OSP - Assignment 2 Task 1
Assignment 2 Task 1
Background
Tony is a remote worker who logs into public and private internet when using his laptop. He is concerned as he is experiencing the following issues with the laptop:
Applications are running slower than they used to
Programs are regularly freezing and not responding
Occasionally, files are not open
Malware VS Application Issues
Application issues cause applications to freeze and/or exit with an application error. These errors are recorded in the event log on Windows with full details of the faulting application/module and details of the error, including an error code. Another possibility could be related to corrupted files or accidentally deleted folders. With such files being corrupt, basic computing processes could encounter errors or slowness.
A corrupted file could occur during power outages or if an issue has occurred during the saving of a file or unexpected program termination.
Malware infections, on the other hand, attempt to be covert, so they do not want anything they do to be recorded in logs. They look to get access to a computer and attempt lateral movement, seeking a computer where they can escalate privileges. This then gives them access to an account with permissions that will allow them to download other exploits and gain control of servers, workstations, and other devices. They can also attempt other compromises, such as ransomware.
Cyber Attack
Review security alerts, firewall logs, and network traffic for unusual connections, particularly at odd hours. Viewing log file evidence is a source of information that highlights system activity and can be used to see if there are any errors in log files, for example.
Determine how access was gained, such as phishing emails, exploited vulnerabilities or compromised credentials. Vulnerability scanning is a useful source of information and can be used to verify vulnerabilities in a computer system. Areas that a vulnerability scan could identify include open ports, unneeded running services, poor system configurations and missing passwords.
Analyse malware, files, and system images to find traces left by the attacker. Network traffic analysers are used to view and monitor network activity that could identify rogue connections, IP addresses and any abnormal traffic flow, for example, the security section in Windows Event Viewer.
Internal software problem
Checking to see if the latest operating system and application software updates and patches have been applied. Windows Update is a good source of this information and can inform the user of the last time the system was updated.
Uninstalling and reinstalling the software that has been affected can be a good measurement tool; if the issues are no longer there after the reinstall, then you have found the source of the problem.
Viewing Task Manager and system process information can highlight any system and hardware issues that may be linked to the software performance, for example, HDD/SSD issues, RAM problems and CPU problems.
Clean the registry, delete temporary files and remove installation files. Tools like CCleaner can be very efficient in achieving this and provide a good reporting feature to analyse results.
Check internal storage for unrecognised files and folders.
Check network configuration when accessing online services and data to gauge whether there are any unauthorised changes to network settings. ipconfig/all is a useful command for this task.
In summary, a cyber-attack is the deliberate exploitation of a computer system and could affect the whole system. An internal software problem could be on a much smaller scale, for example, one device, and the only real way to differentiate would be through an investigation.
To determine if it is a cyber-attack or an internal software problem at the root of the issue, the use of software will be required. After an investigation has been undertaken, there will normally be enough evidence to make a judgment on the root of the problem.
Types of attack
The current issue is most likely malware, such as a virus, Trojan or a worm, because these types of infections are associated with issues such as applications running slower than they should be, programs freezing and not responding, and occasionally files not opening, all of which are faced by Toni.
Virus: A virus attaches itself to legitimate executable files or documents, and self-replicates when those files are executed. It spreads through the network or shared storage, often corrupting data and consuming system resources as it replicates. This directly explains file corruption and application slowdowns.
Trojan: A Trojan horse disguises itself as legitimate or useful software – often arriving bundled with freeware, a pirated application, or a malicious email attachment. Once installed, it executes malicious code in the background, potentially opening a backdoor for remote access, stealing credentials, or downloading further malware. It does not self-replicate but relies on social engineering to achieve installation.
Worm: A worm is a self-replicating malware that spreads autonomously across networks without requiring user interaction. It exploits system vulnerabilities to propagate, consuming significant bandwidth and processing resources. This could cause the widespread slowdowns and freezes Tony is experiencing, particularly if his laptop connects to a corporate network.
How could this have occurred?
Insufficient storage space or a fragmented hard drive. If the drive is nearly full, the system cannot allocate enough virtual memory, leading to freezes and slowdowns. These means cannot be written properly, causing programs to crash or fail to open files.
Outdated or corrupted drivers/software can affect performance. Old network drivers can slow down internet speeds or cause disconnections. New applications or OS updates may require updated drivers; without them, programs may crash or fail to open.
Suspicious attachments in the emails may include malware such as spyware, ransomware or viruses. Malware consumes system resources, slowing down applications, and malicious code can corrupt files or interfere with drivers, causing freezes and crashes.
Spoofed sender addresses that look like trusted contacts. The goal is to deceive the recipient into believing the email is legitimate, lowering suspicion and increasing the chance they’ll open attachments or click links.
Part B
Cecilia has provided me with access to her computer. She has described the current situation to me as she experiences the following issues:
The computer is often unresponsive and is frustrating to use
Programs are regularly freezing and not responding
Some files are not opening
I have been asked to investigate the vulnerability that may exist in the system, and analyse the emails and identify any issues and possible resolutions.
