Criminal hacking has become a major threat to today’s organizations. According to a Deloitte Center for Controllership poll, “During the past 12 months, 34.5% of polled executives report that their organizations' accounting and financial data were targeted by cyber adversaries.” And, “Nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organizations’ accounting and financial data to increase in the year ahead.”
By understanding the methods that criminal hackers commonly use, organizations can take proactive measures to safeguard their systems and protect their data.
In this blog post, we'll explore common techniques used to penetrate systems and how organizations can defend against each type of attack.
Common Types of Cyber Attacks
Common techniques that criminal hackers use to penetrate systems include social engineering, password attacks, malware, and exploitation of software vulnerabilities.
According to Carnegie Mellon University’s Information Security Office, “Social engineering is the tactic of manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.”
Criminals often use social engineering techniques to gain access to systems because it's easier to exploit the weakest link in the security chain: humans.
The steps involved in a successful social engineering attack are:
- Research - Criminals gather information about the target, such as employees' names, job titles, and email addresses.
- Pretexting - Criminals create a plausible pretext to contact the target, such as posing as an IT support person or a vendor.
- Contact - Criminals contact the target via phone, email, or social media and use social engineering techniques to persuade the target to reveal sensitive information or perform an action that compromises security.
Social Engineering Attack Example
You receive an email that appears to be from your bank, asking you to click on a link to update your account information. The link takes you to a website that looks identical to your bank's website, but is actually a fake. You’re prompted to enter your login credentials. Once you do, the cybercriminals obtain your information, which they use to steal money from your account.
How to Protect Against Social Engineering Attacks
Organizations can protect themselves against social engineering attacks by educating employees about the risks, enabling multi-factor authentication, and implementing security policies that require verification of any requests for sensitive information or actions.
Password attacks involve guessing or cracking passwords to gain access to systems. Password attacks can be successful if users choose weak passwords or reuse passwords across multiple systems.
The steps involved in a successful password attack are:
- Reconnaissance - Criminal hackers gather information about the target, such as usernames and email addresses.
- Attack - Criminal hackers conduct one of the following attacks:
  - Brute force - Accessing a password-protected device by using a tool that attempts as many combinations of numeric/alphanumeric passwords as possible.
  - Dictionary attack - Accessing a password-protected device by using a tool that guesses passwords from a pre-generated list of common passwords.
How to Protect Against Password Attacks
Organizations can protect themselves against password attacks by requiring strong passwords, implementing multi-factor authentication, and limiting the number of login attempts.
Malware, according to the Federal Trade Commission, “includes viruses, spyware, ransomware, and other unwanted software that gets secretly installed onto your device.”
Malware, short for “malicious software”, is usually designed to allow malicious actors to gain access to your system in order to monitor your activity or steal data. Malware can be delivered through email attachments, malicious websites, or compromised software.
The steps normally involved in a successful malware attack are:
- Delivery - Hackers deliver the malware to the target, usually through email attachments or malicious websites.
- Execution - The target opens the infected attachment or visits the malicious website, which executes the malware.
- Infection - The malware infects the system and the criminal hacker gains control.
Malware Attack Example
There are many types of malware attacks, but here is one example:
You download an application onto your computer, unaware that it is a fake application distributed through a malicious website by a bad actor. When you download and install the program, the malicious software is also installed on your computer, allowing the attacker to gain access to your files and system.
The attacker can then use this access to steal sensitive information or carry out further attacks. This type of attack is known as a Trojan horse. It can be difficult to detect and remove, making it a popular tool for cybercriminals.
How to Protect Against Malware Attacks
Organizations can protect themselves against malware attacks by implementing antivirus software, making regular offline backups of important data, keeping software up to date, enforcing multi-factor authentication, and educating employees about the risks.
Exploiting software vulnerabilities is one of the most common ways that hackers penetrate systems. Software vulnerabilities are typically caused by coding errors or design flaws in software applications or operating systems. These vulnerabilities can allow attackers to exploit the system and gain unauthorized access to sensitive data or resources.
Here are some of the most common types of software vulnerabilities that hackers use to penetrate systems:
A buffer overflow attack occurs when a program attempts to store more data in a buffer (temporary storage area) than it can handle, resulting in the excess data spilling over into adjacent memory space. This can cause the program to crash or allow an attacker to execute malicious code.
Example: CVE-2020-15359: VDALabs Uses Mayhem To Find MP3Gain Stack Overflow
According to OWASP, “Injection is an attacker’s attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter.”
The most common type of injection attack is an SQL injection attack, which occurs when attackers inject malicious SQL commands into an application's input fields in order to gain access to sensitive data, modify the content of the database, or even take control of the server.
Example: Finding Non-Trivial Web API Issues with Mayhem for API
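To make the "changes the meaning of commands" point concrete, here is an added example (not code from the post or from Mayhem) using a hypothetical accounts table in an in-memory SQLite database: the same lookup written with string concatenation and with a bound parameter.

```python
import sqlite3

# Constructed sample data: a hypothetical accounts table, not from the original post.
_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")]


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", _ROWS)
    return conn


def lookup_vulnerable(username: str) -> list:
    """Builds the query by string concatenation: the input becomes part of the
    SQL text, so quote characters in it change what the statement means."""
    conn = _connect()
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(username: str) -> list:
    """Passes the input as a bound parameter: the database receives the SQL text
    and the value separately, so the value is only ever compared, never parsed."""
    conn = _connect()
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    # Ordinary input behaves the same either way.
    print(lookup_vulnerable("alice"), lookup_parameterized("alice"))
    # Input containing SQL syntax: the concatenated query's WHERE clause now
    # matches every row; the parameterized query matches none.
    crafted = "x' OR '1'='1"
    print(len(lookup_vulnerable(crafted)), len(lookup_parameterized(crafted)))
```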
Cross-site Scripting (XSS)
XSS attacks are another common type of injection attack. XSS attacks occur when attackers inject malicious code, typically in the form of a script, into web pages that are otherwise harmless. XSS attacks can be used to steal sensitive data, spread malware, or take over user accounts.
Example: Fuzzing for Command Injections (CVE-1999-0067)
Remote Code Execution
The majority of the top routinely exploited vulnerabilities in 2021 were remote code execution (RCE) vulnerabilities.
RCE vulnerabilities allow attackers to execute malicious code on a system remotely by exploiting a flaw in an application or operating system. This can then allow them to take control of the system or to access sensitive data or resources. RCEs don’t require a malicious actor to gain physical access to your network in order to be exploited.
Remote Code Execution can happen in conjunction with other types of attacks, such as injection attacks and buffer overflows.
Example: Uncovering OpenWRT Remote Code Execution (CVE-2020-7982)
In a directory traversal (or path traversal) attack, an attacker submits specially crafted input to an application in order to manipulate the file path the application uses to access files. By including "../" or similar sequences in the input, an attacker can trick the application into accessing files or directories that are outside the intended scope.
Example: The Hacker Mind: Shellshock (CVE-2014-0475)
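The check an application needs against the "../" trick described above, as an added example (not code from the post or from Mayhem). The base directory is a hypothetical value; the unsafe join is shown beside the checked version.

```python
import os
from typing import Optional

# Hypothetical directory the application is allowed to serve files from.
BASE_DIR = "/srv/app/files"


def resolve_vulnerable(base: str, user_path: str) -> str:
    """Joins the user-supplied path onto the base directory with no check:
    "../" sequences walk out of base, and an absolute path replaces it entirely."""
    return os.path.normpath(os.path.join(base, user_path))


def resolve_safe(base: str, user_path: str) -> Optional[str]:
    """Resolves the path, then verifies the result is still inside base.
    Returns None for anything that escapes. Run this on the fully decoded path
    (after any URL decoding the application does); on a live filesystem use
    os.path.realpath() instead of abspath() so symlinks cannot point back out."""
    base = os.path.abspath(base)
    candidate = os.path.abspath(os.path.join(base, user_path))
    # commonpath, not startswith: "/srv/app/files-old/x" starts with the
    # string "/srv/app/files" but is not inside that directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```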
How to Protect Against Software Vulnerability Attacks
To protect against these types of attacks, organizations should perform regular vulnerability testing and software updates to prevent the exploitation of these vulnerabilities.
How do hackers find software vulnerabilities?
There are several ways hackers can find vulnerabilities in software systems, including fuzz testing, penetration testing, and reverse engineering.
Fuzzing, or fuzz testing, is a common technique that hackers use to find vulnerabilities in software. Fuzzing involves feeding large amounts of random input data, or “fuzz”, into an application to see how it responds.
The goal of fuzzing is to identify unexpected behavior or crashes in the target system, which can indicate the presence of a vulnerability that can be exploited.
The steps involved in a successful fuzzing attack are:
1. Identification - Hackers identify the target system and the input fields that will be fuzzed.
2. Generation - Hackers use a tool to generate random input data and send it to the target system.
3. Detection - The tool detects unexpected behavior or crashes in the target system, which may indicate the presence of a vulnerability.
4. Exploitation - If a vulnerability is detected, the hacker can attempt to exploit it to gain unauthorized access to the system.
Fuzz testing is a very effective technique for identifying vulnerabilities in software. The most effective way for organizations to protect themselves against not only fuzzing attacks, but any type of attack, is by using automated tools to perform fuzz testing on their own systems. This way, vulnerabilities can be identified and addressed before they can be exploited by criminal hackers.
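The identification, generation and detection steps above, run defensively against your own code, as an added example (not code from the post or from Mayhem). The target is a hypothetical length-prefixed message parser whose seeded bug trusts the length byte, the same unchecked-length mistake behind the buffer over-reads described earlier, shown here as a Python IndexError next to its hardened form.

```python
import random

SEED = b"\x05hello"   # constructed seed: a length byte, then that many payload bytes

def parse_message(data: bytes) -> bytes:
    """Hypothetical parser with a seeded bug: it trusts the length byte."""
    n = data[0]
    payload = data[1:1 + n]
    _ = payload[n - 1]   # BUG: n is never checked against the bytes received,
    return payload       # so this index runs past the payload (IndexError)

def parse_message_fixed(data: bytes) -> bytes:
    """Hardened version: malformed input is rejected with a documented ValueError."""
    if not data:
        raise ValueError("empty message")
    n = data[0]
    payload = data[1:1 + n]
    if len(payload) != n:
        raise ValueError("declared length exceeds received bytes")
    return payload

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Generation step: apply one random byte-level mutation to the seed."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and data:                                   # overwrite a byte
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1 and data:                                 # delete a byte
        del data[rng.randrange(len(data))]
    else:                                                  # insert a byte
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1):
    """Detection step: feed mutated inputs to target and collect crashes as
    (input, description) pairs. The parser's documented ValueError is an
    expected rejection; any other exception is an unhandled defect."""
    rng = random.Random(rng_seed)        # fixed seed keeps the run reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((case, f"{type(exc).__name__}: {exc}"))
    return crashes
```

Calling `fuzz(parse_message, SEED, 500)` returns the crashing inputs to triage, while `fuzz(parse_message_fixed, SEED, 500)` returns an empty list.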
Best Automated Tool to Find and Fix Vulnerabilities
Mayhem is a security testing solution that was built by professional hackers. It uses fuzz testing and machine learning techniques to automatically generate thousands of tests to identify defects in your apps and APIs before they can be exploited by malicious actors.