Final Task 1

Assignment 2
Task 1

Contents
Malware VS Applications Issues
Email Investigation and Identification
of any Issues
Part A
Background
Jordan is a
junior developer who is new to the company. He works from home with very
occasional travel to the office required to attend face-to-face meetings. He
recently has been experiencing some issues with his laptop:
-
Applications
take a long time to load and often freeze during operations
-
Network
connectivity is intermittent when he’s working from home
-
Some
downloaded files do not open
Following these
issues, there may be several factors that may impact the user’s experience.
Malware
VS Applications Issues
Application
issues cause applications to freeze and/or exit with an application error.
These errors are recorded in the event log on Windows with full details of the
faulting application/module and details of the error, including an error code.
Another possibility could be related to corrupted files or accidentally deleted
folders. With such files being corrupted, basic computing processes could
encounter errors and slower processing.
A corrupted
file could occur during power outages or if an issue has occurred during the
saving of a file or unexpected program termination.
Malware
infections, on the other hand, typically operates by aiming to avoid detection
by leaving minimal traces in the system logs. Once they gain access to a device,
they often attempt to move across the network, seeking systems where they can
escalate privileges to gain a wider access the organisation network. With elevated
access, attackers could potentially download additional exploits, compromise
servers, workstations, and other assets, with room for further exploitation such
as ransomware.
Cyber Attack
Review security
alerts, firewall logs, and network traffic for unusual connections,
particularly at odd hours. Viewing log file evidence is a source of information
that highlights system activity and can be used to see if there are any errors
in log files, for example.
Determine how
access was gained, such as phishing emails, exploited vulnerabilities or
compromised credentials. Vulnerabilities scanning is a useful source of
information and can be used to verify vulnerabilities in a computer system.
Areas that a vulnerability scan could identify include open ports, unneeded
running services, poor system configurations and missing passwords.
Analyse
malware, files, and system images to find traces left by the attacker. Network
traffic analysers are used to view and monitor network activity that could
identify rogue connections, IP addresses and any abnormal traffic flow, for
example, the security section in Windows Event Viewer.
Internal
Software Problem
-
Checking
to see if the latest operating system and application software updates and
patches have been applied. Windows Update is a good source of information which
can informs us with the latest system update.
-
Uninstalling
and reinstalling the software that has been affected can be a good measurement
tool; if the issue is no longer present after the reinstall, then you found the
source of the problem
-
Viewing
Task Manager and system process information can highlight and system and
hardware issues that may have been linked to the software performance, for
example, hard drive issues, RAM problems and CPU problems.
-
Clean
the registry, delete temporary files and remove installation files. Tools like
CCleaner can be very efficient in achieving this and provide a good reporting
feature to analyse results.
-
Check
internal storage for unrecognised files and folders.
-
Check
network configuration when accessing online services and data to gauge whether
there are any unauthorised changes to the network settings. A useful command
being “ipconfig/all” for the task.
In summary, a
cyber-attack is the deliberate exploitation of a computer system and could
affect the entire system. Whereas, an internal software problem could be on a
much smaller scale, for example, one device, and the only real way to
differentiate would be through an investigation.
Network traffic
analysis using a tool such as Wireshark would capture packet data across all
network segments. In the context of Jordan's intermittent connectivity, a
network analyst would look specifically for unusual outbound connections,
particularly to unfamiliar IP addresses or at irregular hours, which could
indicate command-and-control (C2) communication from malware installed on the
device. This would distinguish a cyber-attack from a simple misconfiguration of
Jordan's home router.
To determine
whether it’s a cyber-attack or an internal software problem at the root of the
issue, the use of software will be required. After an investigation has been
undertaken, there will be normally enough evidence to make a judgment on the
root of the problem.
Types
of Attacks
The current
issue is most likely malware, such as virus, Trojan, or a Worm, because these
types of infections are associated with issues such as applications running
slower that they should be, programs freezing and not responding, and
occasionally files are not opening, all of which are faced by Jordan. However, additional
attack vectors such as MITM, phishing, and XSS are other plausible attack
vectors that could put Linkchain Gaming under threat.
Virus:
A virus
attaches itself to legitimate executable files or documents, and
self-replicates when those files are executed. It then spreads through the
network or shared storage, often corrupting data and consuming system resources
as it replicates. This directly explains file corruption and applications
slowing down as mentioned by Jordan. It is also mentioned that Jordan often
receives emails from colleagues and his line manager which contain attachments.
He then directly downloads them onto his computer. This is a primary risk to
malware infection, while common functional issues such as file corruption are
