I can talk all day about the different types of cyberthreats that businesses face on a daily basis. In fact, Daniel and I have written multiple blogs on the subject. But it’s still often difficult for businesses to understand the ins and outs of how attacks work, how to recognise them, and how they can protect against them. Sometimes you just need to see an attack in action to understand how specific attack types work, the impact that they can have, and the preventative measures that you can take.
That’s why I’ve pulled together some examples of attacks that have taken place over the past few years.
Here are 10 Examples Of Cyber Attacks
Malware In Action
Malware is malicious software that gets installed on a machine. There are a number of ways that this can happen – clicking on a malicious link in an email, visiting a dodgy site, or downloading a movie that happens to have malware attached to it. And from there, attackers have free rein. They can extract or corrupt data, monitor keystrokes to gain access to your usernames and passwords, or use your machine to gain further access to company assets.
Because malware is an overarching term for any malicious software, you may have heard of (or experienced) some of its forms in the past without even realising it. Trojans, viruses, and computer worms are all types of malware, each with its own unique style of attack.
Take, for example, the Trojan known as Emotet, which caused havoc for a German hospital in 2018. All it took was a single employee opening a malicious email attachment, and the Trojan was planted. From there it spread to 450 machines within the hospital, all of which had to be taken offline until the attack could be curbed. While it’s unclear what the malware’s goal was, aside from spreading itself to other machines within the hospital, the Trojan had serious consequences. Emergency cases had to be diverted to alternative hospitals for the 6 days that it took to bring the computers back online.
In another case, Storm Worm spread to over a million machines back in 2007, when a malicious mail that claimed to be a weather report on the severe storms hitting Europe was shared far and wide. The malware that the email contained would install itself, gain access to contact lists and user details, and even launch Denial of Service attacks to bring company servers to a standstill.
Phishing In Action
Malware and phishing often go hand-in-hand. But that doesn’t mean that all phishing emails contain malware, or that malware is only spread through phishing. It’s important to both understand and distinguish between the two attacks.
Often confused with spam, which is simply unsolicited emails, phishing mails can have a number of agendas. Phishing attackers might encourage you to click on a link, to download an attachment, or they might simply try to gain your trust by impersonating someone you know – a friend, a colleague, or even a family member. Some phishing mails look like legitimate emails from a company you trust, asking you to pay an invoice, for example. But the invoice itself will have banking details that you’re not familiar with. This is because phishing attackers often sit inside a system, waiting for the right time to strike. Once an email address has been compromised, they can simply wait for an invoice to be sent from that address, and replace the attachment with one of their own, leading to the wrong recipient being paid.
In fact, when Elara Caring in the US came under attack in March 2021, spying is exactly what the attacker did. After sending a phishing email to two employees, the attacker spent a week within the healthcare company’s system. They gained access to personal details like social security numbers, financial details like bank account information, and insurance details for over 100,000 patients. And yet they never transferred any data or installed any malware. Part of the reason for this was the company’s quick action in changing passwords and adjusting access permissions, curbing the attack until their systems could be secured.
Ransomware In Action
While the goals behind malware can vary, from stealing user details to corrupting information, or simply causing chaos for users, ransomware has a very specific target in mind. The name says it all. Attackers hold data for ransom, extorting businesses with the threat of either deleting information, or releasing personal and financial details onto the web, resulting in a data leak that has a severe impact on a company’s reputation. In most cases, business operations grind to a halt without access to data, and the longer a company stays offline, the more effective the attacker will consider the ransomware attack to be, since the likely result is that the company in question will be more willing to give in to their demands.
With ransomware being one of the most popular methods of attack over recent years, there are plenty of examples. One of the most publicised ransomware attacks occurred in May 2017, when hundreds of thousands of machines running Microsoft Windows became infected with the WannaCry ransomware. It would encrypt files on the infected machines, and attackers would demand payment in Bitcoin from their victims in order to have their data decrypted.
But while WannaCry may be the most well-known form of ransomware, having affected so many Microsoft users, it’s certainly not the only ransomware threat out there. For example, 2019 saw the city of Baltimore in the USA being hit by ransomware known as RobbinHood. The attack resulted in over $18 million of costs, while city activities like tax collection and even government emails ground to a halt.
Zero-Day Exploits In Action
Many cyber attacks rely on you taking action – opening a malicious email, clicking on a link or attachment, or downloading malicious software (even if you don’t know that you’re doing it). But Zero-Day exploits rely on you not taking action. Specifically, they rely on the fact that most people hate installing updates. They’re inconvenient, forcing you to shut down or restart your machine at the most frustrating of times. And this means that most people ignore them until they can’t stand the reminders any longer and finally give in.
The trouble with this is that whenever a vulnerability in your operating systems, apps and software is discovered, two things happen almost immediately. The developers who created the system will try to find a way to fix it, and attackers will try and find a way to take advantage of it. Once a fix has been found, patches are released to keep your systems secure. But these fixes often take time, and this is where Zero-Day exploits come in.
A Zero-Day attack or exploit takes place immediately after a vulnerability has been discovered, often before the developers even know about it. They use the opportunity to infiltrate and attack systems, and the longer it takes for a patch to be developed (or the longer it takes you to install it), the more time they have to cause havoc.
There are two perfect examples of this in action. The first occurred in Iran back in 2007, when attackers made use of a vulnerability in the Siemens Step7 software that was being used to control machinery for the country’s nuclear weapons program. They took advantage of the vulnerability to install the Stuxnet worm on the machines. The result was that attackers got the programmable logic controllers (PLCs) to perform unexpected operations on assembly line machinery, resulting in centrifuges being sabotaged and the program grinding to a halt as they were unable to separate nuclear material.
A second example of a Zero-Day exploit in action can be seen in the attack that RSA experienced back in 2011. A vulnerability was discovered in Adobe Flash Player, and attackers used this to install the Poison Ivy remote administration tool on a number of the company’s machines. From there, they gained access to and transferred sensitive information about the company’s two-factor authentication products, resulting in further access to devices and data that used RSA’s services, all before Adobe had the chance to release a patch for the vulnerability.
Brute Force Attacks in Action
I cannot stress enough the importance of password security. One of the easiest ways for cyberattackers to gain access to company data is by gaining access to user passwords. And while a number of the attacks that I’ve gone through so far can result in an attacker getting access to passwords, there is a much more ‘effective’ attack that provides them with access to hundreds, thousands, and, in the case of the attack on Alibaba, millions of passwords at a time.
It’s called a Brute Force Attack, and it involves an attacker writing a script that guesses thousands of passwords every second. And, since so many users use the same password across every one of their platforms, from there the attacker can gain access to innumerable sites and immeasurable data.
This is exactly what happened to users of the Alibaba website. The site was targeted with a Brute Force attack, and attackers guessed the usernames and passwords of 99 million users. How did they manage to get so many? One of the main reasons is that a huge number of users were making use of the same password.
Every year, security websites post lists of the most common passwords, warning readers not to use them. The reason behind this is that these popular passwords are the first that attackers will try during a brute force attack. Accounts secured by the word ‘password’ or ‘password1’, for example, are all too easy to log into. It means that all the attacker needs is a username, since the password is entirely insecure.
On top of the number of duplicated passwords, many users were using the same password for other platforms, which meant that as soon as the attackers learned their password for Alibaba, it was easy for them to access those users’ email accounts, contact lists, and gain even further sensitive information.
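As an added example (not part of the original post), here is a Python sketch of two defender-side checks for the brute force pattern described above: rejecting the most common passwords at sign-up, and flagging a source address that produces many failed logins in a short window. The log format, IP addresses and password list are constructed for illustration.

```python
# Added example, not code from the original post. Two checks against scripted
# password guessing: a common-password denylist and a failed-login rate check.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed denylist; a real deployment uses a much larger published list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

def password_allowed(password: str, min_length: int = 12) -> bool:
    """Reject passwords that are too short or on the common-password list."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS

# Constructed sample log: "<ISO timestamp> <FAIL|OK> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2021-03-01T10:00:00 FAIL user=alice ip=203.0.113.5
2021-03-01T10:00:01 FAIL user=bob ip=203.0.113.5
2021-03-01T10:00:02 FAIL user=carol ip=203.0.113.5
2021-03-01T10:00:03 FAIL user=dave ip=203.0.113.5
2021-03-01T10:00:04 FAIL user=erin ip=203.0.113.5
2021-03-01T10:00:05 FAIL user=frank ip=203.0.113.5
2021-03-01T10:05:00 FAIL user=alice ip=198.51.100.7
2021-03-01T10:05:30 OK user=alice ip=198.51.100.7
"""

def parse_line(line: str):
    """Split one constructed log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], ip.split("=", 1)[1]

def brute_force_sources(log: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {ip: max failures} for IPs with >= threshold FAILs inside any window."""
    failures = defaultdict(list)
    for line in log.splitlines():
        ts, result, _user, ip = parse_line(line)
        if result == "FAIL":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0  # sliding window over sorted failure timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

A single source cycling through many different usernames, as in the sample, is the signature to alert on; one user failing a couple of times from their usual address is not.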
Man In The Middle Attacks in Action
Daniel, Elizabeth, and I have all written in the past about why accessing public WiFi is a terrible idea unless you’re using a VPN. This is where Man-In-The-Middle attacks thrive. It’s the perfect opportunity for an attacker to gain access to information without the target even being aware of their presence. The reason for this is that public wireless networks are inherently insecure. They are made accessible to large numbers of people, and there is no telling who is on the network and what they’re up to. Plus, when you aren’t in control of the wireless setup, there’s no telling how the traffic travelling across the network is encrypted, and not all encryption is equal. Some are far easier to hack than others, and these are often the ones that public WiFi providers make use of.
But what exactly is a Man in the Middle attack? It’s when an attacker either eavesdrops on traffic that is being submitted, gaining access to information simply by monitoring what others are doing, or steps in and redirects traffic for their own purposes. If, for example, you are visiting a website while on a public WiFi network, an attacker could intercept the traffic and redirect you to their own website. You think that you’re logging into Facebook (for example) when in reality you’re logging into a page that looks like Facebook but will instead just send your Facebook credentials on to the attacker.
There are plenty of examples of Man-in-the-Middle attacks out there, but two immediately come to mind. The first is a group known as DarkHotel which targets powerful people such as politicians, government leaders, and business executives using hotel WiFi. They intercept the traffic, forge security certificates, and then download malware or spyware onto the target’s machines, allowing them to intercept further communication and gain access to sensitive information.
But WiFi isn’t the only way that Man-in-the-Middle attacks occur. You may recall that earlier in this article I mentioned that phishing attacks don’t always happen immediately. Often attackers will simply install monitoring software and then wait for the opportune moment to strike. This is also a Man-in-the-Middle attack, and one of the most famous occurred in December 2019 when attackers conned a Chinese company into paying them $1 million instead of the Israeli startup that it was intended for. All that it took was intercepting communications between the two companies, and the attackers were able to insert themselves into the transaction, defrauding the Chinese business into routing the capital into their own bank account, rather than the intended recipient’s.
What Can You Do About Cyber Attacks?
Now that I’ve looked at just a few examples of the types of cyber attacks that can impact your business, it should make it easier to recognise an attack when it occurs. But what comes next? How can you protect your business against these attacks and others, and what should you do when an attack occurs?
First and foremost, it’s important that you have a Disaster Recovery Plan (DRP) in place. This should include keeping secure backups of your data and having a way of retrieving the data if it becomes compromised, as in a ransomware attack. Your DRP should also include steps that your business should take when a suspected attack takes place. Who should your teams report phishing mails to? How often should they be installing updates and security patches? These are all questions that an effective and thoroughly researched DRP will take into account. In fact, we’ve put together a Disaster Recovery Plan Checklist with all of the scenarios that your DRP should cover.
Second, and I cannot stress this enough, make sure that your employees are using Multi-Factor Authentication (MFA), and are taking password security seriously. A secure password, combined with MFA, will make it almost impossible for an attacker to gain access to user accounts without also accessing their email address, machine, or cellphone.
Finally, partnering with the right managed IT services company can mean the difference between falling victim to an attack and avoiding one. Not only do managed IT service providers like Solid Systems offer access to an around-the-clock IT helpdesk, but we also put measures in place to monitor network activity and detect unauthorised or suspicious access before it has the chance to compromise your business.
We work with you to secure your business in a way that ties into your overall company goals. We want to see you stepping into the future with confidence and embracing technology, not shying away from it because you’re worried about security. That’s why we make your business’ security our top priority.