Investigation
Successful login achieved; this is asking for the password, and after entering this, you can see the operating system running in the following screenshot:
Email 1: Successfully Opened
Email 2: Successfully Opened
Email 3: Successfully Opened
VirusTotal Scan – Check This Out.eml
VirusTotal Scan – FW: TikTok verification code is here!.eml
VirusTotal scan – Password Reset Link.eml
Budget Planner ZIP file – BudgetPlanner.xlsx
Fake Microsoft Recovery Account – Recover Your Account.html
Fake TikTok Set Up link – Unprotected Website
Email Investigation and Identification of any issues
I have studied the emails and will now present my findings; I will discuss each email individually and separately.
Email 01 – Check this Out! From Bill Briscoe
Email 01 has a suspicious attachment containing a ZIP file with an Excel file. A ZIP file can be a source of malware, and if any of the files that have been zipped up in the archive contain malware, they will be restored to their previous infected state when unzipped. The ZIP file archive contains an .xlsx file, which is password-protected. Despite being a trusted format, they can still contain malicious elements like embedded formulas, which can be used to download malware or grant attackers system access. Hackers can exploit vulnerabilities in the application itself or use techniques like template injection to run code.
Running executables that are attached to emails is only advisable if they are from a trusted source or have been scanned by a malware program, and if from an unknown source, they should be discarded and possibly reported accordingly to company policies.
I uploaded the file to the virustotal.com website, and the results detailed infection found from 28 vendors out of 63; the main infection that found was Trojan. Trojan is a type of malware that disguises itself as legitimate software to trick users into installing it on their devices. Once installed, it can perform malicious actions such as stealing data, giving remote access to hackers, or installing other malware.
VirusTotal.com pointed out that Trojan-Generic and Exploit/CVE are the most common malware reported by vendors. “Generic” part indicates that your antivirus can’t identify the specific, named threat, but it recognises the general behaviour of a Trojan. The term “CVE” (Common Vulnerability and Exposure) is a standardised identifier for a publicly known security flaw in software, hardware, or firmware.
Recommended Action
Tony should not click any links in this email. It should be reported as phishing to the IT team and deleted. The IP address should be blocked at the firewall level. This email should also be reported to the organisation's security operations team as a social engineering attempt.
Email 02 - FW: Your TikTok verification code is here!
This email included links that do not work, as the IP address can’t be found. However, we should remain aware that the link is not a protected source, which can put the system at risk.
Unprotected websites are dangerous because they can lead to data theft, malware infections, and financial fraud by allowing hackers to intercept your data and install harmful software on your device due to the lack of encryption.
Forwarded emails pose security concerns like data leakage of sensitive information, circumvention of security measures and potential data loss.
Scanning the file on VirusTotal.com didn’t identify any malware due to no attachment in the email; nonetheless, it should be reported to the appropriate authorities due to the lack of professionalism and grammatical mistakes in the email, they should be discarded and possibly reported accordingly to company policies.
Recommended Action
Tony should not click any links in this email. It should be reported as phishing to the IT team and deleted. The IP address should be blocked at the firewall level. This email should also be reported to the organisation's security operations team as a social engineering attempt.
Email 03 – Microsoft Password Recovery from “Microsoft.com”
The email has been sent from noreply@micrsoft.com, the email address is spelt wrong, which indicates that it's a phishing email.
This email has an attachment named Recover your Account.html
I uploaded the attachment on the virustotal.com website, and the results returned detailed infections as a phishing threat. 2 vendors highlighted this as a phishing email; it was identified as an HTML: PhishingMS-BFF [Phish].
Fake login pages like these are not malware that would infect a Windows computer like a virus/Trojan/worm, and may not always be picked up by malware scanners, but they are still a cybersecurity danger that is related to phishing and spear phishing and should be taken very seriously because they pose a very serious threat to an organisation.
Recommended Action
Cecilia must not open or interact with this attachment. The email should be quarantined and reported immediately. IT should investigate whether Cecilia's credentials have already been compromised by checking Active Directory login logs for unusual sign-in activity, particularly from unfamiliar geographic locations or IP addresses. Multi-factor authentication (MFA) should be enforced as an immediate control to prevent credential-based account takeover even if the password has been compromised.
Legal/Security Recommendation
The government website provides information on the National Cyber Security Centre, where they provide information, templates, checklists, and advice for businesses in the UK to help prevent cyber-attacks and protect digital infrastructure. This could prove beneficial to companies and individuals like Cecilia.