then introduced.
Trojan:
A Trojan horse
disguises itself as legitimate or useful software, often arriving bundled with
freeware and malicious attachments. Once installed, it executes malicious code
in the background, potentially opening a backdoor for remote access, stealing
credentials, or even downloading further malware. It does not self-replicate
but relies on social engineering to achieve installation. It is important for
Jordan to carefully filter through his emails making sure that common read
flags of phishing emails are been checked. These include poor spelling/grammar,
and suspicious links and attachment. It is important to check the sender’s
address to make sure that its legitimate and from a trusted source.
Worm:
A worm is a
self-replicating malware that spreads autonomously across the network without
requiring user interaction. It exploits system vulnerabilities to propagate,
consuming significant bandwidth and processing resources. This could cause the
widespread slowdowns within the network which would explain Jordan’s computer
to slowdown, particularly if the computer is connected to the corporate
network.
MITM
(Man in The Middle):
A
man-in-the-middle (MITM) attack is also a credible threat, given that Jordan
works from home full-time. If Jordan connects to an unsecured or compromised
Wi-Fi network, an attacker could intercept traffic between his device and the
corporate network, potentially capturing credentials or sensitive data in
transit. This is particularly concerning given Linkchain Gaming's recent
incident involving compromised credentials.
Phishing:
Phishing is
when an attacker tricks people into revealing sensitive information or
installing malware by pretending to be a trusted source. The brief confirms
that Jordan always opens email attachments sent by colleagues and his line
manager without first verifying their legitimacy. This behaviour is precisely
what phishing attacks are engineered to exploit. By spoofing a trusted sender,
such as a colleague or manager, an attacker could deliver a malicious
attachment that Jordan would open without suspicion. His habit of downloading
attachments to verify they have downloaded fully further increases the risk of
inadvertently executing malicious files.
Brute
Force Attack:
A brute force
attack is where the attacker attempts to gain unauthorised access to accounts,
systems, or encrypted data by systematically trying every possible combination
of passwords and credentials until the correct one is found. As a new employee
who has recently completed his induction, Jordan may still be using a temporary
or default password assigned during the onboarding process. These passwords are
frequently simple and predictable, making them highly susceptible to brute
force attacks where an attacker systematically attempts common password
combinations. If Jordan has not yet been required to set a strong, unique
password, his account could be compromised with relatively little effort.
Cross-Site
Scripting (XSS):
Cross-site
scripting is a web security vulnerability that allows attackers to inject
malicious scripts into web pages viewed by other users. Jordan's role as a
junior developer makes XSS a particularly relevant threat vector. Developers
regularly interact with web-based tools such as code repositories, bug
trackers, and development frameworks, many of which involve user-generated
content that could be exploited for script injection. If a malicious actor has
injected scripts into a development tool used by Linkchain Gaming, Jordan could
unknowingly execute malicious code simply by accessing these platforms as part
of his normal workflow. Furthermore, as a junior developer who is new to the
company, Jordan may not yet have received sufficient security training to
recognise the signs of a compromised web application.
How
could this have occurred?
Insufficient
storage space or a fragmented hard drive. If the drive is nearly full, the
system cannot allocate enough virtual memory, leading to freezes and slowdowns.
These means cannot be written properly, causing programs to crash or fail to
open files. Directly linking to the issues that Jordan has been facing with his
computer.
Outdates or
corrupted drivers/software can affect performance. Old network drivers can slow
down internet speeds or cause disconnections. New applications or OS updates
may require updated drivers; without them, programs may crash or fail to open.
Suspicious
attachments in the email may include malware such as spyware, ransomware or
viruses. Malware consumes system resources, slowing down applications, and
malicious code can corrupt files or interfere with drivers causing freezes and
crashes. We are aware that Jordan has a bad habit of downloading attachments fully,
making this type of attack very likely.
Spoofed sender
addresses that look like trusted contacts. The goal is to deceive the recipient
into believing the email is legitimate, lowering suspicion and increasing the
chance they’ll open attachments or click malicious links. Linkchain Gaming faced
a credential-based breach which would make this easier for attackers go undetected
and affecting the organisations.
The recent
incident involving a disgruntled employee sharing credentials introduces an
additional threat vector that must be considered. The fact that credentials
were used to access confidential shared folders suggests that access controls
and privilege management were insufficient. It cannot be ruled out that
Jordan's system issues are connected to this broader compromise, for example,
if malware was introduced to the network during that incident and has since
propagated to Jordan's device via the corporate network.
Part B
Investigation
Successful
login achieved; asked for user credentials to verify user, and after entering
this, you can see the operating system is running in the following screenshots:



Email 1: UPS
Package (Successfully Opened)

Email 2: New
System (Successfully Opened)

Email 3:
Urgent Security Request (Successfully Opened)

Virus Total Scan - Missed Package Delivery

Virus Total Scan – New System

ZIP
File:


Virus Total Scan – Urgent Security Request

UPS Package Delivery Links

Confidential New System ZIP File:

Urgent Security Request Links

Email Investigation
and Identification of any Issues
I have studied
the emails and will now present my findings; I will discuss each email
individually and separately.
Email
1 – UPS Package
Email 1 has
some suspicious links which are being interrupted by the firewall. When we
advanced forward, we were presented with an unprotected website.
Unprotected
websites are dangerous because they can lead to date theft, malware infections,
and financial fraud by allowing hackers to intercept your data and install
harmful software on your device due to lack of encryption. HTTP is dangerous
because it lacks encryption, meaning data sent between your browser and the
server will be visible for the attackers which enables eavesdropping, password
theft, and malware injection. Unlike HTTPS, HTTP does not verify server
authenticity, making it easier for hackers to impersonate websites and steal
information. This risk is compounded by Jordan's full-time remote working
arrangement. Working from home, Jordan accesses Linkchain Gaming's systems
entirely over the internet, meaning any credentials intercepted via an
unprotected HTTP connection could immediately be used to access corporate
resources remotely. Unlike an office environment where network traffic may be
monitored centrally, Jordan's home network is unlikely to have enterprise-grade
traffic inspection, making the absence of HTTPS encryption particularly dangerous
in his case. The firewall interrupting the link suggests Linkchain Gaming has
some protective measures in place. The fact that Jordan was able to proceed
past the warning indicates that user awareness training is currently
insufficient. Jordan did not recognise the warning as a reason to stop.
Furthermore, I
have noticed a spelling mistake in the email address of the sender, “rechedule”
which are initial signs of phishing emails. They pose sever dangers, including
identity theft, significant financial fraud and data breaches. These emails
frequently impersonate trusted entities such as UPS and pushing users into
revealing their credentials, downloading malware, or even transferring funds. This
indicates that new employees such as Jordan are unlikely to be sufficiently
familiar with legitimate communications from external companies such as UPS to confidentially
identify threats. Attackers deliberately choose to impersonate widely recognised
brands like UPS precisely because they are trusted universally, a new employee
like Jordan, who may receive parcels from UPS, would have little reason to question
the email.
Scanning the
file on VirusTotal.com didn’t identify any malware due to having no attachments
in the email; nonetheless, it should be reported to the appropriate authorities
due to the lack of professionalism and grammatical mistakes in the email, they
should be deleted and possibly reported accordingly to the company’s policy.
Recommended
Action
Jordan should
not interact with the links in the email and should report it immediately to Linkchain
Gaming’s IT security team as a phishing attack. Given that Linkchain Gaming has
recently suffered a credential-based breach, the IT team should treat this
email as a potential targeted campaign against the organisation rather than an
individual attack. The sender’s IP address should be blocked at the firewall level
and the domain flagged for monitoring by the IT team. This incident should also
be escalated to the organisation security operations team and documented as
part of Linkchain Gaming’s ongoing incident response process. At an
organisation level, this email highlights the urgent need for a structured
phishing awareness training session for employees like Jordan, whose onboarding
may not have adequately covered the identification of social engineering
attempts.
Email
2 – New System
Email 2 has a
suspicious attachment containing a ZIP file with a .txt extension, usually
containing only plain text data, such as characters, numbers, and symbols. However,
they can pose significant dangers through disguised extensions, vulnerabilities
in the application used to open them, or misconfigurations.
Running
executables that are attached to emails is only advisable if they are from a
trusted source or have been scanned by a malware program, and if from an
