Cyberattacks


114 Terms

1. GET Request

Usually used to request information.

Parameters of the request are passed in the URL.

Good for non-sensitive information.

2. POST Request

For sending information.

Parameters of the request are hidden in the request body.

Good for sensitive data or large amounts of data.

3. Cross Site Scripting (XSS)

Forcing the browser to execute a script in a web page/application.

Malicious code is executed in the victim's browser.

Persistent vs. non-persistent.

4. HTTP Problem

Connection-less, lack of state.

The web app does not know what has been done before.

Everything is stored on the browser.

5. Non-persistent (Reflected) XSS

Attacker forces the user to click a malicious URL; the script in it is sent to the server and reflected back.

The attacking script is supplied by the victim's own request.

6. Persistent (Stored) XSS

Attacker stores input on the vulnerable server.

When a user visits the website, the malicious code is served back.

Script is stored in the web application.

7. Reasons for XSS working

  1. Clients trust servers.

  2. Scripting is deeply embedded in web browsers, raising its power.

  3. Lack of input sanitization.

8. Consequences of XSS

Session hijacking by reading document.cookie.

Configuring pages to steal login information.

Goal is to obtain a valid token.

9. Command Injection

Inject and execute attacker-specified commands in a vulnerable application.

10. Defense against injection

Encode all user input.

Minimize database privileges.

Whitelist input validation on user-supplied input.

11. Parameter Encoding

Makes requests more digestible.

Requests are usually encoded.

12. Phishing

Email with a malicious link/instructions.

Redirects to a genuine-looking site where credentials need to be filled in.

13. SQL Injection

User-supplied input that executes database queries beneficial to attacker.

14. XSS Defenses

Signature-based filters blocking recognized attacks.

Input sanitization.

Limiting input to a maximum length.

15. XSS vs. Phishing

XSS is active and executes inside the authentic application (personalization), whereas phishing uses a cloned website or login page.

16. Broken Access Control

Vulnerabilities: parameter tampering, elevation of privilege, violation of least privilege.

Prevention: deny by default, recording ownership, logging failures.

17. Cryptographic Failures

Vulnerabilities: weak crypto algorithms, unenforced encryption, lack of randomness.

Prevention: encrypting all sensitive data, data in transit, authenticated encryption.

18. Injection

Vulnerabilities: lack of sanitization, hostile data used directly within an ORM.

Prevention: safe API, SQL controls within queries, server-side input validation.

19. Insecure Design

Vulnerabilities: broad category, many weaknesses.

Prevention: secure development lifecycle, threat modelling, unit and integration tests for critical flows.

20. Security Misconfiguration

Vulnerabilities: software is out of date, unnecessary features available, error handling reveals stack traces.

Prevention: minimal platform, repeatable hardening process, automated process to verify effectiveness.

21. Targeted Attacks

  1. Set up (host for command and control)

  2. Gather intelligence about target (watering hole, exploit selection, phishing)

  3. Choose right exploit (get foot in door)

  4. Choose the right malware

  5. Attack the target

  6. Use it (laterally move)

22. Watering Hole Attacks

Gather intelligence on the target and find suitable sites to place a dropper for infection.

Dropper contacts C&C to download the malware.

Malware performs the exploitation.

23. Lockheed Martin Cyber Kill Chain

  1. Reconnaissance

  2. Weaponization

  3. Delivery

  4. Exploitation

  5. Installation

  6. Command and Control

  7. Act on Objectives

24. Supervisory Control and Data Acquisition (SCADA)

Sends control commands to remote devices like PLCs.

25. Problems with SCADA

Isolated, designed with no security in mind, hard to patch.

26. Programmable Logic Controller (PLC)

Processes commands sent by SCADA.

Makes decisions based on its control program to produce the required output.

27. Stuxnet

Phase 1: worm that spreads and hides itself while waiting for phase 2.

Phase 2: attacks Siemens and PLC systems, updates the PLC programming.

Phase 3: sabotage; looks for a specific factory environment and, if found, changes the speed of the centrifuges.

28. Havex

Spread through multiple vectors: email, watering hole attacks, infection of vendor websites and software.

Main goal: gather information and gain persistent access.

29. Detecting Havex

Detection when it performs a network stamp.

Detection of communication with C&C (difficult).

30. Industroyer

Malware specifically designed to attack energy companies.

