Top 50 Cybersecurity Threats

There have been prominent command and control attacks originating from Russia, Iran and even the U.S. These attackers can come from anywhere and everywhere — but they don’t want you to know that. 

Since communication is critical, hackers use techniques designed to hide the true nature of their correspondence. They’ll often try to log their activities for as long as possible without being detected, relying on a variety of techniques to communicate over these channels while maintaining a low profile.

Attacks can come from anywhere in the world. But because many verticals such as government, manufacturing and healthcare are deploying IoT infrastructure without proper security protections, these systems are targets for attacks by hostile nation-states and sophisticated cybercrime organizations. Unlike attacks against technology infrastructure, attacks against connected civic or healthcare systems could lead to widespread disruption, panic and human endangerment.

Ransomware has typically been the work of advanced cybercriminal groups — who remain anonymous after extorting governments or major enterprises requires technological sophistication. However, since the arrival of cryptocurrencies, which simplify anonymous transactions, the general population is at greater risk of ransomware attack.

An enormous volume of our transactions — financial and otherwise — take place online. For cybercriminals, acquiring account credentials and personal information (like social security numbers, home addresses, phone numbers, credit card numbers and other financial information) is a lucrative business, whether they choose to sell the acquired information or use it for their own gain. As such, these kinds of attacks can originate anywhere in the world.

The most basic brute force attack is a dictionary attack, where the attacker systematically works through a dictionary or wordlist — trying each and every entry until they get a hit. They’ll even augment words with symbols and numerals, or use special dictionaries with leaked and/or commonly used passwords. And if time or patience isn’t on their side, automated tools for operating dictionary attacks can make this task much faster and less cumbersome.

Thanks to the ease and simplicity of a brute force attack, hackers and cyber criminals with little-to-no technical experience can try to gain access to someone’s account. The people behind these campaigns either have enough time or computational power on their side to make it happen. 

Compromised credentials represent a huge attack vector, giving threat actors a way into computing devices, password-protected accounts and an organization’s network infrastructure with relative ease. These perpetrators are often organized, with their sights set on a specific organization or person. And they’re not always outside of the organization — they could very well be an insider threat who has some level of legitimate access to the company’s systems and data. 

Credential dumping can originate from anywhere. And because we’re all guilty of recycling passwords, that information can be sold for future attacks.

This could be a targeted attack, where the person knows the victim and wants access to their accounts for personal, professional or financial reasons. The attack could also originate from a complete stranger who bought the user’s personal information on the cybercrime underground.

Proxies mask the location of credential stuffing attackers, making it challenging to detect their location. But they can be found all over the world, especially in organized cybercrime hotspots. Often, attackers will be individual and organized hackers with access to dedicated account-checking tools and numerous proxies that prevent their IP addresses from being blocked. Less-sophisticated perpetrators may end up giving themselves away by attempting to infiltrate a large number of accounts via bots, which results in an unexpected denial-of-service-attack (DDoS) scenario.

Attackers like APT28 target government agencies, hotel booking websites, telecoms and IT companies. At a minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, enterprise or schema administrators) should be closely monitored and alerted upon, because these types of accounts should not generally be used to access information repositories. Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.

Network sniffing is often conducted legally by organizations like ISPs, advertising agencies, government agencies and others who need to verify network traffic.

But it can also be launched by hackers doing it for the “lulz” or nation-states looking to pilfer intellectual property. Like ransomware, network sniffers can be injected into the network by getting the right person to click on the right link. Insider threats with access to sensitive hardware could also be a vector for attack.

Because it provides attackers with hard to detect, wide access to all kinds of data privilege, user compromise is widely appealing and commonly used in cyber attacks of various kinds, whether nation-state cyber espionage motivated by political ideology or sophisticated, financially-motivated cybercrime groups like Lapsus$.

Thanks to crimeware kits that are now readily available, this type of attack can come from anyone and anywhere. But more often than not, they’ll originate from nefarious organizations looking to sell a victim’s information to a third-party.

Cookie theft is commonly accomplished through malware that copies the victim’s cookies and sends them directly to the attacker. The malware can land on the victim’s machine in any number of ways covered in this book, like phishing, macro viruses, cross-site scripting and more. Many hackers engaging in cookie theft belong to larger networks based in Russia and China. The actors behind the YouTube attack, for example, were found to have been part of a group of hackers connected via a Russian-speaking forum.

