Computer System Vulnerabilities Exploited by Hackers

As technology evolves, so do the methods of those looking to exploit it. Hackers, equipped with an ever-expanding toolkit of techniques, continually find new vulnerabilities in computer systems. Understanding these vulnerabilities and how they are exploited is crucial for anyone involved in cybersecurity. This newsletter delves into the top vulnerabilities commonly exploited by hackers, shedding light on the tactics used and how organisations can protect themselves.

1. Phishing Attacks

Phishing remains one of the most prevalent methods hackers use to exploit computer systems. Phishing involves tricking individuals into providing sensitive information, such as usernames, passwords, and credit card details, by masquerading as a trustworthy entity.

How Phishing Works

1. Email Phishing: Hackers send out emails that appear to be from legitimate sources like banks, social media platforms, or colleagues. These emails often contain links to fake websites designed to steal personal information.
2. Spear Phishing: Unlike generic phishing, spear phishing targets specific individuals or organisations. Hackers research their targets and craft personalised messages that increase the likelihood of success.
3. Clone Phishing: In this variant, a legitimate, previously delivered email is copied, but its content is altered to contain malicious links or attachments. The altered email is then sent from an address resembling the original sender.

Notable Phishing Exploits

·? United States Marshals Service: This federal law enforcement agency experienced a major ransomware attack compromising sensitive law enforcement data and personal information of individuals associated with USMS investigations.

·? 3CX Supply Chain Attack: In March, North Korean actors compromised the 3CX Private Automatic Branch Exchange platform. This supply chain attack affected a VoIP software development company used by over 600,000 organizations globally. The attackers inserted malicious code into the 3CX endpoint clients, which were downloaded as updates by the users.

·? Mailchimp Breach: In January, Mailchimp suffered a breach through a social engineering attack that allowed hackers to access 133 customer accounts. The data exposed included names, emails, and web addresses, affecting customers such as WooCommerce and FanDuel?

·? Twitter Data Leak: A dataset containing information on 200 million Twitter users, including email addresses and usernames, was found circulating on criminal forums. This exposed the identities of users who may have wished to remain anonymous, raising concerns about targeted phishing and doxxing attacks?

·? Deezer Data Breach: A hacker posted data on over 200 million Deezer users, including personal information such as full names, dates of birth, and location data. Although passwords were not included, this information could be exploited for phishing and identity theft?

The RSA Attack (2011): A spear-phishing email with a malicious Excel attachment led to the compromise of RSA Security’s systems. This attack ultimately allowed hackers to steal data related to RSA’s SecurID two-factor authentication products, impacting numerous clients worldwide.

Google and Facebook (2013-2015): A Lithuanian hacker tricked employees of these tech giants into wiring over $100 million by posing as a legitimate supplier.

Preventing Phishing Attacks

1. Education and Training: Regularly train employees to recognise phishing attempts.
2. Email Filtering: Implement advanced email filtering solutions to detect and block phishing emails.
3. Multi-Factor Authentication (MFA): Require MFA to add an additional layer of security, making it harder for hackers to gain access even if they obtain login credentials.

2. SQL Injection

SQL Injection (SQLi) is a type of cyber-attack where hackers exploit vulnerabilities in an application’s software by injecting malicious SQL statements into entry fields for execution.

How SQL Injection Works

1. Input Field Exploitation: Hackers find input fields that allow SQL queries to interact with a database (e.g., login forms, search bars).
2. Malicious Code Insertion: By inserting specially crafted SQL code into these fields, hackers can manipulate the database. This can result in unauthorised viewing of data, data modification, or even deletion.

Notable SQL Injection Exploits

·? MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362): The MOVEit Transfer software, used for managed file transfers, was hit by a zero-day SQL injection vulnerability. This flaw was actively exploited by the CL0P ransomware group to exfiltrate sensitive data from vulnerable servers. The exploit involved deploying a custom ASP.NET web shell to maintain persistence on compromised networks.

·? WP Fastest Cache Plugin (CVE-2023-6063): A critical SQL injection vulnerability was discovered in the WP Fastest Cache plugin, affecting over 600,000 WordPress websites. The vulnerability allowed attackers to exploit unsensitised user input, specifically the 'username' value extracted from cookies, leading to unauthorised access to sensitive database information?

