to identity-related breaches, with 96% reporting that the breach could have been avoided or minimized by implementing identity-centric security.
Without the correct technologies and policies in place (e.g. zero trust and vendor management), identifying anomalous behavior via authentication and authorization can be incredibly tricky. As a result, these attacks often go undetected, as the authentication performed by a bad actor can look the same as a legitimate user, depending on how expansive the IAM framework in place is (let alone if it even exists).
What you need to know:
Organizations need to move away from network security in order to better protect and authenticate user identities. Up until recently, however, this was much easier said than done. Certain technologies simply lacked the necessary integration capabilities, limiting an organization’s ability to centrally monitor the overall security of their resources.
Now there are countless technologies available that revolve around access control, like multifactor authentication (MFA). To avoid illegitimate authentication on cloud applications, no user or device whether internal or external to the organization should be implicitly trusted, and access
to all resources should be explicitly and continuously authenticated and authorized.
How the attack happens:
The threat or attacker can easily penetrate the network/breach the perimeter when there’s a distinct lack of or a weak IAM framework, and when an organization is still relying on network/endpoint security. In both instances, because the identity access controls are so lax, the attacker can easily log in with the stolen credentials without being detected, and then move laterally across the network, as well as any connected systems, compromising assets and causing irrevocable damage ultimately giving them free reign.
Where the attack comes from:
Between the growing number of phishing attacks, increasing number of user identities and the continued growth of cloud adoption, this type of attack can come from anywhere, including third-party vendors, employees, remote workers and contractors.
What Is Suspicious Cloud Storage Activities?
According to the 2022 Verizon Data Breach Investigations Report (DBIR), a staggering 82% of breaches involve a “human element,” with “miscellaneous errors” on the rise due to misconfigured cloud storage. The Sensitive Data in the Cloud report also found that the majority of security and IT professionals (67%) are storing sensitive data in public cloud environments, with a third of respondents saying that they weren’t confident or only slightly confident about their ability to protect sensitive data in the cloud.
This type of technical and professional oversight whether it involves a misconfigured database or security teams lacking the necessary know-how is exactly why cloud accounts have become a prime target in this era of remote work.
What you need to know:
Now that data is widely (and all too often, haphazardly) dispersed across the cloud, attackers have ample opportunity to find and exploit both known and unknown vulnerabilities. This is especially true as organizations hurriedly migrate to the cloud, potentially compromising or misconfiguring certain security controls.
To complicate matters further, assets and applications need to be secured per the shared responsibility model, where cloud service providers (CSPs) will cover certain elements, processes and functions, but then the customer is responsible for securing its proprietary data, code and any other assets of note, per the cloud security alliance (CSA). But when that responsibility is shirked, hackers inevitably abound.
How the attack happens:
An attack on cloud storage happens when a bad actor gets a foothold within the organization’s cloud infrastructure due to incorrect, lax or nonexistent security settings. Once inside, they’ll start disabling certain controls, like access monitoring. They may create new accounts for continued access, while executing commands that aren’t typical for the type of user or system in question.
They could also change the policies of certain storage buckets, so that an organization’s files are accessible to the public, leading to data exfiltration. Fortunately, these are all notable events, and will be easy to track and identify in the CSP’s audit logs.
Where the attack comes from:
One example of how this can happen is if a developer runs an outdated instance of a cloud function or application. This could contain known vulnerabilities that were eventually patched in a later version. But since an older program is running, attackers can use this as an entry point before they move laterally across the cloud environment.
What Is Suspicious Okta Activity
Okta is often the gateway to enterprise applications and accounts a fact not lost on hackers. If exploited, the SSO flaw allows hackers to abuse credentials of existing accounts for unauthorized access, persistence, privilege escalation and defense evasion. Once credentials are compromised, attackers can then bypass access controls to gain entrance to VPNs, Outlook Web Access and remote desktop. Adversaries can also use compromised credentials to elevate their privileges to certain systems or gain entry to restricted areas of the network, while also using malware to steal information and/or obfuscate their presence. In one attack scenario, hackers can take over inactive accounts of employees who have left the organization and use their credentials to gain access to critical systems for data and identify theft activities.
What you need to know:
Okta is the leading single sign on provider, allowing users to authenticate once to Okta, and from there access a variety of web- based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. Okta also provides centralized logging to help understand how the applications are used and by whom.
While SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications
How the attack happens:
Once exploited, this vulnerability enables a credential stuffing attack, in which the bad actor acquires usernames and passwords from a variety of sources such as breached websites, phishing attacks and password dump sites. By conducting brute force attacks with the help of automated tools, the adversary tests those credentials at scale against a plethora of websites to see if any logins are successful and gain access to the site. From there, attackers have the ability to launch any number of attacks, including launching phishing or spam campaigns, accessing PII and other sensitive information, and financially draining stolen accounts.
Password spraying attacks, which are essentially brute force attacks, feed numerous usernames into an automated program that attempts to guess associated passwords.
As the name implies, it relies on a “spray” technique in the hopes that one of the username/password combinations is correct. And it only takes one.
Where the attack comes from:
These attacks can essentially come from anywhere. While it is possible that they can be traced to sophisticated cybercrime networks, they can also be executed by less sophisticated, individual, remote hackers with access to automated tools that can conduct a copious number of brute force attacks at once.
What Is Suspicious Zoom Child Processes?
Video-conferencing giant Zoom has emerged as the top enterprise video communications platform over the last several years. Its usage has increased dramatically with an upsurge of remote workers, attributed largely to shelter-in-place mandates following the COVID-19 pandemic. However, as Zoom’s popularity soared, flaws in both Windows and macOS systems have correspondingly received increased scrutiny by bad actors, who have increasingly relied on this attack vector to gain unauthorized access and escalate privileges onto targeted systems including exploiting a local library validation function in Zoom to completely hijack an unsuspecting user’s webcam and microphone. Plausible attack scenarios could mean that attackers use their ill-gotten privileges to spy on targeted users, either in their personal lives or during important meetings where sensitive information is being shared.
What you need to know:
Essentially, these local privilege escalation flaws take advantage of Zoom’s software architecture designs. These exploits can be launched by a local attacker, in which the adversary is someone who already has physical control of a vulnerable computer.
Once the bugs are exploited, attackers can gain and sustain persistent access to various functions of a victim’s computer, which allows them to install ransomware, Trojans, spyware and numerous other types of malicious code into targeted systems for nefarious purposes.
How the attack happens:
One way this attack can happen is through the Zoom installer designed to install the Zoom MacOS app without any user interaction. In this scenario, a local adversary with low-level user privileges can inject the Zoom installer with malware to obtain highest, root-level privileges that allow them to access the underlying Mac operating system, making it easier to run malware or spyware without the consent or knowledge of the user.
Another bug exploits a flaw in zoom’s local library validation function. An attacker can load a malicious third-party library into Zoom’s process/address space, which automatically inherits all Zoom’s access rights, and gain control over camera and microphone permissions without the user’s knowledge or consent.
Where the attack comes from:
What makes this particular vulnerability unique is that an attacker needs physical access to a victim’s computer in order to exploit its multiple flaws. So this attack either comes from the inside, or from hackers who have gained access to a lost or stolen laptop or computer system. Another attack scenario includes a post-malware infection that could be perpetrated by a remote adversary, but with pre-existing access to the targeted system, likely via a prior malware exploit.
What Is System Misconfiguration?
A little mistake can have drastic consequences. Nissan North America found that out after the source code of mobile apps and internal tools was leaked online due to a system misconfiguration. The mishap was sourced to a Git server that was left exposed on the internet with a default username and password combo of an admin, who thus learned of the leak from an anonymous source. Among other things, the leak contained source code data from Nissan NA Mobile apps, client acquisition and retention tools, market research tools and data, the vehicle logistics portal and vehicle connected services.
What you need to know:
Security misconfiguration is a widespread problem that can put organizations at risk thanks to incorrectly configured security controls (or lack thereof). This can happen at almost any level of the IT and security stack, ranging from the company’s wireless network, to web and server applications, to custom code.
How the attack happens:
This type of attack usually happens because of missing patches, use of default accounts, unnecessary services, insecure default configuration and poor documentation. This could be attributed to everything from a failure to set a security header on a web server, to forgetting to disable administrative access for certain levels of employees. This attack can also happen when hackers take root in legacy applications with inherent misconfigurations due to a lack of updates.
Where the attack comes from:
Misconfiguration isn’t considered a malicious act in and of itself, but instead is mostly due to being a result of human error. However, attackers may know where to look if they suspect a lax level of configuration across a certain organization’s IT stack.
What Is Typosquatting?
