Task 1 A 2

 

Assignment 2

Task 1

    

    

    

 


 

Contents

Part A. 2

Background. 2

Malware VS Applications Issues. 2

Cyber Attack. 2

Internal Software Problem.. 3

Types of Attacks. 4

Virus: 4

Trojan: 4

Worm: 4

How could this have occurred?. 5

Part B. 6

Investigation. 6

Email Investigation and Identification of any Issues. 11

Email 1 – UPS Package. 11

Email 2 – New System.. 12

Email 3 – Urgent Security. 13

Part C.. 14

Conclusion. 15

 

 


 

Part A

Background

Jordan is a junior developer who is new to the company. He works from home with very occasional travel to the office required to attend face-to-face meetings. He recently has been experiencing some issues with his laptop:

-          Applications take a long time to load and often freeze during operations

-          Network connectivity is intermittent when he’s working from home

-          Some downloaded files do not open

Following these issues, there may be several factors that may impact the user’s experience.

Malware VS Applications Issues

Application issues cause applications to freeze and/or exit with an application error. These errors are recorded in the event log on Windows with full details of the faulting application/module and details of the error, including an error code. Another possibility could be related to corrupted files or accidentally deleted folders. With such files being corrupted, basic computing processes could encounter errors and slower processing.

A corrupted file could occur during power outages or if an issue has occurred during the saving of a file or unexpected program termination.

Malware infections, on the other hand, attempt to be covert, so they do not want anything they do to be recorded in logs. They look to get access to a computer and attempt lateral movement, seeking a computer where they can escalate privileges. This then gives them access to an account with permissions that will allow them to download other exploits and gain control of servers, workstations, and other devices. They can also attempt other compromises, such as ransomware.

Cyber Attack

Review security alerts, firewall logs, and network traffic for unusual connections, particularly at odd hours. Viewing log file evidence is a source of information that highlights system activity and can be used to see if there are any errors in log files, for example.

Determine how access was gained, such as phishing emails, exploited vulnerabilities or compromised credentials. Vulnerabilities scanning is a useful source of information and can be used to verify vulnerabilities in a computer system. Areas that a vulnerability scan could identify include open ports, unneeded running services, poor system configurations and missing passwords.

Analyse malware, files, and system images to find traces left by the attacker. Network traffic analysers are used to view and monitor network activity that could identify rogue connections, IP addresses and any abnormal traffic flow, for example, the security section in Windows Event Viewer.

Internal Software Problem

-          Checking to see if the latest operating system and application software updates and patches have been applied. Windows Update is a good source of information which can informs us with the latest system update.

-          Uninstalling and reinstalling the software that has been affected can be a good measurement tool; if the issue is no longer present after the reinstall, then you found the source of the problem

-          Viewing Task Manager and system process information can highlight and system and hardware issues that may have been linked to the software performance, for example, hard drive issues, RAM problems and CPU problems.

-          Clean the registry, delete temporary files and remove installation files. Tools like CCleaner can be very efficient in achieving this and provide a good reporting feature to analyse results.

-          Check internal storage for unrecognised files and folders.

-          Check network configuration when accessing online services and data to gauge whether there are any unauthorised changes to the network settings. A useful command being “ipconfig/all” for the task.

In summary, a cyber-attack is the deliberate exploitation of a computer system and could affect the entire system. Whereas, an internal software problem could be on a much smaller scale, for example, one device, and the only real way to differentiate would be through an investigation.

To determine whether it’s a cyber-attack or an internal software problem at the root of the issue, the use of software will be required. After an investigation has been undertaken, there will be normally enough evidence to make a judgment on the root of the problem.

 


 

Types of Attacks

The current issue is most likely malware, such as virus, Trojan, or a Worm, because these types of infections are associated with issues such as applications running slower that they should be, programs freezing and not responding, and occasionally files are not opening, all of which are faced by Jordan.

Virus:

A virus attaches itself to legitimate executable files or documents, and self-replicates when those files are executed. It then spreads through the network or shared storage, often corrupting data and consuming system resources as it replicates. This directly explains file corruption and applications slowing down as mentioned by Jordan. It is also mentioned that Jordan often receives emails from colleagues and his line manager which contain attachments. He then directly downloads them onto his computer. This is a primary risk to malware infection, while common functional issues such as file corruption are then introduced.

