
Attack vectors

In the cybersecurity realm

Michał Faron
Mateusz Włodarczyk
Maciej Kowalczyk
Franciszek Samiec
Mateusz Kadłubowski
Agenda
I. Phishing
II. Email attachments
III. Account Takeover
IV. Encryption
V. Insider Threats
VI. Browser-based attacks
VII. Application compromise
VIII. Patching vulnerabilities
IX. Open ports
X. Software vulnerabilities – case study
Phishing
Type of online scam where attackers trick people into sharing sensitive information by
posing as trusted entities.
Forms of phishing:
• Whaling
• Advanced fee scam
• Account deactivation scam
• Clone phishing
• Website forgery
• Spear phishing
Malicious email attachments
Harmful files sent via email, containing viruses or other malicious software aimed at
infecting the recipient's device or network.
Threats delivered through attachments:
• Phishing
• Viruses
• Spyware
• Adware
• Botnets
Security practices
Security practices are crucial for preventing both phishing and malicious email
attachments. These attack methods can't work unless the user makes a mistake, so
following the practices below will prevent them.
Before acting on an email, check:
• Legitimate sender
• Makes sense
• Spelling mistakes
• Relevant subject
Account Takeover
Account Takeover, commonly known as ATO, is a type of cybercrime where an attacker
gains unauthorized access to a user's account.
Common routes to account takeover:
• Credential stuffing: using bots to automatically attempt to log in to a user account
using a list of common or breached passwords.
• Hardcoded passwords: passwords to accounts can be stored in application code or
configuration files, which may be leaked.
• Application vulnerabilities: applications also have accounts, and an attacker can
exploit vulnerabilities in these accounts to take advantage of their access.
• Malware: malware infections on a user's computer can steal passwords in various ways.
• Stolen cookies: the cookies stored on a user's computer can store information about
their login session to allow access to an account without a password.
• Phishing: user credentials are a common target of phishing attacks.
Account Takeover
A successful account takeover attack grants the attacker the same access and
permissions as the legitimate account owner. With this access, an attacker can take
various actions, such as:
• Data theft: breach and exfiltration of vast amounts of sensitive, confidential, or
protected classes of data.
• Malware delivery: allow attackers to install and execute ransomware and other malware
on corporate systems.
• Follow-on attacks: once an attacker gains access to a legitimate account, they can use
that access to carry out further attacks.
• Lateral movement: a compromised account can provide an entry point for an attacker to
an otherwise secure network. Attackers can expand their access or escalate privileges
across other corporate systems.
• Financial profit: instead of using the compromised account themselves, the attacker may
sell access to it on the dark web.
Account Takeover Prevention
Defence-in-depth (DiD) is the best approach to take when addressing the risks of
account takeover attacks. Account takeover attacks commonly take advantage of poor
account security practices.
Layers of defence:
• Strong password policies
• Multi-factor authentication (MFA)
• Application security testing
• Login and API security
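The credential stuffing route described above and the "Login and API security" layer of the defence both turn on the same observation: stuffing tries leaked passwords across many accounts from one source, while classic password guessing hammers one account. The script below is an added example (not part of the original slides) that runs both detections over a few constructed login-log lines; the log format, the field names, the thresholds and every IP address and username are assumptions made for the illustration.

```python
"""Credential-stuffing and brute-force detection over constructed login events.

Added example, not from the original slides. Log format, thresholds and all
sample values (IPs, usernames, timestamps) are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, client IP, account, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:07Z ip=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:09Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:11Z ip=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:13Z ip=203.0.113.7 user=grace result=FAIL
2024-05-01T10:00:15Z ip=203.0.113.7 user=heidi result=OK
2024-05-01T10:01:00Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:10Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:20Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:30Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:40Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:50Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:02:00Z ip=192.0.2.5 user=alice result=FAIL
2024-05-01T10:02:20Z ip=192.0.2.5 user=alice result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_events(text):
    """Parse log lines into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def failures_in_window(failures, window):
    """Return (max failures, max distinct users) over any window-sized span of the
    time-sorted list `failures` of (timestamp, user)."""
    best_count, best_users = 0, 0
    for i, (start, _) in enumerate(failures):
        span = [u for ts, u in failures[i:] if ts - start < window]
        best_count = max(best_count, len(span))
        best_users = max(best_users, len(set(span)))
    return best_count, best_users


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs whose failed logins inside `window` hit many *distinct* accounts.
    The signal is breadth (many usernames from one source), not depth on one account."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        count, users = failures_in_window(fails, window)
        if users >= min_accounts:
            flagged[ip] = {"failures": count, "distinct_accounts": users}
    return flagged


def detect_brute_force(events, window=timedelta(minutes=5), min_failures=5):
    """Flag (ip, account) pairs with repeated failures on one account: the guessing
    pattern that strong password policies, lockout and MFA are meant to blunt."""
    by_pair = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_pair[(ip, user)].append((ts, user))
    flagged = {}
    for pair, fails in by_pair.items():
        fails.sort()
        count, _ = failures_in_window(fails, window)
        if count >= min_failures:
            flagged[pair] = count
    return flagged


def successes_after_stuffing(events, stuffing):
    """Successful logins from a flagged source: the accounts whose credentials worked
    and therefore need a password reset and MFA re-enrolment."""
    return sorted({(ip, user) for _, ip, user, result in events
                   if result == "OK" and ip in stuffing})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    stuffing = detect_credential_stuffing(evs)
    print("credential stuffing:", stuffing)
    print("brute force:", detect_brute_force(evs))
    print("accounts to reset:", successes_after_stuffing(evs, stuffing))
```

Per-IP breadth and per-account depth are kept as separate detectors on purpose: a lockout rule that only counts failures per account never fires on stuffing, because each account sees a single failed attempt.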
Lack of encryption
Unencrypted data can be viewed by anyone who has access to it. It can be
intercepted in transit between networks, as in an on-path attack, or simply viewed
inadvertently by an intermediary along the network path.

What is encryption?
• Scrambling data so that only authorized parties can understand the information
• Process of converting human-readable plaintext to incomprehensible text, also known
as ciphertext
How does encryption work?
• Encryption is a mathematical process that alters data using an encryption algorithm
and a key.
• Data can be encrypted "at rest," when it is stored, or "in transit," while it is being
transmitted somewhere else.
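To make the four pieces the slide names (plaintext, key, algorithm, ciphertext) concrete, here is an added example that is not from the original slides: a small encrypt-then-MAC construction built only from the Python standard library, with a counter-mode keystream derived from HMAC-SHA256. The key values and the sample record are constructed for the illustration. It is a teaching construction; a production system would use a vetted AEAD (AES-GCM or ChaCha20-Poly1305) from a maintained library, which packages the same ideas.

```python
"""Encrypt-then-MAC with an HMAC-SHA256 counter-mode keystream (standard library only).

Added example, not from the original slides. A teaching construction that shows why
confidentiality (the keystream) and integrity (the tag) travel together; real systems
use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 instead.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_key):
    """Split one master key into separate encryption and MAC keys: one key, one purpose."""
    enc_key = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """Counter mode: block i = HMAC(enc_key, nonce || i). Same key+nonce always gives the
    same stream, which is why the nonce must never repeat under one key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key, plaintext):
    """Return nonce || ciphertext || tag. The tag covers the nonce too."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN)  # fresh per message
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master_key, blob):
    """Verify the tag in constant time *before* touching the ciphertext; reject on any
    mismatch, whether from a wrong key or from modified data."""
    enc_key, mac_key = derive_keys(master_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def tamper_is_detected(master_key, blob):
    """Flip one ciphertext bit, as an on-path attacker could, and confirm rejection."""
    flipped = bytearray(blob)
    flipped[NONCE_LEN] ^= 0x01
    try:
        decrypt(master_key, bytes(flipped))
    except ValueError:
        return True
    return False


def wrong_key_is_rejected(blob, wrong_key):
    """A different key derives a different MAC key, so the tag check fails first."""
    try:
        decrypt(wrong_key, blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = os.urandom(32)  # constructed demo key; a real key lives in a KMS/HSM
    record = b"customer record stored at rest"
    blob = encrypt(key, record)
    print("ciphertext (hex):", blob[NONCE_LEN:-TAG_LEN].hex())
    print("round trip ok:", decrypt(key, blob) == record)
    print("tamper detected:", tamper_is_detected(key, blob))
```

The same blob works for both cases the slide distinguishes: stored on disk it is data at rest, sent over a network it is data in transit (where TLS normally supplies this protection). Either way, without the key an intermediary sees only the nonce, ciphertext and tag.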
Insider threats
Insider threats involve known and trusted individuals accessing and distributing confidential
data, either intentionally or accidentally.
Nature of Threat
• Insiders may act out of dissatisfaction, personal gain, or coercion from external attackers.
• They possess legitimate access, making detection challenging.
Types of Insider Threats
• Malicious insiders: Act with harmful intent, exploiting privileges.
• Negligent insiders: Unintentionally compromise security due to carelessness.
Impact
• Insider threats can lead to data breaches, financial loss, reputational damage, and legal
repercussions.
Mitigating Insider Threats
Combating insider threats requires a multi-layered approach involving technological
solutions, policy enforcement, and fostering a culture of security awareness throughout
the organization.
• Employee Training and Awareness
• Access Controls and Monitoring
• Establishing a Culture of Trust and Transparency
• Regular Security Audits and Reviews
Browser-based attacks
• Form of cyberattack that specifically targets vulnerabilities within web browsers.
• Exploit weaknesses in the browser's functionalities, such as its scripting engines,
rendering engines, or plugins/extensions.
• Primary objective of these attacks is to compromise the security of the user's system
or steal sensitive information.
• With the rise of cloud computing, a significant part of data exchange happens through
web browsers.
Possible signs of a MITB (man-in-the-browser) attack
• The user's antivirus software detects malware.
• The user is suddenly logged out of an account.
• The user receives login notifications from locations away from their device.
• There are missing or extra elements on a webpage.
Browser isolation
Browser isolation (also known as remote browsing) is the cyber security approach of separating
Internet browsing activity from the process of loading and displaying webpages locally.
Benefits
• Preventing local downloads or execution of malware, ransomware, and other malicious scripts.
• Blocking malicious web content without having to block entire websites.
• Minimizing the risk of zero-day browser vulnerabilities.
Types of threats
• Drive-by downloads
• Malvertising
• Click-jacking
Types
• Remote browser isolation
• On-premise browser isolation
• Client-side browser isolation
Remote browser isolation (RBI)
• Remote browser isolation (RBI) technology, also called "cloud-hosted browser isolation", loads
webpages and executes any associated code on a cloud server, far removed from users’ local
devices and organizations' internal networks.
Client-side browser isolation
• Client-side browser isolation loads webpages on a user device on which special software has been
installed. This software uses virtualization or sandboxing to keep all browsing activity on the virtual
machine.
Application compromise
• Application compromise occurs when attackers opt to infect a trusted third-party
application with malware rather than directly targeting user accounts.
• Alternatively, they may develop a deceptive, malicious application that users
unwittingly download and install, a prevalent attack method for mobile devices.
Patching vulnerabilities
• Many attacks stem from organizations neglecting to patch vulnerabilities.
• By consistently patching vulnerabilities and updating software and hardware, organizations
significantly decrease the likelihood of successful exploitation of vulnerabilities.

Patching process:
1. Identifying vulnerabilities and threats.
2. Analyzing data and understanding the nature of a threat.
3. Patching and testing the vulnerability.
Sources of vulnerability information:
• Scanners and endpoint agents. Scans provide an understanding of known anomalies or
vulnerabilities that could indicate a malware attack or malicious event has occurred.
• Advisories from hardware and software suppliers and third-party best practice
organizations.
• Penetration test results
• Firewall logs
Open Ports

• If a port is not secured and has known vulnerabilities, attackers can exploit
those weaknesses to gain unauthorized access to the system.
• By keeping only essential ports open, you reduce the attack surface for
hackers.
• Sometimes, open ports can reveal information about the system they're on,
such as the operating system or software version. This information can be
valuable to hackers in crafting targeted attacks.
Pattern of malicious exploitation of open ports
1. Vulnerable App:
• An Android app uses open ports for communication (intended functionality).
• These ports lack proper security measures.
2. Attacker:
• Locates a vulnerable app (through scanning or targeting specific apps).
• Crafts a malicious payload (data or code).
3. Attack Method:
• Remote
• LAN
• Phishing
4. Consequences:
• Steal data.
• Install malware.
• Execute malicious code (control device, disrupt functionality).
5. Potential Impact:
• Numerous devices might be vulnerable due to widespread use of unsecured open
ports in apps.
• Popular apps downloaded from official stores can be affected.
CMD:
1. netstat -ano
2. netsh advfirewall firewall add rule name="Block Port" dir=in protocol=TCP localport=PORT_NUMBER action=block
(netsh requires the rule direction, dir=in for inbound traffic; replace PORT_NUMBER with the
port to block.)
Measures to mitigate exploits on open ports
For app developers:
• Authentication & authorization (gate who/what can access)
• Encryption (scramble data)
• Port binding (limit access points)
• Minimize open ports (open only what's needed)
• Regular security audits (check for weaknesses)
• Secure coding practices (build strong defenses)
• Update libraries (patch known vulnerabilities)
For users:
• Update device software & apps regularly.
• Review app permissions before installing.
• Consider antivirus/anti-malware software.
• Watch for unusual app behavior.
• Use strong passwords and multi-factor authentication.
• Manage downloaded files carefully.
• Research apps before downloading.
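The two CMD steps on the previous slide (list listening ports with netstat -ano, block an unwanted one with netsh) and the "Port binding" and "Minimize open ports" measures above fit together as one audit loop. The script below is an added example, not from the original slides: it parses a constructed netstat -ano listing, separates loopback-only listeners (port binding done right) from listeners exposed on all interfaces, flags exposed ports that are not on an allow-list, and emits the page's netsh block command for each. The sample listing, the PIDs and the allow-list are assumptions made for the illustration.

```python
"""Audit of `netstat -ano` output: exposed listeners versus an allow-list.

Added example, not from the original slides. The listing below is constructed,
as are the PIDs and APPROVED_PORTS; on a real host you would feed in the output
of `netstat -ano` and your own approved-services list.
"""

# Constructed sample output in the Windows `netstat -ano` layout (not a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       2214
  TCP    192.168.1.20:49711     52.96.0.1:443          ESTABLISHED     3322
  TCP    [::]:3389              [::]:0                 LISTENING       1088
  UDP    0.0.0.0:5353           *:*                                    1920
"""

# Constructed allow-list of (protocol, port) pairs the organisation has approved.
APPROVED_PORTS = {("TCP", 135), ("TCP", 445), ("TCP", 3389)}

LOOPBACK_HOSTS = {"127.0.0.1", "[::1]"}
ANY_HOSTS = {"0.0.0.0", "[::]"}


def split_endpoint(addr):
    """'127.0.0.1:5432' -> ('127.0.0.1', 5432); '[::]:3389' -> ('[::]', 3389)."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def listening_sockets(netstat_output):
    """Return bound sockets: TCP lines in LISTENING state and every UDP line
    (UDP has no state column, so a bound UDP socket is simply a listener)."""
    sockets = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and title lines
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue  # established/closing connections are not open ports
            pid = int(parts[4])
        else:
            pid = int(parts[3])
        host, port = split_endpoint(local)
        if host in LOOPBACK_HOSTS:
            exposure = "loopback"        # reachable only from this host
        elif host in ANY_HOSTS:
            exposure = "all interfaces"  # reachable from any attached network
        else:
            exposure = "one interface"
        sockets.append({"proto": proto, "host": host, "port": port,
                        "pid": pid, "exposure": exposure})
    return sockets


def audit(sockets, approved):
    """Flag network-reachable listeners whose (proto, port) is not approved.
    Loopback-only services are skipped: that is the 'port binding' measure at work."""
    return [s for s in sockets
            if s["exposure"] != "loopback" and (s["proto"], s["port"]) not in approved]


def block_rule(proto, port):
    """The netsh command from the slide, filled in for one finding (name made unique)."""
    return (f'netsh advfirewall firewall add rule name="Block Port {port}" dir=in '
            f'protocol={proto} localport={port} action=block')


if __name__ == "__main__":
    findings = audit(listening_sockets(NETSTAT_SAMPLE), APPROVED_PORTS)
    for s in findings:
        print(f'{s["proto"]} {s["port"]} (PID {s["pid"]}, {s["exposure"]}) is not approved')
        print("  ", block_rule(s["proto"], s["port"]))
```

Blocking with a firewall rule treats the symptom; the PID in each finding is what you use to identify the owning process and decide whether to stop it, bind it to 127.0.0.1, or add it to the allow-list after review.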
Susceptibility of PV software might spell danger for the whole country
• 2023: 2.6 million solar plants in Germany with a combined capacity of 70 GW (~17.2% of
total energy consumption)
• Over 300,000 balcony power plants in operation in DE
https://infosec.exchange/@jarednaude/111660218766940579
Possible vulnerabilities related to cyber and physical attacks in grid-connected PV plants
• Vulnerability: Diverse deployment (large plants, homes) creates complex systems with more
attack points.
• Cyberattacks: DoS/DDoS, Data Tampering (False Injection, Replay), Man-in-the-Middle
• Consequences: Disrupted communication, power fluctuations, grid instability, equipment
damage.
• Defense: Intrusion detection, secure protocols, monitoring, advanced threat detection,
fault detection/response.
Inverters' remote functions:
• Fetch energy and power data
• Switch on/off, change parameters
• Remote maintenance
• Firmware update

• A malicious actor could modify the system software of devices and send it to all users
via the manufacturer's cloud.
• The software can cause devices to start drawing more power or shut down at a certain
time, which can lead to network overload/infrastructure damage and blackout.
• Failure of devices can also result in financial losses for users.
- The researcher reported the problem to the manufacturer and the German security
service, but initially received no response.
- There is open source software that may be more secure than the original
manufacturer's software.
Be informed, be vigilant, be secure.
Thank you for your attention!