While there are numerous individual scammers pulling off business invoice fraud, many are sourced to fraud rings that have the organization and the resources to research their victim’s banking institution and create a billing experience that feels real. Fraud rings conducting invoice scams can be found all over the world.

Because cryptocurrency is a global commodity, the attacks can originate from anywhere. Instead of focusing on where the attacks come from, it’s key to monitor cloud computing instances for activities related to cryptojacking and cryptomining, such as new cloud instances that originate from previously unseen regions, users who launch an abnormally high numbers of instances, or compute instances started by previously unseen users.

There are two types of XSS attacks: stored and reflected. Stored XSS attacks occur when an injected script is stored on the server in a fixed location, like a forum post or comment. Every user that lands on the infected page will be affected by the XSS attack. In reflected XSS, the injected script is served to a user as a response to a request, like a search results page.

While XSS attacks are not as common as they once were — due primarily to improvements in browsers and security technology — they’re still prevalent enough to rank within the top ten threats listed by the Open Web Application Security Project, and the Common Vulnerabilities and Exposures database lists nearly 14,000 vulnerabilities associated with XSS attacks.

These attacks come from all over the world because cryptojacking doesn’t require significant technical skills. Cryptojacking kits are available on the deep web for as little as $30. It’s a low bar of entry for hackers that want to make a quick buck for relatively little risk. In one attack, a European bank experienced some unusual traffic patterns on its servers, slower than average night processes, and unexplained online servers — all attributed to a rogue staffer who installed a cryptomining system.

As their name implies, DDoS attacks are distributed, meaning that the incoming flood of traffic targeting the victim’s network originates from numerous sources. Thus, the hackers behind these attacks can literally be from anywhere in the world. What’s more, their distributed nature makes it impossible to stop these attacks simply by securing or blocking a single source.

IoMT attackers have the ability and resources to pinpoint healthcare providers with ambiguous security ownership, as well as poor asset or inventory visibility, and out-of-date systems and devices.

This type of attack is more sophisticated than other methods, and is usually executed by a power hacker who knows exactly what they’re doing (versus an amateur who might resort to brute force attacks). Ever stealth in their approach, they’re adept at covering their tracks, and know how to move laterally across a network.

Because improvements in security technologies have made MITM attacks more difficult to execute, the only groups attempting them are sophisticated hackers or state actors. In 2018, the Dutch police found four members of the Russian hacking group Fancy Bear parked outside of the Organization for the Prohibition of Chemical Weapons in Holland, attempting an MITM infiltration to steal employee credentials. Later that year, the U.S. and UK governments released warnings that Russian state-sponsored actors were actively targeting routers in homes and enterprises for the purpose of MITM exfiltration.

Misconfiguration isn't considered a malicious act in and of itself, but instead is mostly due to being a result of human error. However, attackers may know where to look if they suspect a lax level of configuration across a certain organization’s IT stack.

While they come from all over, many of the cybercriminals behind this attack originate where organized threat groups flourish, such as Russia, Eastern Europe and China. In 2018, a country-level watering hole attack was sourced to the Chinese threat group known as LuckyMouse” (aka Iron Tiger, ‘EmissaryPanda,” “APT 27” and “Threat Group 3390”), known for targeting government, energy and manufacturing sectors with numerous types of attacks, including watering hole assaults.

The prevalence of technology has led to explosive growth in zero-day attacks. While these attacks can ostensibly be launched from anywhere, they often are proliferated via nation-states or regions with extensive cyber underworld networks and infrastructure. Recent reports have cited that the bulk of zero day threats in 2021 were sourced to hacking groups in China. 

The rise of prepackaged drive-by download kits allows hackers of any skill level to launch these kinds of attacks. In fact, these kits can be purchased and deployed without the hacker writing their own code or establishing their own infrastructure for data exfiltration or other abuses. The ease with which these attacks can be executed means that they can come from virtually anywhere.

Just a few decades ago, a large number of phishing attacks were sourced to Nigeria in what were known as 419 scams, due to their fraud designation in the Nigerian criminal code. Today, phishing attacks originate from all over the world, with many occurring in BRIC countries (Brazil, Russia, India and China), according to the InfoSec Institute. Because of the ease and availability of phishing toolkits, even hackers with minimal technical skills can launch phishing campaigns. The people behind these campaigns run the gamut from individual hackers to organized cybercriminals.

Social engineering attacks come in many different forms and can be performed anywhere where human interaction is involved. The following are five common forms of digital social engineering assaults. A perpetrator first investigates the intended victim to gather the necessary background information — such as potential points of entry and weak security protocols — needed to proceed with the attack. Then, the attacker gains the victim’s trust and provides stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.

