What Is a Cyber Attack?
A cyber attack is an attempt by cybercriminals, hackers or other digital adversaries to access a computer network or system, usually for the purpose of altering, stealing, destroying or exposing information.
Cyberattacks can target a wide range of victims from individual users to enterprises or even governments. When targeting businesses or other organizations, the hacker’s goal is usually to access sensitive and valuable company resources, such as intellectual property (IP), customer data or payment details.
2022 CrowdStrike Global Threat Report
Download the 2022 Global Threat Report to find out how security teams can better protect the people, processes, and technologies of a modern enterprise in an increasingly ominous threat landscape.Download Now
Common Types of Cyber Attacks
Ransomware is a type of malware that denies legitimate users access to their system and requires a payment, or ransom, to regain access. A ransomware attack is designed to exploit system vulnerabilities and access the network. Once a system is infected, ransomware allows hackers to either block access to the hard drive or encrypt files.
In ransomware attacks, adversaries usually demand payment through untraceable cryptocurrency. Unfortunately, in many ransomware attack cases, the user is not able to regain access, even after the ransom is paid.
The rise in ransomware attacks
Ransomware is one of the most common types of malware attacks today. According to the CrowdStrike Global Security Attitude Survey, which was published in November 2020, more than half of the 2,200 respondents suffered ransomware attacks over the previous 12 months.
CrowdStrike’s 2021 Global Threat Report also explored the growing use of ransomware within certain industries. Our analysis revealed that the most common targets include organizations that are conducting vaccine research and government agencies that are managing responses to COVID-19. The report also notes that ransomware attacks on manufacturing facilities have proven uniquely effective, as the time-sensitive nature of their production schedules often renders paying the fee less expensive than losing critical throughput.
Unfortunately for targets, ransomware attacks also tend to be among the more high-profile cybersecurity events, resulting in negative publicity and reputational harm. For example, in May 2021, the Colonial Pipeline, which supplies gasoline and jet fuel to the southeastern U.S., was the target of a ransomware attack by the criminal hacking group DarkSide. Service was temporarily disrupted, which impacted gas and fuel supply throughout the region. While Colonial Pipeline paid the ransom, which totaled $4.4 billion, the network operated very slowly.
Malware — or malicious software — is any program or code that is created with the intent to do harm to a computer, network or server. Malware is the most common type of cyberattack, mostly because this term encompasses many subsets such as ransomware, trojans, spyware, viruses, worms, keyloggers, bots, cryptojacking, and any other type of attack that leverages software in a malicious way.
The rise of fileless malware
Because organizations are taking steps to defend against traditional ransomware attacks, some cybercriminals are adapting their techniques to circumvent these enhanced security measures. One of these advanced techniques involves “fileless” malware, which is when malicious code is either embedded in a native scripting language or written straight into memory using a program such as PowerShell. In a fileless malware attack, it is also common for attackers to exploit a public-facing web server, and then use a web shell to move laterally in the environment.
Traditional antivirus products and even application whitelisting products are completely blind to attacks that do not use malware. This underscores the need for organizations to have advanced cybersecurity tools that protect against both known and unknown threats.
3. Malware as a Service (MaaS)
Another growing trend is the use of Malware as a Service (MaaS) for carrying out cyberattacks. In a MaaS model, hackers are hired to conduct ransomware attacks on behalf of a third-party. This model allows anyone who wishes to carry out a cyberattack to do so, even if they lack the technical skills or experience.
4. DoS and DDoS Attacks
A Denial-of-Service (DoS) attack is a malicious, targeted attack that floods a network with false requests in order to disrupt business operations.
In a DoS attack, users are unable to perform routine and necessary tasks, such as accessing email, websites, online accounts or other resources that are operated by a compromised computer or network. While most DoS attacks do not result in lost data and are typically resolved without paying a ransom, they cost the organization time, money and other resources in order to restore critical business operations.
The difference between DoS and Distributed Denial of Service (DDoS) attacks has to do with the origin of the attack. DoS attacks originate from just one system while DDoS attacks are launched from multiple systems. DDoS attacks are faster and harder to block than DOS attacks because multiple systems must be identified and neutralized to halt the attack.
In 2018, the FBI shut down the largest DDoS-for-hire site on the dark web, which led to a dip in DDoS attacks. However, numbers are now once again on the rise. [According to recent research, DDoS attacks increased by 151% in the first half of 2020.]
Part of the reason for this trend is the explosion of connected devices and Internet of Things (IoT) technology. Unlike traditional endpoints, like computers and smartphones, most IoT devices have relatively lax security controls, making them susceptible to attacks and increasing their ability to be overtaken by a botnet.
