Task 1 A 2

Assignment 2
Task
1
|

Contents
Malware
VS Applications Issues
Email
Investigation and Identification of any Issues
Part A
Background
Jordan is a junior developer who is new to the company. He
works from home with very occasional travel to the office required to attend
face-to-face meetings. He recently has been experiencing some issues with his
laptop:
-
Applications take a long time to load and often
freeze during operations
-
Network connectivity is intermittent when he’s working
from home
-
Some downloaded files do not open
Following these issues, there may be several factors that
may impact the user’s experience.
Malware VS Applications Issues
Application issues cause applications to freeze and/or exit with
an application error. These errors are recorded in the event log on Windows with
full details of the faulting application/module and details of the error,
including an error code. Another possibility could be related to corrupted
files or accidentally deleted folders. With such files being corrupted, basic
computing processes could encounter errors and slower processing.
A corrupted file could occur during power outages or if an
issue has occurred during the saving of a file or unexpected program termination.
Malware infections, on the other hand, attempt to be covert,
so they do not want anything they do to be recorded in logs. They look to get access
to a computer and attempt lateral movement, seeking a computer where they can escalate
privileges. This then gives them access to an account with permissions that
will allow them to download other exploits and gain control of servers, workstations,
and other devices. They can also attempt other compromises, such as ransomware.
Cyber Attack
Review security alerts, firewall logs, and network traffic
for unusual connections, particularly at odd hours. Viewing log file evidence
is a source of information that highlights system activity and can be used to
see if there are any errors in log files, for example.
Determine how access was gained, such as phishing emails,
exploited vulnerabilities or compromised credentials. Vulnerabilities scanning is
a useful source of information and can be used to verify vulnerabilities in a
computer system. Areas that a vulnerability scan could identify include open ports,
unneeded running services, poor system configurations and missing passwords.
Analyse malware, files, and system images to find traces
left by the attacker. Network traffic analysers are used to view and monitor network
activity that could identify rogue connections, IP addresses and any abnormal traffic
flow, for example, the security section in Windows Event Viewer.
Internal Software Problem
-
Checking to see if the latest operating system
and application software updates and patches have been applied. Windows Update
is a good source of information which can informs us with the latest system update.
-
Uninstalling and reinstalling the software that
has been affected can be a good measurement tool; if the issue is no longer
present after the reinstall, then you found the source of the problem
-
Viewing Task Manager and system process
information can highlight and system and hardware issues that may have been
linked to the software performance, for example, hard drive issues, RAM
problems and CPU problems.
-
Clean the registry, delete temporary files and
remove installation files. Tools like CCleaner can be very efficient in
achieving this and provide a good reporting feature to analyse results.
-
Check internal storage for unrecognised files
and folders.
-
Check network configuration when accessing
online services and data to gauge whether there are any unauthorised changes to
the network settings. A useful command being “ipconfig/all” for the task.
In summary, a cyber-attack is the deliberate exploitation of
a computer system and could affect the entire system. Whereas, an internal software
problem could be on a much smaller scale, for example, one device, and the only
real way to differentiate would be through an investigation.
To determine whether it’s a cyber-attack or an internal software
problem at the root of the issue, the use of software will be required. After
an investigation has been undertaken, there will be normally enough evidence to
make a judgment on the root of the problem.
Types of Attacks
The current issue is most likely malware, such as virus, Trojan,
or a Worm, because these types of infections are associated with issues such as
applications running slower that they should be, programs freezing and not responding,
and occasionally files are not opening, all of which are faced by Jordan.
Virus:
A virus attaches itself to legitimate executable files or
documents, and self-replicates when those files are executed. It then spreads
through the network or shared storage, often corrupting data and consuming
system resources as it replicates. This directly explains file corruption and
applications slowing down as mentioned by Jordan. It is also mentioned that
Jordan often receives emails from colleagues and his line manager which contain
attachments. He then directly downloads them onto his computer. This is a primary
risk to malware infection, while common functional issues such as file corruption
are then introduced.
Trojan:
A Trojan horse disguises itself as legitimate or useful
software, often arriving bundled with freeware and malicious attachments. Once installed,
it executes malicious code in the background, potentially opening a backdoor
for remote access, stealing credentials, or even downloading further malware.
It does not self-replicate but relies on social engineering to achieve
installation. It is important for Jordan to carefully filter through his emails
making sure that common read flags of phishing emails are been checked. These include
poor spelling/grammar, and suspicious links and attachment. It is important to
check the sender’s address to make sure that its legitimate and from a trusted
source.
Worm:
A worm is a self-replicating malware that spreads
autonomously across the network without requiring user interaction. It exploits
system vulnerabilities to propagate, consuming significant bandwidth and processing
resources. This could cause the widespread slowdowns within the network which
would explain Jordan’s computer to slowdown, particularly if the computer is
connected to the corporate network.
How could this have occurred?
Insufficient storage space or a fragmented hard drive. If the
drive is nearly full, the system cannot allocate enough virtual memory, leading
to freezes and slowdowns. These means cannot be written properly, causing
programs to crash or fail to open files.
Outdates or corrupted drivers/software can affect performance.
Old network drivers can slow down internet speeds or cause disconnections. New
applications or OS updates may require updated drivers; without them, programs may
crash or fail to open.
Suspicious attachments in the email may include malware such
as spyware, ransomware or viruses. Malware consumes system resources, slowing
down applications, and malicious code can corrupt files or interfere with drivers
causing freezes and crashes
Spoofed sender addresses that look like trusted contacts.
The goal is to deceive the recipient into believing the email is legitimate, lowering
suspicion and increasing the chance they’ll open attachments or click malicious
links.
Part B
Investigation
Successful login achieved; asked for user credentials to
verify user, and after entering this, you can see the operating system is
running in the following screenshots:



Email 1: UPS Package (Successfully Opened)

Email 2: New System (Successfully Opened)

Email 3: Urgent Security Request (Successfully Opened)

Virus Total Scan - Missed
Package Delivery

Virus Total Scan – New System

ZIP File:


Virus Total Scan – Urgent Security
Request

UPS Package Delivery Links

Confidential New System ZIP
File:


Urgent Security Request Links

Email Investigation and Identification of any Issues
I have studied the emails and will now present my findings; I
will discuss each email individually and separately.
Email 1 – UPS Package
Email 1 has some suspicious links which are being interrupted
by the firewall. When we advanced forward, we were presented with an unprotected
website.
Unprotected websites are dangerous because they can lead to
date theft, malware infections, and financial fraud by allowing hackers to
intercept your data and install harmful software on your device due to lack of
encryption. HTTP is dangerous because it lacks encryption, meaning data sent
between your browser and the server will be visible for the attackers which enables
eavesdropping, password theft, and malware injection. Unlike HTTPS, HTTP does
not verify server authenticity, making it easier for hackers to impersonate websites
and steal information.
Furthermore, I have noticed a spelling mistake in the email
address of the sender, “rechedule” which are initial signs of phishing emails.
They pose sever dangers, including identity theft, significant financial fraud
and data breaches. These emails frequently impersonate trusted entities such as
UPS and pushing users into revealing their credentials, downloading malware, or
even transferring funds.
Scanning the file on VirusTotal.com didn’t identify any
malware due to having no attachments in the email; nonetheless, it should be
reported to the appropriate authorities due to the lack of professionalism and
grammatical mistakes in the email, they should be deleted and possibly reported
accordingly to the company’s policy.
Recommended Action
Jordan should not interact with the links in the email. It should
be reported as a phishing email to the IT team at Linkchain Gaming and deleted appropriately.
The IP address should be blocked at the firewall level. These emails should
also be reported the organisation’s security operations team as a social
engineering attempt.
Email 2 – New System
Email 2 has a suspicious attachment containing a ZIP file
with a .txt extension, usually containing only plain text data, such as characters,
numbers, and symbols. However, they can pose significant dangers through disguised
extensions, vulnerabilities in the application used to open them, or
misconfigurations.
Running executables that are attached to emails is only
advisable if they are from a trusted source or have been scanned by a malware
program, and if from an unknown source, they should be deleted and possibly
reported accordingly.
I uploaded the ZIP file to VirusTotal.com, and the results
detailed that the ZIP file is found to be infectious by 58 vendors out of 68; the
main infection that was found was a Malicious Trojan. Trojan is a type of
malware that disguises itself as legitimate software and tricks users into
installing it on their devices. Once installed, it can perform malicious actions
such as stealing data, gaining remote access, or even installing further
malware.
VirusTotal.com pointed out that “EICAR Test File – NOT Virus”
are the most common malware reported by vendors. This could be a test run by
the Linkchain ops team, used to evaluate employee awareness and susceptibility
to cyber threats by sending safe, simulated phishing emails. These tests help
identify vulnerabilities and improve security posture by providing training to
employees who interact with the simulated emails.
Recommended Action
Jordan should not click or download any of the attachments
in the email and report it to the IT team so they can process it accordingly. It
is also important for him to report to the organisation’s security operations team
as a social engineering attempt.
Email 3 – Urgent Security
This email included links that do not work, as the IP
address can’t be found. However, we should remain aware that the link is not a
protected source, which can put the system at risk.
Unprotected websites are dangerous because they can lead to
data theft, malware infections, and financial fraud by allowing hackers to
intercept your data and install harmful software on your device due to the lack
of encryption.
Scanning the file on VirusTotal.com didn’t identify any
malware due to no attachment in the email; nonetheless, it should be reported
to the appropriate authorities due to the lack of professionalism and
grammatical mistakes in the email, they should be discarded and possibly
reported accordingly to company policies.
Recommended Action
Jordan should not click any links in this email. It should
be reported as phishing to the IT team and deleted. The IP address should be
blocked at the firewall level. This email should also be reported to the
organisation's security operations team as a social engineering attempt.
Legal/Security Recommendation
The government website provides information on the National
Cyber Security Centre, where they provide information, templates, checklists,
and advice for businesses in the UK to help prevent cyber-attacks and protect
