Final Task 1

 

Assignment 2

Task 1

    

    

    

 


 

Contents

Part A.. 2

Background. 2

Malware VS Applications Issues. 2

Cyber Attack. 2

Internal Software Problem.. 3

Types of Attacks. 4

Virus: 4

Trojan: 4

Worm: 4

MITM (Man in The Middle): 4

Phishing: 5

Brute Force Attack: 5

Cross-Site Scripting (XSS): 5

How could this have occurred?. 6

Part B.. 7

Investigation. 7

Email Investigation and Identification of any Issues. 12

Email 1 – UPS Package. 12

Email 2 – New System.. 13

Email 3 – Urgent Security. 14

Part C.. 16

Conclusion. 18

 

 


 

Part A

Background

Jordan is a junior developer who is new to the company. He works from home with very occasional travel to the office required to attend face-to-face meetings. He recently has been experiencing some issues with his laptop:

-          Applications take a long time to load and often freeze during operations

-          Network connectivity is intermittent when he’s working from home

-          Some downloaded files do not open

Following these issues, there may be several factors that may impact the user’s experience.

Malware VS Applications Issues

Application issues cause applications to freeze and/or exit with an application error. These errors are recorded in the event log on Windows with full details of the faulting application/module and details of the error, including an error code. Another possibility could be related to corrupted files or accidentally deleted folders. With such files being corrupted, basic computing processes could encounter errors and slower processing.

A corrupted file could occur during power outages or if an issue has occurred during the saving of a file or unexpected program termination.

Malware infections, on the other hand, typically operates by aiming to avoid detection by leaving minimal traces in the system logs. Once they gain access to a device, they often attempt to move across the network, seeking systems where they can escalate privileges to gain a wider access the organisation network. With elevated access, attackers could potentially download additional exploits, compromise servers, workstations, and other assets, with room for further exploitation such as ransomware.

Cyber Attack

Review security alerts, firewall logs, and network traffic for unusual connections, particularly at odd hours. Viewing log file evidence is a source of information that highlights system activity and can be used to see if there are any errors in log files, for example.

Determine how access was gained, such as phishing emails, exploited vulnerabilities or compromised credentials. Vulnerabilities scanning is a useful source of information and can be used to verify vulnerabilities in a computer system. Areas that a vulnerability scan could identify include open ports, unneeded running services, poor system configurations and missing passwords.

Analyse malware, files, and system images to find traces left by the attacker. Network traffic analysers are used to view and monitor network activity that could identify rogue connections, IP addresses and any abnormal traffic flow, for example, the security section in Windows Event Viewer.

Internal Software Problem

-          Checking to see if the latest operating system and application software updates and patches have been applied. Windows Update is a good source of information which can informs us with the latest system update.

-          Uninstalling and reinstalling the software that has been affected can be a good measurement tool; if the issue is no longer present after the reinstall, then you found the source of the problem

-          Viewing Task Manager and system process information can highlight and system and hardware issues that may have been linked to the software performance, for example, hard drive issues, RAM problems and CPU problems.

-          Clean the registry, delete temporary files and remove installation files. Tools like CCleaner can be very efficient in achieving this and provide a good reporting feature to analyse results.

-          Check internal storage for unrecognised files and folders.

-          Check network configuration when accessing online services and data to gauge whether there are any unauthorised changes to the network settings. A useful command being “ipconfig/all” for the task.

In summary, a cyber-attack is the deliberate exploitation of a computer system and could affect the entire system. Whereas, an internal software problem could be on a much smaller scale, for example, one device, and the only real way to differentiate would be through an investigation.

Network traffic analysis using a tool such as Wireshark would capture packet data across all network segments. In the context of Jordan's intermittent connectivity, a network analyst would look specifically for unusual outbound connections, particularly to unfamiliar IP addresses or at irregular hours, which could indicate command-and-control (C2) communication from malware installed on the device. This would distinguish a cyber-attack from a simple misconfiguration of Jordan's home router.