COVID-19 further exacerbated DDoS attacks in that the rapid shift to remote work led to a proliferation of often poorly secured connected devices. This dramatically expanded the attack surface at a time when many IT organizations were preoccupied with basic tasks like ensuring remote access and support services.
Example: The AWS DDoS Attack in 2020
Virtually any organization can fall victim to a DDoS attack, as evidenced by the February 2020 attack on Amazon Web Services (AWS). Considered one of the largest, high-profile DDoS attacks ever reported, this attack targeted an unknown AWS customer using a technique called Connectionless Lightweight Directory Access Protocol (CLDAP) reflection, which amplifies data sent to the victim’s IP address through a server vulnerability. The attack, which lasted three days, caused significant revenue losses for AWS customers and reputational harm to AWS.
Phishing is a type of cyberattack that uses email, SMS, phone, social media, and social engineering techniques to entice a victim to share sensitive information — such as passwords or account numbers — or to download a malicious file that will install viruses on their computer or phone.
Common phishing examples in the COVID era
As noted above, COVID-19 dramatically increased cyberattacks of all kinds, including phishing attacks. During the lockdown period, people generally spent more time online and also experienced heightened emotions — the virtual recipe for an effective phishing campaign.
Throughout 2020, the CrowdStrike data science team closely tracked COVID-19-related malspam (malicious spam). Most attacks urged the recipient to download an attachment, which was malware that then acted as a keylogger or password stealer. Some of the most common scenarios and techniques included:
- Impersonating a doctor and claiming to be able to treat or cure COVID-19.
- Impersonating a government organization that is sharing important public health information.
- Impersonating a courier service that is attempting to deliver a package.
For more information about common phishing techniques in the COVID era, please access our companion post on phishing attacks.
The Most Impersonated Organizations in Phishing Scams
While the most well-known phishing attacks usually involve outlandish claims, such as a member of a royal family requesting an individual’s banking information, the modern phishing attack is far more sophisticated. In many cases, a cyber criminal may masquerade as common retailers, service providers or government agencies to extract personal information that may seem benign such as email addresses, phone numbers, the user’s date of birth, or the names of family members.
To assess exactly which organizations are being impersonated the most in phishing scams, the CrowdStrike data science team submitted an FOIA request to the Federal Trade Commission and asked for the total number of phishing scams reported as impersonating the top 50 brands and all U.S. federal agencies.
The results show the U.S. public which emails from brands and organizations they need to be the most cautious of, and which are the most lucrative to impersonate for phishing criminals. Topping the list is e-retailer Amazon, followed by technology companies Apple (2), Microsoft (4) and Facebook (8). Other organizations include: the Social Security Administration (3); retail banks, such as Bank of America (5) and Wells Fargo (6); telecommunications providers such as AT&T (7) and Comcast (10); retailers such as Costco (11), Walmart (12) and Home Depot (18); and courier services such as FedEx (9) and UPS (14).
To view the complete list, please access our companion post on phishing attacks.
6. MITM Attack
A man-in-the-middle (MITM) attack is a type of cyberattack in which a malicious actor eavesdrops on a conversation between a network user and a web application. The goal of a MITM attack is to surreptitiously collect information, such as personal data, passwords or banking details, and/or to impersonate one party to solicit additional information or spur action. These actions can include changing login credentials, completing a transaction or initiating a transfer of funds.
While MITM attackers often target individuals, it is a significant concern for businesses and large organizations as well. One common point of access for hackers is through software-as-a-service (SaaS) applications. The cyber attacker can then use these applications as an entryway to the organization’s wider network and potentially compromise any number of assets, including customer data, IP or proprietary information about the organization and its employees.
The sudden influx of remote workers, which relied on SaaS applications to complete routine tasks during COVID-19 lockdown periods, as well as an increase in connected devices, has significantly increased the opportunity for MITM attacks over the past two years.
The next frontier: Machine-in-the-Middle
[Although generally less well-known than ransomware or malware attacks, MITM attacks are among the most widely used methods available to cybercriminals. According to some estimates, 35 percent of incidents where cyber weaknesses have been exploited involved MItM attacks.]
As with malware attacks, advances in cyber security defenses have made MITM and other network-based attacks increasingly difficult to execute. As a result, cybercriminals have now begun to target the endpoint instead of the network in these attacks. For example, the hacker may target a user’s computer and install a root Certificate Authority (CA) and then generate valid digital certificates that allow them to impersonate any website. Since the root CA is controlled by the hacker, encrypted communication sent by the user can be intercepted. In this way, the concept of ‘Man-in-the-Middle’ becomes ‘Machine-in-the-Middle.’
