Malware is malicious software that is designed to cause harm to a system.
A virus is malicious code that usually attaches itself to a program, file or service.
Viruses are designed to infect a system and unleash their payload.
A virus requires human interaction to be activated before it can start working and infecting the system.
Microsoft Office allows users to create macros in their document files, which lets a user add functionality to an Office document.
A macro virus attaches itself to these Office documents and executes when an unaware user opens an infected Office file.
A boot sector virus is designed to infect the boot sector of the victim's hard disk drive.
If the boot sector is infected, then when the system boots up the virus has the potential to compromise all aspects of the victim's system, including its software and hardware components.
Hackers commonly send phishing emails with attachments.
These attachments may be infected files designed to compromise an unaware user.
A polymorphic virus is designed to constantly change its state and code to evade threat detection systems.
Although the virus changes its code, its function remains the same.
Worms are a type of malware that is self-propagating, meaning it can spread on its own.
Worms do not require any human interaction; they can function and operate on their own.
Worms are designed to affect the usability of a system by exhausting its computing resources.
A fileless virus does not exist as a file and does not have a virus signature.
It is designed to run in memory on a victim's system.
Traditional antivirus applications may not be able to detect this type of threat on a system.
A rootkit is a type of malware designed to gain privileged access on a compromised system.
A rootkit is very difficult for anti-malware applications to detect, since a rootkit sits at the kernel level of the operating system.
A keylogger is an application that captures all input from a victim's keyboard.
Hackers use keyloggers to capture sensitive information typed by the victim.
Keyloggers can be either software- or hardware-based.
A trojan is a type of malware disguised to look like a legitimate program.
A hacker creates a trojan to trick a victim into downloading and executing the malicious file.
When the trojan is executed, the malicious payload is unleashed in the background.
Trojans are usually used to create a backdoor into a victim's system.
A backdoor is usually created on a victim's system by a trojan.
The backdoor gives the hacker a way into the victim's system that bypasses the normal access controls.
A logic bomb is a type of malware that remains dormant until some type of action triggers it.
The logic bomb can be triggered by a time, a date or a user's actions on the system.
Ransomware is a type of crypto-malware designed to encrypt the data on the hard disk drive.
The ransomware encrypts all the data on the hard drive except the operating system, as it needs a way to present a payment window for the victim to pay a ransom.
Paying the ransom is never recommended, as there is no assurance that the threat actor will provide the decryption key.
When a hacker compromises a system, a robot (bot) is implanted to ensure the hacker has remote control over the system.
A group of bots, which are infected systems all controlled by the threat actor, is known as a robot network or botnet.
The threat actor does not directly control each individual bot but rather sets up a Command and Control (C2) server on the internet, which is used to interact with the entire botnet.
A remote access trojan (RAT) is a type of trojan which allows the threat actor to remotely control the compromised system.
Spyware is a type of malware designed to infect a system, monitor the victim's activities and report them back to the threat actor.
A potentially unwanted program (PUP) is any unwanted software or application that is installed on your system.
Sometimes when installing an application, additional third-party applications are installed on the user's system as well.
The Domain Name System (DNS) is used to resolve a hostname to an IP address.
When a user attempts to connect to a system by its Fully Qualified Domain Name (FQDN), the user's system queries its DNS server for a record containing the IP address for the FQDN.
The DNS server responds to the client with the IP address of the FQDN.
The client then uses the IP address to connect to the remote server.
If the DNS server does not know the IP address for a DNS query, it will query a root DNS server for the domain.
In a DNS poisoning attack, the attacker sends a fake DNS response that maps an FQDN to a fake IP address.
The fake DNS response is cached on the DNS server; when any user then queries the DNS server for that FQDN, the DNS server provides the fake IP address.
This type of attack causes the user to be directed to a different website.
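The checks a caching resolver applies before a reply may enter its cache, written here as an added example (not part of the original notes): a reply is accepted only if it matches an outstanding query's transaction ID, source port and question name, and only records for the name actually asked about are cached. The query/response shapes, ports and IP addresses are constructed, and the real in-bailiwick rule (records must belong to the zone of the server queried) is simplified to an exact-name match.

```python
from dataclasses import dataclass

@dataclass
class Query:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # ephemeral UDP source port the query left from
    qname: str

@dataclass
class Response:
    txid: int
    dst_port: int
    qname: str
    answers: dict    # name -> ip (constructed; a real reply carries RRs)

class ResolverCache:
    """Checks a caching resolver applies before a reply may enter its cache."""
    def __init__(self):
        self.pending = {}   # (txid, src_port) -> outstanding Query
        self.cache = {}     # name -> ip

    def send(self, q):
        self.pending[(q.txid, q.src_port)] = q

    def receive(self, r):
        q = self.pending.get((r.txid, r.dst_port))
        if q is None or q.qname != r.qname:
            return "rejected", []        # unsolicited, late or mismatched reply
        # Keep only records for the name actually asked about; records for
        # unrelated names riding along in a reply must not enter the cache.
        accepted = {n: ip for n, ip in r.answers.items() if n == q.qname}
        self.cache.update(accepted)
        del self.pending[(r.txid, r.dst_port)]   # first matching reply wins
        return "accepted", sorted(accepted)

def demo():
    """Constructed exchange: a forged reply, the genuine one, then a late forgery."""
    rc = ResolverCache()
    rc.send(Query(0x1A2B, 40001, "www.example.com"))
    forged = {"www.example.com": "203.0.113.9"}
    results = [
        rc.receive(Response(0x0000, 40001, "www.example.com", forged)),   # txid does not match
        rc.receive(Response(0x1A2B, 40001, "www.example.com",
                            {"www.example.com": "198.51.100.4",
                             "mail.example.com": "203.0.113.9"})),  # genuine, with a stray record
        rc.receive(Response(0x1A2B, 40001, "www.example.com", forged)),   # right txid, but too late
    ]
    return results, dict(rc.cache)
```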
In a DNS hijacking attack, the attacker is able to change the DNS server settings on the victim's system.
This causes the victim's system to send its queries to a malicious DNS server which contains bogus DNS records.
As a result, the victim's system is redirected to fake and malicious websites.
Keep in mind that in this type of attack the DNS server itself is the malicious component.
In a domain hijacking attack, the threat actor takes ownership of a legitimate domain and modifies the IP address associated with the domain name.
The attacker is also able to move the compromised domain to a registrar preferred by the threat actor.
Layer 2 attacks are various types of attacks which affect the Data Link layer of the OSI reference model and the TCP/IP protocol suite.
These types of attacks usually occur on an internal network, as the attacker attempts to exploit vulnerabilities within Layer 2 protocols.
At Layer 2, devices exchange frames using source and destination MAC addresses.
On a local area network (LAN), devices use MAC addresses to communicate with each other.
If a sending device knows the destination IP address but not the destination MAC address, it broadcasts an ARP Request on the LAN asking which device has the MAC address for the destination IP address.
Put simply, the Address Resolution Protocol (ARP) is used to resolve an IP address to a MAC address so that devices on a local network can communicate.
In an ARP poisoning attack, an attacker on the local network sends gratuitous ARP messages containing bogus IP-to-MAC address mappings.
When a victim device receives the gratuitous ARP message, it processes the message and updates its local ARP cache.
This causes the victim device to forward messages to a different host rather than to the legitimate destination device.
An attacker can use this technique to cause both the victim device and the default gateway to send their traffic to the attacker's machine, creating a Man-in-the-Middle (MiTM) attack.
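Detection logic for the cache-poisoning scenario above, added here as an example (not code from the original notes): it walks a constructed sequence of IP/MAC pairs learned from ARP replies and flags any IP whose MAC binding changes, plus any single MAC that answers for several IPs, which is what a host posing as both the gateway and the victim looks like. Addresses are constructed, and the optional trusted table is assumed to come from something like a DHCP lease list.

```python
from collections import defaultdict

# Constructed sample of (ip, mac) pairs learned from ARP replies on a LAN, in
# arrival order. The gateway 192.168.1.1 is first seen at aa:...:01; later a
# host at bb:...:20 re-announces both the gateway's and a victim's IP address.
ARP_REPLIES = [
    ("192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    ("192.168.1.10", "aa:aa:aa:aa:aa:10"),
    ("192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ("192.168.1.1",  "bb:bb:bb:bb:bb:20"),   # gateway IP re-announced
    ("192.168.1.10", "bb:bb:bb:bb:bb:20"),   # victim IP re-announced
]

def detect_arp_poisoning(replies, trusted=None):
    """Return (binding_changes, multi_ip_macs).

    binding_changes: list of (ip, previous_mac, new_mac) for every IP whose
        announced MAC differs from the trusted (or first-seen) binding.
    multi_ip_macs:   {mac: sorted ips} for any MAC answering for more than one
        IP address.
    `trusted` is an optional ip -> mac table (e.g. DHCP leases); learning the
    first-seen binding instead is weaker, since the attacker may already be
    announcing when monitoring starts.
    """
    bindings = dict(trusted or {})
    ips_per_mac = defaultdict(set)
    changes = []
    for ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac               # learn, never overwrite
        elif known != mac:
            changes.append((ip, known, mac))
        ips_per_mac[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in ips_per_mac.items() if len(ips) > 1}
    return changes, multi

if __name__ == "__main__":
    changes, multi = detect_arp_poisoning(ARP_REPLIES)
    for ip, old, new in changes:
        print(f"ALERT binding change for {ip}: {old} -> {new}")
    for mac, ips in multi.items():
        print(f"ALERT {mac} answers for {ips}")
```

Legitimate binding changes do happen (DHCP reassignment, a replaced NIC), so these alerts are a trigger for investigation rather than proof of an attack.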
In a MAC flooding attack, the attacker attempts to flood the switch with a large number of bogus frames containing unique source MAC addresses.
Since each switch has a limited amount of memory for storing MAC addresses, a MAC flooding attack attempts to overflow the switch's MAC address table.
Once the table is full, if frames with further unique source MAC addresses keep arriving, the switch operates in a fail-open state.
In a fail-open state, any inbound frame is forwarded out of all other ports on the same switch.
An attacker can then capture the frames being flooded out of the switch to look for sensitive data.
In a MAC cloning attack, the attacker changes (spoofs) the MAC address of their network interface card (NIC) to match that of another device.
This type of attack allows a threat actor to pretend to be another machine on the network.
A denial of service (DoS) attack is designed to interrupt the availability of a system, network, resource or facility.
In a DoS attack, the attack is launched from a single geographic location against a target system.
Security engineers can simply block the attack because it originates from a single location (IP address).
In a distributed denial of service (DDoS) attack, the attack originates from multiple geographic locations while attacking a single target.
This is an amplified version of a DoS, and a DDoS attack is more difficult to stop.
In a reflected DDoS attack, the threat actor spoofs the target's IP address.
The threat actor then uses the spoofed source IP address to flood messages to a public server.
When the public server receives the messages from the threat actor, it responds to the spoofed IP address, which belongs to the actual target.
Therefore, the target receives the flood of messages from the unaware public server.
In an amplified DDoS attack, the threat actor may use a botnet to flood unsolicited messages to multiple public servers, using the spoofed IP address of the target as the source IP address.
This attack is a combination of a reflected and an amplified DDoS.
In this type of attack, more than one system works together to create a DDoS attack against a target.
Multiple threat actors may be controlling the systems that perform the attack.
A MiTM attack is where the attacker sits in between network traffic looking for any sort of confidential data passing along the network.
The attacker intercepts the traffic between a victim device and its destination.
The attacker uses this type of attack to gather sensitive information being sent along the network.
In this type of attack, the threat actor attempts to inject malicious payloads from a victim's web browser into a web application.
The attacker can steal session information and session cookie data, and even exploit a vulnerability in the web application.
Many organizations have a wireless network which allows users to connect their wireless-enabled devices and access the resources on the wired network.
Threat actors can perform various types of wireless attacks to gain unauthorized access and even gather information about the network traffic.
In a rogue access point attack, the attacker creates a fake access point.
This tricks users into connecting to the rogue access point, where the attacker can intercept and redirect their traffic.
In an evil twin attack, the threat actor creates a fake access point which has the same Service Set Identifier (SSID) as the target network.
This tricks employees into connecting to the evil twin access point, where the attacker is able to intercept the traffic, gather sensitive information and redirect the traffic.
In a disassociation attack, the threat actor sends specially crafted IEEE 802.11 messages to the target access point which force the associated clients to disassociate from the access point.
This is a type of denial of service (DoS) attack, and a threat actor may use it to force clients to associate to an evil twin access point instead.
An initialization vector (IV) is a random value generated by the system to encrypt IEEE 802.11 messages on a wireless network.
The IV (random value) is combined with the secret key (constant value) to add a layer of security during the data encryption process.
Without the IV, encrypting data with the secret key alone allows attackers to observe similarities in the output (ciphertext) and therefore perform reversing techniques to determine the secret key.
An IV attack is usually successful on wireless networks which use the Wired Equivalent Privacy (WEP) security standard, as WEP uses only a 24-bit IV.
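To make the two points above concrete, an added example (not part of the original notes): a toy keystream cipher shows that when two frames are encrypted under the same key without a distinct IV the relation between their plaintexts shows through the ciphertexts, and a birthday-bound estimate shows how few frames a 24-bit IV space lasts before some IV repeats. The cipher is a constructed stand-in built from SHA-256, not WEP's RC4, and the key and frame contents are placeholders.

```python
import hashlib
import math

KEY = b"constructed-demo-key"   # placeholder shared secret, not a real key

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || iv || counter) blocks. It stands in for a
    stream cipher such as WEP's RC4 only to show the role of the IV; it is
    not WEP and not a cipher to use for anything."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Stream cipher: ciphertext = plaintext XOR keystream(key, iv)
    return xor(plaintext, keystream(key, iv, len(plaintext)))

def plaintext_relation_visible(key, iv1, iv2, p1, p2) -> bool:
    """True when c1 XOR c2 == p1 XOR p2, i.e. the keystream cancelled out.
    With the same (key, IV) for both frames the keystream repeats and the
    relation between the plaintexts is exposed; with distinct IVs it is not."""
    c1, c2 = encrypt(key, iv1, p1), encrypt(key, iv2, p2)
    return xor(c1, c2) == xor(p1, p2)

def frames_until_iv_repeat(iv_bits: int, probability: float = 0.5) -> float:
    """Birthday-bound estimate of how many frames, each with a uniformly
    random IV of iv_bits bits, are sent before some IV repeats with the
    given probability: n ~= sqrt(2 * 2**bits * ln(1 / (1 - p)))."""
    space = 2 ** iv_bits
    return math.sqrt(2 * space * math.log(1 / (1 - probability)))

if __name__ == "__main__":
    f1, f2 = b"frame one: GET /index.html", b"frame two: GET /login.html"
    print("same key, no IV, relation visible:",
          plaintext_relation_visible(KEY, b"", b"", f1, f2))
    print("same key, distinct IVs, relation visible:",
          plaintext_relation_visible(KEY, b"\x00\x00\x01", b"\x00\x00\x02", f1, f2))
    print("24-bit IV: 50% chance of a repeat after about",
          round(frames_until_iv_repeat(24)), "frames")
```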
Radio Frequency Identification (RFID) is used on badges to access areas of a compound.
RFID is used on anything that needs tracking.
RFID badges don't have a power source; an RFID reader powers the card when the card is placed very near the reader.
Attackers can read the data on an RFID tag and create signal jamming.
Near Field Communication (NFC) allows two devices to exchange data within very close proximity.
NFC is used to establish a Bluetooth connection automatically.
An attacker can capture the signal by eavesdropping.
An attacker can also capture the signal from a victim's device and relay it to an NFC reader.
In a wireless jamming attack, an attacker creates a wireless signal which operates on the same frequency as the target wireless device.
When two or more signals on the same frequency operate within the same proximity, one signal creates interference for the other.
In a bluesnarfing attack, the attacker attempts to intercept the messages being sent between a sender and a receiver device.
In a bluejacking attack, the attacker sends unsolicited messages to a Bluetooth-enabled device.
Threat actors perform various password attacks against the authentication system of a device.
The intent is to retrieve a valid user credential to gain unauthorized access.
Password guessing may work, but it is very time consuming.
In a brute force attack, every possible combination is tried against the system.
This is a very time-consuming process, as every possible combination is used until the password is retrieved.
In a dictionary attack, a large wordlist is checked against the target system.
Each word from the wordlist is tested; however, the attack will not be successful if the password does not exist within the wordlist.
A rainbow table is a very large table containing pre-computed hashes of passwords for a target system.
The pre-computed hashes help hackers reduce the time needed to retrieve the password of a system.
A single rainbow table can be the size of an entire hard drive.
Password spraying is a technique of trying a single password against multiple user accounts.
This technique allows a hacker to determine whether a single password is commonly used by multiple users on a network.
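The two patterns above look different in authentication logs, and the added example below (not part of the original notes) tells them apart: a brute force attack piles many failures onto one account from one source, while password spraying spreads a few failures across many accounts from one source, staying under per-account lockout thresholds. The log format, addresses, usernames and thresholds are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed authentication log (syslog-like; not from any real system).
# One source tries one password against ten different accounts (spraying),
# another hammers a single account (brute force), and one user just mistypes.
AUTH_LOG = "".join(
    f"2024-01-01T10:00:{i:02d} auth: FAILED user={u} src=203.0.113.5\n"
    for i, u in enumerate("alice bob carol dave erin frank grace heidi ivan judy".split())
) + "".join(
    f"2024-01-01T10:01:{i:02d} auth: FAILED user=admin src=198.51.100.7\n"
    for i in range(12)
) + (
    "2024-01-01T10:02:00 auth: FAILED user=alice src=192.0.2.9\n"
    "2024-01-01T10:02:05 auth: OK user=alice src=192.0.2.9\n"
)

LINE = re.compile(r"auth: (FAILED|OK) user=(\S+) src=(\S+)")

def classify_failures(log_text, spray_min_users=5, spray_max_per_user=2,
                      brute_min_attempts=10):
    """Return (spraying_sources, brute_forced_pairs) from failed logins.

    Spraying: one source fails against many distinct accounts with only a
    few attempts each (deliberately below typical lockout thresholds).
    Brute force: one (source, account) pair accumulates many failures.
    The thresholds are tunable assumptions, not standards.
    """
    per_pair = Counter()                    # (src, user) -> failures
    users_per_src = defaultdict(Counter)    # src -> {user: failures}
    for m in LINE.finditer(log_text):
        status, user, src = m.groups()
        if status == "FAILED":
            per_pair[(src, user)] += 1
            users_per_src[src][user] += 1
    spraying = sorted(
        src for src, users in users_per_src.items()
        if len(users) >= spray_min_users
        and max(users.values()) <= spray_max_per_user
    )
    brute = sorted(pair for pair, n in per_pair.items() if n >= brute_min_attempts)
    return spraying, brute
```

Because spraying produces only one or two failures per account, a per-account lockout rule alone never fires on it; the per-source view across accounts is what catches it.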