Every now and then we encounter news that there has been a cyberattack on an organisation, some websites have been defaced, or there has been a data breach. Such news makes us wonder how it happened in the first place. How did they break into the organisation, and what were the points of entry? We know who the attackers are, since last time we wrote about the threat actors, the perpetrators who mount an attack on an organisation. But what is their target, and what are their entry points into the target’s infrastructure? Let’s break it down.
An attack surface is the set of potential points of vulnerability or exposure in a system, application or infrastructure that an attacker can target to compromise its security. It encompasses all the entry points and areas where an attacker can interact with or exploit a system. Here are some common attack surfaces:

Network Interfaces
Network interfaces, such as open ports, services, and protocols, provide entry points for attackers to communicate with a system over a network. Vulnerabilities in network protocols or misconfigurations can be exploited to gain unauthorized access or launch attacks.
The WannaCry ransomware attack, which occurred in 2017, targeted organizations worldwide, including healthcare institutions and government agencies. It exploited vulnerabilities in the network architecture, specifically in outdated and unpatched versions of the Windows operating system.
Web Applications
Web applications are a common attack surface due to their public-facing nature. Vulnerabilities like cross-site scripting (XSS), SQL injection, and insecure authentication mechanisms can be exploited to compromise the application or steal sensitive data.
The Equifax data breach, one of the largest and most impactful breaches in history, occurred in 2017 and involved the compromise of sensitive personal information of approximately 147 million consumers in the United States.
The attackers exploited a known vulnerability in the Apache Struts web application framework, which was used by Equifax. The vulnerability, CVE-2017-5638, allowed remote code execution, providing a gateway for the attackers to infiltrate the network. The attackers gained unauthorized access to Equifax’s network through the compromised web application. They then moved laterally within the network, exploring different systems and escalating privileges to gain broader access. The attackers exfiltrated highly sensitive personal information, including names, social security numbers, birth dates, addresses, and in some cases, driver’s license numbers.
Operating Systems
The operating system (OS) of a computer or device can have vulnerabilities that attackers can exploit. Weaknesses in the OS kernel, services, or privilege escalation techniques can lead to unauthorized access or control over the system.
The NotPetya attack, which occurred in 2017, targeted numerous organisations worldwide, causing widespread disruption and financial losses. NotPetya leveraged multiple operating system vulnerabilities to propagate and spread, primarily targeting unpatched or outdated versions of Microsoft Windows.
Software and Applications
Vulnerabilities in software and applications are prime targets for attackers. Flaws in code, insufficient input validation, or insecure configurations can be exploited to execute arbitrary code, escalate privileges, or compromise data.
The Heartbleed vulnerability, discovered in April 2014, was a critical security flaw in the OpenSSL cryptographic software library, which is widely used to secure internet communications. The vulnerability allowed attackers to access sensitive information, including usernames, passwords, and private encryption keys, from servers running vulnerable versions of OpenSSL.
User Inputs
Attackers often target user inputs, such as forms, file uploads, or command-line parameters. If these inputs are not properly validated or sanitized, this can lead to injection attacks, including SQL injection, command injection, or remote code execution.
In 2015, TalkTalk, a major telecommunications company in the UK, experienced a significant data breach that exposed the personal information of millions of its customers. The attack was carried out through a SQL injection, a common form of user input-related attack, which allowed hackers to access and steal sensitive data from TalkTalk’s databases.
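To make the user-input point concrete, here is an added example (not code from the original post, and not TalkTalk’s code) that puts a string-concatenated lookup next to its parameterized replacement, with an allowlist check as a second layer; the customer table and the crafted input are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory customer table standing in for a real database.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)",
        [("alice@example.com", "0100000001"),
         ("bob@example.com", "0100000002"),
         ("carol@example.com", "0100000003")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Vulnerable: the user-supplied value is spliced into the SQL text, so the
    # input can change the query's structure instead of being treated as data.
    query = f"SELECT email, phone FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    # Hardened: a bound parameter is sent separately from the query text, so
    # quotes and SQL keywords inside the input are inert.
    return conn.execute(
        "SELECT email, phone FROM customers WHERE email = ?", (email,)
    ).fetchall()

# Second layer: reject anything that does not even look like an e-mail address
# before it reaches the database (defence in depth, not a replacement for binding).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def is_valid_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None

def demo() -> tuple:
    """Return (rows leaked by the vulnerable query, rows from the safe query)."""
    conn = setup_db()
    crafted = "x' OR '1'='1"   # constructed input that turns the WHERE clause into a tautology
    return len(lookup_vulnerable(conn, crafted)), len(lookup_parameterized(conn, crafted))
```

Running `demo()` shows the concatenated query returning every customer row while the parameterized query returns none, which is exactly the difference between a breach and a failed lookup.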
Mobile Devices
Mobile devices, including smartphones and tablets, are vulnerable to attacks due to their increasing usage and the sensitive data they store. Malicious apps, insecure wireless networks, or device-specific vulnerabilities can be exploited to compromise user privacy or gain unauthorized access.
In 2020, a serious vulnerability was discovered in the popular social media app TikTok, which allowed attackers to compromise user accounts and access personal information. The flaw was in TikTok’s SMS login system: it let attackers bypass the authentication mechanism and gain unauthorized access to user accounts, highlighting the importance of robust authentication mechanisms in mobile apps.
Human Factor
People are the weakest link. People can inadvertently become an attack surface through social engineering techniques. Attackers manipulate or deceive individuals to obtain sensitive information, grant unauthorized access, or perform actions that compromise security.
In 2021, there was an increase in social engineering attacks targeting users of Microsoft Office 365. Attackers sent convincing phishing emails impersonating Office 365 or Microsoft support, alerting users of security issues or account problems. The emails contained malicious links that redirected users to fake login pages, where their credentials were harvested. These attacks aimed to gain unauthorized access to Office 365 accounts, potentially compromising sensitive data and expanding the attack surface within organizations.
Physical Security
Physical security measures, such as access controls, surveillance systems, or secure hardware, can also be considered part of the attack surface. Physical breaches or unauthorized access to systems can lead to direct compromise of sensitive information or further attacks.
OceanLotus (also known as APT32 or APT-C-00) is a sophisticated advanced persistent threat (APT) group believed to be associated with state-sponsored actors based in Vietnam. In 2017 and 2018, the group was found to be conducting USB drop attacks targeting various organizations, primarily in Southeast Asia.
It’s important to note that the attack surface can vary depending on the specific system, environment, or context.
Organizations must regularly assess and minimize their attack surface by implementing security best practices, patching vulnerabilities, conducting security testing, and following secure coding practices to reduce the potential avenues of exploitation for attackers.
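As an added example of the kind of assessment this calls for (not from the original post), the script below takes `ss -ltn`-style output, lists which listening services are bound to every interface rather than to loopback, and compares them against an expected baseline; the socket listing and the baseline are constructed for the demonstration.

```python
# Constructed `ss -ltn`-style listing (example data, not from any real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*
LISTEN 0      4096   [::]:80             [::]:*
LISTEN 0      128    [::1]:5432          [::]:*
LISTEN 0      128    0.0.0.0:445         0.0.0.0:*
"""

# Addresses that mean "listen on every interface", i.e. reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

def parse_listeners(ss_text: str) -> list:
    """Return (address, port) tuples for each LISTEN line in the listing."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # skips the header and any non-listening rows
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr.strip("[]"), int(port)))
    return listeners

def exposed_ports(ss_text: str) -> list:
    """Ports bound to a wildcard address; loopback-only services are left out."""
    return sorted(port for addr, port in parse_listeners(ss_text) if addr in WILDCARD_ADDRS)

def unexpected_exposure(ss_text: str, expected: set) -> list:
    """Exposed ports that are not in the approved baseline (constructed baseline)."""
    return [port for port in exposed_ports(ss_text) if port not in expected]

if __name__ == "__main__":
    baseline = {22, 80}                   # constructed: what this host is supposed to serve
    print("exposed:", exposed_ports(SAMPLE_SS))
    print("not in baseline:", unexpected_exposure(SAMPLE_SS, baseline))
```

In the sample, Redis and PostgreSQL are bound to loopback and so do not count, while port 445 (SMB) is network-reachable and absent from the baseline, which is the finding a reviewer would chase first.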