One recent MITM attacker identified by CrowdStrike was a Trickbot module called shaDll. The module installed illegitimate SSL certificates on infected computers, which allowed the tool to gain access to the user network. The module was then able to redirect web activity, inject code, take screenshots and gather data.
Example: The Fall of WebNavigatorBrowser
Another attack recently highlighted by CrowdStrike relates to Chromium-based Adware Browser WebNavigatorBrowser. This web browser falls into the category of adware because it injects ads into search results. The developer based it on Google’s free and open-source browser software project, Chromium. It is copyrighted and signed by Better Cloud Solutions LTD, a legally registered company in the U.K.
In early 2020, Sectigo, (formerly known as Comodo) a well-known Certificate Authority (CA), revoked WebNavigatorBrowser’s certificate, making this attack vector a thing of the past.
For more information, please read our companion post: The Rise and Fall of WebNavigatorBrowser: Chromium-based Adware Browser.
7. Cross-Site Scripting (XSS)
Cross Site Scripting (XSS) is a code injection attack in which an adversary inserts malicious code within a legitimate website. The code then launches as an infected script in the user’s web browser, enabling the attacker to steal sensitive information or impersonate the user. Web forums, message boards, blogs and other websites that allow users to post their own content are the most susceptible to XSS attacks.
Though an XSS attack targets individual web application visitors, the vulnerabilities lie in the application or web site. As such, organizations that needed to deploy a remote workforce may have inadvertently exposed itself to this type of attack by making internal applications available via web or by deploying cloud-based services. This increased the attack surface at a time of significant strain for businesses and IT teams, in particular.
8. SQL Injections
A SQL Injection attack is similar to XSS in that adversaries leverage system vulnerabilities to inject malicious SQL statements into a data-driven application, which then allows the hacker to extract information from a database. Hackers use SQL Injection techniques to alter, steal or erase data.
The main difference between XSS and SQL Injection has to do with who is targeted. The XSS is a client-side vulnerability that targets other application users, whereas the SQL injection is a server-side vulnerability that targets the application’s database.
One of the most common targets of SQL injection attacks are gamers and the gaming industry. According to Akamai’s State of the Internet report, attacks on the gaming industry increased three-fold between 2019 and 2020, reaching more than 240 million web application attacks. SQL injections were the most common attack vector; this technique was used to access player login credentials and other personal information.
Once again, this uptick is attributable to increased time spent online due to COVID-19 lockdowns and social distancing.
9. DNS Tunneling
DNS Tunneling is a type of cyberattack that leverages domain name system (DNS) queries and responses to bypass traditional security measures and transmit data and code within the network.
Once infected, the hacker can freely engage in command-and-control activities. This tunnel gives the hacker a route to unleash malware and/or to extract data, IP or other sensitive information by encoding it bit by bit in a series of DNS responses.
DNS tunneling attacks have increased in recent years, in part because they are relatively simple to deploy. Tunneling toolkits and guides are even readily accessible online through mainstream sites like YouTube.
10. Password Attack
Password attacks—any cyberattack wherein a hacker attempts to steal a user’s password—are one of the leading causes of both corporate and personal data breaches.
Password attacks are on the rise because they are an effective means for gaining access to a network or account. Since many users do not set strong passwords, reuse existing passwords across multiple sites or fail to regularly change their password, hackers can exploit these weaknesses.
[According to the Verizon 2021 Data Breach Investigations Report, compromised credentials, such as weak passwords, are the primary point of access for hackers. More than six in ten breaches (61%) originate with user credentials.]
11. Birthday Attacks
Birthday attacks are a type of brute force attack that attempts to identify two matching hash values to crack a password. The attack takes its name from the probability theory that within a group of 30 people, there is a 70% likelihood that two people share the same birthday.
12. Drive By Attack
A drive-by attack, sometimes called a drive-by download, is a more sophisticated form of a malware attack that leverages vulnerabilities in various web browsers, plugins, or apps, to launch the attack. It does not require any human action to initiate. Once the attack is underway, the hacker can hijack the device, spy on the user’s activity or steal data and personal information.
Though a drive-by attack is far more complex to deploy, they are becoming more common as cybersecurity measures become more advanced and sufficiently deflect traditional malware attacks.
Cryptojacking is the unauthorized use of a person’s or organization’s computing resources to mine cryptocurrency.
