A cyber attack is an attempt to harm computers, computing systems, or networks without authorization. The purpose of a cyber attack is to disable, disrupt, destroy, or control computing systems, or to change, block, delete, manipulate, or steal the data inside them. Cyber attacks range from installing malware on a personal computer to matters of national security. There are two broad classes of attack: active attacks and passive attacks. The differences between them are summarized below:
| | Active Attack | Passive Attack |
|---|---|---|
| Dangerous for | Integrity and Availability | Confidentiality |
| Types | Modification of messages; Denial of Service | Types of passive attacks are: |
People who carry out cyber attacks are called cybercriminals, and they have different motives. For example, they may steal data or money for financial gain, take revenge on a current or former employer, draw attention to themselves for social or political purposes, conduct espionage, or gain an unfair advantage over competitors. Some attack simply for the challenge. Every year millions of devices are affected by cyber attacks. Because the use of computer systems grows day by day, cyber attacks grow exponentially as well. For example, during COVID-19, cybercrime increased by 600%.
Today we are going to talk about what a cyber attack is. Our first topic is the most common types of cyber attacks. Next, we will talk about the worst cyber attacks in history, and finally, we will be talking about the prevention of cyber attacks. Let's start!
This image visualizes the common cyber attack types which are described in this blog post.
Phishing is one of the oldest methods of stealing user data, such as login passwords and credit card details, through email, and it is still a problem for businesses of all sizes. It happens when an attacker poses as a trustworthy entity and tricks a victim into opening an email, in order to manipulate them into actions such as installing a malicious file, clicking a malicious link, or sharing critical information like access credentials. Phishing is also the most common form of social engineering.
- Email Phishing: Most phishing attacks are sent via email. Attackers usually register fake domain names that resemble legitimate companies and send hundreds of near-identical messages to potential victims.
- Spear Phishing: This phishing attack type is also sent via email. It is designed to target specific persons or groups in order to get personal information or infect their devices with malware.
- Whaling: A form of spear phishing that targets high-profile, well-known, and wealthy individuals: CEOs, top-level executives, even celebrities.
- Vishing: This variant aims to steal personal information over the phone rather than by email.
- Smishing: Here fraudsters use mobile phone text messages for the same purposes.
- Angler Phishing: This one is a new type of phishing attack that targets social media users. Attackers use social media to impersonate a customer service agent in order to get access to a client's personal information or account credentials.
A brute-force attack is a password cracking technique used by cybercriminals to find out account credentials, especially passwords. The attacker often has a dictionary of common keywords and passwords with which to "guess" a user's password. The attacker tries usernames and passwords until the correct login information is found, usually using a tool that works through a wide range of combinations automatically.
- Simple Brute Force Attacks: The attacker guesses a user's password by trying a series of values, often built from known information about the user gathered online or through a social engineering attack.
- Dictionary Attacks: A dictionary attack is a type of brute force attack in which the attacker chooses a target and then tries a list of likely passwords against the user's account.
- Hybrid Brute Force Attacks: When a hacker combines a dictionary attack technique with a simple brute force attack, it's called a hybrid brute force attack. It starts with a hacker knowing a username, followed by a dictionary attack and brute force methods to find an account login combination.
- Reverse Brute Force Attack: Reverse brute force attacks use a common group of passwords or an individual password against a list of potential usernames rather than a single username.
- Credential Stuffing: Users often reuse passwords across multiple websites. When an attacker gets access to a user's password on one site, the attacker will attempt the same passwords on other sites.
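The patterns above leave distinct traces in authentication logs: a classic brute force is many failures against one account from one source, while reverse brute force and credential stuffing show one source touching many different accounts. The following detection logic is an added example, not code from the original post; the log lines are constructed in a format loosely modelled on an SSH auth log, the IP addresses are documentation ranges, and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Matches the "Failed password for <user> from <ip>" shape, with or without
# the "invalid user" prefix that appears for unknown accounts.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample log (not from the original post). Three sources:
# one hammering a single account, one touching many accounts once each,
# and one ordinary user who mistyped a password and then logged in.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[100]: Failed password for alice from 203.0.113.5 port 5001 ssh2
Jan 10 10:00:02 host sshd[101]: Failed password for alice from 203.0.113.5 port 5002 ssh2
Jan 10 10:00:03 host sshd[102]: Failed password for alice from 203.0.113.5 port 5003 ssh2
Jan 10 10:00:04 host sshd[103]: Failed password for alice from 203.0.113.5 port 5004 ssh2
Jan 10 10:00:05 host sshd[104]: Failed password for alice from 203.0.113.5 port 5005 ssh2
Jan 10 10:00:06 host sshd[105]: Failed password for alice from 203.0.113.5 port 5006 ssh2
Jan 10 10:01:01 host sshd[110]: Failed password for invalid user admin from 198.51.100.7 port 6001 ssh2
Jan 10 10:01:02 host sshd[111]: Failed password for bob from 198.51.100.7 port 6002 ssh2
Jan 10 10:01:03 host sshd[112]: Failed password for carol from 198.51.100.7 port 6003 ssh2
Jan 10 10:01:04 host sshd[113]: Failed password for dave from 198.51.100.7 port 6004 ssh2
Jan 10 10:01:05 host sshd[114]: Failed password for invalid user test from 198.51.100.7 port 6005 ssh2
Jan 10 10:02:00 host sshd[120]: Failed password for bob from 192.0.2.9 port 7001 ssh2
Jan 10 10:02:30 host sshd[121]: Accepted password for bob from 192.0.2.9 port 7002 ssh2
"""


def parse_failures(log_text):
    """Return one (user, ip) pair per failed-login line; other lines are ignored."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            pairs.append((m.group("user"), m.group("ip")))
    return pairs


def classify_sources(log_text, max_failures=5, max_users=3):
    """Label each source IP whose failed logins exceed a threshold.

    "password_spray": failures spread over more than max_users distinct
        accounts (the reverse brute force / credential stuffing pattern).
    "brute_force": more than max_failures attempts, concentrated on few accounts.
    Sources under both thresholds (an ordinary typo) are not reported.
    The thresholds are assumed values, not figures from the original post.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    for user, ip in parse_failures(log_text):
        failures[ip] += 1
        users[ip].add(user)

    verdicts = {}
    for ip, count in failures.items():
        if len(users[ip]) > max_users:
            verdicts[ip] = "password_spray"
        elif count > max_failures:
            verdicts[ip] = "brute_force"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

A real deployment would add a time window (attempts per minute rather than per file) and feed the verdicts into an alert or a temporary block, but the two aggregates shown, failures per source and distinct accounts per source, are what separate the attack classes described above.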
A denial-of-service (DoS) attack tries to disrupt a network or resource by overloading it with fake traffic, preventing users from accessing the targeted service.
- Distributed denial-of-service (DDoS): DoS attacks used to be limited to a single system attacking another. While a DoS attack today may still be carried out that way, most modern DoS attacks involve a large number of systems under the attacker's control, all directed at the victim at the same time.
- Network-targeted denial-of-service: The hacker will try to consume all available network bandwidth so that normal traffic to and from the targeted computers is blocked.
- System-targeted denial-of-service: Depletion of resources is a popular attack vector in which the attacker purposefully consumes limited system resources (e.g. memory, CPU) in order to disrupt the target's normal operations.
A SQL injection (SQLi) attack uses malicious input that is interpreted as part of a SQL query to exploit application vulnerabilities.
- In-band SQLi: When an attacker can initiate an attack and gather results using the same communication channel, this is called In-band SQL Injection.
- Out-of-band SQLi: Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.
- Inferential (Blind) SQLi: When the attacker cannot view the results of the SQLi attack because the web application does not return the data, it is called Inferential SQLi. Instead, the attacker sends queries and reconstructs the database's structure by analyzing the web application's responses and the database's behavior.
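All three variants start from the same defect: untrusted input is concatenated into the SQL text, so the input can change the query's structure. The example below is added here and is not code from the original post; it builds a constructed in-memory SQLite table and places the vulnerable login query beside the parameterized version, so the difference in behavior on the same input is visible.

```python
import sqlite3

# Constructed sample data (not from the original post).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory users table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The broken pattern: input is pasted into the SQL text with string
    formatting, so a quote in the input ends the literal and the rest of
    the input becomes SQL. Returns the usernames the query matched."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """The fix: the query structure is fixed at write time and the driver
    passes the input as data. The same input that breaks the version above
    is simply compared as a (non-matching) string here."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # the textbook tautology input
    print("vulnerable:", login_vulnerable(db, tampered, tampered))
    print("parameterized:", login_parameterized(db, tampered, tampered))
```

With the tautology input the vulnerable query's WHERE clause becomes always true and returns every user, which is the "In-band" case (results come back over the same channel). The parameterized version returns nothing, because the input never becomes SQL. The same placeholder discipline is the fix for the out-of-band and blind variants too; they differ only in how the attacker observes the result, not in the underlying bug.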
Cross-site scripting (XSS) is an exploit in which an attacker embeds script in a website that runs in the victim's browser when they visit it. Malicious code can be injected in a variety of ways.
- Reflected XSS: The malicious script comes from the current HTTP request.
- Stored XSS: The malicious script comes from the website's database.
- DOM-based XSS: The vulnerability exists in client-side code rather than server-side code.
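For the reflected and stored cases the server-side fix is the same: encode untrusted data for the HTML context it is written into before echoing it. The following is an added example, not code from the original post; it uses Python's standard `html.escape` and a constructed in-memory comment store, and the templating is deliberately plain string formatting so the encoding step is visible.

```python
import html


def render_search_vulnerable(query):
    """Reflected XSS pattern: the request parameter is echoed into the page
    as-is, so any markup in it becomes part of the page."""
    return "<p>Results for: %s</p>" % query


def render_search_safe(query):
    """Encode for the HTML body context: <, >, & and both quote characters
    become entities, so the browser renders them as text, not markup."""
    return "<p>Results for: %s</p>" % html.escape(query, quote=True)


def render_attribute_safe(value):
    """Attribute context: always quote the attribute AND escape quotes, so a
    value cannot close the attribute and start a new one (e.g. an on* handler)."""
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


def store_comment(comments, text):
    """Stored XSS differs only in timing: store the raw text, encode on output.
    Encoding on input is fragile (the same text may later be shown in another
    context), so the store keeps what the user typed. `comments` is a
    constructed in-memory list standing in for a database table."""
    comments.append(text)
    return len(comments)


def render_comments(comments):
    """Encode every stored comment at render time."""
    items = "".join("<li>%s</li>" % html.escape(c, quote=True) for c in comments)
    return "<ul>%s</ul>" % items


if __name__ == "__main__":
    probe = "<script>console.log('x')</script>"  # constructed test input
    print(render_search_vulnerable(probe))
    print(render_search_safe(probe))
    print(render_attribute_safe('" onfocus="x'))
    db = []
    store_comment(db, probe)
    print(render_comments(db))
```

DOM-based XSS is not addressed by any of this, because the untrusted data never reaches the server; that case is fixed in the client-side code by writing data with `textContent` rather than `innerHTML` or by using the browser's own encoding APIs.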
RCE vulnerabilities allow an attacker to execute arbitrary code on a vulnerable remote device.
- Injection Attacks: The attacker supplies crafted input intended to be processed as part of a command. This can be used to alter the commands that are executed on the vulnerable machine.
- Deserialization Attacks: Serialization is a technique for packing multiple pieces of data into a single string so it can be stored or transmitted more easily. A deserialization routine may treat attacker-prepared input embedded in the serialized data as code and execute it.
- Out-of-Bounds Write: Applications routinely allocate fixed-size memory buffers to hold data, including user-provided data. If the bounds of that allocation are not enforced, an attacker can craft input that writes beyond the allocated buffer. Because executable code is also kept in memory, the application may end up executing user-provided data if the attacker shapes the input correctly.
The Apache Log4j vulnerability, also known as Log4Shell (CVE-2021-4428), is a critical vulnerability that abuses a core feature of Apache Log4j2 (lookups performed while formatting log messages) and allows unauthenticated remote code execution.
The vulnerability allows an attacker to:
- Access all data or the entire network through the affected device or application
- Run code
- Access files
In the United States, authorities rated the exploit "critical" and advised vendors to prioritize software updates. Germany placed it at its highest threat level, calling it an "extremely critical threat situation". Canada called on organizations to take immediate action.
The vulnerability could be mitigated by disabling the feature that caused it through a configuration setting; that setting was removed in Log4j version 2.15.0-rc1 (officially released on December 6, 2021, three days before the vulnerability was published) and replaced by various settings restricting remote lookups. Starting with version 2.16.0, all JNDI-based features are disabled by default and support for message lookups is removed.
SUNBURST is a supply chain attack that uses a backdoor inserted into a supplier's product to indirectly target and compromise businesses all over the world. The attackers successfully hid a Trojan in a software update of the SolarWinds Orion software, and this update was pushed to about 33,000 public and private clients. Federal government organizations were among them.
The attack was discovered in December 2020, eight months after the first breach. It affected US government agencies, technology firms, and countries including Canada, Belgium, the United Kingdom, and Israel.
The SUNBURST attack flow was as follows:
- Initial penetration
- Evading detection
- C2 (command and control)
- Lateral movement
The attackers showed great secrecy and patience: instead of acting rashly, they moved forward by prioritizing operational security. This is what made the attack unique. The full scope and impact of the event are still to be determined, but it could yet cause significant disruption to the software development and cybersecurity industries.
WannaCry is a ransomware cryptoworm that encrypts (locks) data on computers running the Microsoft Windows operating system and requests ransom payments in Bitcoin cryptocurrency. WannaCrypt, Wana Decrypt0r 2.0, WanaCrypt0r 2.0, and Wanna Decryptor are all names for the worm.
According to Europol, the ransomware campaign was unprecedented in scope, with an estimated 200,000 computers infected across 150 countries. Russia, Ukraine, India, and Taiwan were the four countries most affected, according to Kaspersky Lab.
Economic losses from the cyber attack could reach up to $4 billion, according to cyber-risk modeling firm Cyence, with other groups estimating losses in the hundreds of millions.
WannaCry spreads by jumping from corporate networks to other Windows systems. Computer users do not have to click on a link or open an infected file, unlike in phishing attacks. WannaCry simply searches for other vulnerable systems to penetrate (in some versions, stolen credentials are used), then copies and executes the program over and over. As a result, a single vulnerable computer on a corporate network can put the entire company at risk.
Cybersecurity steps to prevent a WannaCry ransomware attack:
- Install the latest software
- Perform backups
- Cybersecurity awareness training
There are various ways to protect ourselves from cyber attacks. Individuals should take personal precautions, and companies can additionally use management tools to protect their end devices.
Some of the most common and useful recommendations to prevent cyber attacks for individuals are:
- Use a strong password: If your password is too short, or contains dictionary words, then it can be easily cracked through guessing or brute force. The easiest way to make a strong password is by making it at least 12 characters. Alternatively, use a password generator to create a long, strong random password.
- Don't reuse passwords: If someone reuses a password, and that password leaks on another site, then a criminal could easily gain unauthorized access to their other accounts. This is usually done through large-scale automated login requests, and it is called Credential Stuffing. This is common, but it's simply avoidable by using different passwords for online accounts.
- Use a secure password manager: For most people it is near-impossible to remember hundreds of strong and unique passwords. A password manager is an application that generates, stores, and auto-fills your login credentials for you. All your passwords are encrypted under one master password, so you need to choose a strong one and remember only that. PurpleBox's recommended password manager is 1Password, developed by AgileBits Inc. It gives users a place to store passwords, software licenses, and other sensitive information in a virtual vault that is locked with a master password.
- Enable multi-factor authentication: With MFA you must provide both your password and a second authentication factor of your choice to log in. This means that if anyone obtains your password through an attack, they still cannot log into your account without your MFA device or account. You can install an authenticator app on your phone or enable MFA through email or phone. The next time you log in on a new device, you will be prompted for the code from that second factor.
- Ensure websites you visit are legitimate: When using online resources, double-check if the URL is correct. When visiting new websites, look for common signs that could show if the website is unsafe: Browser warnings, redirects, on-site spam, and pop-ups. Also, check for HTTPS. If you enter information on a non-HTTPS website, it travels the Internet unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website.
- Watch out for browser malware: Your system or browser can be compromised by various malicious parties, such as spyware, miners, browser hijackers, malicious redirects, and adware. You can usually stay protected by ignoring pop-ups, being careful about what you're clicking, and not proceeding to a website when your browser warns that it may be malicious. Common signs of browser malware are: a modified default search engine or homepage, unfamiliar toolbars, extensions, or icons, significantly more ads, errors, and pages loading much slower than usual.
- Only install apps from trusted sources: Applications on the Apple App Store and Google Play Store are scanned and cryptographically signed, making them less likely to be malicious. Avoid downloading files from unverified sources unless you are sure they are safe. Also check the reviews and the app information before downloading.
- Keep your system up to date: New vulnerabilities are constantly being discovered. System updates contain fixes and patches for these new issues that usually enhance performance, and sometimes add new features. You should install new updates when prompted to avoid your system being exploited.
- Be cautious about USB devices: Think before inserting a USB device into your PC, as there are many threats that come in the form of a USB device. For example, a USB Killer can destroy your computer by rapidly charging and discharging capacitors. A Bad USB will act as a keyboard, and once plugged in, it will proceed to rapidly type commands, often with severe consequences. There are remote access tools that give a hacker full remote access to your PC, even after the device has been removed. And of course, there are traditional USB drives that contain malware that infect your device once inserted. To prevent being subject to such attacks, avoid plugging in devices from unknown sources.
- Use Virtual Cards when paying online: There are risks involved in entering your card details on any website. Credit cards offer better consumer protection than debit or bank cards, but they do not prevent websites from collecting and sometimes selling your transaction history. A better option is to pay with a virtual, one-time card. Virtual card numbers let you pay for items without revealing your banking details, so even if those numbers are compromised, an attacker cannot reuse them. You can also set spending limits or create single-use cards so that you cannot be charged more than the amount you specified.
Sophos: Sophos is a good, low-cost antivirus. It has near-perfect malware detection rates, all the basic features most users need to keep their devices secure, and a couple of useful extras. Sophos Endpoint Protection makes it simple to secure Windows, Mac, and Linux systems against malware and other endpoint threats. Sophos combines proven technology such as malicious traffic detection with real-time threat intelligence to help you prevent and detect threats with ease. Web, application, and peripheral access policies can be applied to registered users.
Sophos Anti-Virus detects and cleans up viruses, Trojans, worms, and spyware, as well as adware and other potentially unwanted applications. Sophos's Host Intrusion Prevention System technology can also protect your computer from suspicious files.
Datto: Datto Remote Monitoring and Management (RMM) is a fully-featured, secure, cloud-based platform that can be used to remotely secure, monitor, manage, and support endpoints to reduce costs and increase service delivery efficiency. Datto RMM consists of two separate applications: the web interface and the Agent. The Datto RMM Agent is a lightweight software program installed on a device. The Agent gathers up-to-date information about the device's health and status and communicates it to the Web Portal. Having the necessary information ready in the Web Portal, the Datto RMM administrator can use the Agent to proactively monitor the devices, deploy patches, push out policies, create alerts and tickets, execute scripts, run scheduled jobs, or even enable a remote connection to these devices.
The Agent Browser allows you to:
- Take a screenshot of the endpoint or open a remote takeover tool
- Open a command shell on the remote device or access its Service Manager, Task Manager, File Manager, Registry Editor, or Event Viewer
- Shut down or restart the remote device
- Deploy an Agent to devices on the remote network and wake up those devices
- Run quick jobs on the remote device
Qualys: Qualys is a commercial vulnerability and web application scanner. It helps businesses simplify IT security operations and lower the cost of compliance. Its integrated suite of security and compliance solutions gives organizations of all sizes a global view of their security and compliance posture.
Qualys solutions include continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaires, web application scanning, a web application firewall, and more. It can be used to proactively locate, identify, and assess vulnerabilities so that they can be prioritized and corrected before attackers target and exploit them. The Qualys Web Application Scanner (WAS) focuses on web application vulnerabilities, using the industry-standard Open Web Application Security Project (OWASP) Top 10 list to categorize the most critical risks faced by web apps, and finds these vulnerabilities in your applications.
In this blog, we have summarized what a cyber attack is and explained the most common types of cyber attacks. We talked about the worst cyber attacks in history and finally listed some recommendations to prevent cyber attacks.