Summary of Email Threat
Threat Type | Key Indicator | VirusTotal | Risk Level | |
Email 1 – Check This Out | Trojan / Macro Malware (CVE exploit) | Password-protected ZIP; fake Office overlay; 28/63 detections | 28/63 malicious | CRITICAL |
Email 2 – TikTok Verification | Phishing / Credential Harvesting | Typo squatted domain; HTTP link to raw IP; grammar errors | 0/63 (no attachment) | HIGH |
Email 3 – Microsoft Password Reset | Phishing / Credential Harvesting (HTML: PhishingMS-BFF) | Spoofed domain (micrsoft.com); fake Microsoft login page | 2/63 phishing | CRITICAL |
Part C
Asset/Device-Level Measures:
Perform a full wipe and re-image of Tony’s laptop to eliminate any hidden or undetected compromises, including potential zero-day threats
Ensure all malware scanners used within the business are updated to the latest versions
Apply operating system updates and patches across all devices to maintain security compliance
Conduct malware scans on all company assets to identify further infections
Re-image any devices found to be compromised
Implement operating systems and device hardening practices
Disable macros on devices and within applications where they are not required
Deploy email threat scanning solutions if not already in place
Network-Level Measures:
Enforce group policy rules to block executable downloads and prevent users from running non-whitelisted applications
Use Wireshark to capture and analyse packets across all network segments for suspicious activity
Review firewall logs for traffic directed to unknown or suspicious websites.
Restrict network traffic to only the necessary ports, blocking unused ones such as FTP ports 20/21
Updated Intrusion Detection (IDS) and Intrusion Prevention Systems (IPS) with the latest signatures
Server & Log Analysis:
Review all server log files to identify suspicious activity
Cross-reference login records with staff time and attendance data to detect unauthorised access attempts (e.g. logins when staff are not present)
Organisation-Level Measures:
Launch a communications campaign to raise awareness about the risks of suspicious emails, using newsletters and posters.
Provide staff with cyber security awareness training, such as the NCSC’s training modules.
Conduct phishing simulations across the organisation to measure employee awareness and tailor future training.
Create a SharePoint site to serve as a central hub for cybersecurity resources and guidance.
Audit existing cybersecurity policies to ensure they comprehensively cover all necessary areas.
Future Risk Reduction:
Schedule weekly anti-virus scans across all assets as a minimum standard.
Consider deploying a network behavioural analysis solution to continuously monitor traffic and detect anomalies such as command-and-control (C2) activity.
Implement advanced IPS solutions capable of blocking malware downloads based on signature detection.
Adopt a cloud-based email security solution to filter and block phishing attempts.
Introduce a Data Loss Prevention (DLP) system to detect and quarantine unauthorised attempts to transmit sensitive data outside the organisation.
Deploy a Privileged Access Management (PAM) solution to control administrative accounts and prevent privilege escalation.
Compliance & Risk Considerations:
Any data exfiltration could result in violations of GDPR, PCI DSS, and other regulatory frameworks.
Breaches may lead to severe reputational damage, financial penalties, and legal consequences.
Implementing the above measures significantly reduces the risk of compromise and strengthens the organisation’s overall security posture.
The NCSC (National Cyber Security Centre) provides free guidance, templates, and training resources for UK organisations at ncsc.gov.uk, including the Cyber Essentials scheme, which provides a baseline certification against the most common cyber threats. Achieving Cyber Essentials certification would demonstrate a credible minimum-security posture to clients and partners and is a requirement for some government contracts.
Conclusion
The evidence gathered during this investigation strongly indicates that Cecilia's system has been subjected to a targeted, multi-vector cyber-attack rather than a simple internal software fault. The attack involved at least three distinct threat types: a Trojan delivered via a malicious ZIP attachment (Email 1), a phishing attempt via a typo-squatted TikTok domain leading to an unprotected website (Email 2), and a credential harvesting attack via a fake Microsoft password reset page (Email 3). The Trojan identified in Email 1 is the most likely primary cause of the system performance issues, while Emails 2 and 3 represent significant ongoing threats to organisational data security.
Effective remediation requires a layered response across devices, the network, and the organisation's people and processes. The implementation of MFA, Email Gateway security, endpoint protection, and structured cyber awareness training, underpinned by regular vulnerability scanning and incident response planning, will significantly reduce the risk of a similar attack succeeding in the future. The NCSC's Cyber Essentials framework provides a practical and cost-effective foundation upon which to build a more robust security posture.
Changes Required to do:
What to change: (Investigation)
- When you discuss the fake Microsoft HTML page, go further — explain how you identified it as fake beyond just the VirusTotal result. What did the page look like? What did the URL show? What did the file:// path in the browser bar tell you?
- When you discuss the unprotected TikTok link, explain more specifically why HTTP rather than HTTPS is dangerous in this context
- Reference what additional tools could or should be used — for example, mentioning that checking Windows Event Viewer logs or running ipconfig /all would add further evidence
- When you report VirusTotal numbers, go deeper into what they mean. You do this reasonably well for Email 1, but less so for the others
What to change: (Attack Type)
- For each attack type, explicitly connect it to the symptoms Cecilia is experiencing. For example, don't just say "a Trojan disguises itself as legitimate software" — say "the Trojan identified in Email 1 is the most probable cause of the freezing and slowdowns Cecilia reports, because Trojans execute malicious code in the background, consuming system resources"
- In Part A where you define Virus, Trojan and Worm — each definition should end with a direct link back to Tony/Cecilia's specific symptoms, not just a general explanation
- Be careful with one inconsistency — you refer to the user as both "Tony" and "Toni" at different points in the document. Small things like that undermine technical confidence in a marker's eyes
Comments
Post a Comment