To determine whether it’s a cyber-attack or an internal software problem at the root of the issue, the use of software will be required. After an investigation has been undertaken, there will be normally enough evidence to make a judgment on the root of the problem.

 


 

Types of Attacks

The current issue is most likely malware, such as virus, Trojan, or a Worm, because these types of infections are associated with issues such as applications running slower that they should be, programs freezing and not responding, and occasionally files are not opening, all of which are faced by Jordan. However, additional attack vectors such as MITM, phishing, and XSS are other plausible attack vectors that could put Linkchain Gaming under threat.

Virus:

A virus attaches itself to legitimate executable files or documents, and self-replicates when those files are executed. It then spreads through the network or shared storage, often corrupting data and consuming system resources as it replicates. This directly explains file corruption and applications slowing down as mentioned by Jordan. It is also mentioned that Jordan often receives emails from colleagues and his line manager which contain attachments. He then directly downloads them onto his computer. This is a primary risk to malware infection, while common functional issues such as file corruption are then introduced.

Trojan:

A Trojan horse disguises itself as legitimate or useful software, often arriving bundled with freeware and malicious attachments. Once installed, it executes malicious code in the background, potentially opening a backdoor for remote access, stealing credentials, or even downloading further malware. It does not self-replicate but relies on social engineering to achieve installation. It is important for Jordan to carefully filter through his emails making sure that common read flags of phishing emails are been checked. These include poor spelling/grammar, and suspicious links and attachment. It is important to check the sender’s address to make sure that its legitimate and from a trusted source.

Worm:

A worm is a self-replicating malware that spreads autonomously across the network without requiring user interaction. It exploits system vulnerabilities to propagate, consuming significant bandwidth and processing resources. This could cause the widespread slowdowns within the network which would explain Jordan’s computer to slowdown, particularly if the computer is connected to the corporate network.

MITM (Man in The Middle):

A man-in-the-middle (MITM) attack is also a credible threat, given that Jordan works from home full-time. If Jordan connects to an unsecured or compromised Wi-Fi network, an attacker could intercept traffic between his device and the corporate network, potentially capturing credentials or sensitive data in transit. This is particularly concerning given Linkchain Gaming's recent incident involving compromised credentials.

Phishing:

Phishing is when an attacker tricks people into revealing sensitive information or installing malware by pretending to be a trusted source. The brief confirms that Jordan always opens email attachments sent by colleagues and his line manager without first verifying their legitimacy. This behaviour is precisely what phishing attacks are engineered to exploit. By spoofing a trusted sender, such as a colleague or manager, an attacker could deliver a malicious attachment that Jordan would open without suspicion. His habit of downloading attachments to verify they have downloaded fully further increases the risk of inadvertently executing malicious files.

Brute Force Attack:

A brute force attack is where the attacker attempts to gain unauthorised access to accounts, systems, or encrypted data by systematically trying every possible combination of passwords and credentials until the correct one is found. As a new employee who has recently completed his induction, Jordan may still be using a temporary or default password assigned during the onboarding process. These passwords are frequently simple and predictable, making them highly susceptible to brute force attacks where an attacker systematically attempts common password combinations. If Jordan has not yet been required to set a strong, unique password, his account could be compromised with relatively little effort.

Cross-Site Scripting (XSS):

Cross-site scripting is a web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Jordan's role as a junior developer makes XSS a particularly relevant threat vector. Developers regularly interact with web-based tools such as code repositories, bug trackers, and development frameworks, many of which involve user-generated content that could be exploited for script injection. If a malicious actor has injected scripts into a development tool used by Linkchain Gaming, Jordan could unknowingly execute malicious code simply by accessing these platforms as part of his normal workflow. Furthermore, as a junior developer who is new to the company, Jordan may not yet have received sufficient security training to recognise the signs of a compromised web application.

 


 

How could this have occurred?

Insufficient storage space or a fragmented hard drive. If the drive is nearly full, the system cannot allocate enough virtual memory, leading to freezes and slowdowns. These means cannot be written properly, causing programs to crash or fail to open files. Directly linking to the issues that Jordan has been facing with his computer.