Trojan:

A Trojan horse disguises itself as legitimate or useful software, often arriving bundled with freeware and malicious attachments. Once installed, it executes malicious code in the background, potentially opening a backdoor for remote access, stealing credentials, or even downloading further malware. It does not self-replicate but relies on social engineering to achieve installation. It is important for Jordan to carefully filter through his emails making sure that common read flags of phishing emails are been checked. These include poor spelling/grammar, and suspicious links and attachment. It is important to check the sender’s address to make sure that its legitimate and from a trusted source.

Worm:

A worm is a self-replicating malware that spreads autonomously across the network without requiring user interaction. It exploits system vulnerabilities to propagate, consuming significant bandwidth and processing resources. This could cause the widespread slowdowns within the network which would explain Jordan’s computer to slowdown, particularly if the computer is connected to the corporate network.

 

 


 

How could this have occurred?

Insufficient storage space or a fragmented hard drive. If the drive is nearly full, the system cannot allocate enough virtual memory, leading to freezes and slowdowns. These means cannot be written properly, causing programs to crash or fail to open files.

Outdates or corrupted drivers/software can affect performance. Old network drivers can slow down internet speeds or cause disconnections. New applications or OS updates may require updated drivers; without them, programs may crash or fail to open.

Suspicious attachments in the email may include malware such as spyware, ransomware or viruses. Malware consumes system resources, slowing down applications, and malicious code can corrupt files or interfere with drivers causing freezes and crashes

Spoofed sender addresses that look like trusted contacts. The goal is to deceive the recipient into believing the email is legitimate, lowering suspicion and increasing the chance they’ll open attachments or click malicious links.

 


 

Part B

Investigation

Successful login achieved; asked for user credentials to verify user, and after entering this, you can see the operating system is running in the following screenshots:

Email 1: UPS Package (Successfully Opened)

Email 2: New System (Successfully Opened)

Email 3: Urgent Security Request (Successfully Opened)

 

Virus Total Scan - Missed Package Delivery

Virus Total Scan – New System

ZIP File:

Virus Total Scan – Urgent Security Request

UPS Package Delivery Links

 

 

Confidential New System ZIP File:

Urgent Security Request Links

Email Investigation and Identification of any Issues

I have studied the emails and will now present my findings; I will discuss each email individually and separately.

Email 1 – UPS Package

Email 1 has some suspicious links which are being interrupted by the firewall. When we advanced forward, we were presented with an unprotected website.

Unprotected websites are dangerous because they can lead to date theft, malware infections, and financial fraud by allowing hackers to intercept your data and install harmful software on your device due to lack of encryption. HTTP is dangerous because it lacks encryption, meaning data sent between your browser and the server will be visible for the attackers which enables eavesdropping, password theft, and malware injection. Unlike HTTPS, HTTP does not verify server authenticity, making it easier for hackers to impersonate websites and steal information.

Furthermore, I have noticed a spelling mistake in the email address of the sender, “rechedule” which are initial signs of phishing emails. They pose sever dangers, including identity theft, significant financial fraud and data breaches. These emails frequently impersonate trusted entities such as UPS and pushing users into revealing their credentials, downloading malware, or even transferring funds.

Scanning the file on VirusTotal.com didn’t identify any malware due to having no attachments in the email; nonetheless, it should be reported to the appropriate authorities due to the lack of professionalism and grammatical mistakes in the email, they should be deleted and possibly reported accordingly to the company’s policy.

 

 

Recommended Action

Jordan should not interact with the links in the email. It should be reported as a phishing email to the IT team at Linkchain Gaming and deleted appropriately. The IP address should be blocked at the firewall level. These emails should also be reported the organisation’s security operations team as a social engineering attempt.

 

Email 2 – New System

Email 2 has a suspicious attachment containing a ZIP file with a .txt extension, usually containing only plain text data, such as characters, numbers, and symbols. However, they can pose significant dangers through disguised extensions, vulnerabilities in the application used to open them, or misconfigurations.

Running executables that are attached to emails is only advisable if they are from a trusted source or have been scanned by a malware program, and if from an unknown source, they should be deleted and possibly reported accordingly.

