CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this
material is prohibited and subject to legal action under breach of IP and confidentiality clauses.
The Five Organizations/Companies that Experienced Cyber-attacks
Agenda

In our increasingly digital and connected world, cybersecurity has never been more important. From the moment we wake up, we engage with the internet, which has become an integral part of our daily lives.

While the internet offers countless benefits, it also exposes us to significant risks that we must be aware of. As security professionals, it is our duty to understand these risks, recognize the various types of cyber attacks, and implement measures to secure valuable data.
The main agenda of this presentation is to explore different cyber attacks, understand the methodologies and tools used, and discuss effective prevention measures. By analyzing these incidents, we aim to:

• Identify Weaknesses: Understanding the vulnerabilities exploited by attackers allows us to recognize the gaps in our current security posture.
• Anticipate Future Threats: Analyzing past attacks helps us foresee potential future threats and prepare accordingly.
• Strengthen Defenses: By learning from real-world examples, we can enhance our security strategies to protect against similar attacks in the future.

Ultimately, this knowledge empowers us to build robust defenses, safeguarding our digital lives against the ever-evolving threat landscape.
WannaCry Ransomware Attack 2017

Introduction

A global ransomware attack that spread rapidly in May 2017, affecting over 200,000 computers in 150 countries. Ransomware is currently a key threat to internet users. It is malicious software (malware) that prevents users from accessing, or limits access to, the system or files, either by locking the screen or by encrypting files until a ransom is paid.

• What is WannaCry?
WannaCry is a type of ransomware that encrypts files on infected computers and demands a ransom payment in Bitcoin for decryption.

• Key Features:
Exploited a Windows SMB vulnerability (EternalBlue).
Spread autonomously between computers without user interaction.
• How WannaCry Worked

EternalBlue: SMB protocol vulnerability, used to gain access to vulnerable systems.
SMB protocol: propagated to other systems automatically.
Ransom: files on the affected systems are encrypted using the AES-128 and RSA-2048 algorithms.
Display window after the attack:

DoublePulsar: backdoor installed after exploiting EternalBlue. Grants a high level of control over the computer system.
Kill Switch: a domain check used as a kill switch was accidentally triggered, slowing the attack.
Attacker: Shadow Brokers.
Creator of the ransomware: developed by the U.S. National Security Agency (NSA).
Codes/Tools or files used:

Main Executable (WannaCry.exe): the primary executable responsible for the encryption of files and displaying the ransom note.
DLL Files: additional Dynamic Link Libraries (DLLs) are loaded to handle various tasks like encryption, spreading to other machines, and interacting with the network.
WannaCryptor: the name of the ransomware binary, often used to describe the file used for the encryption process.

The image is a simplified pseudocode representation of the WannaCry ransomware workflow.
Exploited Vulnerabilities
• EternalBlue Vulnerability: in the SMB protocol, allowing attackers to execute arbitrary code remotely.
• Outdated Systems: Windows XP operating systems which lacked critical security updates.
• Flat Network Architecture

Factors Enabling the Attack
• Inadequate patch management
• Outdated software and systems
• Poor network defences

Impact of the Attack
• Financial loss
• Recovery challenges
• Customer impact
• Production stoppages
• Operational disruption

Response and Mitigation
• Emergency patches [for unsupported Windows versions]
• Kill switch activation [activated by security researcher Marcus Hutchins]
Equifax Data Breach 2017

Introduction

It is one of the most significant and damaging cyber attacks, compromising the personal information of millions of individuals.

Type of Attack: Data breach via web application exploitation
Data Compromised: Personal information of approximately 147 million individuals, credit card information of over 200,000 individuals, and dispute documents for around 182,000 individuals.
Methodology:

Attackers exploited a vulnerability in the Apache Struts web application framework (CVE-2017-5638). The flaw allowed attackers to execute arbitrary code on the affected servers.

It includes:
• Initial exploitation
• Privilege escalation
• Lateral movement within the network
• Data exfiltration
Factors Enabling the Attack:
• Failure to patch known vulnerabilities
• Weak incident response and security controls
• Poor network segmentation and access controls
• Negligence and mismanagement
• Outdated and insecure systems
• Inadequate encryption and data protection

Vulnerabilities Exploited:
• Apache Struts vulnerability
• Weak network segmentation
• Lack of encryption of sensitive data
• Inadequate security monitoring
Code Used:

The snapshot above shows a simplified example of how such an attack might be structured. The command injects a malicious payload that allows an attacker to execute arbitrary code on the vulnerable server.

Tools:

Metasploit Framework: the module automatically sends an exploit payload to the target application to achieve code execution.
Custom Scripts and Exploit Payloads:
A custom script sends a malicious Content-Type header that attempts to execute code on the server. Custom scripts enable attackers to adjust the payload and execution flow according to the target's responses.

SQLMap (for lateral movement and database extraction):
SQLMap automates the process of detecting and exploiting SQL injection vulnerabilities, allowing attackers to extract databases, tables, and sensitive information.

Privilege Escalation Tools (Mimikatz):
Attackers use Mimikatz after gaining a foothold to escalate privileges and move laterally within a network, allowing broader access to sensitive data.
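A defensive check for the delivery vector described in the Methodology and Custom Scripts sections above (the malicious Content-Type header of CVE-2017-5638), added here as example code that is not from the presentation: it validates the header against the RFC 7231 media-type grammar and flags expression-language markers. The access-log lines and their `client method path "content-type"` layout are constructed for this example.

```python
"""Detect malformed Content-Type headers of the kind used against Apache
Struts (CVE-2017-5638). A legitimate value follows the RFC 7231 media-type
grammar, 'type/subtype' plus optional ';name=value' parameters, so a header
that breaks that grammar or carries an expression marker is worth an alert.
The log lines below are constructed for this example."""
import re

# RFC 7231 'tchar': the only characters allowed in a type, subtype or
# parameter name. Braces, parentheses, '=' and quotes are deliberately absent.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE = re.compile(
    rf'^\s*{TOKEN}/{TOKEN}'                                   # type/subtype
    rf'(?:\s*;\s*{TOKEN}\s*=\s*(?:{TOKEN}|"[^"]*"))*\s*$'     # ; name=value ...
)
# OGNL ('%{') and EL ('${') expression markers never belong in this header.
EXPRESSION_MARKER = re.compile(r"[%$]\{")

# Constructed access-log format: client method path "content-type"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

SAMPLE_LOG = """\
203.0.113.5 POST /upload.action "multipart/form-data; boundary=----abc123"
203.0.113.9 POST /upload.action "%{#constructed_placeholder}"
198.51.100.7 GET /index.action "text/html; charset=utf-8"
203.0.113.9 POST /upload.action "application/json"
203.0.113.9 POST /upload.action "text/plain ${constructed}"
"""


def is_valid_media_type(value: str) -> bool:
    """True when the header value parses as an RFC 7231 media type."""
    return MEDIA_TYPE.match(value) is not None


def suspicious_reasons(value: str) -> list[str]:
    """Why a Content-Type value looks hostile (empty list if it is clean)."""
    reasons = []
    if not is_valid_media_type(value):
        reasons.append("not a valid media type")
    if EXPRESSION_MARKER.search(value):
        reasons.append("expression-language marker")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse constructed access-log lines and return the flagged requests."""
    flagged = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        client, method, path, content_type = m.groups()
        reasons = suspicious_reasons(content_type)
        if reasons:
            flagged.append({"client": client, "method": method,
                            "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['path']}: "
              + ", ".join(hit["reasons"]))
```

The grammar check catches payloads that no marker list anticipates, while the marker check catches a technically well-formed header that still smuggles an expression into a parameter value.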
Impact of the Attack
• Financial impact
• Operational impact
• Reputational damage
• Regulatory and legal consequences
Facebook Data Breach 2019

Introduction

It is one of the most significant cyber attacks that exposed millions of user records and highlighted critical security weaknesses within the organisation.

Type of Attack: Data breach due to insecure storage and misconfigured databases
Data Compromised: Over 540 million records, including Facebook user IDs, account names, likes, comments and other data, were exposed on unprotected Amazon Web Services (AWS) servers.
Methodology:

Insecure Data Storage on AWS
Insecurely configured AWS S3 buckets used by third-party companies to store Facebook user data. The breach did not involve a traditional hack or intrusion but rather exposed the lack of proper data storage and access controls by Facebook's partners and app developers who collected user data from the platform.

Misconfigured Databases
Two third-party app developers, Cultura Colectiva and At the Pool, stored massive amounts of Facebook user data on publicly accessible cloud servers. These databases were left open without any security measures, such as password protection or encryption, making the data vulnerable to exposure.
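An added audit routine (not code from the presentation) for the misconfiguration described above: it takes S3 bucket records shaped like the responses of boto3's get_public_access_block and get_bucket_acl and reports live public ACL grants and incomplete Block Public Access settings. The bucket records and names are constructed for the example; in a real audit the same dicts come from those two API calls.

```python
"""Audit S3 buckets for the exposure pattern in the case study above: data left
readable by anyone because no public-access block was set and the bucket ACL
granted READ to a public group. The bucket records are constructed for this
example; their fields mirror the shapes returned by boto3's
get_public_access_block and get_bucket_acl, so live responses can be fed to
assess_bucket unchanged."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "everyone", AUTHENTICATED_USERS: "any AWS account"}

# The four settings of S3 Block Public Access; all True is the safe baseline.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

SAMPLE_BUCKETS = [
    {   # constructed: wide open, like the partner data stores described above.
        # None models the NoSuchPublicAccessBlockConfiguration case (nothing set).
        "Name": "constructed-partner-export",
        "PublicAccessBlockConfiguration": None,
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ],
    },
    {   # constructed: stale public grant, neutralised by the block settings.
        "Name": "constructed-legacy-logs",
        "PublicAccessBlockConfiguration": dict(BLOCK_ALL),
        "Grants": [
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
             "Permission": "READ"},
        ],
    },
    {   # constructed: private bucket, nothing to report.
        "Name": "constructed-private",
        "PublicAccessBlockConfiguration": dict(BLOCK_ALL),
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
             "Permission": "FULL_CONTROL"},
        ],
    },
]


def public_acl_grants(grants):
    """(who, permission) for every ACL grant to one of the two public groups."""
    return [(PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in grants
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def assess_bucket(bucket):
    """Return (severity, message) findings; an empty list means nothing found."""
    findings = []
    pab = bucket.get("PublicAccessBlockConfiguration") or {}
    # IgnorePublicAcls is the setting that makes S3 disregard public ACL grants;
    # without it every public grant on the ACL is live.
    acls_ignored = pab.get("IgnorePublicAcls", False)
    for who, perm in public_acl_grants(bucket.get("Grants", [])):
        if acls_ignored:
            findings.append(("LOW", f"stale ACL grant of {perm} to {who} "
                                    "(neutralised by IgnorePublicAcls)"))
        else:
            findings.append(("HIGH", f"ACL grants {perm} to {who}"))
    missing = [name for name in BLOCK_ALL if not pab.get(name, False)]
    if missing:
        findings.append(("HIGH", "public access block incomplete: "
                         + ", ".join(missing)))
    return findings


def audit(buckets):
    """Map bucket name -> findings, for buckets with at least one finding."""
    report = {}
    for bucket in buckets:
        findings = assess_bucket(bucket)
        if findings:
            report[bucket["Name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS).items():
        for severity, message in findings:
            print(f"{severity:4} {name}: {message}")
```

A bucket policy can open a bucket just as effectively as an ACL, so a complete audit also inspects get_bucket_policy_status; the check above covers the ACL path the case study describes.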
Factors Enabling the Attack:
• Weak security controls for third-party developers
• No data protection (publicly accessible cloud storage)
• Negligence and poor risk management
• Outdated security practices
• Lack of authentication and encryption
• Outdated and insecure systems
• Improper data segmentation and access controls

Vulnerabilities Exploited:
• No proper authentication and authorisation
• The data was not encrypted and was open to public access
Tools and Methods Used:
• Automated cloud scanners
• AWS S3 bucket misconfiguration tools
• Curl and Wget (command-line tools)
• ScoutSuite and Prowler (cloud security auditing tools)
Impact of the Attack
• Financial impact – regulatory scrutiny and financial penalties
• Operational impact
• Reputational damage – loss of user trust
Colonial Pipeline Ransomware Attack 2021

Introduction

It is one of the most significant cyber attacks, disrupting fuel supplies across the Eastern United States because of flaws in the infrastructure systems.

Type of Attack: Ransomware attack executed by the DarkSide ransomware group

The attack led to the shutdown of the 5,500-mile pipeline, causing fuel shortages, panic buying, and price spikes across the Eastern U.S. Colonial Pipeline paid a ransom of approximately $4.4 million in Bitcoin to the attackers, although a portion was later recovered by the U.S. Department of Justice.
Methodology:
• Ransomware Deployment by DarkSide
• Initial Access via Compromised VPN Credentials
• Lateral Movement and Network Scanning
• Encryption and Data Exfiltration
Factors Enabling the Attack:
• Weak Access Controls
• Poor Password Management
• No Multi-Factor Authentication
• Inadequate Network Segmentation
• Improper Security Monitoring
Vulnerabilities Exploited:
• Compromised VPN Credentials
• Lack of Multifactor authentication
• Insufficient Network Segmentation
• Vulnerable IT-OT Convergence
Tools and Methods Used:
• Web scraping tools and libraries
• API exploitation techniques
• Puppeteer
• Captcha solvers and proxy services
• Botnets and automated browsing bots
• Data aggregation and enrichment tools (OpenRefine, data enrichment APIs)

Impact of the Attack
• Financial impact – ransom payment, economic losses
• Operational impact – pipeline shutdown, disruption of critical services
• Reputational damage – public and government scrutiny
• Regulatory consequences – the U.S. government issued new cybersecurity directives
LinkedIn Data Scraping Incident 2021

Introduction

It is one of the most significant cyber attacks that exposed millions of user records and highlighted critical security weaknesses within the organisation.

Type of Attack: Data scraping

Approximately 700 million LinkedIn users had their publicly available information scraped and sold on dark web forums. This represented around 92% of the platform's total user base.

Data Exposed: The scraped data included users' full names, email addresses, phone numbers, job titles, and other publicly available details from LinkedIn profiles.
Methodology:

Attackers employed automated bots to scrape publicly accessible data from LinkedIn profiles. They bypassed LinkedIn's anti-scraping mechanisms, including CAPTCHAs and rate limits, by using sophisticated scraping tools and techniques.

Factors Enabling the Attack:
• Inadequate Bot Detection: LinkedIn's existing bot detection and prevention mechanisms were insufficient to handle large-scale scraping activities.
• Public Data Exposure: The availability of data through LinkedIn's public interfaces made it easier for attackers to collect and aggregate information.
• Weak Rate Limiting: Rate limiting and CAPTCHA systems were bypassed through the use of proxy networks and distributed scraping techniques.
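The weak rate limiting described above, illustrated with added example code that is not from the presentation: the same sliding-window limiter is run twice over one constructed request stream, once keyed on the client IP (which proxy rotation defeats) and once keyed on the authenticated account, alongside a detector for an account that appears from too many distinct IPs inside the window. The request records, account names and IP addresses are constructed for the example.

```python
"""Two sliding-window rate limiters over one constructed request stream: one
keyed on the client IP (defeated by proxy rotation, as described above) and one
keyed on the authenticated account, plus a detector for one account appearing
from too many distinct IPs inside the window. Timestamps are seconds and are
carried in the request records, so no wall clock is needed."""
from collections import Counter, defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most max_requests per key inside any window_seconds span."""

    def __init__(self, max_requests, window_seconds, key):
        self.max_requests = max_requests
        self.window = window_seconds
        self.key = key                      # request -> identity to budget on
        self._hits = defaultdict(deque)     # identity -> timestamps in window

    def check(self, request):
        """Return 'allow' or 'throttle'; requests must arrive in time order."""
        now = request["t"]
        hits = self._hits[self.key(request)]
        while hits and hits[0] <= now - self.window:
            hits.popleft()                  # drop hits that left the window
        if len(hits) >= self.max_requests:
            return "throttle"               # rejected requests are not counted
        hits.append(now)
        return "allow"


def rotation_suspects(requests, window_seconds, max_distinct_ips):
    """Accounts seen from more than max_distinct_ips IPs within one window."""
    recent = defaultdict(deque)             # account -> (t, ip) in window
    ip_counts = defaultdict(Counter)        # account -> ip -> hits in window
    suspects = set()
    for r in sorted(requests, key=lambda r: r["t"]):
        acct, now = r["account"], r["t"]
        q, counts = recent[acct], ip_counts[acct]
        while q and q[0][0] <= now - window_seconds:
            _, old_ip = q.popleft()
            counts[old_ip] -= 1
            if counts[old_ip] == 0:
                del counts[old_ip]
        q.append((now, r["ip"]))
        counts[r["ip"]] += 1
        if len(counts) > max_distinct_ips:
            suspects.add(acct)
    return sorted(suspects)


def run(limiter, requests):
    """Per-account tally of limiter decisions over a time-ordered stream."""
    tally = defaultdict(Counter)
    for r in sorted(requests, key=lambda r: r["t"]):
        tally[r["account"]][limiter.check(r)] += 1
    return tally


# Constructed stream: a scraper account issuing one profile fetch per second
# through six rotating proxy IPs, and a normal user browsing from one IP.
REQUESTS = [
    {"t": i, "account": "acct-scraper", "ip": f"198.51.100.{i % 6 + 1}",
     "path": f"/in/profile-{i}"}
    for i in range(30)
] + [
    {"t": 10 * i, "account": "acct-alice", "ip": "203.0.113.5",
     "path": f"/in/profile-{i}"}
    for i in range(5)
]

if __name__ == "__main__":
    by_ip = run(SlidingWindowLimiter(10, 60, key=lambda r: r["ip"]), REQUESTS)
    by_account = run(SlidingWindowLimiter(10, 60, key=lambda r: r["account"]),
                     REQUESTS)
    print("keyed by IP:      ", dict(by_ip))
    print("keyed by account: ", dict(by_account))
    print("rotation suspects:", rotation_suspects(REQUESTS, 60, 3))
```

With a 10-per-minute budget the IP-keyed limiter lets all 30 scraper requests through because each proxy stays under the limit, while the account-keyed one throttles everything after the tenth and the rotation check flags the account after its fourth distinct IP.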
Tools and Methods Used:
• Web scraping tools and libraries
• Automated data extraction tools
• Proxy and IP rotation services
• CAPTCHA solving services

Vulnerabilities Exploited:
The attack exploited the fact that LinkedIn's public-facing data was accessible without sufficient protection against automated data extraction.
Impact of the Attack
• Data Compromised: A dataset containing information from approximately 700 million LinkedIn profiles was scraped and made available for sale on dark web forums. The data included personal details such as names, job titles, and contact information.
• Financial and Reputational Impact: The incident led to reputational damage for LinkedIn and increased awareness of data scraping risks. It prompted LinkedIn to enhance its security measures and improve its defenses against automated data extraction.
Key Takeaways:
• Any data which is available publicly is vulnerable to exploitation
• Outdated software and unpatched vulnerabilities are major security risks
• Access controls play a very important role in securing data
• Weak security measures and misconfigurations can lead to severe breaches
• Multifactor Authentication (MFA) and strong password policies are crucial
• Cyber insurance is not a substitute for security

Conclusion

Understanding cyberattacks is essential for understanding the evolving nature of cybersecurity threats. These incidents highlight the importance of basic security measures, proactive threat detection, employee training, and robust incident response planning.

By learning from past attacks, businesses can better protect their assets, reduce vulnerabilities, and enhance their overall resilience against future cyber threats.
Analyzing Cyber-Attacks: Case Studies of Five Organizations

  • 1. CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. The Five Organizations/Companies that Experienced Cyber- attacks
  • 2. CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Agenda In our increasingly digital and connected world, cybersecurity has never been more important. From the moment we wake up, we engage with the internet, which has become an integral part of our daily lives. While the internet offers countless benefits, it also exposes us to significant risks that we must be aware of. As security professionals, it is our duty to understand these risks, recognize the various types of cyber attacks, and implement measures to secure valuable data.
  • 3. CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Agenda The main agenda of this presentation is to explore different cyber attacks, understand the methodologies and tools used, and discuss effective prevention measures. By analyzing these incidents, we aim to: • Identify Weaknesses: Understanding the vulnerabilities exploited by attackers allows us to recognize the gaps in our current security posture. • Anticipate Future Threats: Analyzing past attacks helps us foresee potential future threats and prepare accordingly. • Strengthen Defenses: By learning from real-world examples, we can enhance our security strategies to protect against similar attacks in the future. Ultimately, this knowledge empowers us to build robust defenses, safeguarding our digital lives against the ever-evolving threat landscape.
• 4. WannaCry Ransomware Attack 2017
  Introduction: A global ransomware attack that spread rapidly in May 2017, affecting over 200,000 computers in 150 countries. Ransomware is currently a key threat to internet users. It is malicious software (malware) that prevents users from accessing the system or files, or limits that access, either by locking the screen or by encrypting files until a ransom is paid.
  • What is WannaCry? WannaCry is a type of ransomware that encrypts files on infected computers and demands a ransom payment in Bitcoin for decryption.
  • Key Features: Exploited the Windows SMB vulnerability (EternalBlue); spread autonomously between computers without user interaction.
• 5. How WannaCry Worked
  • EternalBlue: SMB protocol vulnerability, used to gain access to vulnerable systems.
  • SMB protocol: propagated to other systems automatically.
  • Ransom: files on the affected systems are encrypted using the AES-128 and RSA-2048 algorithms.
• 6. Display window after the attack: [ransom-note screenshot, not present in the transcript]
  • DoublePulsar: backdoor installed after exploiting EternalBlue; grants a high level of control over the computer system.
  • Kill Switch: a domain check used as a kill switch was accidentally triggered, slowing the attack.
  • Attacker: Shadow Brokers.
  • Creator of the Ransomware: developed by the U.S. National Security Agency (NSA).
• 7. Codes/Tools or files used:
  • Main Executable (WannaCry.exe): the primary executable responsible for encrypting files and displaying the ransom note.
  • DLL Files: additional Dynamic Link Libraries (DLLs) are loaded to handle tasks such as encryption, spreading to other machines, and interacting with the network.
  • WannaCryptor: the name of the ransomware binary, often used to describe the file used for the encryption process.
  [Image: a simplified pseudocode representation of the WannaCry ransomware workflow; not present in the transcript]
• 8. Exploited Vulnerabilities
  • EternalBlue Vulnerability: in the SMB protocol, allowing attackers to execute arbitrary code remotely.
  • Outdated Systems: Windows XP operating systems, which lacked critical security updates.
  • Flat Network Architecture
  Factors Enabling the Attack: Inadequate patch management; outdated software and systems; poor network defences.
  Impact of the Attack: Financial loss; recovery challenges; customer impact; production stoppages; operational disruption.
  Response and Mitigation: Emergency patches [for unsupported Windows versions]; kill switch activation [activated by security researcher Marcus Hutchins].
• 9. Equifax Data Breach 2017
  Introduction: One of the most significant and damaging cyber attacks, compromising the personal information of millions of individuals.
  Type of Attack: Data breach via web application exploitation.
  Data compromised: Personal information of approximately 147 million individuals, credit card information of over 200,000 individuals, and dispute documents for around 182,000 individuals.
• 10. Methodology: Attackers exploited a vulnerability in the Apache Struts web application framework, CVE-2017-5638, a flaw that allowed attackers to execute arbitrary code on the affected servers. The attack included:
  • Initial Exploitation
  • Privilege Escalation
  • Lateral movement within the network
  • Data Exfiltration
• 11. Factors Enabling the Attack:
  • Failure to patch known vulnerabilities
  • Weak incident response and security controls
  • Poor network segmentation and access controls
  • Negligence and mismanagement
  • Outdated and insecure systems
  • Inadequate encryption and data protection
  Vulnerabilities Exploited:
  • Apache Struts vulnerability
  • Weak network segmentation
  • Lack of encryption of sensitive data
  • Inadequate security monitoring
• 12. Code Used: [Snapshot not present in the transcript.] The above snapshot shows a simplified example of how such an attack might be structured. The command injects a malicious payload which allows the attacker to execute arbitrary code on the vulnerable server.
  Tools:
  • Metasploit Framework: the module automatically sends an exploit payload to the target application to achieve code execution.
• 13. Tools (continued):
  • Custom Scripts and Exploit Payloads: a custom script sends a malicious Content-Type header that attempts to execute code on the server. Custom scripts enable attackers to adjust the payload and execution flow according to the target's responses.
  • SQLMap (for lateral movement and database extraction): SQLMap automates the process of detecting and exploiting SQL injection vulnerabilities, allowing attackers to extract databases, tables, and sensitive information.
  • Privilege Escalation Tools (Mimikatz): attackers use Mimikatz after gaining a foothold to escalate privileges and move laterally within a network, allowing broader access to sensitive data.
  Impact of the Attack
  • Financial Impact
  • Operational Impact
  • Reputational Damage
  • Regulatory and Legal Consequences
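As an added defensive example (not code from the original deck), the following Python checks a Content-Type header the way a reverse proxy or WAF in front of a Struts application could for CVE-2017-5638: instead of relying on a signature alone, it rejects any value that is not a well-formed RFC 7231 media type, which an OGNL expression can never be, and additionally flags the expression markers. The sample requests, IP addresses and the placeholder OGNL-looking value are constructed and non-functional.

```python
import re

# RFC 7230 "token": printable ASCII except delimiters such as ( ) { } ; = and the double quote.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
# A well-formed media type: type/subtype followed by zero or more ;name=value parameters.
_MEDIA_TYPE = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")

# Markers of an OGNL expression. A genuine Content-Type never needs "%{" or "${",
# a reference to #_memberAccess, or a static class reference (@pkg.Class@member).
_OGNL_MARKERS = re.compile(r"[%$]\{|#_memberAccess|@[A-Za-z_][\w.]*@")


def classify_content_type(value):
    """Return ("allow" | "block", reason) for a raw Content-Type header value."""
    if _OGNL_MARKERS.search(value):
        return ("block", "OGNL expression marker in Content-Type")
    if not _MEDIA_TYPE.match(value):
        return ("block", "Content-Type is not a well-formed RFC 7231 media type")
    return ("allow", "well-formed media type")


# Constructed sample traffic: (source IP, request line, Content-Type header value).
# The second entry is a non-functional stand-in for an OGNL payload.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "POST /upload.action",
     "multipart/form-data; boundary=----FormBoundaryA1B2C3"),
    ("198.51.100.9", "POST /upload.action",
     "%{(#demo='constructed-sample').(#x=1)}"),
    ("203.0.113.4", "POST /api/upload", "application/json; charset=utf-8"),
    ("203.0.113.5", "POST /api/upload",
     'text/plain; note="a { brace inside a quoted parameter is legal"'),
    ("203.0.113.6", "POST /api/upload", "multipart/form-data; boundary=(unbalanced"),
]


def scan_requests(requests):
    """Return [(ip, request_line, reason)] for every request that should be blocked."""
    blocked = []
    for ip, request_line, content_type in requests:
        verdict, reason = classify_content_type(content_type)
        if verdict == "block":
            blocked.append((ip, request_line, reason))
    return blocked


if __name__ == "__main__":
    for ip, line, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"{ip} {line}: {reason}")
```

The grammar check is the durable control: it also rejects the malformed fifth request, which no OGNL signature would catch, while leaving a quoted parameter containing a brace alone.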
• 14. Facebook Data Breach 2019
  Introduction: One of the most significant cyber attacks, which exposed millions of user records and highlighted critical security weaknesses within the organisation.
  Type of Attack: Data breach due to insecure storage and misconfigured databases.
  Data compromised: Over 540 million records, including Facebook user IDs, account names, likes, comments and other data, were exposed on an unprotected Amazon Web Services (AWS) server.
• 15. Methodology:
  • Insecure Data Storage on AWS: insecurely configured AWS S3 buckets used by third-party companies to store Facebook user data. The breach did not involve a traditional hack or intrusion but rather exposed the lack of proper data storage and access controls by Facebook's partners and app developers who collected user data from the platform.
  • Misconfigured Databases: two third-party app developers, Cultura Colectiva and At the Pool, stored massive amounts of Facebook user data on publicly accessible cloud servers. These databases were left open without any security measures, such as password protection or encryption, making the data vulnerable to exposure.
• 16. Factors Enabling the Attack:
  • Weak Security Controls for Third-Party Developers
  • No Data Protection (Publicly Accessible Cloud Storage)
  • Negligence and Poor Risk Management
  • Outdated Security Practices
  • Lack of Authentication and Encryption
  • Outdated and Insecure Systems
  • Improper Data Segmentation and Access Controls
  Vulnerabilities Exploited:
  • No Proper Authentication and Authorisation
  • The data was not encrypted and was open to public access
• 17. Tools and Method Used:
  • Automated Cloud Scanners
  • AWS S3 Bucket Misconfiguration Tools
  • Curl and Wget (Command-Line Tools)
  • ScoutSuite and Prowler (Cloud Security Auditing Tools)
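An added example, not the deck's own code and not the ScoutSuite or Prowler implementation, of the core check such cloud auditing tools perform: it evaluates a bucket's ACL, bucket policy and Public Access Block settings (in the shapes the S3 API returns them) and reports whether the bucket is readable by everyone. The bucket inventory and names are constructed; in a real audit the dicts would come from get_bucket_acl, get_bucket_policy and get_public_access_block.

```python
# AWS canned group URIs; an ACL grant to either one makes the bucket public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

def public_acl_grants(acl):
    """Findings for grants to public groups; acl has the shape of get_bucket_acl()."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUP_URIS[grantee['URI']]}")
    return findings

def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy):
    """Findings for Allow statements whose Principal is everyone (bucket policy document)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            note = " (narrowed by a Condition)" if stmt.get("Condition") else ""
            findings.append(f"policy allows {', '.join(actions)} to everyone{note}")
    return findings

def audit_bucket(bucket):
    """bucket: {"Name", "Acl", "Policy" (or None), "PublicAccessBlock" (or None)}."""
    pab = bucket.get("PublicAccessBlock") or {}
    acl_f = public_acl_grants(bucket.get("Acl", {}))
    pol_f = public_policy_statements(bucket.get("Policy") or {})
    # Public Access Block settings neutralise the two exposure paths independently.
    acl_open = bool(acl_f) and not pab.get("IgnorePublicAcls", False)
    pol_open = bool(pol_f) and not pab.get("RestrictPublicBuckets", False)
    if acl_f and not acl_open:
        acl_f = [f + " [ignored by IgnorePublicAcls]" for f in acl_f]
    if pol_f and not pol_open:
        pol_f = [f + " [blocked by RestrictPublicBuckets]" for f in pol_f]
    return {"bucket": bucket["Name"], "exposed": acl_open or pol_open, "findings": acl_f + pol_f}

def audit_all(buckets):
    return {r["bucket"]: r for r in map(audit_bucket, buckets)}

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
LOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
# Constructed inventory (names invented). The first bucket mirrors the incident: world-readable ACL, no guard rail.
SAMPLE_BUCKETS = [
    {"Name": "example-app-user-export", "Policy": None, "PublicAccessBlock": None,
     "Acl": {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    {"Name": "example-policy-restricted", "Acl": {"Grants": [OWNER]}, "PublicAccessBlock": LOCKED,
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::example-policy-restricted/*"}]}},
    {"Name": "example-private-logs", "Acl": {"Grants": [OWNER]}, "Policy": None, "PublicAccessBlock": LOCKED},
]
```

Only the first bucket is reported as exposed; the second carries a public policy but the account-level Public Access Block makes it ineffective, which is why that setting is the first thing to verify in a cloud audit.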
• 18. Impact of the Attack
  • Financial Impact – Regulatory Scrutiny and Financial Penalties
  • Operational Impact
  • Reputational Damage – Loss of User Trust
• 19. Colonial Pipeline Ransomware Attack 2021
  Introduction: One of the most significant cyber attacks, which disrupted fuel supplies across the Eastern United States because of flaws in the infrastructure systems.
  Type of Attack: Ransomware attack executed by the DarkSide ransomware group. The attack led to the shutdown of the 5,500-mile pipeline, causing fuel shortages, panic buying, and price spikes across the Eastern U.S. Colonial Pipeline paid a ransom of approximately $4.4 million in Bitcoin to the attackers, although a portion was later recovered by the U.S. Department of Justice.
• 20. Methodology:
  • Ransomware Deployment by DarkSide
  • Initial Access via Compromised VPN Credentials
  • Lateral Movement and Network Scanning
  • Encryption and Data Exfiltration
• 21. Factors Enabling the Attack:
  • Weak Access Controls
  • Poor Password Management
  • No Multi-Factor Authentication
  • Inadequate Network Segmentation
  • Improper Security Monitoring
  Vulnerabilities Exploited:
  • Compromised VPN Credentials
  • Lack of Multi-Factor Authentication
  • Insufficient Network Segmentation
  • Vulnerable IT-OT Convergence
• 22. Tools and Method Used:
  • Web Scraping Tools and Libraries
  • API Exploitation Techniques
• 23. Impact of the Attack
  • Financial Impact – Ransom Payment, Economic Losses
  • Operational Impact – Pipeline Shutdown, Disruption of Critical Services
  • Reputational Damage – Public and Government Scrutiny
  • Regulatory Consequences – The U.S. government issued new cybersecurity directives
  Tools and Method Used (additional items):
  • Puppeteer
  • Captcha Solvers and Proxy Services
  • Botnets and Automated Browsing Bots
  • Data Aggregation and Enrichment Tools
  • OpenRefine
  • Data Enrichment APIs
• 24. LinkedIn Data Scraping Incident 2021
  Introduction: One of the most significant cyber attacks, which exposed millions of user records and highlighted critical security weaknesses within the organisation.
  Type of Attack: Data Scraping. Approximately 700 million LinkedIn users had their publicly available information scraped and sold on dark web forums. This represented around 92% of the platform's total user base.
  Data Exposed: The scraped data included users' full names, email addresses, phone numbers, job titles, and other publicly available details from LinkedIn profiles.
• 25. Methodology: Attackers employed automated bots to scrape publicly accessible data from LinkedIn profiles. They bypassed LinkedIn's anti-scraping mechanisms, including CAPTCHAs and rate limits, by using sophisticated scraping tools and techniques.
  Factors Enabling the Attack:
  • Inadequate Bot Detection: LinkedIn's existing bot detection and prevention mechanisms were insufficient to handle large-scale scraping activities.
  • Public Data Exposure: The availability of data through LinkedIn's public interfaces made it easier for attackers to collect and aggregate information.
  • Weak Rate Limiting: Rate limiting and CAPTCHA systems were bypassed through the use of proxy networks and distributed scraping techniques.
• 26. Tools and Method Used:
  • Web Scraping Tools and Libraries
  • Automated Data Extraction Tools
  • Proxy and IP Rotation Services
• 27. Tools and Method Used (continued):
  • CAPTCHA Solving Services
  Vulnerabilities Exploited: The attack exploited the fact that LinkedIn's public-facing data was accessible without sufficient protection against automated data extraction.
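An added example (not from the original deck) of why the per-IP rate limits described above fail against proxy rotation: a sliding-window limiter keyed only on source IP lets a scraper that holds one session but sends each profile view through a different proxy address straight through, while adding a second dimension keyed on the session caps it at the budget. All traffic, addresses and session identifiers are constructed.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allows at most `limit` hits per key within any trailing `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def count_allowed(requests, key_funcs, limit=30, window=60.0):
    """Run one limiter per key dimension; a request passes only if every dimension allows it.
    Every dimension records the attempt even when another dimension rejects it, so a
    blocked client keeps consuming its budget rather than probing for free."""
    limiters = [SlidingWindowLimiter(limit, window) for _ in key_funcs]
    allowed = 0
    for req in requests:
        verdicts = [lim.allow(kf(req), req["ts"]) for lim, kf in zip(limiters, key_funcs)]
        allowed += all(verdicts)
    return allowed


# Constructed traffic. The scraper holds one logged-in session but sends every profile
# view through a different proxy IP; the ordinary user browses from a single address.
def scraper_traffic(n=100):
    return [{"ts": i * 0.1, "ip": f"198.51.100.{i % 250}", "session": "sess-scraper-1",
             "path": f"/in/profile-{i}"} for i in range(n)]


def user_traffic(n=20):
    return [{"ts": i * 3.0, "ip": "203.0.113.10", "session": "sess-user-7",
             "path": f"/in/profile-{i}"} for i in range(n)]


BY_IP = [lambda r: r["ip"]]
BY_IP_AND_SESSION = [lambda r: r["ip"], lambda r: r["session"]]


def simulate():
    """Profile views allowed per client under each keying strategy (budget: 30 per minute)."""
    return {
        "scraper": {"ip_only": count_allowed(scraper_traffic(), BY_IP),
                    "ip_and_session": count_allowed(scraper_traffic(), BY_IP_AND_SESSION)},
        "user": {"ip_only": count_allowed(user_traffic(), BY_IP),
                 "ip_and_session": count_allowed(user_traffic(), BY_IP_AND_SESSION)},
    }


if __name__ == "__main__":
    print(simulate())
```

The second dimension only helps where a profile view is tied to something the scraper cannot rotate as cheaply as an IP address, which is the argument for gating bulk profile access behind authentication or a device fingerprint rather than relying on the source address.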
• 28. Impact of the Attack
  • Data Compromised: A dataset containing information from approximately 700 million LinkedIn profiles was scraped and made available for sale on dark web forums. The data included personal details such as names, job titles, and contact information.
  • Financial and Reputational Impact: The incident led to reputational damage for LinkedIn and increased awareness of data scraping risks. It prompted LinkedIn to enhance its security measures and improve its defenses against automated data extraction.
• 29. Key Takeaways:
  • Any data which is available publicly is vulnerable to exploitation
  • Outdated software and unpatched vulnerabilities are major security risks
  • Access controls play a very important role in securing data
  • Weak security measures and misconfigurations can lead to severe breaches
  • Multifactor Authentication (MFA) and strong password policies are crucial
  • Cyber insurance is not a substitute for security
  Conclusion: Understanding cyberattacks is essential for understanding the evolving nature of cybersecurity threats. These incidents highlight the importance of basic security measures, proactive threat detection, employee training, and robust incident response planning. By learning from past attacks, businesses can better protect their assets, reduce vulnerabilities, and enhance their overall resilience against future cyber threats.