Outdates or corrupted drivers/software can affect performance. Old network drivers can slow down internet speeds or cause disconnections. New applications or OS updates may require updated drivers; without them, programs may crash or fail to open.

Suspicious attachments in the email may include malware such as spyware, ransomware or viruses. Malware consumes system resources, slowing down applications, and malicious code can corrupt files or interfere with drivers causing freezes and crashes. We are aware that Jordan has a bad habit of downloading attachments fully, making this type of attack very likely.

Spoofed sender addresses that look like trusted contacts. The goal is to deceive the recipient into believing the email is legitimate, lowering suspicion and increasing the chance they’ll open attachments or click malicious links. Linkchain Gaming faced a credential-based breach which would make this easier for attackers go undetected and affecting the organisations.

The recent incident involving a disgruntled employee sharing credentials introduces an additional threat vector that must be considered. The fact that credentials were used to access confidential shared folders suggests that access controls and privilege management were insufficient. It cannot be ruled out that Jordan's system issues are connected to this broader compromise, for example, if malware was introduced to the network during that incident and has since propagated to Jordan's device via the corporate network.

 


 

Part B

Investigation

Successful login achieved; asked for user credentials to verify user, and after entering this, you can see the operating system is running in the following screenshots:

Email 1: UPS Package (Successfully Opened)

Email 2: New System (Successfully Opened)

Email 3: Urgent Security Request (Successfully Opened)

 

Virus Total Scan - Missed Package Delivery

Virus Total Scan – New System

ZIP File:

Virus Total Scan – Urgent Security Request

UPS Package Delivery Links

 

 

Confidential New System ZIP File:

 

Urgent Security Request Links

 

 

 

Email Investigation and Identification of any Issues

I have studied the emails and will now present my findings; I will discuss each email individually and separately.

Email 1 – UPS Package

Email 1 has some suspicious links which are being interrupted by the firewall. When we advanced forward, we were presented with an unprotected website.

Unprotected websites are dangerous because they can lead to date theft, malware infections, and financial fraud by allowing hackers to intercept your data and install harmful software on your device due to lack of encryption. HTTP is dangerous because it lacks encryption, meaning data sent between your browser and the server will be visible for the attackers which enables eavesdropping, password theft, and malware injection. Unlike HTTPS, HTTP does not verify server authenticity, making it easier for hackers to impersonate websites and steal information. This risk is compounded by Jordan's full-time remote working arrangement. Working from home, Jordan accesses Linkchain Gaming's systems entirely over the internet, meaning any credentials intercepted via an unprotected HTTP connection could immediately be used to access corporate resources remotely. Unlike an office environment where network traffic may be monitored centrally, Jordan's home network is unlikely to have enterprise-grade traffic inspection, making the absence of HTTPS encryption particularly dangerous in his case. The firewall interrupting the link suggests Linkchain Gaming has some protective measures in place. The fact that Jordan was able to proceed past the warning indicates that user awareness training is currently insufficient. Jordan did not recognise the warning as a reason to stop.

Furthermore, I have noticed a spelling mistake in the email address of the sender, “rechedule” which are initial signs of phishing emails. They pose sever dangers, including identity theft, significant financial fraud and data breaches. These emails frequently impersonate trusted entities such as UPS and pushing users into revealing their credentials, downloading malware, or even transferring funds. This indicates that new employees such as Jordan are unlikely to be sufficiently familiar with legitimate communications from external companies such as UPS to confidentially identify threats. Attackers deliberately choose to impersonate widely recognised brands like UPS precisely because they are trusted universally, a new employee like Jordan, who may receive parcels from UPS, would have little reason to question the email.

Scanning the file on VirusTotal.com didn’t identify any malware due to having no attachments in the email; nonetheless, it should be reported to the appropriate authorities due to the lack of professionalism and grammatical mistakes in the email, they should be deleted and possibly reported accordingly to the company’s policy.

