Information Technology Security & Privacy (COSC 3796)

School of Computer Science and Technology

Algoma University, Sault Ste. Marie
Fall 2024

TITLE: THREATS AND ATTACKS ON ENDPOINTS

LECTURE NO. 3

INSTRUCTOR: DR. MUHAMMAD AZAM

 Module
Objectives
 1.Identify the different
types of attacks using
malware

 2. Define application
attacks

 3. Explain how threat actors
use application attacks

 4. Define adversarial
artificial intelligence attacks
  Malware is software that enters a computer system
without the user’s knowledge or consent and then
performs an unwanted and harmful action
 Malware is most often used as the general term that
refers to a wide variety of damaging software programs
 Malware is continually evolving to avoid detection by
improved security measures
 One attempt at classifying the diverse types of
Attacks Using malware can be to examine the primary action that the
Malware malware performs:
 Imprison
 Launch
 Snoop
 Deceive
 Evade
  Some types of malware attempt to take away the
freedom of the user to do what they want
 Types of malware that imprisons are ransomware and
crypto malware
 Ransomware

Imprison  Ransomware prevents a user’s endpoint device from

properly and fully functioning until a fee is paid
 Some ransomware pretends to come from a law
enforcement agency while others pretend to come from
a software vendor and displays a fictitious warning that
a license has expired
Imprison
  Crypto malware
 Cryptomalware is a type of malware that imprisons
users and encrypts all files on the device so that none of
them can be opened

Cryptomalware  The cost for the key to unlock the cryptomalware

increases every few hours or days
 New variants of cryptomalware encrypt all files on any
network or attached device connected to that computer
Cryptomalware
  Malware that infects a computer to launch attacks on
other computers includes a virus, worm, and bot
 Virus
 There are two types of viruses: a file-based virus and a
fileless virus
 A file-based virus is malicious code that is attached to a
file that reproduces itself on the same computer without
Launch any human intervention
 An armored file-based virus goes to great lengths to
avoid detection
 Techniques include split infection and mutation

 The virus first unloads a payload to perform a malicious

action, then the virus replicates itself by inserting its
code into another file (on the same computer)
  A fileless virus does not attach itself to a file but
instead takes advantage of native services and
processes that are part of the OS to avoid detection
and carry out its attacks
 It does not infect a file, instead the code is loaded
directly in the computer’s random access memory
(RAM)
 Advantages of a fileless virus over a file-based virus:
Launch
 Easy to infect
 Extensive control
 Persistent
 Difficult to detect
 Difficult to defend against
  Worm
 A worm is a malicious program that uses a computer
network to replicate (sometimes called a network virus)
 Designed to enter a computer through the network and
then take advantage of a vulnerability in an application
or an OS on the host computer
Launch  Today’s worms can leave behind a payload on the
systems they infect and cause harm, much like a virus
 Actions that worms have performed include deleting
files on the computer or allowing the computer to be
remotely controlled by an attacker
  Bot
 Another type of malware allows the infected computer
to be placed under the remote control of an attacker for
the purpose of launching attacks
 The infected robot computer is known as a bot or
zombie
Launch  When hundreds, thousands, or even millions of bot
computers are gathered into a logical computer network,
they create a botnet under the control of a bot herder
 Infected bot computers receive instructions through a
command and control (C&C) structure from the bot
herders
  Two common types of snooping malware are spyware
and keyloggers
 Spyware
 Spyware is tracking software that is deployed without
the consent or control of the user

 Keylogger
Snoop  A keylogger silently captures and stores each keystroke
that a user types on the computer’s keyboard
 The threat actor can then search the captured text for
any useful information such as passwords, credit card
numbers, or personal information
 A keylogger can be a software program or a small
hardware device
Snoop
  Some malware attempts to deceive the user and hide
its true intentions
 Examples include potentially unwanted programs
(PUPs), Trojans, and remote access Trojans (RATs)
 Potentially Unwanted Program (PUP)

Deceive  A PUP is software that the user does not want on their
computer
 Examples of PUPs:
 Advertising that obstructs content or interferes with web
browsing, pop-up windows, pop-under windows, search
engine hijacking, home page hijacking, etc
  Trojan
 A computer Trojan is an executable program that
masquerades as performing a benign activity but also
does something malicious
 Remote Access Trojan (RAT)

Decieve  A RAT has the basic functionality of a Trojan but also

gives the threat agent unauthorized remote access to the
victim’s computer by using specially configured
communication protocols
 This creates an opening to the victim’s computer
allowing the threat agent unrestricted access
  This category of malware attempts to help malware,
or attacks evade detection
 Includes backdoor, logic bomb, and rootkit
 Backdoor
 A backdoor gives access to a computer, program, or
service that circumvents any normal security
protections
 Logic bomb
Evade  A logic bomb is computer code that is typically added
to a legitimate program but lies dormant and evades
detection until a specific logical event triggers it
 Rootkits
 A rootkit is malware that can hide its presence and the
presence of other malware on the computer
 It does this by accessing “lower layers” of the OS to make
alterations
  Another category of attacks look for vulnerabilities in
applications or manipulate applications in order to
compromise them

Application  Common targets of attackers using application attacks

are Internet web server

Attacks  A web server provides services that are implemented

as “web applications” through software applications
running on the server
  In a cross-site scripting (XSS) attack, a website that
accepts user input without validating it and uses that
input in a response can be exploited