Cryptojacking programs may be malware that is installed on a victim’s computer via phishing, infected websites, or other methods common to malware attacks; they may also be small pieces of code inserted into digital ads or web pages that only operate while the victim is visiting a particular website.
Cryptojacking attacks have waned since 2018 due to increased attention from law enforcement, as well as the decommissioning of Coinhive, the leading crypto-mining site for Monero cryptocurrency. However, such attacks have since increased once again due to the rising value of cryptocurrencies.
14. IoT-Based Attacks
An IoT attack is any cyberattack that targets an Internet of Things (IoT) device or network. Once compromised, the hacker can assume control of the device, steal data, or join a group of infected devices to create a botnet to launch DoS or DDoS attacks.
[According to the Nokia Threat Intelligence Lab, connected devices are responsible for nearly one-third of mobile network infections – more than double the amount in 2019.]
Given that the number of connected devices is expected to grow rapidly over the next several years, cybersecurity experts expect IoT infections to grow as well. Further, the deployment of 5G networks, which will further fuel the use of connected devices, may also lead to an uptick in attacks.
The Evolution of Ransomware: How to Protect Organizations From New Trends & Methods
Download the white paper to see the breakdown of new trends in online extortion threats.Download Now
The Rise of Cyber Attacks
In recent years, cyberattacks have become more sophisticated, increasing the need for a comprehensive cybersecurity strategy and tooling.
The world recorded a steep increase in cyber attacks and cybercrime in 2020. According to CrowdStrike’s 2020 Threat Hunting Report, which analyzes intrusion attempts within the CrowdStrike customer network, more breaches were attempted in the first half of 2020 than in all of 2019. The report revealed that the CrowdStrike threat hunting team blocked roughly 41,000 potential intrusions from January through June 2020, as compared to 35,000 intrusions during the entirety of the previous year. This represents a 154% increase in cyberattacks year-on-year.
This increase may be attributed to several factors including:
- The COVID-19 pandemic and stay-at-home orders, which dramatically increased the amount of time people spent online;
- The shift to remote work (an existing trend that was rapidly accelerated due to COVID-19), which increased the use of personal connected devices, as well as personal networks, thereby expanding the attack surface for organizations;
- The proliferation of connected devices and Internet of Things (IoT) technology, which provide a plethora of entry points for cybercriminals;
- The shift to the cloud, which requires a fundamentally different security strategy as compared to traditional on-premises networks;
- 5G technology, which is further fueling the use of connected devices; and
- The availability of hackers “as-a-service” which makes ransomware and other malware attacks available to those who lack the technical expertise to carry out such an attack personally.
How To Protect Against Cyber Attacks
A comprehensive cybersecurity strategy is absolutely essential in today’s connected world. From a business perspective, securing the organization’s digital assets has the obvious benefit of a reduced risk of loss, theft or destruction, as well as the potential need to pay a ransom to regain control of company data or systems. In preventing or quickly remediating cyberattacks, the organization also minimizes the impact of such events on business operations. Finally, when an organization takes steps to deter adversaries, they are essentially protecting the brand from the reputational harm that is often associated with cyber events — especially those that involve the loss of customer data.
Below are some recommendations we offered in our 2020 Global Security Attitude Survey to help organizations improve their security posture and ensure cybersecurity readiness:
- Continue to invest in digital transformation to keep pace with the eCrime and nation-state threats. Replacing legacy, on-premises technologies with cloud-native platforms — such as CrowdStrike Falcon® — that are designed to protect remote and hybrid environments will be critical to ensuring protection in the new work-from-anywhere environments that are here to stay.
- Focus on protecting all workloads wherever they are rather than maintaining security models built around network perimeters. A solution such as CrowdStrike® Falcon Cloud Workload Protection provides breach protection across private, public, hybrid and multi-cloud environments so you can rapidly adopt and secure technology across any workload.
- Integrate identity protection with run-time protection of workloads, endpoints and mobile devices to alleviate the strain on IT teams, and keep your organization secure by allowing your team to plan, implement and migrate to the cloud-native applications you need to secure your business and employees — no matter where they are located.
- Strive to meet the 1-10-60 rule that CrowdStrike introduced in 2018: one minute to detect a cyber threat, 10 to investigate and 60 to contain and remediate. The survey reveals that it takes organizations an average of 117 hours to even detect an incident or intrusion (reflecting very little improvement from 120 hours in 2019) — and many more to investigate and contain it. The CrowdStrike Falcon platform enables security teams to shorten the time to investigate and understand a cybersecurity threat by providing deep context, seamlessly integrated threat intelligence and sophisticated visualizations.