 

Recommended Action

Jordan should not interact with the links in the email and should report it immediately to Linkchain Gaming’s IT security team as a phishing attack. Given that Linkchain Gaming has recently suffered a credential-based breach, the IT team should treat this email as a potential targeted campaign against the organisation rather than an individual attack. The sender’s IP address should be blocked at the firewall level and the domain flagged for monitoring by the IT team. This incident should also be escalated to the organisation security operations team and documented as part of Linkchain Gaming’s ongoing incident response process. At an organisation level, this email highlights the urgent need for a structured phishing awareness training session for employees like Jordan, whose onboarding may not have adequately covered the identification of social engineering attempts.

Email 2 – New System

Email 2 has a suspicious attachment containing a ZIP file with a .txt extension, usually containing only plain text data, such as characters, numbers, and symbols. However, they can pose significant dangers through disguised extensions, vulnerabilities in the application used to open them, or misconfigurations.

Running executables that are attached to emails is only advisable if they are from a trusted source or have been scanned by a malware program, and if from an unknown source, they should be deleted and possibly reported accordingly.

I uploaded the ZIP file into VirusTotal.com and the results detailed that the ZIP file is found infectious by 58 vendors out of 68; the main infection that found it was a Malicious Trojan. Trojan is a type of malware that disguise itself as legitimate software that tricks users into installing it on their device. Once installed, it can perform malicious actions such as stealing data, gaining remote access, or even installing further malware. This risk is directly amplified by Jordan’s established behaviour as mentioned in the brief of always opening file attachments sent by colleagues and his line manager without first verifying weather, they are legitimate. An attacker with knowledge of Linkchain Gaming’s previous incident could impersonate a trusted colleague or even Jordan’s Line manager and can craft a near identical email. As a new employee still familiarising himself with colleagues and internal processes, Jordan is particularly unlikely to question communications that appear from within the organisation.

VirusTotal.com pointed out that “EICAR Test File – NOT Virus” are the most common malware reported by vendors. This could be a test run by the Linkchain ops team, used to evaluate employee awareness and susceptibility to cyber threats by sending safe, simulated phishing emails. These tests help identify vulnerabilities and improve security posture by providing training to employees who interact with the simulated emails. However, we should recall the previous incident faced by Linkchain Gaming, where several credentials were leaked by the disgruntled employee. This information tells us that the attacker may have gained access to an employee’s account in order to share malware throughout the organisations network. This would be used to get further confidential data and unannounced intellectual property.

Recommended Action  

Jordan should not click or download any of the attachments in the email under any circumstances. The 58/68 Virus Total detection rate makes this one of the clearest malwares identified in the investigation. The email attachment should be reported immediately to Linkchain Gaming’s IT security team, who should isolate the file in virtual environment for further investigation and to determine whether the Trojan has already been executed on Jordan’s computer. If there is any possibility that Jordan has interacted with the attachment previously, a full examination should be carried by first making sure that the organisation’s network is safe. Given Linkchain Gaming’s recent credential breach and the Trojan’s capability to provide persistent remote access, the IT security team should also conduct a further network-wide scan to determine whether there’s been a spread of malware throughout the network. This incident should be escalated to the security operations team and documented within the organisation’s incident response framework. Regardless of whether this email represents a genuine attack or an internal phishing simulation, it highlights a critical gap in Jordan’s security awareness training that must be addressed as a priority.

Email 3 – Urgent Security

This email included links that do not work, as the IP address can’t be found. However, we should remain aware that the link is not a protected source, which can put the system at risk.

Unprotected websites are dangerous because they can lead to data theft, malware infections, and financial fraud by allowing hackers to intercept your data and install harmful software on your device due to the lack of encryption. This risk is particularly critical for Jordan, given a full-time remote working employee. Working from home, Jordan accesses Linkchain Gaming’s corporate systems entirely over the internet without the protection of enterprise-grade network monitoring that would be present in an office environment. If the link in this email were to be accessed by Jordan, any credentials entered would be transmitted without encryption and could be intercepted by the attacker. For an organisation that has already suffered a credential-based breach, the interception of Jordan’s login details via an unprotected connection would lead to a recreation of the previous incident.