31. Ukraine 2015

Stage 1: spearphishing with BlackEnergy3 malware to steal credentials and reconfigure the network.

Stage 2: developed malware for the distribution management system to open breakers, and DDoS of customer service.

32. Old-School Ransomware

Non-targeted attack.

Several targets, one computer held hostage at a time.

Ransom in the hundreds of dollars.

33. New-School Ransomware

Targeted attack, one target at a time.

The whole organization is held hostage.

Ransom can be in the millions of dollars.

34. Cryptolocker

File-encrypting ransomware, the first to show a replicable business case; used a double extension to hide executables.

35. Petya

Reboots the computer, encrypts the master file table (hiding the unencrypted files), and asks for bitcoin as payment.

36. WannaCry

Worst ransomware in history; the attacks used leaked hacking tools from the NSA.

37. NotPetya (Virus)

Designed to win the war against Ukraine; spreads using exploits like EternalBlue and EternalRomance. Encrypts (destroys) everything and demands a ransom, but is not ransomware.

38. Shadow Brokers

Group that stole exploits like EternalBlue from the NSA.

39. Garmin Hack

Use of WastedLocker (which makes programs useless until decrypted) to hold out for a $10 million ransom.

40. Norsk Hydro

Incurred a financial loss of $71 million.

41. Maastricht Attack

The attackers picked Maastricht at random, then figured out what they could leverage.

42. Colonial Pipeline

Attack on a pipeline system that led to a national emergency being declared.

43. Equifax Hack

Use of an Apache vulnerability to steal the personal data of 143 million consumers.

44. Bruce Schneier on the Equifax Hack

  1. Serious data breach that puts millions of Americans at risk.

  2. Equifax was solely at fault.

  3. Thousands of similar data brokers at risk.

  4. Existing regulatory structure is inadequate.

45. Sophisticated DDoS

Done by professionals for marketing reasons.

46. Unsophisticated DDoS

Low-cost DDoS for hire: booter services, paid via PayPal using a subscriber model.

47. Living off the Land Attack

Intruders use legitimate software and functions available in the system to perform malicious actions on it.

48. MFA Fatigue

Keep alerting the user; eventually mistakes will be made.

49. Vishing

Talking to the victim on the phone and trying to scam them.

50. SIM Swapping

Stealing enough information about the target to convince the phone company to reissue the SIM.

51. Advantages of Living off the Land Attacks

No need for specific malware.

Generally difficult to detect.

52. Disadvantages of Living off the Land Attacks

Speed

Cost

53. Zero-day Exploit

Exploit of a vulnerability in software or hardware that is not known to the vendor.

54. Dedicated Leak Site

Website where illicitly retrieved data of companies that pay ransom are published.

55. 2020 Breach

Supply chain attack on Microsoft cloud services and on SolarWinds' Orion software.

56. SolarWinds Attack

Large supply chain incident; abuse of Orion, which has access to log and system performance data.

57. Advantages of software supply chain attacks (for the attacker)

Infiltration of well-protected organizations by leveraging a trusted channel.

Fast distribution: infections grow quickly.

Targeting of specific regions or sectors.

Infiltration of isolated targets.

Difficult for victims to identify the attack, as trusted processes are misused.

May provide the attacker with elevated privileges during installation.

58. Supply Chain Attack

Targets a trusted third-party vendor or service provider in an organization’s supply chain.

59. Possible vectors for a supply chain attack

Software Dependencies - injecting malicious code into software updates or third-party applications.

Hardware Components - compromising physical hardware during manufacturing or distribution.

Third-party services - exploiting vulnerabilities in cloud providers, logistics partners, or outsourced services.

60. Key Characteristics of Supply Chain Attacks

Exploitation of Trust

Indirect Access

Complexity

Widespread Impact

61. Cryptojacking

Another party’s computing resources are hijacked to mine cryptocurrency.

62. NIS2

Builds on NIS1: covers new sectors, adds risk management requirements.

63. Software Bill of Materials (SBOM)

List of components in a piece of software.

64. EU Cyber Resilience Act and SBOM

Relies on and leverages SBOMs to ensure software dependencies meet cybersecurity standards.

65. EU Cyber Resilience Act

Mandatory Cybersecurity Requirements

Lifecycle Security Management

Penalties for Non-Compliance

66. Detecting Attacks

Rejection-based (negative model, blacklisting).

