4. Cyberattack 1 – Attack Classification
CITS3004
Alvaro Monsalve
Agenda
1. Attack trends
2. Classification
2.1. Social engineering
2.2. Cracking
2.3. Malware
2.4. Zero-day
How did it all start?
• Before the Internet, the only way to conduct a
“cyberattack” was via physical access
– But the computational power at the time was lacking, and systems did not
store much worth stealing
• TCP/IP was designed in the early 1980s
– IPv4
• Today, TCP/IP is used everywhere
– LAN, MAN, WAN, etc.
– Various applications (voice, multimedia, etc.)
1. Attack Trends
There are many events that contribute toward attack trends:
– More people using the Internet
– Increase in software complexity
– Availability of attacking tools
– Dependence on cyberspace
– Lack of security implementation/deployment/adoption
Attack Trends (figure)
Source: NIST, US Department of Commerce
Attack Trends (figure)
Source: Howard Lipson. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues. CERT Coordination Center. Nov. 2002
Attack Trends (two figures)
Source: Sophos 2021 Threat Report, https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf
Attack Trends (two figures)
Source: The 2021 CrowdStrike Global Threat Report, https://www.crowdstrike.com/
Attack Trends
• Attacks are evolving with time
– Deepfakes
• Deepfake image, voice, etc.
– AI-powered cyberattacks
– Disinformation in social media
– Vehicle cyberattacks
– Cloud jacking
– Etc.
Source: https://us.norton.com/internetsecurity-emerging-threats-cyberthreat-trends-cybersecurity-threat-review.html
Attack Trends
What issues do cyberattacks bring?
A. Technological
B. Economic
C. Sociological
D. Psychological
E. Legal
Attack Trends
Why do people carry out cyberattacks?
A. Status and fame
B. Illegal financial gain
C. Espionage
D. Political and social reasons
Attack Trends
• For example, ransomware
– CryptoWall made over $130 mil USD
– WannaCry made $130,000 USD (June 2017)
• Main techniques used are (but not limited to):
– Port-based
– Malicious email
– Buffer overflow
– Malicious web-based
– (Distributed) Denial of Service
2. Attack Classification
Attacks can be classified into:
1. Social Engineering
2. Cracking
3. Malware
4. Network Layer Attacks
5. Web-based Attacks
6. (Distributed) Denial of Service Attacks
7. Zero-day
(Covered over this week, next week and the week after.)
You can of course use other classification methods.
2.1. Social Engineering
An attack that persuades the victim to disclose sensitive
information
– E.g., phishing attack
– Persuading the victim to install/execute malicious software
– Links to a bogus website (e.g., a spoofed bank website)
– Impersonating a legitimate user to retrieve credentials
– Impersonating a technical support member
Social Engineering
Is it effective?
– Given a 0.1% success rate, sending the phishing email to 1
million users -> 1000 users compromised
– 91% of cyberattacks start with a phishing email*
– Stuxnet and the RSA breach all started with a phishing email
*https://cofense.com/enterprise-phishing-susceptibility-report
Phishing
A phishing attack is a mass distribution of spoofed emails
– They appear to come from well-known organisations
• Such as banks, insurance, retailers, credit card companies, etc.
– Look legitimate, but lead to fake or bogus sites
– Ask for personal credentials
– They are evolving!
• Fewer grammar/spelling mistakes
• More in context
• Target-oriented contents
• Focused targeting is called “Spear Phishing”
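As an added example (not part of the lecture slides), the following Python script applies the checks a mail filter or a careful reader would apply to the links in a suspicious message: does the visible text name one site while the href goes to another, is the host a raw IP address, does the URL use the user@host trick, or is the host punycode. The sample email body, the domain names and the addresses are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample: the HTML body of a spoofed "bank" email (not a real message).
# example-bank.com, example.net and 192.0.2.10 are documentation names/addresses.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account at
<a href="http://secure-login.example-bank.com.account-verify.example.net/login">
https://www.example-bank.com/login</a> within 24 hours.</p>
<p>Need help? <a href="https://www.example-bank.com/help">Help centre</a></p>
<p>Or <a href="http://192.0.2.10/update">click here</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registrable(host):
    """Crude site name: the last two labels (example-bank.com).
    Assumption: no public-suffix list, which is enough for this sample."""
    return ".".join(host.lower().split(".")[-2:])

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_link(href, text):
    """Return the reasons a link looks like a lure; an empty list means clean."""
    reasons = []
    target = urlsplit(href)
    host = target.hostname or ""
    if is_ip_literal(host):
        reasons.append("raw IP address as host")
    if "@" in target.netloc:
        reasons.append("userinfo trick in URL")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (possible homoglyph) host")
    # If the visible text itself looks like a URL, it must agree with the href.
    m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append(f"text says {m.group(1)} but href goes to {host}")
    return reasons

def scan_email(html):
    """Return [(href, reasons)] for every link in the HTML body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, assess_link(href, text)) for href, text in parser.links]
```

Only the first and third links are flagged; the genuine help-centre link passes because its visible text is not a URL and its host is the bank's own.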
Phishing (example screenshots)
– Not so good one
– Real or Fake? https://www.mailguard.com.au/blog/new-year-new-phishing-ato-email-scam
– Real or Fake?
Pharming
• Attack that redirects a website’s traffic to another website
• The browser may still display the web address you wanted,
but the content may not be correct
• DNS tampering to redirect the traffic to a different website
without users knowing
• What you are viewing is fake, even though it looks real
Pharming
• The DNS server can be manipulated
Or
• The DNS lookup table on the user’s computer can be manipulated
(Diagram: attacker, user, DNS, legitimate site and fake site, steps 1 to 5)
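The second case above, manipulation of the lookup table on the user's own machine, is the easiest to check for. The script below (an added example, not from the lecture) parses a hosts file and flags any mapping that is neither loopback nor on an allow-list of names the workstation is expected to override. The sample hosts file, the allow-list and all addresses are constructed.

```python
import ipaddress

# Constructed sample hosts file. The last two lines are the kind of override a
# pharming infection adds: a bank name pinned to an attacker-chosen address, and
# a security vendor sinkholed so updates fail. All addresses are documentation ranges.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.20      intranet.example.org   # internal, expected
198.51.100.7    www.example-bank.com online.example-bank.com
0.0.0.0         www.antivirus-vendor.example
"""

# Allow-list (assumption): names that legitimately belong in this workstation's hosts file.
EXPECTED = {"localhost", "ip6-localhost", "intranet.example.org"}

def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping, ignoring comments and junk."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # not an address: malformed line, not a mapping
        for name in fields[1:]:               # one address may carry several names
            entries.append((ip, name.lower(), no))
    return entries

def suspicious_entries(text, expected=EXPECTED):
    """Flag mappings that are neither loopback nor allow-listed.
    Returns a list of (line_no, hostname, ip, reason)."""
    findings = []
    for ip, name, no in parse_hosts(text):
        if ip.is_loopback or name in expected:
            continue
        if ip.is_unspecified:
            reason = "sinkholed to 0.0.0.0 (blocks the site, e.g. AV updates)"
        else:
            reason = f"resolves locally to {ip}, bypassing DNS"
        findings.append((no, name, str(ip), reason))
    return findings
```

A real check would also compare each flagged name against an out-of-band DNS answer; that network step is left out so the example runs offline.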
Offensive USB
• Microchips can be embedded in USB cables.
• When plugged in, they are detected by the OS as a human interface
device (HID)
– E.g., mouse, keyboard, etc.
• You can control those malicious USB cables via WiFi!
Link to the video in additional materials
Phishing in the physical domain
Social Engineering – Mitigation
• Establishing frameworks
• Asset management
• Security protocol implementation and evaluation
• Security education
• Security review
• Trust establishment
2.2. Cracking
• Conducting malicious activities to guess, corrupt or
steal information
• “Unethically exploits the highly sensitive information
and uses the flaws in the security systems”*
*https://www.educba.com/hackers-vs-crackers/
Cracker – Uses the flaws in the security systems
Hacker – Finds and exploits flaws in the security systems
Cracking
• Password guessing or using password cracking tools
– Brute force and dictionary attacks
– Use of tools such as
• CRACK – www.pwcrack.com
• L0phtcrack – www.l0phtcrack.com
• John the Ripper – www.openwall.com/john/
• Other password (and a bunch of other security) tools –
www.securityfocus.com/tools/
Cracking
• Packet Sniffers
– Packet sniffing tools are widely used, legitimate tools
for network analysis
• E.g., Microsoft Protocol Analyser
• E.g., Wireshark
– Can also be used illegitimately
– Usually for monitoring IP packets
Cracking – Mitigation
• Ensure your password is strong
– https://howsecureismypassword.net/
• Store a salted hash of the password
• Close unused ports
• Ensure secure programming
• Enforce encryption
• Security education
• Multi-factor authentication
2.3. Malware
• Short for malicious software
• Includes
– Viruses
– Worms
– Spyware
– Trojan Horses
– Rootkits
– Ransomware
– Etc.
Virus
• Malicious program that spreads through the network by
infecting various files
• Infected files execute the malicious program first, without the
user knowing, and then run the normal program
• Viruses also replicate themselves by modifying other executable
files, attaching the malicious program to them
• Many viruses spread through file sharing
– E.g., email attachments, USB sharing, FTP, downloads, etc.
– Requires the infected files to be transferred to other hosts
Virus
• Viruses come in many forms:
– File infector viruses
– Boot sector viruses
• System area, memory area, or both
– Macro viruses
• Viruses mutate:
– Oligomorphic – uses multiple decryptors. E.g., Whale
– Polymorphic – mutates certain parts of itself. E.g., Virut
– Metamorphic – rewrites all (or most) of itself. E.g., Zmist, Virlock
Oligomorphic Virus (diagram): Encryption 1, 2, 3 / Decryption 1, 2, 3 – Same – Detection
Polymorphic Virus (diagram): Encryption 1, 2, 3 / Decryption 1, 2, 3 – Some difference – Mutation
Metamorphic Virus (diagram): Mutation – Different!
Virus – Silex
• A new version of Silex was released in 2019 targeting IoT
devices
– So far, it has bricked over 2000 IoT devices
• What does it do?
– Removes storage
– Removes iptables
– Removes network configurations
Halting the device!
Virus – Silex
• Steps taken in the attack
1. Enumerate accessible IP addresses
2. Identify all Unix-like systems
3. Attempt default login credentials
4. Access all disk partitions via fdisk -l
5. Then delete the network config
6. Next, run rm -rf / to delete everything else
7. Finally, flush all iptables and add DROP rules for all connections.
Virus – Protection
• Antiviruses
– Scanning email attachments
– Checking virus activities (signatures and/or anomaly detection)
– Examples include Norton, McAfee, Trend Micro, Symantec, Sophos, etc.
– Incorporate sandboxing, AI, data mining, machine learning, etc.
• Access restriction
– Remote access control
– Firewalls
– Email filtering
Worm
• Focuses on spreading through the network
• Exploits various network vulnerabilities to spread itself
– Unprotected shared drives
– FTP vulnerabilities (typically buffer overflow)
– E.g., Ramen, Lion, Code-Red, Conficker
• May also release viruses upon opening
– E.g., MyDoom.A -> backdoor and DoS
– E.g., MyDoom.B -> MyDoom.A + block access to antivirus sites
Worm vs Virus
• “Virus does not intentionally try to spread itself from that
computer to other computers. In most cases, that’s where
humans come in”
• “Worm is a program that is designed to copy itself from one
computer to another over a network (e.g., by using e-mail).
The worm spreads itself to many computers over a network”
Source: http://www.symantec.com/avcenter/reference/worm.vs.virus.pdf
Worm – Slammer
• Slammer worm
– Aliases: SQL Slammer, Sapphire, W32.SQLExp.Worm
– January 25 2003, approx. 5.30am (GMT)
– Infected 75,000 victims
– Spread world-wide in under 10 minutes
– Doubled infections every 8.5 seconds
– 376 bytes long
– Buffer overflow in Microsoft SQL Server and Desktop Engine products
– DoS on some Internet hosts, general Internet slow-down
– Patch was released 6 months before the worm, but many did not apply it
Worm – Slammer
• Propagation technique
– A single UDP packet (only 376-byte payload)
– Target port 1434 (Microsoft SQL monitor)
– Keeps sending itself to random IP addresses
– Once a host is identified running an unpatched MS SQL server, it
is infected immediately
Worm – Slammer (figure): In 30 minutes!
Worm – Protection
• Keep patching up-to-date
– Applications and operating systems
• Security education
– Do not click suspicious links
– Do not run unknown executable files or programs
• Antivirus and anti-spyware software
• Firewall
Malvertising
• Malicious advertising
• Spread of malware through advertising
• Sometimes, just viewing an ad can affect your system
• About 10 billion ads were malvertisements in 2012*
• In 2017, Google blocked 79 million ads with redirection and
removed 48 million ads trying to install unwanted software#
*Online Trust Alliance (2012-07-29). “Anti-Malvertising Resources”. Online Trust Alliance. Retrieved 2013-05-25. https://otalliance.org/resources/malvertising.html
#https://www.csoonline.com/article/3373647/what-is-malvertising-and-how-you-can-protect-against-it.html
Malvertising
• Many different ways they can get in:
– Pop-up ads
– Web widgets
– Hidden iframes
– Malicious banners
– Third-party advertisements
– Etc.
Malvertising (screenshot): Malvertising!
Malvertising (diagram)
1. User visits a site. Can be legitimate or bogus.
2. The site hosts an ad from a 3rd party to generate revenue
3. The 3rd party sends the ad, but it contains malware
4. The malvertisement is viewed by the user
Malvertising can be “hidden” from the user by creating invisible boxes
Malvertising – Protection
• Keeping software and OS up-to-date
• Antivirus and other malware protection methods
• Browser extensions that alert on malvertising campaigns
Spyware
• Variety of meanings, including key loggers, unsolicited
commercial software, scumware, Trojan horses, etc.
Spyware – Key Loggers
• Actions on the computer are monitored and captured by adversaries
• Can be software or hardware
• Strong passwords are no longer effective
• Use:
– Anti-keyloggers, antivirus, anti-spyware
– Monitoring for malicious network traffic
– Security tokens
– Automatic form fillers, etc.
Spyware – Unsolicited Software
• Unsolicited commercial software is installed
without the user’s intention
– E.g., piggyback software
• May contain spyware to snoop on
user activities
• Always check what you are
agreeing to install
Spyware – Scumware
• Refers to any malicious code that entered the system
without the user’s consent or permission
• Scumware can significantly change the appearance
and functions of websites without permission
– Guiding to bogus websites for further malware infection
• Use anti-spyware and network filtering
Harvesting Personal Information (diagram)
Name, address/geography, place of work, name of bank, eBay/PayPal, family information, friend information -> highly focused, customised social engineering attack
Harvesting Personal Information
• We just trust them too much
– Chrome Incognito mode still allows third parties to collect data
https://www.wired.co.uk/article/google-chrome-incognito-mode-privacy
– Facebook listening in on user conversations (up to very recently)
https://www.scmp.com/news/world/united-states-canada/article/3022682/facebook-admits-listening-transcribing-users
– Microsoft listening in on Skype calls
https://www.scmp.com/news/world/united-states-canada/article/3021896/microsoft-admits-its-workers-listen-your-skype
– Apps collect your data even if you deny permissions
https://www.cnet.com/news/more-than-1000-android-apps-harvest-your-data-even-after-you-deny-permissions/
Q: Is this okay or not?
Trojan
• A Trojan, or Trojan Horse, is different to viruses and worms
– Does not infect files
– Does not spread
• Allows attackers to access the user’s device remotely
• Has client and server applications
• Users can unintentionally download and install it on the system
– E.g., email attachments, file sharing, free software online, etc.
• Attackers can also install it directly
– E.g., physical access
Trojan
• Example: Zeus (2009)
– Stole banking information using a keylogger
– Affected systems through downloads and phishing
– Compromised over 74,000 FTP accounts on websites
of companies (June 2009)
• Such as Bank of America (BoA), NASA, Oracle, Cisco, Amazon, etc.
– The Zeus botnet was estimated at millions of compromised computers
• Largest botnet on the Internet
– Also used for installing CryptoLocker ransomware
Trojan – Mitigation
• Best defence is safe computing practices
– Don’t trust what you get from the Internet
• Trojan Horses can come as unsolicited executable
e-mail attachments from recognised senders
– Do not open them if you are not sure
• Use file integrity monitoring systems
– E.g., Tripwire
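What a file integrity monitor such as Tripwire does at its core, as an added Python example (not the lecture's or Tripwire's code): hash every file under a root into a baseline, re-hash later, and report added, removed and modified files. The demo tree and the "tampering" it simulates are constructed inside a temporary directory, so nothing on the real system is touched.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    In real use the baseline is kept on read-only or offline storage, since a
    Trojan with write access could otherwise re-baseline its own changes."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report what a Tripwire-style check would: new, missing and changed files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(name for name in baseline.keys() & current.keys()
                           if baseline[name] != current[name]),
    }

def run_demo() -> dict:
    """Constructed scenario: baseline a tiny 'bin' tree, then simulate a Trojan
    that swaps one script for a modified copy and drops an extra file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        bin_dir = root / "bin"
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        (bin_dir / "cat").write_bytes(b"#!/bin/sh\nexec /usr/bin/cat \"$@\"\n")
        baseline = build_baseline(root)
        # Simulated tampering (constructed placeholders, not real malware)
        (bin_dir / "ls").write_bytes(b"#!/bin/sh\n# changed\nexec /usr/bin/ls \"$@\"\n")
        (bin_dir / "dropper").write_bytes(b"placeholder payload")
        return compare(baseline, build_baseline(root))
```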
Rootkits
• Look legitimate, but conduct malicious behaviours
• Used to obtain root privilege
– But also hide their elements such as processes, files, and network
connections
• Have access to modify existing software
– Including the tools to remove them
• Rootkit types include:
– Firmware (persistent) – hides in firmware
– Kernel-mode – hides from the kernel’s list of active processes
– User-mode – runs along with other applications
Rootkits – Mitigation
• Possible to hide spyware or a virus that will not be
detected by traditional antivirus products
• F-Secure BlackLight Rootkit Eliminator
– www.f-secure.com/blacklight
– www.systernals.com
• Published rootkits
– www.rootkit.com, e.g., AFX, Vanquish, HackerDefender
Botnet
• A bot is an application that runs automated tasks over
the Internet
– E.g., web crawlers
• A botnet is a collection of connected devices that run
one or more bots
• A botnet can deploy various types of attacks
– E.g., DDoS, spamming
– But also stealing data and accessing bots
Botnet (diagram: https://commons.wikimedia.org/wiki/File:Botnet.svg)
1. A botnet operator infects users
2. The bot on the infected PC communicates back to the
command-and-control server
3. A spammer purchases the services of the botnet from the operator
4. (a) The spammer provides the spam messages to the operator
(b) The botnet operator uses the bots to send out the spam messages
2.4. Zero-day
• Zero-day attacks take advantage of software
vulnerabilities for which there are no available fixes
• Attacks take advantage of flaws before software
makers can fix them
• Has become a significant issue from 2008 on
• Emphasises the importance of safe configuration policies
and good incident reporting systems
Zero-day
• Attackers are getting faster at discovering and
exploiting flaws
• For example: the Blaster worm (2003)
– Released August 2003, patch released January 2004
– Used a buffer overflow, and also launched a DDoS against
windowsupdate.com (but not very successful as it was
redirected to windowsupdate.microsoft.com)
Zero-day (figures: zero-day vulnerability life cycle and timeline)
http://securityaffairs.co/wordpress/wp-content/uploads/2013/12/zero-day-vulnerability-life-cycle.jpg
http://securityaffairs.co/wordpress/wp-content/uploads/2012/10/TimeLineZeroDay.jpg
Zero-day (figure): Number of disclosed zero-day vulnerabilities
Source: Internet Security Threat Report – Symantec (2015)
Zero-day
• According to the Zero Day Initiative, 135 vulnerabilities
were discovered in Adobe products during the first 11
months of 2016 and 76 in Microsoft products.
Meanwhile, the number of zero-day flaws in Apple
products doubled over the previous year, to 50 from 25.
Source: https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2017
Zero-day: detection
• A few techniques exist to detect zero-day attacks:
– Statistical-based:
• This approach to detecting zero-day exploits in real time relies on
attack profiles built from historical data.
– Behaviour-based:
• This model of defence is based on the analysis of the exploit’s interaction
with the target.
– Hybrid-based:
• As the name suggests, this approach is a blending of different
approaches.
Source: Symantec “Guide to zero-day exploits” 2017 –
https://www.websecurity.symantec.com/content/dam/websitesecurity/digitalassets/desktop/pdfs/datasheet/Guide_to_Zero_Day_Exploits.pdf
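The three approaches above in miniature, as an added Python example (not from the lecture or the Symantec guide): a statistical check scores each process's outbound traffic against a profile built from its own history, a behaviour check looks at how the process interacts with the host regardless of volume, and the hybrid simply alerts when either fires. The telemetry, process names and the document-to-shell rule are constructed assumptions for the example.

```python
import statistics
from collections import defaultdict

# Constructed historical telemetry: (process, outbound_kb) per 5-minute window.
# This is the "profile built from historical data" the statistical approach uses.
HISTORY = ([("winword.exe", kb) for kb in (10, 12, 8, 15, 11, 9, 14, 10, 13, 12)]
           + [("outlook.exe", kb) for kb in (200, 180, 220, 210, 190, 205, 215, 195, 200, 210)])

# Constructed live events: (process, parent_process, outbound_kb)
LIVE_EVENTS = [
    ("winword.exe", "explorer.exe", 11),     # ordinary document editing
    ("winword.exe", "explorer.exe", 900),    # sudden large upload from Word
    ("powershell.exe", "winword.exe", 5),    # document app launching a shell
    ("outlook.exe", "explorer.exe", 205),    # ordinary mail traffic
]

# Behaviour rule (assumption): document apps should not spawn script hosts.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def build_profiles(history):
    """Per-process (mean, population std dev) of outbound KB."""
    by_proc = defaultdict(list)
    for proc, kb in history:
        by_proc[proc].append(kb)
    return {p: (statistics.mean(v), statistics.pstdev(v)) for p, v in by_proc.items()}

def statistical_check(event, profiles, z_limit=3.0):
    """Flag an event whose outbound volume is far above that process's own history."""
    proc, _, kb = event
    if proc not in profiles or profiles[proc][1] == 0:
        return None   # no profile (unseen process) or no variance: cannot score
    mean, sd = profiles[proc]
    z = (kb - mean) / sd
    return f"{proc}: {kb} KB out is {z:.0f} sd above its profile" if z > z_limit else None

def behaviour_check(event):
    """Flag how the code interacts with the target, independent of volume."""
    proc, parent, _ = event
    if parent in DOCUMENT_APPS and proc in SCRIPT_HOSTS:
        return f"{parent} spawned {proc}: document-to-shell execution"
    return None

def hybrid_detect(events, profiles):
    """Blend both checks: an event is alerted if either approach fires."""
    alerts = []
    for ev in events:
        reasons = [r for r in (statistical_check(ev, profiles), behaviour_check(ev)) if r]
        if reasons:
            alerts.append((ev, reasons))
    return alerts
```

The statistical check alone misses the PowerShell launch (there is no history for that process), and the behaviour rule alone misses the outsized upload, which is the case for blending them.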
Keeping Up-to-Date
• www.cert.org (main index by year)
• www.securityfocus.com (bugtraq)
• www.symantec.com
• www.caida.org (analysis of propagation etc.)
• technet.microsoft.com/en-us/security/bulletin
CERT
• Computer Emergency Response Team
– www.auscert.org.au (Australia)
– www.nzcert.org.nz (New Zealand)
– www.apcert.org (Asia-Pacific)
– www.cert.org/advisories (US)
– www.singcert.org.sg (Singapore)
– www.hkcert.org (Hong Kong)
– www.krcert.or.kr/english_www/ (South Korea)
– www.ccert.edu.cn/about_us/index_en.htm (China)
– www.jpcert.or.jp/english (Japan)
Additional Items
• Common Attack Pattern Enumeration and Classification
– https://capec.mitre.org/index.html
• USB hacking video
– https://twitter.com/i/status/1094389042685259776 (the O•MG cable, Offensive MG kit, by _MG_, February 10, 2019)
• Virus Timeline
– https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms#2010%E2%80%93present
• 8 famous viruses
– https://uk.norton.com/norton-blog/2016/02/the_8_most_famousco.html
• Zeus phishing email
– http://www.salisbury.edu/helpdesk/security/latest/phishing_attempt__4122012_VariousZeusbot.html
• Document analysis cheat sheet
– https://zeltser.com/analyzing-malicious-documents/?fbclid=IwAR3d2de5lJfacOaHBtR5RbtPCW7QFccv18LOjAHGAPW4N99PubT951EGRSc