Answer Description

In a watering hole attack the attacker infects a website that is known to be commonly used by an organisation or industry. For example a specific industry news site to attack a business in that industry or the entire industry in general. With the knowledge that users frequent the website the attackers are able to target them with malware and if the attack is successful to install malicious software.

Wikipedia

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.

Answer Description

A Man in the Browser (MitB is a type of man in the middle (MitM) attack using a Trojan Horse to infect the victim's computer. Once installed the trojan will use attempt to use known vulnerabilities in a browser's executable to intercept or modify web traffic. A successful MiTB can occur even with SSL/TLS and without the web application being aware of the attack.

Wikipedia

Man-in-the-browser (MITB, MitB, MIB, MiB), a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software;, but a 2011 report concluded that additional measures on top of antivirus software were needed.A related, simpler attack is the boy-in-the-browser (BitB, BITB). The majority of financial service professionals in a 2014 survey considered MitB to be the greatest threat to online banking.

Answer Description

This type of malware is called Ransomware. It holds data or information ransom until a fee is paid after which point it will return the information or data (or so it says...). Based on the information available in the question this is the only conclusion we can make. It is possible as the CEO of the company they were targeted specifically via social media (spear phishing) but there isn't definitive evidence of this yet.

Wikipedia

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid off. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Ransomware attacks are typically carried out using a Trojan disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the WannaCry worm, traveled automatically between computers without user interaction.Starting as early as 1989 with the first documented ransomware known as the AIDS trojan, the use of ransomware scams has grown internationally. There were 181.5 million ransomware attacks in the first six months of 2018. This record marks a 229% increase over this same time frame in 2017. In June 2014, vendor McAfee released data showing that it had collected more than double the number of ransomware samples that quarter than it had in the same quarter of the previous year. CryptoLocker was particularly successful, procuring an estimated US$3 million before it was taken down by authorities,

Answer Description

Infrared is the only option that uses light as a communication medium. 802.11 (the standard for WLAN), Near Field Communication (NFC) & Bluetooth all use Radio Frequencies. Infrared is best for the type of device in the question as it requires line of sight to operate. When LOS is broken the device will register a person in the entrance.

Wikipedia

Infrared (sometimes called infrared light and IR) is electromagnetic radiation (EMR) with wavelengths longer than those of visible light and shorter than radio waves. It is therefore invisible to the human eye. IR is generally understood to encompass wavelengths from around 1 millimeter (300 GHz) to the nominal red edge of the visible spectrum, around 700 nanometers (430 THz). IR is commonly divided between longer wavelength thermal infrared that is emitted from terrestrial sources and shorter wavelength near-infrared that is part of the solar spectrum. Longer IR wavelengths (30 μm-100 μm) are sometimes included as part of the terahertz radiation range. Almost all black-body radiation from objects near room temperature is at infrared wavelengths. As a form of electromagnetic radiation, IR propagates energy and momentum, exerts radiation pressure, and has properties corresponding to both those of a wave and of a particle, the photon. It was long known that fires emit invisible heat; in 1681 the pioneering experimenter Edme Mariotte showed that glass, though transparent to sunlight, obstructed radiant heat. In 1800 the astronomer Sir William Herschel discovered that infrared radiation is a type of invisible radiation in the spectrum lower in energy than red light, by means of its effect on a thermometer. Slightly more than half of the energy from the Sun was eventually found, through Herschel's studies, to arrive on Earth in the form of infrared. The balance between absorbed and emitted infrared radiation has an important effect on Earth's climate. Infrared radiation is emitted or absorbed by molecules when changing rotational-vibrational

Answer Description

The Health Insurance Portability and Accountability Act (HIPAA) is a regulatory act in the United States that sets requirements for companies that store sensitive health data. It applies to hospitals, insurance companies, etc. as well as any companies that store health related data in HR systems (one example could be if an employee in a warehouse cannot lift above a certain weight).

Wikipedia

The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy–Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It modernized the flow of healthcare information, stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage. It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent. With limited exceptions, it does not restrict patients from receiving information about themselves. It does not prohibit patients from voluntarily sharing their health information however they choose, nor does it require confidentiality where a patient discloses medical information to family members, friends, or other individuals not a part of a covered entity. The act consists of five titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title III sets guidelines for pre-tax medical spending accounts, Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies.

