
Cyber Threats: Malware


Cyber Threats

Malware
Malicious code inserted into a system to cause damage or gain unauthorized access to a
network

Adware
As you navigate the web, you notice lots of ads popping up all over the place. There are
so many popping up on your screen that it’s actually slowing down the webpage and
increasing page load times.

It’s clear this computer has adware. Adware is unwanted software designed to throw
advertisements on your screen. While not overly malicious on the surface, sometimes
adware can come bundled with other, more harmful malware. With enough adware on
your machine, this could become a real performance issue.

Your Suggestion

• You tell your client to make sure to not click on any strange links or download any
untrustworthy files.
• A trustworthy antivirus software could also help with this issue.

Virus
A virus is a malicious self-replicating application that attaches itself to other programs and
executables without the permission of the user. It’s possible a downloaded virus could
alter or delete data on the computer.

If the virus was able to access or alter data, the confidentiality and integrity of that data
are now in question.

Your Suggestion

Just like with adware, avoid suspicious links and install trustworthy antivirus software.
Immediately report suspicious emails to your IT department and never open them.

Worms
Rather than a virus, which needs to be attached to a file or application to spread, you may
have found a worm.

A worm is self-replicating code that copies itself from computer to computer without user
intervention. This worm could be just as dangerous as a virus.

The worm could also replicate so much that it overloads your client’s system. By doing
this, the worm could bring down the system and violate availability.

Your Suggestion

• Follow the previous suggestions for adware and viruses.
• Monitor the computer for any unexpected changes! Is it slower than usual? Is there
less hard drive space than expected? Have files mysteriously appeared or
disappeared? These could all be signs of worms.
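
The monitoring suggested above can be automated. The following is an added example, not part of the original course material: it takes a hashed baseline of a directory and later compares a fresh snapshot against it to flag files that appeared, disappeared, changed, or quietly consumed disk space. The file names and contents in demo() are constructed; only the Python standard library is used.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (path relative to root) to (size, sha256)."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return result


def diff_snapshots(before, after):
    """List files that appeared, disappeared or changed, plus the net size change."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
        # A positive delta is disk space quietly disappearing, one of the signs listed above.
        "bytes_delta": sum(s for s, _ in after.values()) - sum(s for s, _ in before.values()),
    }


def demo():
    """Constructed scenario in a temp directory: take a baseline, then make the
    kind of unexpected changes the text describes, and report what the comparison catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.txt").write_text("quarterly numbers\n")
        (root / "notes.txt").write_text("todo\n")
        baseline = snapshot(root)
        (root / "unexpected.bin").write_bytes(b"\x00" * 4096)   # a file that "appeared"
        (root / "notes.txt").write_text("todo\n" + "x" * 100)   # a file that changed
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Run the baseline step from a scheduled task and keep the stored snapshot somewhere the monitored machine cannot overwrite; dedicated file-integrity monitors such as AIDE and Tripwire work on the same principle at scale.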

Spyware
Spyware is malicious code downloaded without a user’s authorization which is used to
steal sensitive information and relay it to an outside party in a way that harms the original
user. If the spyware contained a keylogger, a program that can record what a victim types
into their computer, a threat actor could potentially gain access to sensitive information.
This means any sensitive data, like passwords, will soon be in the hands of a malicious
third party. While spyware usually isn’t used to alter data, it definitely violates the
principle of confidentiality. A malicious actor may have been spying on sensitive data your
client was typing.

Your Suggestion

• Noticing a trend? Be careful what you click on and install that trustworthy antivirus
already.

Trojan Horses
While similar to Spyware, the Trojan Horse, sometimes just called a “Trojan”, does more
than just monitor what’s happening on a system. Trojans are a type of contained,
non-replicating malware that disguises itself as legitimate software in order to allow
scammers and hackers access to a user’s system.

This malware snuck right onto your client’s computer while pretending to be legitimate
antivirus software!

Your Suggestion

• Be wary of disk or computer cleaners as well as unknown antivirus software. Trojan
horses often pretend to be trustworthy software in order to convince you to
download them onto your machine.

Rootkits
Scanning the device, you find that things just keep getting worse: the Trojan horse was
used to sneak a rootkit onto the system.

Rootkits are a collection of malicious programs that secretly provide continued,
privileged access to a system for an unauthorized user. A rootkit can create a backdoor
on a computer to let a hacker in. This rootkit was able to gain admin access to this
computer, and it will be incredibly hard to remove.

In this case, the Trojan Horse pretended to be trustworthy antivirus software in order
to install a rootkit. This means that a malicious third party somewhere has admin
access to this computer and its data. This is a nightmare scenario for the confidentiality
and integrity of your client’s system. While some specialized tools can remove a rootkit,
it isn’t easy.

Your Suggestion

• Back up any important data on this system and reimage it.


Ransomware
The rootkit allowed someone access to this computer. What did they do with that
access? You realize that the rootkit was used to deny the user access to files on their
system that contain lots of important company data.

If the malicious actors block access to data or threaten to publish the sensitive data
unless the client pays them money, that could be a case of ransomware. The use of
ransomware has been skyrocketing as threat actors have realized it’s safer and easier to
rob a virtual location rather than a physical one! Ransomware is one of the largest
cybersecurity threats facing industries today.

Your Suggestion

• Regularly back up important files.
• Have a procedure in place for ransom requests. It should include a step in
which the authorities are alerted.

Fileless Malware
Fileless malware is a type of malware that ‘lives off the land’ and uses legitimate tools
and the user’s operating system to perform malicious activities like privilege escalation,
data collection, and more. It’s incredibly hard to detect and almost always missed by
antivirus software.

Unlike a Trojan Horse, fileless malware is not pretending to be legitimate software; it
actually is a part of legitimate software. Fileless malware hides itself within the code of
legitimate software, often altering existing code to make it malicious.

Certain programs, like Microsoft PowerShell, are particularly prone to abuse in these attacks.
Someone could use this attack vector to gather data, use your device resources to mine
cryptocurrency, or even install other malware.

Your Suggestion

• Did you download that antivirus yet? Still avoiding those suspicious links?
• Disable command-line applications and macros not in use on the device.
• Keep your applications and system up to date for the latest security updates.
• Reboot the computer.

Review
• Malware
Malicious code inserted into a system to cause damage or gain unauthorized access
to a network.

• Adware
Unwanted software designed to throw advertisements on your screen.

• Virus
A malicious self-replicating application that attaches itself to other programs and
executables without the permission of the user.

• Worm
Self-replicating code that copies itself from computer to computer without user
intervention.

• Spyware
Malicious code downloaded without a user’s authorization which is then used to
steal sensitive information and relay it to an outside party in a way that harms the
original user.

• Trojan Horse
A type of contained, non-replicating malware that disguises itself as legitimate
software in order to allow scammers and hackers access to a user’s system.

• Rootkit
A collection of malicious programs that secretly provide continued, privileged access
to a system for an unauthorized user.

• Ransomware
Malicious code that will block a user’s access to data or threaten to publish sensitive
data until they pay money to the malicious actor.

• Fileless Malware
A type of malware that ‘lives off the land’ and uses legitimate tools and the user’s
operating system to perform malicious activities like privilege escalation, data
collection, and more. It’s incredibly hard to detect and almost always missed by
antivirus software.

Phishing
All types of phishing rely on social engineering to get a victim to take some action, but
there are different methods and targets beyond email, for example:

• Vishing
(from “voice phishing”) refers to the spam calls in which an attacker claims
to be from a victim’s bank or law enforcement and tries to extract information.
• Smishing
(from “SMS phishing”) is when an attacker attempts to do the same thing over text
message, by sending a malicious link.
• Webpages, which we’ll discuss in this article.

Phishing is also categorized by who it targets. Many phishing campaigns send out mass
spam emails to individuals and organizations, hoping to catch a victim in a wide net. But
sometimes, an attacker has a specific target in mind and sends that target a dedicated,
personalized email. This is known as spear phishing. If the target is extremely sought after,
like the CEO of a company, it is known as whaling.

Email Spoofing
Email spoofing refers to when an attacker falsifies their email headers to make it appear
as though the email is coming from someone else. Spoofing is a common component in
phishing emails, used in as many as 90% of email fraud attacks.

When you write and send an email using a programming script, you can configure the
email headers to be whatever you want, meaning that an attacker can put any email address
as the “sender”, even yours. In order to really see what is going on in an email, you can
download it and open it in a code editor.

• Detection Techniques

You can open developer tools on any button in an email to see where it is taking
you. Developer tools are a cybersecurity expert’s best friend. They can reveal many secrets
that attackers don’t want you to see.
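
A programmatic version of the header and button inspection described above, added here as an example and not taken from the original course. It parses a constructed raw message (every name, domain and address in it is made up) with Python’s standard library, compares the From domain against Return-Path and Reply-To, and checks each link’s visible URL against the host its href really points to.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): the visible From claims a bank, but
# Return-Path and Reply-To use other domains, and the link's text hides its real href.
RAW_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank Security" <alerts@examplebank.example>
Reply-To: <support@examplebank-verify.example.net>
To: <victim@example.org>
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<p>Click <a href="http://examplebank-verify.example.net/login">https://examplebank.example/login</a></p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(value):
    """Domain part of an address header, lower-cased; '' if there is none."""
    _, addr = parseaddr(str(value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def host_of(url):
    """Host part of an http(s) URL, lower-cased."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()

def inspect_email(raw):
    """Return a list of findings that merit a closer look at this message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    # Return-Path is the envelope sender, Reply-To is where replies go. Either one
    # differing from From is a signal, not proof (bulk senders use separate bounce
    # domains too), so treat it as a prompt to look closer.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # A link whose visible text names a different host than its href is the
    # "see where the button takes you" check from the text, done in code.
    body = msg.get_body(preferencelist=("html",))
    for href, label in LINK_RE.findall(body.get_content() if body else ""):
        label = re.sub(r"<[^>]+>", "", label).strip()
        if re.match(r"https?://", label, re.I) and host_of(label) != host_of(href):
            findings.append(f"link text shows {host_of(label)} but href goes to {host_of(href)}")
    return findings
```

Each finding is a reason to read the raw message more carefully, not a verdict; authentication results (SPF, DKIM, DMARC) recorded in the Received and Authentication-Results headers are the next thing to check.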

Zero-Day Attacks
A “zero-day” (also called “0-day”) vulnerability is a newly-discovered software bug that a
developer was not aware of before the software was released. Therefore, after it is
discovered, the developer has “zero” days to patch it before it can be exploited. When a
“zero-day attack” occurs, the vulnerability quickly becomes known and is patched by the
developer.

Finding and Classifying Vulnerabilities

The vast majority of cyber-attacks exploit existing vulnerabilities. These vulnerabilities are
catalogued and numbered as CVEs, or “Common Vulnerabilities and Exposures”, and are
maintained in places like the MITRE Corporation’s CVE database or the National Vulnerability
Database (NVD).

DDoS
DDoS stands for Distributed Denial of Service. A DDoS attack is when an attacker attempts
to make a resource, such as a website’s various servers, go offline by overwhelming it
with web traffic. How does an attacker do this? They make requests to a resource with a
large number of computers, overwhelming the resource and making it run slower and
slower until eventually, it goes offline entirely.

Because an attacker must use a large number of computers, the attack is “distributed”
across multiple devices. The goal is to knock the resource offline so that it “denies
service”; hence the name “distributed denial of service”.

But where does an attacker get all of these computers from? Large websites are equipped
to handle thousands of visits per day, so it takes a lot of web traffic to overwhelm them.
This traffic comes from botnets.

Botnets are “robot networks” made up of computers infected by malware. These botnets
can be made up of millions of bots and can even include IoT devices. A single attacker can
spread malware to many devices, and then use all of those devices in concert to act
together, oftentimes without the victims ever knowing that their devices are infected.

Types of DDoS Attacks
Different types of DDoS attacks target different network layers, specifically layers 3, 4,
and 7, known respectively as the Network, Transport, and Application layers, and each
attack abuses its layer in its own way.

For example, one attack that targets the application layer is called “HTTP Flooding”. This
is because the attacker sends lots of HTTP requests — the kind of requests your browser
makes when you visit a webpage. In effect, it is like refreshing a website over and over
again, making a server load content repeatedly until it becomes overwhelmed.

On the other hand, “SYN Flooding” targets the Transport layer by taking advantage of
something called a TCP Handshake. This is like a large group of people all asking the same
person to hold something for them, but no one ever takes their item back, until the person
holding everything eventually becomes overwhelmed.

Fighting DDoS
• Rate-limiting
Limiting the number of requests a server will accept in a given time window.

• CAPTCHAs
A CAPTCHA can determine whether a user is a human or a “bot”, allowing
legitimate web traffic to attempt to log in while blocking malicious automated
traffic.
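
The rate-limiting idea above, worked through as an added example that is not part of the original text: a sliding-window limiter keyed per client, replayed over constructed traffic so the effect on an ordinary visitor and on a single flooding source can be compared side by side. The client keys are documentation-range IP addresses chosen for the example, and timestamps are integer milliseconds so the replay is deterministic.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per client within any
    `window` of clock time. The clock is injectable so traffic can be replayed."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)   # client key -> times of accepted requests

    def allow(self, client):
        """True if this request may proceed, False if the client is over its limit."""
        now = self.clock()
        q = self.hits[client]
        while q and now - q[0] >= self.window:   # forget requests outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # a web server would answer HTTP 429 here
        q.append(now)
        return True


def simulate(events, limit=5, window=1000):
    """Replay (timestamp_ms, client) events through one limiter and return
    {client: (accepted, rejected)} so the effect on each source is visible."""
    now = [0]
    limiter = RateLimiter(limit, window, clock=lambda: now[0])
    counts = defaultdict(lambda: [0, 0])
    for ts, client in sorted(events):             # the window logic needs time to move forward
        now[0] = ts
        counts[client][0 if limiter.allow(client) else 1] += 1
    return {c: tuple(v) for c, v in counts.items()}


# Constructed traffic (milliseconds): one ordinary visitor requesting every half
# second, and one source firing 100 requests in two seconds.
EVENTS = [(i * 500, "198.51.100.7") for i in range(6)] + \
         [(i * 20, "203.0.113.42") for i in range(100)]

if __name__ == "__main__":
    print(simulate(EVENTS))   # the visitor is never rejected; the flooder mostly is
```

Keying on source address is the right first line of defence against one abusive client, but a botnet spreads its requests across many addresses, so production limiters also key on the requested path or an account and are usually enforced at a reverse proxy or CDN edge rather than in the application.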

In general, it is difficult to guard against DDoS attacks. This is why websites seek
protection from organizations such as Cloudflare, which provides protection against DDoS
attacks by sitting between the server and the client, forwarding legitimate traffic to
the server while filtering out malicious traffic. However, the rise of Cloudflare and similar
protective services has raised other ethical issues, as these services can protect (and profit
from) illicit and/or terrorist organizations, raising the question of whether all sites deserve
equal treatment.
