

Sprint 1.5 NETWORK AND SECURITY
Presentation • Computers • 10th Grade • Practice Problem • Medium
alaa jaber
1
Unit 1 Technology, IP and Security
DigiChamps | Level 10
2
Learning Objectives
●explore the Mirai attack;
●differentiate between different types of malware;
●understand the importance of and need for cyber security.
3
Outline
●Understand the role of Network and Security and explore how cyber-attacks happen, and
the safety measures you can take to prevent them.
4
Case study: The Mirai attack
5
A cyber-attack is an attempt to gain access to or retrieve information from devices belonging
to an individual or an organization without their consent. The Mirai attack refers to the
massive cyber attack launched by hackers in 2016. Mirai bots specifically targeted and used
Internet of Things (IoT) devices such as routers, IP cameras, smart appliances, and so on.
They took control of these IoT devices and made them send fake requests to websites or
servers so that these would slow down or crash. Since the requests came from different devices
with different IP addresses, the server found it difficult to distinguish between a genuine user
and the Mirai bots.
These kinds of attacks are called DDoS (Distributed Denial of Service) attacks. One of the
major attacks targeted the Domain Name System (DNS) provider Dyn, which resulted in
disruptions for major websites like Twitter, Netflix, and Reddit.
6
This is a great case study to understand the potential dangers associated with the rapid
growth of IoT devices and the various techniques employed by hackers to threaten
cybersecurity.
Let's explore the various strategies employed by the Mirai attack.
7
Multiple Choice
A ______________ is an attempt to gain access to or retrieve information from devices belonging
to an individual or an organization without their consent.
cyber
attack
Mirai bots
These kinds of attacks were named DDoS (Distributed Denial of Service) attacks. One of the
8
Multiple Choice
The _____ attack refers to the massive cyber attack launched by hackers in 2016. ______ bots specifically targeted and used Internet of Things (IoT) devices such as routers, IP cameras, smart appliances, and so on.
cyber
attack
Mirai
These kinds of attacks were named DDoS (Distributed Denial of Service) attacks. One of the
9
Multiple Choice
They took control of these IoT devices to create fake requests to the websites or servers to slow down or crash.
cyber
attack
Mirai
These kinds of attacks were named DDoS (Distributed Denial of Service) attacks. One of the
10
Why is Mirai significant?
Mirai is considered a significant event in the history of cyberattacks for several reasons:
●The Mirai attack was one of the largest DDoS attacks ever recorded. It reached a peak
traffic volume of over 1.2 terabytes per second.
●The attack affected a wide range of popular websites, including Twitter, Netflix, and
Amazon, causing significant disruption to online services.
●Mirai marked a turning point in cybersecurity, as it was the first major attack to exploit
the vulnerabilities of IoT devices on a massive scale.
11
Multiple Choice
The Mirai attack was one of the largest DDoS attacks ever recorded. It reached a peak traffic volume of over 1.2 terabytes per second.
True
False
12
Multiple Select
The Mirai attack affected a wide range of popular websites, including______, ______, and
________, causing significant disruption to online services.
Netflix
Amazon
13
Why did Mirai use IoT devices?
14
Most of the previous DDoS attacks were launched using bots that had infected computers.
However, the Mirai bots specifically targeted Internet of Things (IoT) devices such as routers,
IP cameras, smart appliances, and so on. The following are the key reasons for that:
- IoT devices are often cheap, mass-produced, and lack strong security controls or updates.
- Most smart appliances with IoT are always connected to power.
- They have weak security and vulnerabilities that make it easy to install bots on them.
Mirai took advantage of weak default passwords and vulnerabilities in these devices to spread
malware and gain control of hundreds of thousands of IoT devices.
15
Multiple Select
The Mirai bots specifically targeted Internet of Things (IoT) devices such as: (Choose more than one)
routers
IP cameras
smart appliances
electricity in the building
16
Multiple Select
The Mirai bots specifically targeted Internet of Things (IoT) devices such as routers,
IP cameras, smart appliances, and so on. Select the key reasons for that:
IoT devices are often cheap
mass-produced
lack strong security controls or updates.
Most of the smart appliances with IoT are always connected to power
17
Denial of Service attack
18
What if you receive over 500 messages at once, causing your phone to freeze or stop working
temporarily? It may be a Denial of Service (DoS) attack.
A DoS attack occurs when an attacker overwhelms a server, website, or network with massive
traffic, rendering the service unavailable. This can cause substantial damage and system
downtime by making it unresponsive to user requests. Typically, these attacks involve high
volumes of requests from multiple sources.
19
Multiple Choice
They took control of these IoT devices to create fake requests to the websites or servers to slow down or crash.
cyber
attack
Mirai
These kinds of attacks were named DDoS (Distributed Denial of Service) attacks. One of the
20
Multiple Choice
_________occurs when an attacker overwhelms a server, website, or network with massive
traffic, rendering the service unavailable.
cyber
attack
Mirai
These kinds of attacks were named DDoS (Distributed Denial of Service) attacks. One of the
21
Distributed Denial of Service (DDoS) attack
A Distributed Denial of Service (DDoS) attack uses thousands of compromised computers or
devices, called "bots," to flood a server or website with bad traffic. Cybercriminals infect
devices with these bots through various malware attacks. These networks of bad bots are
called botnets.
During a DDoS attack, the hacker tells the infected bots to send a huge amount of traffic at
once to a particular website or server. This overloads the target computer and makes it hard to
get to the site or service. Denial of Service (DoS) attacks usually come from a single source and
are easier to defend against, as only a few IP addresses are involved. But blocking DDoS attacks
is much more challenging. Different bots in the botnet send traffic from different places, which
makes it hard to filter out bad traffic and stop it based on IP addresses.
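The difference described above, worked through as an added example (it is not part of the original presentation): the Python sketch below counts requests per source address in a constructed request log and shows that a per-address limit stops a single-source DoS flood but finds nothing to block in a DDoS flood. The window size, limits and all addresses are assumed values chosen for illustration.

```python
from collections import Counter, defaultdict

WINDOW = 10        # seconds per counting window (assumed value)
PER_IP_LIMIT = 50  # requests one address may send per window (assumed value)
CAPACITY = 300     # requests per window the server can serve (assumed value)


def bucket(events, window=WINDOW):
    """Group (timestamp, source_ip) events into fixed time windows."""
    windows = defaultdict(Counter)
    for ts, ip in events:
        windows[ts // window][ip] += 1
    return windows


def per_ip_offenders(events, limit=PER_IP_LIMIT):
    """Addresses that exceed the per-address limit in any window."""
    return {ip
            for counts in bucket(events).values()
            for ip, n in counts.items() if n > limit}


def overloaded_windows(events, capacity=CAPACITY):
    """Windows whose total load exceeds capacity, with source statistics."""
    report = []
    for idx, counts in sorted(bucket(events).items()):
        total = sum(counts.values())
        if total > capacity:
            report.append({"window": idx,
                           "requests": total,
                           "sources": len(counts),
                           "busiest_source": max(counts.values())})
    return report


def apply_blocklist(events, blocked):
    """Drop every request that comes from a blocked address."""
    return [(ts, ip) for ts, ip in events if ip not in blocked]


# --- Constructed sample traffic (not real logs) ---------------------------

def normal_traffic():
    # 40 genuine users, 3 requests each, all inside window 0
    return [(i % WINDOW, f"198.51.100.{i % 40 + 1}") for i in range(120)]


def dos_scenario():
    # One source sends 600 requests on top of the normal traffic
    return normal_traffic() + [(i % WINDOW, "203.0.113.7") for i in range(600)]


def ddos_scenario():
    # 300 bots send only 2 requests each: 600 requests in total
    bots = [f"10.0.{b // 200}.{b % 200 + 1}" for b in range(300)]
    flood = [(i, bot) for bot in bots for i in range(2)]
    return normal_traffic() + flood


if __name__ == "__main__":
    for name, events in (("DoS", dos_scenario()), ("DDoS", ddos_scenario())):
        blocked = per_ip_offenders(events)
        remaining = apply_blocklist(events, blocked)
        print(name, "before blocking:", overloaded_windows(events))
        print(name, "addresses over the per-IP limit:", sorted(blocked))
        print(name, "after blocking:", overloaded_windows(remaining))
```

In the DDoS case the busiest single source sends no more requests than a genuine user, so the overload only shows up in the total load and the number of distinct sources.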
22
Multiple Choice
Different bots in the botnet send traffic from different places, which
makes it hard to filter out bad traffic and stop it based on ________
malware
DOS
IP addresses.
hackers
23
Multiple Choice
Cybercriminals infect
devices with these bots through various malware attacks. These networks of bad bots are
called _______.
malware
viruses
DOS
botnets
24
The main objective of the Mirai malware was to launch DDoS attacks. It did this by infecting
IoT devices and using them to send massive amounts of traffic to targeted servers till they
became unresponsive. This caused significant financial losses and user inconvenience.
The Mirai malware targeted IoT devices with weak security configurations, specifically
those with default usernames and passwords. Once the malware gained access to a device, it
infected the system, allowing the attackers to remotely control the device and add it to the
botnet.
25
How did Mirai gain access to the IoT devices?
Imagine receiving a message resembling one from an e-commerce site or your bank, urging
you to click a link for a prize, discount, or loan. Upon clicking, you're directed to an irrelevant
or fake website, where malware is injected into your device, or you're asked to provide
sensitive information. This is a phishing attack.
Why the Mirai attack?
Don’t you wonder how cyber criminals benefit from cyber attacks such as the Mirai attack?
The creators of the Mirai attack ran a company that offered services to prevent DDoS attacks.
They sold their services to the very organizations that they attacked with the Mirai botnets.
This way, they benefited financially.
However, the attackers were later identified and faced legal action.
26
Multiple Choice
Imagine receiving a message resembling one from an e-commerce site or your bank, urging
you to click a link for a prize, discount, or loan. Upon clicking, you're directed to an irrelevant
or fake website, where malware is injected into your device, or you're asked to provide
sensitive information. This is a _________ attack.
DOS
malware
phishing
botnet
27
Multiple Choice
________ attacks deceive individuals into revealing personal data through fraudulent
messages or emails that mimic legitimate sources. These attacks often use psychological
tactics like greed, urgency, and fear to persuade recipients to click links or download
attachments, leading to malware infections or stolen information.
DOS
malware
phishing
botnet
28
What do we learn from the Mirai Attack?
The Mirai attack offers several important lessons in cyber security.
●It is important to keep the IoT devices updated and secure with strong authentication.
●It throws light on the potential impact of coordinated DDoS attacks. Organizations
should implement robust monitoring and avoid service disruptions.
●Cyber threats are evolving. Organizations need to remain vigilant and invest in cyber
security.
●Cyber security is a shared responsibility. Manufacturers, service providers, and end users,
everyone, should take the necessary precautions for cyber security.
●There is a need for global cooperation to combat and mitigate cyber crimes.
Now, let's look at the different ways in which cyber criminals try to get access to your
computers and devices.
29
Phishing attack
Phishing attacks deceive individuals into revealing personal data through fraudulent
messages or emails that mimic legitimate sources. These attacks often use psychological
tactics like greed, urgency, and fear to persuade recipients to click links or download
attachments, leading to malware infections or stolen information.
30
Malware attack
A malware attack occurs when harmful code enters your browser from a malicious website
without your knowledge. It infiltrates your system, stealing, modifying, or destroying digital
data.
Malware types
Virus: A computer virus is a type of malware that duplicates itself and
spreads through user interactions, such as opening infected files or downloading malicious
software. It can cause data corruption, system slowdowns, and disrupt normal functioning.
Worm: A worm is self-propagating malware that exploits network vulnerabilities to spread
without human intervention. It can cause network congestion, steal sensitive information,
and provide backdoor access to attackers.
31
Multiple Choice
A__________ is self-propagating malware that exploits network vulnerabilities to spread
without human intervention. It can cause network congestion, steal sensitive information,
and provide backdoor access to attackers.
Virus
phishing
botnet
Worm
32
Multiple Choice
A________is a type of malware that duplicates itself and
spreads through user interactions, such as opening infected files or downloading malicious
software. It can cause data corruption, system slowdowns, and disrupt normal functioning.
Virus
phishing
botnet
Worm
33
Multiple Choice
A_________ attack occurs when harmful code enters your browser from a malicious website
without your knowledge. It infiltrates your system, stealing, modifying, or destroying digital
data.
malware
Phishing
Botnet
DOS
34
Ransomware: Ransomware is a type of malware that restricts system access and demands
ransom payments. Examples include screen lockers, scareware, crypt ransomware, and double
extortion ransomware.
● Screen lockers: It locks the device screen, and the intruders demand some ransom amount
to unlock the screen.
● Scareware: It generates pseudo-alert messages and pop-ups that say that the system
contains malware. These are removed in exchange for a ransom amount.
● Crypt ransomware: It encrypts the data in the infected system. It demands and forces the
victim to pay ransom for the encryption key.
● Double extortion ransomware: It encrypts and exports the data. The attackers get a ransom
by selling the stolen data.
35
Multiple Choice
____________is a type of malware that restricts system access and demands ransom payments.
Ransomware
Virus
Scareware
Worm
36
Multiple Choice
____________It locks the device screen, and the intruders demand some ransom amount to unlock the screen.
Trojan horse
Screen lockers
Scareware
Worm
37
Multiple Choice
____________It generates pseudo-alert messages and pop-ups that say that the system contains malware. These are removed in exchange for a ransom amount.
Trojan horse
Screen lockers
Scareware
Worm
38
Multiple Choice
____________It encrypts the data in the infected system. It demands and forces the victim to pay ransom for the encryption key.
Crypt ransomware
Screen lockers
Scareware
Worm
39
Multiple Choice
____________It encrypts and exports the data. The attackers get a ransom by selling the stolen data.
Crypt ransomware
Screen lockers
Scareware
Double extortion ransomware
40
Spyware: Spyware is a type of malware that monitors a user's online behavior and secretly
sends private information, such as passwords and financial transactions, to a remote server. It
operates without the user's knowledge or consent.
Adware: Adware is malware that displays unwanted advertisements on the user's browser,
often leading to irrelevant websites. While not always harmful, adware can serve as an entry
point for other malware or degrade system performance.
Trojan horses: Trojan horses are malware disguised as legitimate software. Once installed,
they can perform unauthorized actions, such as deleting or modifying files, that can provide
attackers with unauthorized access to the victim's system.
Bots: Bots automate repetitive tasks. They are remote-controlled to perform hacking,
spamming, and other malicious activities. They infect multiple devices, forming a network of
devices that attackers can control. This network is called a botnet.
41
Rootkits: Rootkits are a type of malware that grants attackers administrative access to the
victim's system, conceals other malware, and steals data. They can be difficult to detect
and remove, often requiring a complete system reset and reinstallation.
Cyber threats continue to evolve and pose significant risks to individuals and organizations
alike. The Mirai attack highlights the need for robust security measures to protect these
devices from being exploited by cybercriminals.
42
Multiple Choice
________________is malware that displays unwanted advertisements on the user's browser, often leading to irrelevant websites. While not always harmful, __________ can serve as an entry point for other malware or degrade system performance.
Spyware
Adware
Trojan horses
Bots
43
Multiple Choice
________________are malware disguised as legitimate software. Once installed, they can perform unauthorized actions, such as deleting or modifying files, that can provide attackers with unauthorized access to the victim's system.
Spyware
Adware
Trojan horses
Bots
44
Multiple Choice
________________are a type of malware that grants attackers administrative access to the victim's system, concealing other malware, and stealing data. They can be difficult to detect and remove, often requiring a complete system reset and reinstallation.
Rootkits
Adware
Trojan horses
Bots
45
Multiple Choice
________________is a type of malware that monitors a user's online behavior and secretly sends private information, such as passwords and financial transactions, to a remote server. It operates without the user's knowledge or consent.
Spyware
Adware
Trojan horses
Bots
46
Multiple Choice
________________automate repetitive tasks. They are remote-controlled to perform hacking, spamming, and other malicious activities. They infect multiple devices, forming a network of devices that attackers can control. It is called a _______.
Spyware
Adware
Trojan horses
Bots
47
What is cyber security?
48
Cyber security means protecting digital data and devices from unauthorized access aimed at
using, modifying, or destroying them.
Digital data includes text files, images, videos, audio, databases, emails, messages, data
related to social media and websites, system files, and application data.
49
Multiple Choice
_________means protecting digital data and devices from unauthorized access for using, modifying, or destroying it
Cyber threats
Cyber security
Digital data
Malware
50
Multiple Choice
_________includes text files, images, videos, audio, database, emails, messages, data related to social media and websites, system files, and application data.
Cyber threats
Cyber security
Digital data
Malware
51
Key measures for cyber security
Regular software updates
Devices running outdated versions of applications are more vulnerable to cyber-attacks.
Updates are released with the aim of fixing pre-existing bugs and security issues. Therefore,
updating software on time not only improves efficiency but also protects devices from
possible attacks. While updating applications, we need to look for genuine updates from
trusted websites to avoid security threats.
Firewall and antivirus protection
A firewall acts as a shield that actively protects devices from malicious attacks. It blocks
untrustworthy sources from accessing the private network. Antivirus software is another way
to protect devices from being attacked by malware. This software has a set of definitions
within its database. If any unknown application is being installed, the antivirus restricts
it from causing harm to your computers.
52
Strong passwords and Multi-factor Authentication (MFA)
Protecting against unauthorized access requires strong passwords. Ideally, strong passwords
should contain alphanumeric characters along with symbols, and the password length should be
more than ten characters with at least one uppercase character.
Another way to prevent unauthorized access is using MFA (Multi-factor Authentication).
Devices can be protected using two or more verification techniques, as stated below.
53
Multiple Choice
While updating applications, we need to look for genuine updates from trusted websites to avoid security threats.
True
False
54
Multiple Choice
The devices running outdated versions of applications are less vulnerable to cyber-attacks
True
False
55
Multiple Choice
Updating software on time not only improves efficiency but also protects devices from possible attacks.
True
False
56
Multiple Choice
__________acts as a shield that actively protects the devices from malicious attacks.
Firewall
Antivirus
Strong passwords
Multi-factor Authentication (MFA)
57
Multiple Choice
__________software is another way to protect devices from being attacked by malware .
Firewall
Antivirus
Strong passwords
Multi-factor Authentication (MFA)
58
Multiple Choice
Another way to prevent unauthorized access is using __________. Devices can be protected using two or more verification techniques.
Firewall
Antivirus
Strong passwords
(MFA)
59
Multiple Choice
__________blocks untrustworthy sources from accessing the private network.
Firewall
Antivirus
Strong passwords
Multi-factor Authentication (MFA)
60
Multiple Choice
Protecting against unauthorized access requires _______________. They should contain alphanumeric characters along with symbols, and should be more than ten characters long with at least one uppercase character.
Firewall
Antivirus
Strong passwords
Multi-factor Authentication (MFA)
61
62
Multiple Choice
Fingerprint detection, face lock authentication, iris scan,
and voice recognition are some biometric authentication
techniques.
PIN
Pattern lock
Biometric authentication
Security token
63
Multiple Choice
_________are the hardware or software that are
used to generate One-time-passwords (OTP). The OTPs
are valid only for a short duration.
PIN
Pattern lock
Biometric authentication
Security token
64
Multiple Select
If the tokens are generated using software, they are called
software tokens. Software tokens can be generated using
applications like __________ and ___________ (Select two software tokens)
Google Authenticator
Microsoft Authenticator
USBs
Smart cards
65
Multiple Select
When the tokens are generated using hardware, they are called hardware tokens. _________ and _______ are examples of devices used to generate hardware tokens. (Select two hardware tokens)
Google Authenticator
Microsoft Authenticator
USBs
Smart cards
66
Data encryption and backup strategies
Encryption is encoding the data into a format that is not directly readable. This helps in
protecting data from unauthorized access. This data can be decrypted using the encryption
key. Backup strategies can also be very helpful in protecting data from intruders. Taking a
backup of data and storing it in an encrypted form can prevent data loss during a system crash
or malware attack.
Security training and awareness
The majority of cyber-attacks are caused by a lack of awareness of possible threats
and preventive measures. Intruders can be blocked during the initial attempt if proper
preventive measures are taken. Therefore, proper training and awareness are beneficial in
avoiding cyber-attacks.
67
Incident response and audits
Whenever we notice a security issue, we often do not know how to proceed. This gives enough
scope for the attackers to exploit the entire system successfully. To stop an attack at an initial
stage, we need to know whom we should approach and report the incident to in order to take
the necessary measures to protect data. The incident response plan also lists the measures to
be taken during security issues. An audit involves an examination of the reported incidents.
68
Multiple Choice
Can also be very helpful in protecting data from intruders. Taking a ________________ and storing it in an encrypted form can prevent data loss during a system crash or malware attack.
Encryption
Backup strategies
Security training and awareness
Incident response and audits
69
Multiple Choice
________________ is encoding the data into a format that is not directly readable.
Encryption
Backup strategies
Security training and awareness
Incident response and audits
70
Multiple Choice
To stop an attack at an initial stage, we need to know whom we should approach and report the incident to in order to take needful measures to protect data. The incident response plan also lists the measures to be taken during security issues. An ____________ involves an examination of the reported incidents.
Encryption
Backup strategies
Security training and awareness
audit
71
Multiple Choice
Intruders can be blocked during the initial attempt if proper preventive measures are taken. Therefore, proper______________________ is beneficial to avoid cyber-attacks.
Encryption
Backup strategies
Security training and awareness
Incident response and audits
72
Multiple Choice
________________ is encoding the data into a format that is not directly readable.
Encryption
Backup strategies
Security training and awareness
Incident response and audits
73
Trade-offs
74
Security in a system is essential, but it should not affect the workflow.
Accessibility vs Security
Imagine a person, Rick, has set a multi-factor authentication to protect his device. Every time
he needs to access his device, he has to undergo all the verification steps. His work may be
affected. Similarly, if a complex password is set, he may find it difficult to remember. If a web
application has a very intricate password retrieval policy, it might be difficult for Rick to
restore his password and operate the app. Higher security levels reduce accessibility. So there
should always be a balance.
75
Privacy vs Monitoring
Privacy is a fundamental right that allows individuals to control their personal information
and protect themselves from potential threats. However, it can be breached if individuals and
their activities are monitored for a business or someone’s personal interest. For instance, law
enforcement agencies often use CCTV cameras in public spaces to deter crime and quickly
respond to incidents. They utilize digital surveillance tools to monitor and thwart potential
terrorist threats. But it also allows them to collect and keep private data of unsuspecting
people.
Openness vs Control
There should always be a balance between control and openness. For instance, a school may
use a web filter to block access to certain websites containing inappropriate content. While
this serves the vital purpose of keeping students safe online, it can sometimes inadvertently
block access to valuable educational resources. To strike the right balance between openness
and control, a frequent review of the security policies is essential.
76
Cost vs Security
Security comes at its own price. Everyone wants to work in a secure environment. However, is
it affordable? Some security applications and devices are costly. Hence individual users prefer
to use free versions available online, but these may not be fully functional. Even organizations
may sometimes find it difficult to get a suitable security system that does not cross their
budget.
Therefore, we need to choose a security system, depending on our needs, in order to maintain
a balance between the security and functionality of the system.
77
Multiple Choice
Trade-offs : Privacy vs __________
Security
Monitoring
Control
Openness
78
Multiple Choice
Trade-offs : Accessibility vs __________
Security
Monitoring
Control
Openness
79
Multiple Choice
Trade-offs : Cost vs __________
Security
Monitoring
Control
Security
80
Multiple Choice
Trade-offs : Openness vs __________
Security
Monitoring
Control
Cost
81
Activity 1
1. An attacker gets your confidential data based on the keystrokes on the device. What
types of malware do you think the attacker may have used?
82
Activity 1 - Solution
Based on the attacker obtaining confidential data through keystrokes on the device, one
possible type of malware that could have been used is a keylogger. Keyloggers are malicious
programs that capture and record keystrokes made by a user on their device, including
sensitive information such as passwords, credit card numbers, and other confidential data.
These keystrokes can then be sent to the attacker, allowing them to gain unauthorized access
to the user's information.
83
Activity 2
Mr. Jake's mobile phone screen got locked. While trying to unlock it, he noticed that there was
a demand for a ransom. What type of malware do you think the attacker used?
84
Activity 2 - Solution
Solution:
In the case of Mr. Jake's mobile phone screen being locked and a ransom demand appearing, it
is likely that the attacker used a type of malware known as ransomware. Ransomware is a
malicious software that encrypts the victim's files or locks their device, making them
inaccessible. The attacker then demands a ransom payment from the user in exchange for
decrypting the files or unlocking the device.
85
Activity 3
Mr. Rick downloaded a certain software from an unauthorized site. The software contained
malicious code but looked like legitimate software. What type of malware got injected into
Rick’s system?
86
Activity 3 - Solution
Solution:
In this case where Mr. Rick downloaded software from an unauthorized site and it contained
malicious code disguised as legitimate software, he likely fell victim to a type of malware
known as a trojan horse. Trojan horses are malware programs that appear to be harmless or
useful software, tricking users into installing them. Once installed, trojans can perform various
malicious activities, such as stealing sensitive data, or providing unauthorized access to the
attacker.
87
Challenge 1
Ms. Nora receives an email stating that she has won a prize of one million dollars. She can
claim it by clicking the given link. Analyze the situation and find the type of cyber threat Ms.
Nora is facing. What should she do to avoid damage or loss?
88
Challenge 1 - Solution
The attacker is likely tricking Ms. Nora by sending such an email. This is a phishing attack. Phishing
is a type of cyber threat where attackers impersonate legitimate organizations or individuals to
deceive victims into revealing sensitive information, such as passwords, financial details, or personal data.
Here, the purpose is to trick Ms. Nora into clicking the provided link, which may lead to a fraudulent
website designed to steal her personal information or infect her device with malware. To avoid
damage or loss, Ms. Nora should take the following preventive measures:
1. Be cautious: Be skeptical of unsolicited emails, especially those offering unexpected prizes or
rewards. It's important to approach such emails with caution and not blindly trust their claims.
2. Verify the sender: Check the sender's email address and verify if it matches the official email
address of the organization or person they claim to represent.
89
4. Avoid clicking on suspicious links: Avoid clicking on links in emails that appear suspicious,
especially if they are asking for personal information.
5. Check for signs of phishing: Look for signs of phishing in the email, such as poor grammar or
spelling mistakes, generic greetings, urgent requests for personal information, or an unusual sense
of urgency.
6. Use official channels: Instead of clicking on the link provided in the email, visit the official website
of the organization directly by typing the URL into the browser or using a trusted bookmark. This
ensures that Ms. Nora is accessing the legitimate website and reduces the risk of falling victim to
phishing.
By following these preventive measures, Ms. Nora can significantly reduce the risk of falling victim
to a phishing attack and avoid potential damage or loss of personal information.
90
Challenge 2
Analyze the cyber attack given below:
Facebook data leak (2021)
Identify the type of attack, purpose, preventive measures, and the remedial steps that were
followed after the attack. How did the intruders attack the system? What type of malware did
they use?
91
Challenge 2 - Solution
Facebook is a widely used social media platform across the globe. People share their memories
and interact with their close friends and family using this application. Private information is
often shared using this platform including family photos, events and other personal updates.
This platform is trusted by everyone. Can you imagine what would happen if Facebook fell
prey to cyber-crime? This happened in the year 2021, when the world's most widely used and
highly trusted website was attacked by intruders. This attack is known as the Facebook data
leak.
Here's an analysis of the attack:
Type of attack: The attack on Facebook involved unauthorized access and extraction of a large
amount of user data.
92
Causes of the attack: The attackers exploited a vulnerability in Facebook's "View As" feature,
which allowed them to steal access tokens and gain unauthorized access to millions of user
accounts.
Purpose: The purpose of the attack was to obtain user data for various malicious activities,
such as identity theft, phishing attacks, and targeted advertising.
Impact: The cyber criminals benefited from this vulnerability. They got the contact
details of users and used this information to perform phishing attacks and other scams.
Preventive measures: Following the attack, Facebook took several preventive measures to
mitigate the impact and enhance security. These measures included patching the
vulnerability, invalidating the compromised access tokens, implementing additional security
protocols, and conducting security audits to identify and address any other potential
vulnerabilities.
47
93
Remedial steps: Facebook took the following actions to address the breach:
●The "View As" feature was disabled.
●Affected users were notified about the incident, provided guidance on securing their
accounts, and encouraged to change their passwords.
●Facebook conducted a thorough investigation to identify the scope and extent of the data
breach and cooperated with law enforcement agencies.
●Stricter security measures were implemented to prevent similar incidents in the future.
Intrusion method and malware: The primary focus was on unauthorized access and data
extraction rather than the use of specific malware. The attackers utilized the vulnerability in
the "View As" feature rather than deploying traditional malware to achieve their objectives.
This feature allowed them to steal access tokens. These access tokens are like digital keys that
authenticate users and allow them to access their accounts without repeatedly entering their
credentials. By gaining unauthorized access to these tokens, the attackers were able to
impersonate legitimate users and extract large amounts of user data.
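The token invalidation described above, as an added example that is not Facebook's code or part of the original slides: a minimal server-side token store showing that a bearer token is accepted from whoever presents it, and that revoking every token minted by the affected feature cuts off copied tokens while leaving other sessions alone. The `TokenStore` class, the `issued_via` labels, the user names and the timestamps are hypothetical.

```python
import hashlib
import secrets
import time

class TokenStore:
    """Server-side record of bearer access tokens (hypothetical design, for illustration)."""
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.records = {}  # sha256(token) -> record; the raw token is never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, issued_via, now=None):
        """Mint a random token; record its owner and the code path that minted it."""
        token = secrets.token_urlsafe(32)
        self.records[self._digest(token)] = {
            "user": user, "issued_via": issued_via, "revoked": False,
            "issued_at": time.time() if now is None else now,
        }
        return token

    def authenticate(self, token, now=None):
        """Return the token's user, or None. Whoever presents the token is accepted."""
        rec = self.records.get(self._digest(token))
        now = time.time() if now is None else now
        if rec is None or rec["revoked"] or now - rec["issued_at"] > self.ttl:
            return None
        return rec["user"]

    def revoke_issued_via(self, issued_via, since, until):
        """Invalidate every token one code path minted inside the exposure window."""
        affected = set()
        for rec in self.records.values():
            if rec["issued_via"] == issued_via and since <= rec["issued_at"] <= until:
                rec["revoked"] = True
                affected.add(rec["user"])
        return sorted(affected)  # users to notify and ask to log in again

def demo():
    store = TokenStore()
    t0 = 1_000_000.0  # constructed timestamp
    exposed = store.issue("nora", issued_via="view_as", now=t0)  # constructed users
    normal = store.issue("sam", issued_via="login", now=t0)
    before = store.authenticate(exposed, now=t0 + 60)    # a copied token is accepted
    notified = store.revoke_issued_via("view_as", since=t0 - 1, until=t0 + 300)
    after = store.authenticate(exposed, now=t0 + 120)    # rejected once invalidated
    return before, notified, after, store.authenticate(normal, now=t0 + 120)
```

Recording which code path minted each token is what makes a targeted revocation possible; without it, the only safe response is to log every user out.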
48
94
Challenge 3
Research and analyze the cyberattacks given below:
NotPetya in 2017
Stuxnet in 2010
Identify the type of attack, the purpose of the attack, preventive measures, and the remedial
steps that were followed after the attack. How did the attackers attack the system? What type
of malware did they use?
49
95
Challenge 3 - Solution
NotPetya in 2017
NotPetya was a destructive ransomware attack that primarily targeted organizations in Ukraine. It
spread rapidly by exploiting vulnerabilities in the Windows operating system, primarily through a
compromised update for Ukrainian tax software.
Purpose of the attack: The initial objective of NotPetya was financial gain through ransom
payments. However, it soon became evident that the attack had a more destructive purpose, as the
malware was designed to irreversibly encrypt files and render the affected systems inoperable.
Remedial actions: After the NotPetya attack, affected organizations had to rebuild their systems
and restore data from backups. The incident emphasized the importance of backups, incident
response plans, and improved security practices.
50
96
Recommended preventive measures
●Regularly update software to address vulnerabilities.
●Implement strong authentication mechanisms, such as multi-factor authentication
(MFA).
●Maintain secure backups of critical data and regularly test the restoration process.
●Conduct security awareness training for employees to recognize and avoid phishing
emails or suspicious attachments.
Stuxnet in 2010
Stuxnet was a highly sophisticated and targeted cyberattack classified as a worm. It
specifically targeted industrial control systems (ICS) and supervisory control and data
acquisition (SCADA) systems.
51
97
Purpose of the attack: The primary purpose of the Stuxnet attack was to sabotage Iran's
nuclear program by targeting its uranium enrichment centrifuges. It aimed to disrupt and
destroy these centrifuges, causing significant setbacks to Iran's nuclear ambitions. Stuxnet primarily
spread through infected USB drives and network shares, exploiting vulnerabilities in Windows
operating systems and Siemens Step7 software, which are commonly used in industrial control
systems. Stuxnet specifically targeted Siemens programmable logic controllers (PLCs) and
manipulated their operations to cause physical damage to the centrifuges.
Remedial actions
●Analyzing the malware to understand its capabilities and attack vectors.
●Developing and deploying patches and security updates to address vulnerabilities
exploited by Stuxnet, and enhancing security measures for critical infrastructure systems.
●Improving collaboration between the cybersecurity community, industrial organizations,
and government agencies to protect critical infrastructure.
52
98
Recommended preventive measures
●Apply strict access controls.
●Regularly update and patch systems.
●Implement intrusion detection and prevention systems.
●Conduct regular security audits.
●Raise awareness about the risks of targeted attacks.
53