digital infrastructure. This could prove beneficial to companies and
individuals like Jordan.
Summary of Email Threat
|
Email |
Threat
Type |
Key
Indicator |
Virus
Total |
Risk
Level |
|
Email
1 – UPS Package |
Phishing
/ Credential Harvesting |
Typo
in the email address alongside with unprotected website links |
0/63
malicious (No
attachment) |
CRITICAL |
|
Email 2 – New System |
Trojan |
Suspicious ZIP file with .txt extension |
58/68 Malware |
CRITICAL |
|
Email
3 – Urgent Security |
Phishing
/ Credential Harvesting |
Website
links can not be found |
0/63
phishing (No attachment) |
HIGH |
Part C
Asset/Device-Level Measures:
·
Perform
a full wipe and re-image of Jordan’s laptop to eliminate any hidden or
undetected compromises, including potential zero-day threats
·
Ensure
all malware scanners used within the business are updated to the latest
versions
·
Apply
operating system updates and patches across all devices to maintain security
compliance
·
Conduct
malware scans on all company assets to identify further infections
·
Re-image
any devices found to be compromised
·
Implement
operating systems and device hardening practices
·
Disable
macros on devices and within applications where they are not required
·
Deploy
email threat scanning solutions if not already in place
Network-Level Measures:
·
Enforce
group policy rules to block executable downloads and prevent users from running
non-whitelisted applications
·
Use
Wireshark to capture and analyse packets across all network segments for
suspicious activity
·
Review firewall logs
for traffic directed to unknown or suspicious websites.
·
Restrict
network traffic to only the necessary ports, blocking unused ones such as FTP
ports 20/21
·
Updated
Intrusion Detection (IDS) and Intrusion Prevention Systems (IPS) with the
latest signatures
Server & Log Analysis:
·
Review
all server log files to identify suspicious activity
·
Cross-reference
login records with staff time and attendance data to detect unauthorised access
attempts (e.g. logins when staff are not present)
Organisation-Level Measures:
·
Launch a
communications campaign to raise awareness about the risks of suspicious
emails, using newsletters and posters.
·
Provide
staff with cyber security awareness training, such as the NCSC’s training
modules.
·
Conduct
phishing simulations across the organisation to measure employee awareness and
tailor future training.
·
Create
a SharePoint site to serve as a central hub for cybersecurity resources and
guidance.
·
Audit
existing cybersecurity policies to ensure they comprehensively cover all
necessary areas.
Future Risk Reduction:
·
Schedule
weekly anti-virus scans across all assets as a minimum standard.
·
Consider
deploying a network behavioural analysis solution to continuously monitor traffic
and detect anomalies such as command-and-control (C2) activity.
·
Implement
advanced IPS solutions capable of blocking malware downloads based on signature
detection.
·
Adopt
a cloud-based email security solution to filter and block phishing attempts.
·
Introduce
a Data Loss Prevention (DLP) system to detect and quarantine unauthorised
attempts to transmit sensitive data outside the organisation.
·
Deploy
a Privileged Access Management (PAM) solution to control administrative
accounts and prevent privilege escalation.
Compliance & Risk Considerations:
·
Any
data exfiltration could result in violations of GDPR, PCI DSS, and
other regulatory frameworks.
·
Breaches
may lead to severe reputational damage, financial penalties, and legal
consequences.
·
Implementing
the above measures significantly reduces the risk of compromise and strengthens
the organisation’s overall security posture.
The
NCSC (National Cyber Security Centre) provides free guidance,
templates, and training resources for UK organisations at
ncsc.gov.uk, including the Cyber Essentials scheme, which provides a baseline
certification against the most common cyber threats. Achieving Cyber Essentials
certification would demonstrate a credible minimum-security posture
to clients and partners and is a requirement for some government contracts.
Conclusion
The evidence gathered during this investigation strongly
indicates that Jordan’s system has been subjected to a targeted, multi-vector
cyber-attack rather than a simple internal software fault. The attack involved
at least three distinct threat types: a Trojan delivered via a malicious ZIP
attachment (Email 2), a phishing attempt via a typo-squatted UPS domain leading
to an unprotected website (Email 1), and a credential harvesting attack via a
fake Linkchain Gaming admin panel page (Email 3). The Trojan identified in
Email 2 is the most likely primary cause of the system performance issues,
while Emails 1 and 3 represent significant ongoing threats to organisational
data security.
Effective remediation requires a layered response across
devices, the network, and the organisation's people and processes. The
implementation of MFA, Email Gateway security, endpoint protection, and
structured cyber awareness training, underpinned by regular vulnerability
scanning and incident response planning, will significantly reduce the risk of
a similar attack succeeding in the future. The NCSC's Cyber Essentials
framework provides a practical and cost-effective foundation upon which to
build a more robust security posture.
Comments
Post a Comment