Noblox.js is a wrapper for the Roblox API, a function widely used by many gamers to automate interactions with the popular Roblox gaming platform. The software also appears to be attracting a new crowd. In 2021, hackers launched typosquatting attacks via the noblox.js package by uploading confusingly similar packages laden with ransomware to a registry for open source JavaScript libraries, and then distributing the infected files via a chat service.
However, since September of 2021, gamer Josh Muir along with several others have actively been cracking down on the attackers, attempting to prevent the proliferation of ransomware through the noblox.js package and other code libraries, and thwart further attacks on the gaming community.
What you need to know:
Typosquatting is a phishing attack where attackers take advantage of commonly misspelled domain names. Often times, the guilty party isn’t actually looking to carry out an attack, but instead is holding out hope that a company, brand or person will buy the domain off them. But in other cases, thieves create malicious domains that closely resemble those of legitimate brands.
How the attack happens:
This is not a sophisticated attack. It can be as simple as a 14-year-old registering a domain and then installing malicious code on said domain. The malicious form of this attack usually involves a hacker using faux domains to mislead users into interacting with malicious infrastructure.
Even for users familiar with these risks, human error is a fact of life, and most adversaries are all too aware of this reality and will take advantage of it whenever possible like phishing with look-alike addresses, embedding fake command-and-control domains in malware, and hosting malicious content on domains that closely mimic corporate servers.
.
Where the attack comes from:
The origins of this attack are not as important as the target. This attack is usually aimed at unsophisticated internet users who won’t notice that the URL of their favorite domain is a letter or two off. And because this attack is so simple (it can be as easy as registering a domain name), it can originate from almost anywhere
What Is Watering Hole Attack?
In what became a classic watering hole attack, a Florida water and wastewater treatment facility contractor inadvertently hosted malicious code on its website, leading to the reported Oldsmar water plant hack in 2021. The cybercriminals behind the attack seemed to have a distinct audience in mind the malicious code found on the contractor’s site also appeared to target other Florida water utilities, and perhaps not surprisingly, was visited by a browser sourced to the city of Oldsmar on the same day of the hack. While the website didn’t launch exploit code, it instead injected malware that functioned as a browser enumeration and fingerprinting script designed to glean information from site visitors, including operating system, browser type, time zone and presence of camera and microphone, which it then sent to a remote database hosted on a Heroku app site that also stored the script.
What you need to know:
Like a literal watering hole, a watering hole attack is one in which the user’s computer is compromised by visiting an infected website with malware designed to infiltrate their network and steal data or financial assets.
The specific technique is essentially a zero- day attack the goal being to infect the computer system to gain access to a network for financial gain or proprietary information.
How the attack happens:
The attackers will first profile their target to determine the websites they frequently visit, and from there, will look for vulnerabilities.
By exploiting identified flaws, the attacker compromises these websites and then waits, knowing it’s only a matter of time before the user in question visits. The compromised website will, in turn, infect their network, allowing attackers to gain entry into their entire system and then move laterally to other systems.
Where the attack comes from:
While they come from all over, many of the cybercriminals behind this attack originate where organized threat groups flourish, such as Russia, Eastern Europe and China. In 2018, a country-level watering hole attack was sourced to the Chinese threat group known as “LuckyMouse” (aka Iron Tiger, “EmissaryPanda”, “APT 27” and “Threat Group 3390”), known for targeting government, energy and manufacturing sectors with numerous types of attacks, including watering hole assaults.
What Is Web Session Cookie Theft?
Almost every web application we use, from social media and streaming platforms to cloud services and financial applications, runs on authentication cookies. Though cookies make our experience on the web much more convenient, they also create a vulnerability that can be abused to great effect. In late 2019, a group of loosely connected hackers made a name for themselves by executing cookie theft malware to hijack various YouTube channels, then lure unsuspecting owners with bogus offers to broadcast cryptocurrency scams or sell the accounts to the highest bidder.
What you need to know:
When an attacker successfully steals a session cookie, they can perform any actions the original user is authorized to take. A danger for organizations is that cookies can be used to identify authenticated users in single sign-on systems, potentially giving the attacker access to all of the web applications the victim can use, like financial systems, customer records or line-of-business systems potentially containing confidential intellectual property.