·? LayerSlider WordPress Plugin: The LayerSlider plugin, used on over one million WordPress sites, was found to have an unauthenticated SQL injection vulnerability. This critical flaw necessitated urgent updates from site administrators to prevent potential exploitation?

·? Moodle Platform (CVE-2023-30944): Moodle, a popular learning management system, was affected by an SQL injection vulnerability due to insufficient sanitisation of user-supplied data in its Wiki module. This allowed remote attackers to execute limited SQL commands within the application database

Sony Pictures (2014): SQL Injection was used as one of the attack vectors in the infamous breach that led to the leak of unreleased movies and personal information of employees.

Heartland Payment Systems (2008): A major payment processor was breached via SQL injection, compromising over 130 million credit card numbers.

Preventing SQL Injection

1. Parameterised Queries: Use parameterised queries or prepared statements which separate SQL code from data.
2. Input Validation: Rigorously validate and sanitise all user inputs to ensure they do not contain malicious SQL code.
3. Web Application Firewalls (WAFs): Deploy WAFs to detect and block SQL injection attempts.

3. Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks occur when an attacker injects malicious scripts into content from otherwise trusted websites. These scripts can then be executed in the browsers of users who visit the compromised sites.

How XSS Works

1. Injection: Attackers find a way to inject malicious scripts into web applications. This often happens via input fields, comment sections, or other forms of user-generated content.
2. Execution: When a user visits a compromised page, the malicious script executes in their browser, potentially stealing cookies, session tokens, or other sensitive information.

Notable XSS Exploits

• MySpace (2005): Samy Kamkar used XSS to create a worm that added over a million friends to his MySpace profile and caused significant disruption to the platform.
• Yahoo (2013): Attackers exploited a vulnerability to execute a XSS attack, allowing them to steal user session cookies.

Preventing XSS

1. Sanitise Inputs: Ensure all user inputs are properly sanitised to remove malicious scripts.
2. Content Security Policy (CSP): Implement CSP to restrict the sources from which scripts can be executed.
3. HTTPOnly Cookies: Use HTTPOnly flag for cookies to prevent them from being accessed via JavaScript.

4. Malware

Malware, short for malicious software, encompasses various harmful programs like viruses, worms, Trojans, ransomware, and spyware. Hackers use malware to damage or disrupt systems, steal data, or gain unauthorised access.

Types of Malware

1. Viruses: Programs that attach themselves to legitimate files and spread throughout a computer system.
2. Worms: Self-replicating programs that spread across networks, often causing widespread damage.
3. Trojans: Disguised as legitimate software, Trojans provide hackers with backdoor access to systems.
4. Ransomware: Encrypts a user’s data and demands payment for the decryption key.
5. Spyware: Secretly monitors user activity and collects information.

Notable Malware Exploits

·? BlackCat/ALPHV Ransomware Attacks:

• The BlackCat ransomware group was highly active, targeting diverse industries across the Americas and Europe. Notable victims included the Barts Health NHS Trust and Sabre Insurance. The group utilized sophisticated tactics, including exploiting vulnerabilities in remote management tools and conducting malvertising campaigns via Google Ads

·? MOVEit Transfer Vulnerability Exploits by Clop Group:

• In June, the Clop ransomware group exploited a vulnerability in the MOVEit Transfer software, impacting numerous organizations such as Shell, the New York City Department of Education, the BBC, and Boots. This attack followed an earlier exploit of a similar tool, Fortra's GoAnywhere MFT, in February?

·? NCR Aloha POS Attack by BlackCat/ALPHV:

• In April, BlackCat attacked NCR, disrupting the Aloha POS terminals used in many restaurants. This incident highlighted the group's ability to significantly impact the retail and hospitality sectors.

·? QakBot Disruption and Successor Malware:

• Following the FBI's takedown of QakBot, new malware such as DarkGate and PikaBot emerged. These new threats, sharing similarities with QakBot, have been used in sophisticated phishing campaigns aimed at initial network access for subsequent ransomware or data theft attacks.