unknown source, they should be deleted and possibly reported accordingly.
I uploaded the ZIP
file into VirusTotal.com and the results detailed that the ZIP file is found
infectious by 58 vendors out of 68; the main infection that found it was a
Malicious Trojan. Trojan is a type of malware that disguise itself as
legitimate software that tricks users into installing it on their device. Once
installed, it can perform malicious actions such as stealing data, gaining
remote access, or even installing further malware. This risk is directly amplified
by Jordan’s established behaviour as mentioned in the brief of always opening
file attachments sent by colleagues and his line manager without first
verifying weather, they are legitimate. An attacker with knowledge of Linkchain
Gaming’s previous incident could impersonate a trusted colleague or even Jordan’s
Line manager and can craft a near identical email. As a new employee still familiarising
himself with colleagues and internal processes, Jordan is particularly unlikely
to question communications that appear from within the organisation.
VirusTotal.com
pointed out that “EICAR Test File – NOT Virus” are the most common malware
reported by vendors. This could be a test run by the Linkchain ops team, used
to evaluate employee awareness and susceptibility to cyber threats by sending
safe, simulated phishing emails. These tests help identify vulnerabilities and
improve security posture by providing training to employees who interact with
the simulated emails. However, we should recall the previous incident faced by
Linkchain Gaming, where several credentials were leaked by the disgruntled
employee. This information tells us that the attacker may have gained access to
an employee’s account in order to share malware throughout the organisations
network. This would be used to get further confidential data and unannounced intellectual
property.
Recommended
Action
Jordan should
not click or download any of the attachments in the email under any
circumstances. The 58/68 Virus Total detection rate makes this one of the
clearest malwares identified in the investigation. The email attachment should
be reported immediately to Linkchain Gaming’s IT security team, who should
isolate the file in virtual environment for further investigation and to
determine whether the Trojan has already been executed on Jordan’s computer. If
there is any possibility that Jordan has interacted with the attachment
previously, a full examination should be carried by first making sure that the
organisation’s network is safe. Given Linkchain Gaming’s recent credential
breach and the Trojan’s capability to provide persistent remote access, the IT security
team should also conduct a further network-wide scan to determine whether there’s
been a spread of malware throughout the network. This incident should be
escalated to the security operations team and documented within the organisation’s
incident response framework. Regardless of whether this email represents a
genuine attack or an internal phishing simulation, it highlights a critical gap
in Jordan’s security awareness training that must be addressed as a priority.
Email
3 – Urgent Security
This email
included links that do not work, as the IP address can’t be found. However, we
should remain aware that the link is not a protected source, which can put the
system at risk.
Unprotected
websites are dangerous because they can lead to data theft, malware infections,
and financial fraud by allowing hackers to intercept your data and install
harmful software on your device due to the lack of encryption. This risk is
particularly critical for Jordan, given a full-time remote working employee. Working
from home, Jordan accesses Linkchain Gaming’s corporate systems entirely over
the internet without the protection of enterprise-grade network monitoring that
would be present in an office environment. If the link in this email were to be
accessed by Jordan, any credentials entered would be transmitted without encryption
and could be intercepted by the attacker. For an organisation that has already
suffered a credential-based breach, the interception of Jordan’s login details
via an unprotected connection would lead to a recreation of the previous incident.
Scanning the
file on VirusTotal.com didn’t identify any malware due to no attachment in the
email; nonetheless, it should be reported to the appropriate authorities due to
the lack of professionalism and grammatical mistakes in the email, they should
be discarded and possibly reported accordingly to company policies. However,
Jordan’s position as a new employee who has only recently completed his