How the attack happens:
After a user accesses a service and validates their identity, a cookie is stored on their machine for an extended period of time so that they don’t have to log in over and over. Malicious actors can steal web session cookies through malware, then import the cookie into a browser they control, allowing them to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email or perform actions that the victim’s account has permissions to perform.
Where the attack comes from:
Cookie theft is commonly accomplished through malware that copies the victim’s cookies and sends them directly to the attacker. The malware can land on the victim’s machine in any number of ways covered in this book, like phishing, macro viruses, cross-site scripting and more. Many hackers engaging in cookie theft belong to larger networks based in Russia and China. The actors behind the YouTube attack, for example, were found to have been part of a group of hackers connected via a Russian-speaking forum.
What Is Wire Attack?
While the SWIFT network has experienced fewer attacks since its infamous 2016 bank heist, cybercriminals are readily using wire transfers in new and creative ways to launch malicious, if not lucrative and creative cyber assaults. In one high-profile example in 2018, Frank Krasovec, an owner of Domino’s Pizza franchises in China, lost $450,000 when a fraudster intercepted his email and convinced his assistant to wire money to Hong Kong on two occasions. More recently in 2020, attackers targeted a bank manager in Hong Kong with a call that impersonated the voice of a director he knew via AI voice cloning technology. The cybercriminal impersonating the executive claimed his company was making an acquisition and requested that $35 million in funds be wired electronically to another account. Usually initiated with a phishing attack or malware, wire transfer attacks provide the vehicle for transferring copious sums of money quickly.
What you need to know:
Wire attacks are sophisticated schemes that send fraudulent high-value payments through international wire transfer networks. Often going beyond ordinary wire fraud, attackers can target banks in emerging markets with limited cybersecurity infrastructure or operational controls or lure high-profile targets with sophisticated and believable phishing scams. These cybercrime syndicates are after one thing: money. And lots of it.
How the attack happens:
In one attack scenario, cybercriminals use sophisticated malware to bypass local security systems. From there, they gain access to a messaging network and send fraudulent messages to initiate cash transfers from accounts at larger banks. In another attack scenario, the bad actors use targeted spear phishing campaigns that appear to be authentic in order to convince stakeholders to transfer large sums of money to their coffers.
Where the attack comes from:
Highly organized international and nation- state cybercrime groups, such as APT 38 and Lazarus Group, have historically been behind wire attacks. These groups have the necessary infrastructure and resources to successfully carry out complex and multi-faceted assaults. While it’s unclear who exactly is behind these groups, some reports have indicated that they might have ties to North Korea. But hacking groups from China and Nigeria have also been found to be at the source of elaborate wire transfer attacks. A note of caution: High-value wire attacks at institutions with more robust systems likely involve the use of insiders to gain access to systems.
What Is Zero-Day Exploit?
It’s hardly surprising that the number of zero day flaws continues on an upward trajectory. But 2021 blew all other years out of the water as malicious actors exploited a total of 58 new zero day threats, compared to 25 flaws in 2020 and 21 vulnerabilities in 2019. And no doubt the stakes are getting higher as critical systems become more connected. In recent years, hackers have used zero day attack threats to compromise Microsoft servers and install advanced spyware on smartphones for espionage activities targeting journalists, politicians and human rights activists. In August 2021, for example, a zero-day vulnerability known as “PwnedPiper” was found in the pneumatic tube systems used by hospitals to transport bloodwork, test samples, and medications, which allowed attackers to exploit flaws in the control panel software, while opening the door for unauthorized and unencrypted firmware updates.
What you need to know:
A zero-day vulnerability, at its core, is a flaw. It is a weakness within a piece of software or a computer network that hackers take advantage of soon (or immediately) after it becomes available for general use the term “zero” refers to the same-day window in which these vulnerabilities are abused.
How the attack happens:
A zero-day attack happens once the vulnerability is exploited. The nature of the vulnerability will affect how the attack is implemented, but zero-day attacks follow a pattern. First, the hacker (or groups of hackers working together) scan the code base for vulnerabilities. Once they find the flaw, they create code that exploits the vulnerability. They infiltrate the system (using one or more of the methods described in this book) and infect it with their malicious code, then launch the exploit.
Where the attack comes from:
The prevalence of technology has led to explosive growth in zero-day attacks. While these attacks can ostensibly be launched from anywhere, they often are proliferated via nation-states or regions with extensive cyber underworld networks and infrastructure. Recent reports have cited that the bulk of zero day threats in 2021 were sourced to hacking groups in China.