Scanning the file on VirusTotal.com didn’t identify any malware due to no attachment in the email; nonetheless, it should be reported to the appropriate authorities due to the lack of professionalism and grammatical mistakes in the email, they should be discarded and possibly reported accordingly to company policies. However, Jordan’s position as a new employee who has only recently completed his two-week induction means he may not yet have developed baseline familiarity with corporate communication and may find spotting red flags challenging. An email framed as an urgent security request, as this one appears to be, is specifically designed to create a sense of pressure, making it especially effective against new employees like Jordan, who may feel compelled to act quickly to demonstrate competence and compliance.

Recommended Action

Jordan should avoid interacting with any links or attachments contained within emails. The email should be reported accordingly to the IT team as a suspected phishing attempt and then securely deleted. The originating IP address should be blocked at the firewall to prevent further contact attempts. Additionally, the incident should be escalated to the organisation’s security operation team for analysis and tracking as a social engineering attempt 

Linkchain Gaming Domain Issue

The two emails sent to Jordan, claimed to be from the same organisation (Linkchain Gaming); however, the sender domains differed. Legitimate organisations, such as Linkchain Gaming, typically use a consistent, verified domain for outbound communication. Variations in sender addresses can indicate spoofing, compromised accounts, or unauthorised thirdparty email infrastructure. This is particularly relevant given the recent credential-based attack, as attackers commonly use phishing emails to harvest login credentials to compromise accounts. The inconsistency in sender addresses suggests a social engineering attack.

Legal/Security Recommendation

They should focus on ensuring the organisation meets its legal, regulatory, and contractual obligations by implementing relevant regulations within the organisation. This could be policy updates on how technical controls such as access restrictions, or even a procedure change on how to report incidents in the future. This will help protect the organisation from liability, fines and reputational damage. They should also implement an extended security awareness training for employees to reduce the likelihood of recurrence and strengthen the organisation’s overall risk posture. This would be seen particularly beneficial for new employees like Jordan, creating awareness on new cyber threats and how to act upon them. The organisation could include audits, reviews, or schedule check-ins in order to make sure that they are constantly ensuring that there no gaps within the organisation network that could be exploited by the attackers. The government website provides information on the National Cyber Security Centre, where they provide information, templates, checklists, and advice for businesses in the UK to help prevent cyber-attacks and protect digital infrastructure.

 

 

Summary of Email Threat

Email 

Threat Type 

Key Indicator 

Virus Total 

Risk Level 

Email 1 – UPS Package 

Phishing / Credential Harvesting 

Typo in the email address alongside with unprotected website links 

0/63 malicious 

(No attachment)

CRITICAL 

Email 2 – New System 

Trojan 

Suspicious ZIP file with .txt extension  

58/68 Malware

CRITICAL

Email 3 – Urgent Security

Phishing / Credential Harvesting

Website links cannot be found

0/63 phishing 

(No attachment)

HIGH

Part C

Asset/Device-Level Measures:

·         Forensic Imaging should be enforced as it would help the organisation to trace back logs and if they need to prove what happened this can be used as supporting evidence. Thereafter, perform a full wipe and re-image of Jordan’s laptop to eliminate any hidden or undetected compromises, including potential zero-day threats

·         Ensure all malware scanners used within the business are updated to the latest versions

·         Apply operating system updates and patches across all devices to maintain security compliance

·         Conduct malware scans on all company assets to identify further infections

·         Re-image any devices found to be compromised

·         Implement operating systems and device hardening practices

·         Disable macros on devices and within applications where they are not required

·         Deploy email threat scanning solutions if not already in place

Network-Level Measures: 

·         Enforce group policy rules to block executable downloads and prevent users from running non-whitelisted applications  

·         Use Wireshark to capture and analyse packets across all network segments for suspicious activity 

·         Review firewall logs for traffic directed to unknown or suspicious websites. 