two-week induction means he may not yet have developed baseline familiarity
with corporate communication and may find spotting red flags challenging. An
email framed as an urgent security request, as this one appears to be, is specifically
designed to create a sense of pressure, making it especially effective against new
employees like Jordan, who may feel compelled to act quickly to demonstrate competence
and compliance.
Recommended
Action
Jordan should avoid
interacting with any links or attachments contained within emails. The email
should be reported accordingly to the IT team as a suspected phishing attempt
and then securely deleted. The originating IP address should be blocked at the
firewall to prevent further contact attempts. Additionally, the incident should
be escalated to the organisation’s security operation team for analysis and
tracking as a social engineering attempt
Linkchain
Gaming Domain Issue
The two emails
sent to Jordan, claimed to be from the same organisation (Linkchain Gaming);
however, the sender domains differed. Legitimate organisations, such as
Linkchain Gaming, typically use a consistent, verified domain for outbound
communication. Variations in sender addresses can indicate spoofing,
compromised accounts, or unauthorised third‑party email infrastructure. This is
particularly relevant given the recent credential-based attack, as attackers
commonly use phishing emails to harvest login credentials to compromise accounts.
The inconsistency in sender addresses suggests a social engineering attack.
Legal/Security
Recommendation
They should
focus on ensuring the organisation meets its legal, regulatory, and contractual
obligations by implementing relevant regulations within the organisation. This could
be policy updates on how technical controls such as access restrictions, or
even a procedure change on how to report incidents in the future. This will
help protect the organisation from liability, fines and reputational damage.
They should also implement an extended security awareness training for
employees to reduce the likelihood of recurrence and strengthen the organisation’s
overall risk posture. This would be seen particularly beneficial for new employees
like Jordan, creating awareness on new cyber threats and how to act upon them. The
organisation could include audits, reviews, or schedule check-ins in order to
make sure that they are constantly ensuring that there no gaps within the
organisation network that could be exploited by the attackers. The government
website provides information on the National Cyber Security Centre, where they
provide information, templates, checklists, and advice for businesses in the UK
to help prevent cyber-attacks and protect digital infrastructure.
Summary
of Email Threat
|
Email |
Threat Type |
Key Indicator |
Virus Total |
Risk Level |
|
Email 1 – UPS Package |
Phishing / Credential Harvesting |
Typo in the email address alongside with
unprotected website links |
0/63 malicious (No attachment) |
CRITICAL |
|
Email 2 – New
System |
Trojan |
Suspicious
ZIP file with .txt extension |
58/68
Malware |
CRITICAL |
|
Email 3 – Urgent Security |
Phishing / Credential Harvesting |
Website links cannot be found |
0/63 phishing (No attachment) |
HIGH |
Part C
Asset/Device-Level
Measures:
·
Forensic
Imaging should be enforced as it would help the organisation to trace back logs
and if they need to prove what happened this can be used as supporting evidence.
Thereafter, perform a full wipe and re-image of Jordan’s laptop to eliminate
any hidden or undetected compromises, including potential zero-day threats
·
Ensure
all malware scanners used within the business are updated to the latest
versions
·
Apply
operating system updates and patches across all devices to maintain security
compliance
·
Conduct
malware scans on all company assets to identify further infections
·
Re-image
any devices found to be compromised
·
Implement
operating systems and device hardening practices
·
Disable
macros on devices and within applications where they are not required
·
Deploy
email threat scanning solutions if not already in place
Network-Level Measures:
·
Enforce
group policy rules to block executable downloads and prevent users from running
non-whitelisted applications
·
Use
Wireshark to capture and analyse packets across all network segments for
suspicious activity
·
Review firewall logs
for traffic directed to unknown or suspicious websites.
·
Restrict
network traffic to only the necessary ports, blocking unused ones such as FTP
ports 20/21
·
Updated
Intrusion Detection (IDS) and Intrusion Prevention Systems (IPS) with the
latest signatures
Server & Log Analysis:
·
Review
all server log files to identify suspicious activity
·
Cross-reference
login records with staff time and attendance data to
detect unauthorised access attempts (e.g. logins when staff are not
present)
Organisation-Level Measures:
·
Launch a
communications campaign to raise awareness about the risks of suspicious
emails, using newsletters and posters.
·
Provide
staff with cyber security awareness training, such as the NCSC’s training
modules. This should be prioritised as employees like Jordan are likely to
fall victim of such attacks.
·
Conduct
phishing simulations across the organisation to measure employee awareness and
tailor future training.
·
Create
a SharePoint site to serve as a central hub for cybersecurity resources and
guidance.
·
Audit
existing cybersecurity policies to ensure they comprehensively cover all
necessary areas.
·
Adopt
Zero Trust principles, ensuring no user or device is trusted by default, and
all access is continuously verified.
·
Offboarding
policy implementation, this would reduce the likelihood of an insider attack as
Linkchain Gaming previously faced.
Future Risk Reduction:
·
Schedule
weekly anti-virus scans across all assets as a minimum standard.
·
Consider
deploying a network behavioural analysis solution to
continuously monitor traffic and detect anomalies such as
command-and-control (C2) activity.
·
Implement
advanced IPS solutions capable of blocking malware downloads based on signature
detection.
·
Adopt
a cloud-based email security solution to filter and block phishing
attempts.
·
Introduce
a Data Loss Prevention (DLP) system to detect and quarantine unauthorised
attempts to transmit sensitive data outside the organisation.
·
Deploy
a Privileged Access Management (PAM) solution to control administrative
accounts and prevent privilege escalation. PAM enforces least-privilege
access which means even if the attacker compromises an account again, they can’t
move or escalate privileges easily.
·
Introduce
Multi-Factor Authentication (MFA), to authenticate users when entering the
company’s network. Ideal for Linkchain Gaming as it would help them
authenticate employee’s especially after the credential-based breach.
Compliance & Risk Considerations:
·
Any
data exfiltration could result in violations of GDPR, PCI DSS, and
other regulatory frameworks. As GDPR obligates organisations to report
users of any data breach within the 72 hours of the attack.
·
Breaches
may lead to severe reputational damage, financial penalties, and legal
consequences.
·
Implementing
the above measures significantly reduces the risk of compromise and strengthens
the organisation’s overall security posture.
The NCSC (National Cyber Security
Centre) provides free guidance, templates, and training resources for
UK organisations at ncsc.gov.uk. The organisation’s recent credential-based
breach highlights gaps in access control, secure configuration, and account
lifecycle management. These weaknesses directly align with the control areas highlighted
by the Cyber Essential Scheme. Implanting Cyber Essentials would provide a
structured, baseline that addresses the root cause of this incident and significantly
reduces the likelihood of similar breaches occurring in the future.
Conclusion
The evidence
gathered during this investigation strongly indicates that Jordan’s system has
been subjected to a targeted, multi-vector cyber-attack rather than a simple
internal software fault. The attack involved at three distinct threat types: A
Trojan delivered via a malicious ZIP attachment (Email 2), a phishing attempt
via a typo UPS domain leading to an unprotected website (Email 1), and a
credential harvesting attack via a fake Linkchain Gaming admin panel page
(Email 3). The Trojan identified in Email 2 is the most likely the primary
cause of the system performance issues, while Emails 1 and 3 represent
significant ongoing threats to organisational data security.
To remediate
effectively, the organisations must reinforce security at every layer; endpoints,
network infrastructure and the people and organisation. Immediate remediation
should include forensic imaging and re‑imaging
of Jordan’s device, enforcing MFA, and strengthening email gateway filtering.
Medium‑term
improvements such as PAM, tighter access controls, and mandatory phishing
awareness training are essential, and pursuing Cyber Essentials certification
would give Linkchain Gaming a structured path to rebuilding its security.
Implementing these measures promptly would significantly reduce the likelihood
of further compromise and demonstrate a clear commitment to regulatory and
security obligations.
Comments
Post a Comment