·? Prospect Medical Holdings Attack by Rhysida:

• In August, the Rhysida ransomware group targeted the healthcare sector, particularly Prospect Medical Holdings, stealing substantial amounts of sensitive data, including patient records and social security numbers. This attack underscored the critical vulnerability of healthcare institutions to ransomware.

·? University of Hawaii Ransomware Incident:

• The University of Hawaii paid a ransom to the NoEscape group following an attack that compromised the personal information of 28,000 individuals. The university's decision to pay highlighted the challenging decisions organisations face when dealing with ransomware

·? 3CX Supply Chain Attack:

• In a sophisticated supply chain attack, North Korean actors compromised the 3CX Private Automatic Branch Exchange platform, affecting over 600,000 organisations globally. This attack involved inserting malicious code into 3CX updates, demonstrating the potential reach and impact of supply chain compromises.

• WannaCry (2017): A ransomware attack that exploited a vulnerability in Windows systems, encrypting files and demanding ransom payments. It affected over 230,000 computers worldwide.
• Stuxnet (2010): A sophisticated worm designed to sabotage Iran's nuclear program by targeting SCADA systems.

Preventing Malware

1. Antivirus and Anti-Malware Software: Install and regularly update security software to detect and remove malware.
2. Regular Updates and Patching: Keep operating systems and applications up to date with the latest security patches.
3. User Education: Educate users on safe browsing habits and the dangers of downloading software from untrusted sources.

5. Zero-Day Exploits

Zero-day exploits involve vulnerabilities that are unknown to the software vendor and have no patch available. Hackers exploit these vulnerabilities before they can be addressed, making them particularly dangerous.

How Zero-Day Exploits Work

1. Discovery: Hackers or researchers discover a vulnerability in software.
2. Exploitation: Malicious actors exploit the vulnerability before the vendor becomes aware of it and releases a fix.
3. Propagation: Once a zero-day exploit is used, it can spread rapidly, as systems remain vulnerable until a patch is deployed.

Notable Zero-Day Exploits

• Aurora (2009): A series of cyber-attacks targeting Google and other companies, exploiting a zero-day vulnerability in Internet Explorer.
• EternalBlue (2017): A zero-day exploit developed by the NSA and leaked by the Shadow Brokers. It was used in the WannaCry ransomware attack and other malware campaigns.

Preventing Zero-Day Exploits

1. Threat Intelligence: Use threat intelligence services to stay informed about emerging threats and zero-day exploits.
2. Behavioural Analysis: Implement security solutions that use behavioural analysis to detect unusual activity that might indicate an exploit.
3. Network Segmentation: Segment networks to limit the spread of exploits and reduce potential damage.

6. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks

DoS and DDoS attacks aim to make a service unavailable by overwhelming it with traffic. DoS attacks come from a single source, while DDoS attacks involve multiple systems.

How DoS and DDoS Attacks Work

1. Traffic Flooding: Attackers send a massive amount of traffic to the target server, exhausting its resources and causing it to crash or become unresponsive.
2. Botnets: In DDoS attacks, hackers use botnets (networks of infected computers) to generate traffic from multiple sources.

Notable DoS and DDoS Exploits

·? HTTP/2 Rapid Reset Attack: One of the most significant attacks in 2023 targeted AWS, Google, and Cloudflare using a novel method involving the rapid reset of HTTP/2 streams. This attack exploited a feature that allows rapid request cancellations, overwhelming servers by continuously opening and closing streams, leading to resource exhaustion. This attack was concerning because it used a smaller botnet than usual, indicating more efficient attack techniques (A10 Networks).

·? Akamai's Mitigation of a Massive Attack: On September 5, 2023, Akamai's Prolexic platform successfully defended against the largest DDoS attack directed at a major U.S. financial institution. The attack peaked at 633.7 Gbps and involved a combination of ACK, PUSH, RESET, and SYN flood vectors. Despite the attack's intensity, it lasted less than two minutes due to proactive defence measures (Akamai).