·         Restrict network traffic to only the necessary ports, blocking unused ones such as FTP ports 20/21 

·         Updated Intrusion Detection (IDS) and Intrusion Prevention Systems (IPS) with the latest signatures 

Server & Log Analysis: 

·         Review all server log files to identify suspicious activity 

·         Cross-reference login records with staff time and attendance data to detect unauthorised access attempts (e.g. logins when staff are not present) 

Organisation-Level Measures: 

·         Launch a communications campaign to raise awareness about the risks of suspicious emails, using newsletters and posters. 

·         Provide staff with cyber security awareness training, such as the NCSC’s training modules. This should be prioritised as employees like Jordan are likely to fall victim of such attacks.

·         Conduct phishing simulations across the organisation to measure employee awareness and tailor future training. 

·         Create a SharePoint site to serve as a central hub for cybersecurity resources and guidance. 

·         Audit existing cybersecurity policies to ensure they comprehensively cover all necessary areas. 

·         Adopt Zero Trust principles, ensuring no user or device is trusted by default, and all access is continuously verified.

·         Offboarding policy implementation, this would reduce the likelihood of an insider attack as Linkchain Gaming previously faced.

Future Risk Reduction: 

·         Schedule weekly anti-virus scans across all assets as a minimum standard. 

·         Consider deploying a network behavioural analysis solution to continuously monitor traffic and detect anomalies such as command-and-control (C2) activity. 

·         Implement advanced IPS solutions capable of blocking malware downloads based on signature detection. 

·         Adopt a cloud-based email security solution to filter and block phishing attempts. 

·         Introduce a Data Loss Prevention (DLP) system to detect and quarantine unauthorised attempts to transmit sensitive data outside the organisation. 

·         Deploy a Privileged Access Management (PAM) solution to control administrative accounts and prevent privilege escalation. PAM enforces least-privilege access which means even if the attacker compromises an account again, they can’t move or escalate privileges easily.

·         Introduce Multi-Factor Authentication (MFA), to authenticate users when entering the company’s network. Ideal for Linkchain Gaming as it would help them authenticate employee’s especially after the credential-based breach.

 

 

 

Compliance & Risk Considerations: 

·         Any data exfiltration could result in violations of GDPR, PCI DSS, and other regulatory frameworks. As GDPR obligates organisations to report users of any data breach within the 72 hours of the attack.

·         Breaches may lead to severe reputational damage, financial penalties, and legal consequences. 

·         Implementing the above measures significantly reduces the risk of compromise and strengthens the organisation’s overall security posture. 

 

The NCSC (National Cyber Security Centre) provides free guidance, templates, and training resources for UK organisations at ncsc.gov.uk. The organisation’s recent credential-based breach highlights gaps in access control, secure configuration, and account lifecycle management. These weaknesses directly align with the control areas highlighted by the Cyber Essential Scheme. Implanting Cyber Essentials would provide a structured, baseline that addresses the root cause of this incident and significantly reduces the likelihood of similar breaches occurring in the future.

Conclusion

The evidence gathered during this investigation strongly indicates that Jordan’s system has been subjected to a targeted, multi-vector cyber-attack rather than a simple internal software fault. The attack involved at three distinct threat types: A Trojan delivered via a malicious ZIP attachment (Email 2), a phishing attempt via a typo UPS domain leading to an unprotected website (Email 1), and a credential harvesting attack via a fake Linkchain Gaming admin panel page (Email 3). The Trojan identified in Email 2 is the most likely the primary cause of the system performance issues, while Emails 1 and 3 represent significant ongoing threats to organisational data security. 

To remediate effectively, the organisations must reinforce security at every layer; endpoints, network infrastructure and the people and organisation. Immediate remediation should include forensic imaging and reimaging of Jordan’s device, enforcing MFA, and strengthening email gateway filtering. Mediumterm improvements such as PAM, tighter access controls, and mandatory phishing awareness training are essential, and pursuing Cyber Essentials certification would give Linkchain Gaming a structured path to rebuilding its security. Implementing these measures promptly would significantly reduce the likelihood of further compromise and demonstrate a clear commitment to regulatory and security obligations.

 

Comments

Popular posts from this blog

OS A3 Task 1

OS A3 Task 2