Answer Description

This is a Structured Query Language (SQL) injection. SQL is a standard language for relational database management. It's common for an application to take data from a user, create a SQL script and pass this to the underlying database. When an application has a SQL injection vulnerability the application is not validating user input to check for SQL. This allows a malicious user to send SQL commands through the application and into the database for execution.

Wikipedia

In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. Document-oriented NoSQL databases can also be affected by this security vulnerability. In a 2012 study, it was observed that the average web application received four attack campaigns per month, and retailers received twice as many attacks as other industries.

Answer Description

The programmer created a backdoor into the application to grant themselves access later on. The backdoor allowed them a way to bypass the applications usual authentication measures. A backdoor could also be setup by a malicious application, but in this case was the work of a lazy programmer than new he would be fired soon.

Wikipedia

A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device (e.g. a home router), or its embodiment (e.g. part of a cryptosystem, algorithm, chipset, or even a "homunculus computer" —a tiny computer-within-a-computer such as that found in Intel's AMT technology). Backdoors are most often used for securing remote access to a computer, or obtaining access to plaintext in cryptosystems. From there it may be used to gain access to privileged information like passwords, corrupt or delete data on hard drives, or transfer information within autoschediastic networks. A backdoor may take the form of a hidden part of a program, a separate program (e.g. Back Orifice may subvert the system through a rootkit), code in the firmware of the hardware, or parts of an operating system such as Windows. Trojan horses can be used to create vulnerabilities in a device. A Trojan horse may appear to be an entirely legitimate program, but when executed, it triggers an activity that may install a backdoor. Although some are secretly installed, other backdoors are deliberate and widely known. These kinds of backdoors have "legitimate" uses such as providing the manufacturer with a way to restore user passwords. Many systems that store information within the cloud fail to create accurate security measures. If many systems are connected within the cloud, hackers can gain access to all other platforms through the most vulnerable system. Default passwords (or other default credentials) can function as backdoors if they are not changed

Answer Description

Gran' was a victim of a voice phishing or vishing attack. This is the term used when an attacker contacts the victim via phone and attempts to steal personal information or by tricking the user to install malware on their computer. They may claim to be from a valid tech support company or vendor such as Microsoft or as a bill collector from a local utility company or anything in between.

Wikipedia

Voice phishing, or vishing, is the use of telephony (often Voice over IP telephony) to conduct phishing attacks. Landline telephone services have traditionally been trustworthy; terminated in physical locations known to the telephone company, and associated with a bill-payer. Now however, vishing fraudsters often use modern Voice over IP (VoIP) features such as caller ID spoofing and automated systems (IVR) to impede detection by law enforcement agencies. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals. Usually, voice phishing attacks are conducted using automated text-to-speech systems that direct a victim to call a number controlled by the attacker, however some use live callers. Posing as an employee of a legitimate body such as the bank, police, telephone or internet provider, the fraudster attempts to obtain personal details and financial information regarding credit card, bank accounts (e.g. the PIN), as well as personal information of the victim. With the received information, the fraudster might be able to access and empty the account or commit identity fraud. Some fraudsters may also try to persuade the victim to transfer money to another bank account or withdraw cash to be given to them directly. Callers also often pose as law enforcement or as an Internal Revenue Service employee. Scammers often target immigrants and the elderly, who are coerced to wire hundreds to thousands of dollars in response to threats of arrest or deportation.Bank account data is not the only sensitive information being targeted. Fraudsters sometimes

Answer Description

The attack described in the question is an Amplification attack using the DNS protocol. Amplification attacks are done by sending small requests to servers that will receive large responses. Add a spoofed IP to the mix and an attacker can send huge numbers of the requests (because they are small) which will result in large responses being sent to the victim. This is a type of DDOS attack. DNS and NTP are common protocols used to conduct an amplification attack.

Answer Description

The installation of an unauthorized wireless router or access point is known as a Rogue Access Point or Rogue AP. A Rogue AP could be an attack or simply an employee breaking policy and setting up a wireless AP without permission. This is dangerous as the wireless device (without proper configuration) would allow outside devices onto the network and would be the equivalent of gaining physical access to the network.

Wikipedia

A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.

Answer Description

This type of penetration test is known as a black box test. In this scenario the tests have little to no information on how the website works. For example they are not given the type of web server or access to the source code. Instead the 'attackers' will have to gather information and test different attack methods to see what works and what doesn't.

Wikipedia

Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied virtually to every level of software testing: unit, integration, system and acceptance. It is sometimes referred to as specification-based testing.