·? Cloudflare DDoS Insights: Throughout 2023, Cloudflare observed significant DDoS activity, particularly in regions like Israel and Palestine, where up to 17% of traffic was DDoS-related. The United States and China were major sources of these attacks, targeting industries such as cryptocurrency and gaming. Cloudflare's data also highlighted an increase in attacks on retail companies, correlating with high shopping periods like Black Friday (Cloudflare).

·? Trends in Attack Origins and Targets: According to multiple sources, DDoS attacks in 2023 were increasingly launched from smaller nations when normalized for traffic, with places like Saint Helena and Zimbabwe seeing disproportionate attack traffic. The most targeted industries included Information Technology, Financial Services, and Gaming, with significant attacks also noted against public relations and communications sectors (Cloudflare, A10 Networks).

• GitHub (2018): Suffered one of the largest DDoS attacks in history, with traffic peaking at 1.3 Tbps.
• Dyn (2016): A DDoS attack on DNS provider Dyn disrupted services for major websites like Twitter, Netflix, and Reddit.

Preventing DoS and DDoS Attacks

1. Rate Limiting: Implement rate limiting to control the amount of traffic to a server.
2. DDoS Protection Services: Use DDoS protection services that can absorb and mitigate attack traffic.
3. Redundancy and Load Balancing: Deploy redundant servers and use load balancing to distribute traffic.

7. Man-in-the-Middle (MitM) Attacks

MitM attacks involve intercepting and altering communication between two parties without their knowledge. This can lead to data theft, unauthorised access, and other malicious activities.

How MitM Attacks Work

1. Interception: The attacker intercepts the communication between two parties. This can be done through techniques like ARP spoofing, DNS spoofing, or using rogue Wi-Fi hotspots.
2. Decryption: If the communication is encrypted, the attacker may use methods like SSL stripping to downgrade or break the encryption.
3. Alteration: The attacker can alter the intercepted data, injecting malicious content or stealing sensitive information.

Notable MitM Exploits

1.???? Credential Phishing Campaigns: A significant rise in MitM phishing attacks targeting users' credentials was observed. These attacks involved setting up a MitM server that intercepted communication between the user and legitimate services like Microsoft Office 365 or Outlook. The server would capture login credentials and even handle multi-factor authentication (MFA) requests, allowing attackers to gain full access to user accounts?

2.???? BLUFFS Bluetooth Attacks: Researchers unveiled a series of vulnerabilities in Bluetooth technology, named BLUFFS (Bluetooth Forward and Future Secrecy). These attacks compromised session keys, enabling MitM attacks that could decrypt past and future Bluetooth communications. The vulnerabilities were found across multiple Bluetooth chips and affected a wide range of devices, highlighting a significant security flaw in the Bluetooth protocol.

3.???? SSL Stripping and Network Sniffing: Traditional MitM techniques such as SSL stripping and network sniffing remained prevalent. Attackers would downgrade HTTPS connections to HTTP, making it easier to intercept and manipulate the data being transmitted. Network sniffing tools were used to capture sensitive information passing over unsecured networks, particularly in public Wi-Fi environments.

4.???? DNS Spoofing: This technique saw increased use in 2023, where attackers would manipulate DNS responses to redirect users to malicious websites instead of legitimate ones. This method allowed attackers to intercept and alter communications, leading to the theft of sensitive data such as login credentials and financial information.

5.???? Wi-Fi Eavesdropping: By setting up rogue Wi-Fi hotspots, attackers intercepted communications between users and legitimate networks. This allowed them to capture unencrypted data or manipulate the traffic to launch further attacks

6.???? NSA PRISM Program (Revealed 2013): Involved extensive use of MitM techniques to eavesdrop on communication.

1. Equifax Data Breach (2017): Attackers exploited a vulnerability in a web application to perform MitM attacks and steal personal information of 147 million people.

Preventing MitM Attacks

1. Encryption: Use strong encryption protocols (e.g., TLS) to protect data in transit.
2. Secure Network Configuration: Ensure proper network configuration to prevent ARP and DNS spoofing.
3. VPNs: Use virtual private networks (VPNs) to secure communication channels, especially over public networks.

8. Insider Threats

Insider threats come from individuals within an organisation who have access to sensitive information. These threats can be malicious or accidental, resulting in data breaches, intellectual property theft, and other security incidents.