Scripting  An attacker can take advantage in an XSS attack by

tricking a valid website into feeding a malicious script
to another user’s web browser
  Attacks called injections introduce new input to
exploit a vulnerability
 One of the most common injection attacks (SQL
injection) inserts statements to manipulate a database
server
 SQL stands for Structured Query Language
Injection  SQL injection targets SQL servers by introducing
malicious commands into them
 By entering crafted SQL statements as user input,
information from the database can be extracted or the
existing can be manipulated
  Request forgery is a request that has been fabricated
 There are two types of request forgeries:
 Cross-site request forgery (CSFR) and a server-site
request forgery (SSRF)

 Cross-Site Request Forgery (CSRF)

 CSRF takes advantage of an authentication “token” that
Request Forgery a website sends to a user’s web browser
 If a user is currently authenticated on a website and is
then tricked into loading another webpage, the new page
inherits the identity and privileges of the victim, who
may the perform an undesired function on the attacker’s
behalf
Request Forgery
  Server-Site Request Forgery (SSRF)
 An SSRF takes advantage of a trusting relationship
between web servers
 SSRF attacks exploit how a web server processes
external information received from another server
 Some web applications are designed to read
Request forgery information from or write information to a specific
URL
 If an attacker can modify that target URL, they can
potentially extract sensitive information from the
application or inject untrusted input into it
  Replay attacks are commonly used against digital
identities
 After intercepting and copying data, the threat actor
retransmits selected and edited portions of the copied
communications later to impersonate the legitimate
Replay user
 Many digital identity replay attacks are between a
user and an authentication server
  Other attacks are directly focused on vulnerabilities in
the software applications
 These include:
 Exploiting memory vulnerabilities
 Improper exception and error handling
 External software components
Attacks on  Memory Vulnerabilities
Software  Some memory-related attacks are called resource
exhaustion attacks because they “deplete” parts of
memory and thus interfere with the normal operation of
the program in RAM
 Other memory-related attacks attempt to manipulate
memory contents such as buffer overflow attacks and
integer overflow attacks
  Memory Vulnerabilities (continued)
 A buffer overflow attack occurs when a process
attempts to store data in RAM beyond the boundaries of
a fixed-length storage buffer
 This extra data overflows into the adjacent memory
locations
 In an integer overflow attack, an attacker changes the
value of a variable to something outside the range that
the programmer had intended by using an integer
overflow
Attacks on  Improper Exception Handling
 Some attacks are the result of poor coding on the part
Software of software developers
 Software that allows the user to enter data but has
improper input handling features does not filter or
validate user input to prevent a malicious action
 Another improper exception handling situation is a
NULL pointer/object dereference
 When an application dereferences a pointer that has a
value of NULL, it typically will cause a program to crash
or exit
  Attacks on External Software Components
 In addition to attacking the software directly, threat
actors also target external software components

Attacks on  These include the following:

 Application program interface (API)
Software  Device driver
 Dynamic-link library (DLL)
  Cybersecurity is using artificial intelligence to enhance the
detection of malicious behavior and advanced threats
 However, there are significant vulnerabilities and risks with using
these new tools
Adversarial  Understanding them includes:
Artificial  Knowing what the tools are and what they can do

Intelligence  How these tools are used in cybersecurity

 Knowing their potential risks
Attacks
  The definitions of AI vary, but AI may be defined as
technology that imitates human abilities
What Are Artificial  A recognized subset of AI is machine learning (ML)
Intelligence (AI)  ML is defined as “teaching” a technology device to “learn”
by itself without the continual instructions of a computer
and Machine programmer


Learning (ML)? ML also involves learning through repeated experience
 If something attempted does not work, then it determines
how it could be changed to make it work
  Cybersecurity AI allows organizations to detect, predict,
and respond to cyberthreats in real time using ML
 Virtually all email systems use some type of AI to block
phishing attacks
 The prime advantages of using AI to combat threats are
continual learning and greater speed in response
Uses in  AI can predict and prevent future attacks
Cybersecurity  About one in five organizations used cybersecurity AI
before 2022
 Increasing to two out of three organizations planning to
deploy it by the end of 2025
 Uses in
Cybersecurity

Fig 3: How AI Cybersecurity is Used

 Risks associated with using AI and ML are called adversarial
artificial intelligence
The first risk is the security of ML algorithms
These could be attacked and compromised, allowing threat
Risks in Using AI
actors to alter algorithms to ignore attacks
and ML in Another risk is tainted training data for machine learning
Cybersecurity Attackers can attempt to alter the training data that is used
by ML in order to produce false negatives to cloak
themselves
 References

Some Contents were derived from the following Text.

 CompTIA Security + Guide to Network Security Fundamentals, 7th Edition

 Principles of Information Security , 7th Edition (Michael E. Whitman; Herbert J. Mattord)

 Ukeje, N., Gutierrez, J., & Petrova, K. (2024). Information security and privacy challenges of cloud
computing for government adoption: a systematic review. International Journal of Information Security, 1-
17.
 Ali, A. S., Zaaba, Z. F., & Singh, M. M. (2024). The rise of “security and privacy”: bibliometric analysis of
computer privacy research. International Journal of Information Security, 23(2), 863-885.
 Farayola, O. A., Olorunfemi, O. L., & Shoetan, P. O. (2024). Data privacy and security in IT: a review of
techniques and challenges. Computer Science & IT Research Journal, 5(3), 606-615.