Acceptance-based (positive model, whitelisting).

67. Blacklisting and Signatures: Pros

Low false positives.

Usable as blocking systems.

Gives information about what is being detected.

No need for reconfiguring when the system is reconfigured.

68. Blacklisting and Signatures: Cons

Need to know the attack in advance.

No signatures possible for 0-day vulnerabilities.

Impossible to have a good set of signatures for non-mainstream systems.

Long time to create a signature.

Signatures and heuristics are easy to evade.

69. Whitelisting: Pros

No need to know the attack to block it.

Low false positives if configured correctly.

70. Whitelisting: Cons

Easy to circumvent unless very accurate.

Expensive to set up and maintain.

Reconfiguring the system means reconfiguring the whitelist (expensive).

Little information about the attack.

71. Quantitative Anomaly Detection

Detects "too many things happening".

Does not tell you what is going on.

Important for situational awareness; produces false positives.

72. Qualitative Anomaly Detection

Detects when a single information unit is anomalous.

Techniques: self-organizing maps, neural networks, n-gram analysis.

73. Anomaly Detection: Pros

Inexpensive.

May allow you to see a 0-day attack.

Quantitative: situational awareness, interesting information.

Qualitative: doesn't usually work, but is ideal when it does.

74. Anomaly Detection: Cons

Applicability depends heavily on the particular instance of the target system.

Lots of false positives.

Gives even less information about the attack than whitelisting, if it detects one at all.

75. Where the System-Centric Threat Model Fails

The cost of defense falls on Alice, the cost of the attack on Charles.

Charles is uncertain about the worth of the attack.

Charles must compete against other attacks.

Ignores scale.

Ignores that attackers have better things to do.

76. Reasons why attackers leave us alone

Low success rate.

Low value.

Attacks and attackers may collide often.

The attack is expensive.

77. SCADA Security

Encryption alone does not yield extra security.

78. Encryption Problems

Can negatively affect security.

Can complicate troubleshooting.

79. Unfalsifiability of Security Claims

Root cause of many of our policy errors.

Makes it difficult to exercise good judgement and be scientific in security.

80. Common Rules on Passwords

  1. Length

  2. Composition

  3. Dictionary membership

  4. Don’t write down

  5. Don’t share

  6. Change

    1. Don’t reuse

81. Attacks on Passwords

Phishing

Keylogging

Brute-force attack

Bulk guessing

Special access attacks

82. Black-Box Approach

Uses machine learning approaches, such as neural networks.

83. White-Box Approach

Tries to explain the semantics of the target system.

84. Important reason why attacks are difficult to counter

Present systems are very hard to monitor.

85. Making Secure Systems

Make software more supervisable.

86. Prompt Injection

Manipulating input prompts to influence or control the behaviour of AI models.

Tricking the model.

87. Morris II

Worm designed to target GenAI ecosystems; prompts the model to replicate its input as output and to engage in malicious activities.

88. As-a-Service Criminal Model

Criminal products provided as a service; one product covers the whole chain.

Fully fledged organization with a hierarchical structure of up to 100 members.

89. Conti Coders

Maintained the malware code, back-end servers, and admin web panels.

90. Conti Testers/Crypters

Developed proof-of-concept code to bypass detection and provided feedback to the coders.

91. Conti Ransom Operators

Controlled all ransomware operations.

92. Conti HR

Managed new hires and conducted online interviews.

93. Recruiting for Conti

HR Department

Recruitment channels

Training and Onboarding

Roles and Responsibilities

94. Conti Delivery Mechanisms

Phishing emails.

Malware loaders.

Cobalt Strike for lateral movement.

95. Conti Additional Techniques

Double extortion.

Deleting backups.

96. Click Fraud

Attacker registers with an ad network.

Uses infected systems to generate clicks on the sourced advertisements; worth 20-30 million USD.

97. Finance and Banking

Pump and dump: buy cheap stocks, inflate the price, then sell.

98. Scareware

Combination of social engineering and malware infection.

Convinces the user they need to buy a product.

99. Exploit-as-a-Service

Platforms for delivering malware, i.e. dropping malware on machines.

100. Money Mules

Relay for bank/money transfers, with the promise of retaining some compensation.

Receive and re-send expensive goods, used to convert stolen credit into merchandise.