Types of Insider Threats

1. Malicious Insiders: Employees or contractors who intentionally misuse their access to harm the organisation.
2. Negligent Insiders: Employees who unintentionally compromise security through careless actions.
3. Compromised Insiders: Individuals whose accounts are taken over by external attackers.

Notable Insider Threat Exploits

• Edward Snowden (2013): Leaked classified NSA documents, exposing extensive global surveillance programs.
• Tesla (2018): A disgruntled employee leaked confidential information and made false claims about the company.

Preventing Insider Threats

1. Access Controls: Implement strict access controls and least privilege policies to limit access to sensitive information.
2. Monitoring and Auditing: Regularly monitor and audit user activities to detect suspicious behaviour.
3. Employee Training: Educate employees on security policies and the importance of protecting sensitive information.

9. Password Attacks

Password attacks involve attempting to obtain or guess a user's password. These attacks can be carried out using various methods, such as brute force, dictionary attacks, and credential stuffing.

How Password Attacks Work

1. Brute Force: Attackers use automated tools to try all possible combinations of characters until the correct password is found.
2. Dictionary Attacks: Attackers use a list of common passwords and variations to attempt access.
3. Credential Stuffing: Attackers use lists of compromised credentials from previous data breaches to attempt access on other platforms.

Notable Password Attacks

• LinkedIn (2012): A breach exposed 6.5 million hashed passwords, leading to widespread credential stuffing attacks.
• Yahoo (2014): Over 500 million accounts were compromised, including hashed passwords.

Preventing Password Attacks

1. Strong Password Policies: Enforce the use of complex, unique passwords.
2. MFA: Implement multi-factor authentication to add an extra layer of security.
3. Password Managers: Encourage the use of password managers to generate and store strong passwords.

10. Advanced Persistent Threats (APTs)

APTs are prolonged and targeted cyber-attacks where an intruder gains access to a network and remains undetected for an extended period. These attacks are often carried out by nation-states or well-funded groups with specific objectives.

How APTs Work

1. Initial Access: Attackers gain initial access through methods like phishing, exploiting vulnerabilities, or using insiders.
2. Establishing Foothold: They establish a presence within the network, often using backdoors and malware.
3. Lateral Movement: Attackers move laterally across the network to locate and access sensitive data.
4. Data Exfiltration: They extract valuable data while remaining undetected.

Notable APT Exploits

• Stuxnet (2010): An APT designed to sabotage Iran's nuclear program by targeting industrial control systems.
• Operation Aurora (2009): A series of cyber-attacks on companies like Google and Adobe, attributed to a nation-state actor.

Preventing APTs

1. Intrusion Detection Systems (IDS): Deploy IDS to monitor network traffic and detect anomalies.
2. Network Segmentation: Segment networks to limit attackers' ability to move laterally.
3. Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities.

United Kingdom and Global cyber-attack methods in 2023 involves aggregating data to understand the most common attack vectors used. This helps in identifying trends and threats.

• Phishing Attacks (30%): The most prevalent attack method, using social engineering to deceive individuals into providing sensitive information.
• Ransomware (25%): A significant threat where attackers encrypt data and demand a ransom for its decryption.
• Malware (12%): Malicious software designed to disrupt, damage, or gain unauthorised access to computer systems.
• Denial of Service (DoS) Attacks (10%): Overloading a network or service to make it unavailable to users.
• SQL Injection (8%): Exploiting vulnerabilities in web applications to execute harmful SQL statements.
• Zero-Day Exploits (6%): Attacks targeting vulnerabilities that are not yet known to the public or the software vendor.
• Man-in-the-Middle (MitM) Attacks (5%): Intercepting and potentially altering communications between two parties without their knowledge.
• Insider Threats (4%): Threats from individuals within an organisation who misuse their access to compromise security.

The landscape of computer system vulnerabilities is vast and constantly evolving. Hackers employ a variety of methods to exploit these vulnerabilities, causing significant damage to organisations and individuals. By understanding the tactics used and implementing robust security measures, organisations can better protect themselves against these threats. Continuous vigilance, regular updates, and comprehensive security strategies are essential in the ongoing battle against cyber threats.