Social engineering can take many forms and come from many sources and motivations. Most commonly, it comes in the form of phishing emails. Other forms include pretexting, where the attacker creates a good pretext to steal important data; baiting and quid pro quo, in which the attacker offers the victim something desirable in exchange for providing login credentials; and tailgating or piggybacking, in which an attacker gains access to a restricted area of a business by following an authenticated employee through secure doors.

Because so much of the internet is built on relational databases, SQL injection attacks are exceedingly common. Searching the Common Vulnerabilities and Exposures database for “injection” returns 15,000 results.

Supply chain attacks are large-scale, sophisticated attacks perpetrated by sophisticated threat actors, often nation-state sponsored and ideologically motivated, though financial gain is also a big motivation. 

Compromised access tokens may be used as an initial step to compromising other services. For example, if a token grants access to a victim’s primary email, the attacker may be able to extend access to all other services that the target subscribes to by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to countermeasures like changing passwords.

Mismanagement and misconfiguration of a cloud environment isn't considered a malicious act in and of itself, and as mentioned, typically occurs due to human error.

Social engineering attacks come in many different forms and can be performed anywhere where human interaction is involved. The following are five common forms of digital social engineering assaults. A perpetrator first investigates the intended victim to gather the necessary background information — such as potential points of entry and weak security protocols — needed to proceed with the attack. Then, the attacker gains the victim’s trust and provides stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.

Social engineering can take many forms and come from many sources and motivations. Most commonly, it comes in the form of phishing emails. Other forms include pretexting, where the attacker creates a good pretext to steal important data; baiting and quid pro quo, in which the attacker offers the victim something desirable in exchange for providing login credentials; and tailgating or piggybacking, in which an attacker gains access to a restricted area of a business by following an authenticated employee through secure doors.

This type of attack is more sophisticated than other methods, and is usually executed by highly organized, motivated threat groups with their sights set on a specific organization or person, and with a mind to political or financial gain.

Between the growing number of phishing attacks, increasing number of user identities and the continued growth of cloud adoption, this type of attack can come from anywhere, including third-party vendors, employees, remote workers and contractors.

What makes this particular vulnerability unique is that an attacker needs physical access to a victim’s computer in order to exploit its multiple flaws. So this attack either comes from the inside, or from hackers who have gained access to a lost or stolen laptop or computer system. Another attack scenario includes a post-malware infection that could be perpetrated by a remote adversary, but with pre-existing access to the targeted system, likely via a prior malware exploit.

Because of the diversity of services being hosted on AWS and the new types of cloud threats being spun up daily, these attacks can virtually come from anywhere and anyone.

Inside attackers can be employees in the organization with bad intentions or cyberspies impersonating contractors, third parties or remote workers. They may work autonomously, or as part of nation-states, crime rings or competing organizations. While they might also be remote third-party suppliers or contractors located all over the world, they usually have some level of legitimate access to the organization’s systems and data.

Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Attackers compromise network devices and can then obtain direct access to the company's internal infrastructure — effectively increasing the attack surface and accessing private services/data.

Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems and implement cryptographic weakened algorithms to more easily decrypt network traffic.

Simjackers are typically looking to extort victims for something of great value — like Bitcoin or other cryptocurrency wallets or high-value social media accounts — or to cause harm to their reputations, as Chuckling Squad did with Jack Dorsey. These hackers can come from anywhere in the world, and can be members of organized groups or solitary actors.

Once exploited, this vulnerability enables a credential stuffing attack, in which the bad actor acquires usernames and passwords from a variety of sources such as breached websites, phishing attacks and password dump sites. By conducting brute force attacks with the help of automated tools, the adversary tests those credentials at scale against a plethora of websites to see if any logins are successful and gain access to the site. From there, attackers have the ability to launch any number of attacks, including launching phishing or spam campaigns, accessing PII and other sensitive information, and financially draining stolen accounts.

Password spraying attacks, which are essentially brute force attacks, feed numerous usernames into an automated program that attempts to guess associated passwords. As the name implies, it relies on a “spray” technique in the hopes that one of the username/password combinations is correct. And it only takes one.

These attacks can essentially come from anywhere. While it is possible that they can be traced to sophisticated cybercrime networks, they can also be executed by less sophisticated, individual, remote hackers with access to automated tools that can conduct a copious number of brute force attacks at once.