
Cybersecurity

Cybersecurity: Types of Malware

cyber-malware

What is Malware?

Malware is any malicious code crafted by a threat actor to take control of, steal valuable data from, or damage a target system. There are several types of malware. Malware has evolved over the years, going from displaying annoying but harmless messages to being a strategic digital weapon in cyber warfare. Malware used to be an independent agent infecting individual endpoints, but with the internet, modern malware is stealthy, self-replicating, connected in real time, and centrally coordinated. Malware of the same type can work together in tandem toward a common goal, with each infected host expanding the attack foothold and increasing the potential damage to the organization.

Common Types of Malware

Viruses

A virus is malware that is self-replicating but must first infect a host program and be executed by a user or process.

Worms

A worm is malware that typically targets a computer network by replicating itself to spread rapidly. Unlike viruses, worms do not need to infect other programs and do not need to be executed by a user or process.

Trojan horses

A Trojan horse is malware disguised as a harmless program that actually gives an attacker full control of, and elevated privileges on, an endpoint once installed. Unlike other types of malware, Trojan horses are typically not self-replicating.

Ransomware

Ransomware locks devices (locker ransomware) or encrypts data (crypto ransomware), making them inaccessible until the victim pays a ransom, typically in cryptocurrency. Reveton and LockeR are two examples of locker ransomware, while Locky, TeslaCrypt/EccKrypt, CryptoLocker, and CryptoWall are examples of crypto ransomware.

For a ransomware attack to succeed, the attacker must complete the following five steps:

  • Compromise and control a system, using techniques such as social engineering to deliver the malware
  • Prevent access to the data by identifying and encrypting the victim's data
  • Notify the victim of the compromise, demand payment, and explain the steps for making the payment in order to regain access to their data
  • Accept the ransom payment in an obfuscated way, for example using cryptocurrencies
  • Restore access by decrypting the victim's data. The attacker provides the decryption key and instructions on how to decrypt the data. 20-30% of victims get their data back after paying a ransom.

Anti-AV

An anti-AV is malware that disables legitimately installed antivirus software on the compromised endpoint, thereby preventing automatic detection and removal of other malware.

Logic bombs

A logic bomb is malware that is triggered by a specified condition, such as a given date or a particular user account being disabled.

Backdoors

A backdoor is malware that allows an attacker to bypass authentication to gain access to a compromised system.

Rootkits

A rootkit is malware that provides privileged (root-level) access to a computer. Rootkits are installed in the BIOS of a machine, which means operating system-level security tools cannot detect them.

Bootkits

A bootkit is malware that is a kernel-mode variant of a rootkit, commonly used to attack computers that are protected by full-disk encryption.

Spyware

Spyware is malware that collects information, such as internet browsing behavior, login credentials, and financial account information, from an infected endpoint. Spyware often changes browser and other software settings, and slows computer and internet speeds on the infected endpoint.

Adware

Adware is spyware that displays annoying advertisements on an infected device, often as pop-up banners.

Conclusion

Modern malware is distributed, fault-tolerant, multifunctional, polymorphic, metamorphic, and stealthy. The surge in cryptographic ransomware attacks over the past five years warrants additional consideration. Ransomware criminals often decrypt a victim's data after payment, but there is no guarantee that they will. Additionally, many threat actors now exfiltrate a copy of their victims' valuable data before encrypting it, then sell the data on the dark web after the ransom is paid.

Interesting articles about the same topic:

“What Percent of Ransomware Victims Recover Their Data?” Darwin's Data, September 27, 2023. Accessed November 12, 2024.

Cybersecurity: Types of Threat Vectors

cyber-threat

What is a Threat Vector?

A threat vector is the means a threat actor uses to compromise a computer system; it is also called an attack vector. A threat actor is a person or organization trying to gain unauthorized access to a user's computer system.

Common Types of Threat Vectors

Social Engineering

In social engineering attacks, the threat actor manipulates the user to gain unauthorized access to information and assets. In this case, the user, rather than the system, is the vulnerability. The attacker exploits the user's trust or fear to achieve their goal. There are many types of social engineering:

Phishing

Phishing attacks involve sending the user a malicious link or attachment in order to infect their device. The link or file can be sent via email, SMS, or instant messaging, and the attack requires the participation of the user to compromise their computer system.

Spear Phishing

Spear phishing is a phishing attack designed for specific victims using specific information about them, making these attacks appear more credible and increasing their success rate.

Whaling is a type of spear phishing attack that is specifically directed at senior executives or other high-profile targets within an organization.
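As an added example (not part of the original post), the following Python script applies three simple checks to the links in an HTML e-mail body of the kind phishing lures use: a displayed URL whose host differs from the real link target, a link to a bare IP address, and a trusted brand name buried inside an unrelated domain. The sample message and the trusted domain example-bank.com are constructed for the demonstration, and the heuristics are my own, not a standard described by the post.

```python
"""Heuristic review of the links in an e-mail body (added example; the HTML
message and the trusted domain are constructed, not taken from any real mail)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed: the organisation's own domain, which a lookalike would imitate
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed sample message in the style of a credential-phishing lure
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p><a href="http://example-bank.com.verify-login.net/reset">https://example-bank.com/reset</a></p>
<p><a href="http://203.0.113.7/update">Update now</a></p>
<p>Questions? Visit our <a href="https://example-bank.com/help">Help center</a>.</p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (simplification: ignores multi-part suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def shown_host(text):
    """If the visible link text itself looks like a URL, return its host."""
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def analyze_links(html):
    """Return (reason, href) findings for links that deserve a closer look."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if is_ip_literal(host):
            # Legitimate services link by name, not by bare IP address
            findings.append(("ip-host", href))
        shown = shown_host(text)
        if shown and registered_domain(shown) != registered_domain(host):
            # The text names one site, the link goes to another
            findings.append(("display-mismatch", href))
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host and registered_domain(host) != trusted:
                # Brand name used as a subdomain or fragment of an unrelated domain
                findings.append(("lookalike", href))
    return findings


if __name__ == "__main__":
    for reason, href in analyze_links(SAMPLE_EMAIL):
        print(f"{reason:17} {href}")
```

The registered-domain helper keeps only the last two labels, which is enough for the sample but misclassifies multi-part suffixes such as co.uk; a production mail filter would consult the Public Suffix List and add sender-authentication checks (SPF, DKIM, DMARC) on top of link analysis.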

Pretexting

Pretexting is when the threat actor invents a story and convinces a user to provide access or information that the attacker would not have obtained under normal circumstances. In this type of attack, threat actors often use a credible tone or story to convince the user.

Piggybacking or Tailgating

Tailgating or piggybacking is when a threat actor follows an authorized person into a restricted area where the threat actor does not have permission to be.

Quid pro quo

In a quid pro quo attack, the threat actor offers the user a service in exchange for access, credentials, or information. For example: “Hey Sam, this is John from the IT department. I noticed your internet connection is getting super slow. Could you quickly read me the information on the router? I will stay on the line.”

Malicious Websites

Threat actors can host malicious content on legitimate but compromised websites in order to infect user systems. Users who access or download the content infect their system in the process.

Watering hole attacks compromise websites that are likely to be visited by a targeted victim, for example, an insurance company website that may be frequently visited by healthcare providers. The compromised website will typically infect unsuspecting visitors with malware (known as a “drive-by download”).

Snooping

Snooping is the unauthorized observation or capture of data by a threat actor for eventual use: for example, watching a user type their password, reading a user's screen without their knowledge, or illegally intercepting network traffic.

Shoulder surfing is a type of snooping. It only involves watching a user type private information such as passwords.

SPAM

Spamming is the sending of unsolicited junk emails in bulk.

Conclusion

There are certainly other types of threat vectors, but for now that is what we can retain. I will keep updating this post as I progress in my cybersecurity journey.

Thank you for stopping by

CompTIA Security+: Ports and Protocols

comptia-cert

A port is a logical endpoint on a system that directs communication to a specific application or process. There are 65,536 ports in use; their numbers range from 0 to 65535:

  • ports 0-1023 are reserved for well-known services
  • ports 1024-49151 are reserved for registered services
  • ports 49152-65535 are reserved for dynamic use

Well-known ports

Well-known ports are associated with known protocols and services.

Port 20 - FTP data - TCP: File Transfer Protocol data channel
Port 21 - FTP control - TCP: File Transfer Protocol control channel
Port 22 - SSH, SCP, SFTP - TCP: Secure Shell
Port 23 - Telnet - TCP: Teletype Network
Port 25 - SMTP - TCP: Simple Mail Transfer Protocol
Port 53 - DNS - TCP/UDP: Domain Name System
Port 67 - DHCP - TCP: DHCP server
Port 68 - DHCP - TCP: DHCP client
Port 69 - TFTP - UDP: Trivial File Transfer Protocol
Port 80 - HTTP - TCP: HyperText Transfer Protocol
Port 88 - Kerberos - TCP/UDP: Kerberos authentication protocol
Port 110 - POP3 - TCP: Post Office Protocol v3
Port 119 - NNTP - TCP: Network News Transfer Protocol
Port 123 - NTP - UDP: Network Time Protocol
Port 137 - NetBIOS name - UDP: NetBIOS name service
Port 138 - NetBIOS datagram - UDP: NetBIOS datagram service
Port 139 - NetBIOS session - TCP: NetBIOS session service
Port 143 - IMAP - TCP: Internet Message Access Protocol
Port 161 - SNMP - UDP: Simple Network Management Protocol
Port 162 - SNMP trap - UDP: Simple Network Management Protocol traps
Port 179 - BGP - TCP: Border Gateway Protocol
Port 389 - LDAP - TCP/UDP: Lightweight Directory Access Protocol
Port 443 - HTTPS - TCP: Secure HTTP
Port 445 - SMB - TCP: Server Message Block
Port 465 - SMTPS - TCP: Secure SMTP
Port 500 - ISAKMP/IKE - TCP: IPsec VPN
Port 514 - Syslog - UDP: Syslog
Port 515 - LPD - TCP: Line Printer Daemon
Port 520 - RIP - UDP: Routing Information Protocol
Port 587 - SMTP - TCP: SMTP submission
Port 636 - LDAPS - TCP: Secure LDAP
Port 989 - FTPS data - TCP: Secure FTP data
Port 990 - FTPS control - TCP: Secure FTP control
Port 993 - IMAPS - TCP: Secure IMAP
Port 995 - POP3S - TCP: Secure POP3

Registered ports

Registered ports are associated with applications or services registered with the Internet Assigned Numbers Authority (IANA). Unassigned registered ports can be used without registering them.

Port 1433 - Microsoft SQL - TCP: Microsoft SQL Server
Port 1521 - Oracle DB - TCP: Oracle database server
Port 2049 - NFS - TCP/UDP: Network File System
Port 2082 - cPanel - TCP: Web hosting control panel
Port 2083 - cPanel over SSL - TCP: Secure cPanel
Port 2086 - WHM - TCP: Web Host Manager
Port 2087 - WHM over SSL - TCP: Secure WHM
Port 2181 - ZooKeeper - TCP: Apache ZooKeeper
Port 2483 - Oracle Database (SSL) - TCP: Oracle Database Listener over SSL
Port 2484 - Oracle Database (TCPS) - TCP: Oracle Database Secure Listener
Port 3000 - Development web server - TCP: Common port for development frameworks (Node.js, React, Express)
Port 3306 - MySQL - TCP: MySQL database server
Port 3389 - RDP - TCP: Remote Desktop Protocol (Microsoft Windows remote access)
Port 3690 - Subversion - TCP: Apache Subversion version control system
Port 4444 - Metasploit listener - TCP: Metasploit default reverse shell / handler port
Port 5432 - PostgreSQL - TCP: PostgreSQL database server
Port 5601 - Kibana - TCP: Kibana web interface for Elasticsearch
Port 5900 - VNC - TCP: Virtual Network Computing remote desktop
Port 5985 - WinRM - TCP: Windows Remote Management (HTTP)
Port 5986 - WinRM (HTTPS) - TCP: Windows Remote Management (HTTPS)
Port 6379 - Redis - TCP: Redis in-memory data store
Port 6667 - IRC - TCP: Internet Relay Chat server
Port 7001 - WebLogic - TCP: Oracle WebLogic application server
Port 8000 - HTTP alternate - TCP: Alternative HTTP port / development servers
Port 8008 - HTTP proxy - TCP: Alternative HTTP / web proxy
Port 8080 - HTTP proxy - TCP: Alternative HTTP web server / proxy
Port 8081 - HTTP alternate - TCP: Alternative HTTP web server
Port 8443 - HTTPS alternate - TCP: Secure HTTP alternative port
Port 9000 - SonarQube / development - TCP: SonarQube code analysis or development services
Port 9042 - Cassandra - TCP: Apache Cassandra NoSQL database
Port 9092 - Kafka - TCP: Apache Kafka messaging broker
Port 9200 - Elasticsearch - TCP: Elasticsearch REST API
Port 9418 - Git - TCP: Git native protocol
Port 27017 - MongoDB - TCP: MongoDB NoSQL database server

Important ports

The following ports are worth memorizing given their importance to networking and security:

  • 21 – FTP
  • 22 – SSH
  • 23 – Telnet
  • 25 – SMTP
  • 53 – DNS
  • 80 – HTTP
  • 110 – POP3
  • 143 – IMAP
  • 443 – HTTPS
  • 445 – SMB
  • 3389 – RDP
  • 3306 – MySQL
  • 5432 – PostgreSQL
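The three port ranges and the list of ports worth memorizing are easy to turn into a small host audit. As an added example, not code from the original post, this Python script parses a constructed ss -tuln listing (the Linux socket-statistics tool), classifies each listening port into its IANA range, and flags listeners that are bound to every interface and speak a cleartext protocol, offer remote access, or expose a database. The service groupings are my own selection from the tables on this page, and the sample output is constructed.

```python
"""Audit a listening-socket listing against the port ranges and well-known
services above (added example; the `ss -tuln` output below is constructed)."""

# Constructed sample in the column layout printed by `ss -tuln` on Linux
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:3389       0.0.0.0:*
tcp   LISTEN 0      128    [::]:445           [::]:*
tcp   LISTEN 0      128    0.0.0.0:49152      0.0.0.0:*
"""

# Service groups chosen from the port tables above (assumption: my grouping)
CLEARTEXT = {21: "FTP", 23: "Telnet", 69: "TFTP", 80: "HTTP", 110: "POP3",
             143: "IMAP", 161: "SNMP", 514: "Syslog"}
REMOTE_ACCESS = {22: "SSH", 445: "SMB", 3389: "RDP", 5900: "VNC",
                 5985: "WinRM", 5986: "WinRM (HTTPS)"}
DATABASES = {1433: "Microsoft SQL", 1521: "Oracle DB", 3306: "MySQL",
             5432: "PostgreSQL", 6379: "Redis", 9200: "Elasticsearch",
             27017: "MongoDB"}
WILDCARD = {"0.0.0.0", "::", "*"}       # bound to every interface


def port_range(port):
    """Classify a port number into the three IANA ranges."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def parse_ss(text):
    """Return (protocol, local_address, port) tuples from `ss -tuln` output."""
    sockets = []
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, port = fields[4].rsplit(":", 1)  # IPv6 is bracketed: [::]:445
        sockets.append((fields[0], addr.strip("[]"), int(port)))
    return sockets


def audit_listeners(text):
    """Flag exposed listeners as (category, protocol, port, service)."""
    findings = []
    for proto, addr, port in parse_ss(text):
        exposed = addr in WILDCARD
        if port in CLEARTEXT and exposed:
            findings.append(("cleartext", proto, port, CLEARTEXT[port]))
        elif port in REMOTE_ACCESS and exposed:
            findings.append(("remote-access", proto, port, REMOTE_ACCESS[port]))
        elif port in DATABASES and exposed:
            findings.append(("database", proto, port, DATABASES[port]))
        elif port_range(port) == "dynamic":
            # Nothing should listen persistently in the ephemeral range
            findings.append(("dynamic-range-listener", proto, port, "unknown"))
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS):
        print(finding)
```

Note that MySQL on 127.0.0.1:3306 produces no finding: the check is about exposure, so a database bound to loopback is treated as acceptable while the same port on 0.0.0.0 would be reported. The ephemeral-range check is a weak signal on its own (some services legitimately pick high ports), so treat it as a prompt to identify the owning process rather than as a verdict.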

CompTIA Security+: Encryption

comptia-cert

Encryption in General

Encryption is the technique of transforming information into an unreadable format to hide its meaning from unauthorized recipients. The output of the encryption process is called ciphertext, the original text is called plaintext, and the algorithm used to perform the encryption and decryption is called a cipher. There are many ways to encrypt data:

Symmetric Encryption

In symmetric encryption, a single key is used to encrypt and decrypt the data. It is referred to as private key cryptography.

Block Ciphers

Data Encryption Standard - DES
  • 64-bit blocks
  • 56-bit key
  • Considered insecure
3DES
  • Modified DES
  • Applies DES three times
  • Uses three different 56-bit keys to encrypt, decrypt, and encrypt again
  • More secure than DES
International Data Encryption Algorithm - IDEA
  • 64-bit blocks
  • 128-bit key
  • Not widely used
  • Known to be used in PGP
  • Still not powerful enough
Advanced Encryption Standard - AES
  • 128, 192, or 256-bit blocks
  • 128, 192, or 256-bit key matching the block size
  • Widely used for symmetric encryption
Blowfish
  • 64-bit blocks
  • Variable-length encryption key (32 bits to 448 bits)
  • Replacement for DES
  • Not widely used
  • Open-source
Twofish
  • A variant of Blowfish
  • 128-bit blocks
  • 128, 192, or 256-bit key
  • Open-source
Rivest Cipher 5 - RC5
  • Variable block size
  • Created by Ron Rivest
  • Uses a variable-length key (0 bits to 2040 bits)
Rivest Cipher 6 - RC6
  • 128-bit blocks
  • 128, 192, or 256-bit key
  • Introduced as a replacement for DES

Stream Ciphers

Rivest Cipher 4 - RC4
  • Created by Ron Rivest
  • Uses a variable-length key (40 bits to 2048 bits)
  • Used in SSL and WEP
  • Considered insecure
ChaCha20
  • 256-bit key
  • More secure than RC4
  • Widely used in TLS and secure messaging

Asymmetric Encryption

In asymmetric encryption, two different keys are used: one to encrypt and the other to decrypt the data. It is referred to as public key cryptography.

Diffie-Hellman - DH

  • Used to securely exchange keys over an insecure network
  • Susceptible to an on-path attack

Rivest-Shamir-Adleman - RSA

  • 1024-bit to 4096-bit key
  • Based on the difficulty of integer factorization

Elliptic Curve Cryptography - ECC

  • Popular in mobile devices
  • Based on the Elliptic Curve Discrete Logarithm Problem to define keys
  • More efficient than RSA

CompTIA Security+: Introduction

comptia-cert

CompTIA Security+ is an intermediate-level certification for IT professionals and an entry-level certification for cybersecurity. It assesses the candidate's ability to:

  • Assess the security posture of an enterprise environment
  • Recommend and implement appropriate security solutions
  • Monitor and secure hybrid compute environments
  • Identify, analyze, and respond to security events
  • Understand governance, risk, and compliance

CompTIA Security+ Domains

Domain 1: General Security Concepts - 12%

* Compare and contrast various types of security controls
* Summarize fundamental security concepts
* Explain the importance of change management processes and the impact to security
* Explain the importance of using appropriate cryptographic solutions

Domain 2: Threats, Vulnerabilities, and Mitigations - 22%

* Compare and contrast common threat actors and motivations
* Explain common threat vectors and attack surfaces
* Explain various types of vulnerabilities
* Given a scenario, analyze indicators of malicious activity
* Explain the purpose of mitigation techniques used to secure the enterprise

Domain 3: Security Architecture - 18%

* Compare and contrast security implications of different architecture models
* Given a scenario, apply security principles to secure enterprise infrastructure
* Compare and contrast concepts and strategies to protect data
* Explain the importance of resilience and recovery in security architecture

Domain 4: Security Operations - 22%

* Given a scenario, apply common security techniques to computing resources
* Explain the security implications of proper hardware, software, and data asset management
* Explain various activities associated with vulnerability management
* Explain security alerting and monitoring concepts and tools
* Given a scenario, modify enterprise capabilities to enhance security
* Given a scenario, implement and maintain identity and access management
* Explain appropriate incident response activities
* Given a scenario, use data sources to support an investigation

Domain 5: Security Program Management and Oversight - 20%

* Summarize elements of effective security governance
* Explain elements of the risk management process
* Explain the processes associated with third-party risk assessment and management
* Summarize elements of effective security compliance
* Explain types and purposes of audits and assessments
* Given a scenario, implement security awareness practices

Read more about CompTIA Security+ certification here https://www.comptia.org/en-us/certifications/security/