Answer Description

'deny tcp any server tcp 80' will deny all tcp traffic to any server on port 80.

Wikipedia

In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object) An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects Each entry in a typical ACL specifies a subject and an operation For instance, if a file object has an ACL that contains (Alice: read,write Bob: read), this would give Alice permission to read and write the file and only give Bob permission to read it

Answer Description

The malware found is a Keylogger. It records the input typed by the user and in this case recorded user account credentials (username and password). Situations like this are common when companies allow Bring Your Own Device (BYOD) as network administrators have very limited control over devices not owned by the company.

Wikipedia

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware. While the programs themselves are legal, with many designed to allow employers to oversee the use of their computers, keyloggers are most often used for stealing passwords and other confidential information.Keylogging can also be used to study keystroke dynamics or human-computer interaction. Numerous keylogging methods exist, ranging from hardware and software-based approaches to acoustic cryptanalysis.

Answer Description

Most likely this was a Distributed Denial of Service (DDOS) attack using bots to create large amounts of malicious web requests. With enough requests the web server's capacity will be exhausted and no one will be able to access the website.

Wikipedia

In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. More sophisticated strategies are required to mitigate this type of attack, as simply attempting to block a single source is insufficient because there are multiple sources.A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade and losing the business money. Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Revenge, blackmail and hacktivism can motivate these attacks.

Answer Description

The attack described is called a Replay or Playback attack. The attacker is able to eavesdrop on network data (through some other method) and is resending the collected network data to gain access to confidential data or to hijack a users session. Aside from ensuring network data is not intercepted, the easiest way to defend against a replay attack is to use encrypted connections (e.g. HTTPS for a website).

Wikipedia

A replay attack (also known as a repeat attack or playback attack) is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a spoofing attack by IP packet substitution. This is one of the lower-tier versions of a man-in-the-middle attack. Replay attacks are usually passive in nature. Another way of describing such an attack is: "an attack on a security protocol using a replay of messages from a different context into the intended (or original and expected) context, thereby fooling the honest participant(s) into thinking they have successfully completed the protocol run."

Answer Description

A credentialed vulnerability scan was done. While the other answers could also be correct (e.g. it could have been an intrusive and credentialed scan) but with the information given in the question you could not know this. When a credentialed scan is used the scanner has valid user credentials while in a non-credentialed attack they do not.

Answer Description

A SYN Flood sends a large number of SYN requests (the first step in creating a new TCP connection). After this the attacker ignores the ACK which is sent back from the server and simply sends another SYN. The goal is to overload the server with huge number of open TCP connections. By doing so the server will not be able to respond to valid traffic from normal users - thus resulting in a Denial of Service (DOS).

Wikipedia

A SYN flood is a form of denial-of-service attack in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough resources to make the system unresponsive to legitimate traffic.The packet that the attacker sends is the SYN packet, a part of TCP's three-way handshake used to establish a connection.

Answer Description

Based on the information you have the most likely attack (against the website) is a DNS hijacking. The attackers gained control of the company's domain name and are holding it for ransom.

Wikipedia

Domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant, or by abuse of privileges on domain hosting and registrar software systems.This can be devastating to the original domain name holder, not only financially as they may have derived commercial income from a website hosted at the domain or conducted business through that domain's e-mail accounts, but also in terms of readership and/or audience for non-profit or artistic web addresses. After a successful hijacking, the hijacker can use the domain name to facilitate other illegal activity such as phishing, where a website is replaced by an identical website that records private information such as log-in passwords, spam, or may distribute malware from the perceived "trusted" domain.

Answer Description

As you are scanning the live/production system a non-intrusive scan is best. Non-intrusive means security issues will be identified but not exploited as to not negatively impact the system. The issue with this is some vulnerabilities cannot be found without trying an exploit (e.g. a SQL injection to delete data can't be tested without actually deleting data). Due to this the scenario described in the question is not ideal and it's possible vulnerabilities that exist will not be found.

Answer Description

This type of attack is known as an Evil Twin. The attacker sets up a wireless access point in the hopes of tricking users to use it instead of the valid one (for example by giving it the same or similar SSID). Users that fall for the trick may expose sensitive information like passwords by using evil twin access point.

Wikipedia

An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. The evil twin is the wireless LAN equivalent of the phishing scam. This type of attack may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent web site and luring people there.