I uploaded the ZIP file to VirusTotal.com, and the results detailed that the ZIP file is found to be infectious by 58 vendors out of 68; the main infection that was found was a Malicious Trojan. Trojan is a type of malware that disguises itself as legitimate software and tricks users into installing it on their devices. Once installed, it can perform malicious actions such as stealing data, gaining remote access, or even installing further malware.

VirusTotal.com pointed out that “EICAR Test File – NOT Virus” are the most common malware reported by vendors. This could be a test run by the Linkchain ops team, used to evaluate employee awareness and susceptibility to cyber threats by sending safe, simulated phishing emails. These tests help identify vulnerabilities and improve security posture by providing training to employees who interact with the simulated emails.

Recommended Action  

Jordan should not click or download any of the attachments in the email and report it to the IT team so they can process it accordingly. It is also important for him to report to the organisation’s security operations team as a social engineering attempt.

 

 

 

Email 3 – Urgent Security

This email included links that do not work, as the IP address can’t be found. However, we should remain aware that the link is not a protected source, which can put the system at risk.

Unprotected websites are dangerous because they can lead to data theft, malware infections, and financial fraud by allowing hackers to intercept your data and install harmful software on your device due to the lack of encryption.

Scanning the file on VirusTotal.com didn’t identify any malware due to no attachment in the email; nonetheless, it should be reported to the appropriate authorities due to the lack of professionalism and grammatical mistakes in the email, they should be discarded and possibly reported accordingly to company policies.

Recommended Action

Jordan should not click any links in this email. It should be reported as phishing to the IT team and deleted. The IP address should be blocked at the firewall level. This email should also be reported to the organisation's security operations team as a social engineering attempt.  

Legal/Security Recommendation

The government website provides information on the National Cyber Security Centre, where they provide information, templates, checklists, and advice for businesses in the UK to help prevent cyber-attacks and protect digital infrastructure. This could prove beneficial to companies and individuals like Jordan.

Summary of Email Threat

Email 

Threat Type 

Key Indicator 

Virus Total 

Risk Level 

Email 1 – UPS Package 

Phishing / Credential Harvesting 

Typo in the email address alongside with unprotected website links 

0/63 malicious 

(No attachment)

CRITICAL 

Email 2 – New System 

Trojan 

Suspicious ZIP file with .txt extension  

58/68 Malware

CRITICAL

Email 3 – Urgent Security

Phishing / Credential Harvesting

Website links can not be found

0/63 phishing 

(No attachment)

HIGH

Part C

Asset/Device-Level Measures:

·         Perform a full wipe and re-image of Jordan’s laptop to eliminate any hidden or undetected compromises, including potential zero-day threats

·         Ensure all malware scanners used within the business are updated to the latest versions

·         Apply operating system updates and patches across all devices to maintain security compliance

·         Conduct malware scans on all company assets to identify further infections

·         Re-image any devices found to be compromised

·         Implement operating systems and device hardening practices

·         Disable macros on devices and within applications where they are not required

·         Deploy email threat scanning solutions if not already in place

Network-Level Measures: 

·         Enforce group policy rules to block executable downloads and prevent users from running non-whitelisted applications  

·         Use Wireshark to capture and analyse packets across all network segments for suspicious activity 

·         Review firewall logs for traffic directed to unknown or suspicious websites. 

·         Restrict network traffic to only the necessary ports, blocking unused ones such as FTP ports 20/21 

·         Updated Intrusion Detection (IDS) and Intrusion Prevention Systems (IPS) with the latest signatures 

Server & Log Analysis: 

·         Review all server log files to identify suspicious activity 

·         Cross-reference login records with staff time and attendance data to detect unauthorised access attempts (e.g. logins when staff are not present) 

Organisation-Level Measures: 

·         Launch a communications campaign to raise awareness about the risks of suspicious emails, using newsletters and posters. 

·         Provide staff with cyber security awareness training, such as the NCSC’s training modules. 

·         Conduct phishing simulations across the organisation to measure employee awareness and tailor future training. 

·         Create a SharePoint site to serve as a central hub for cybersecurity resources and guidance. 

·         Audit existing cybersecurity policies to ensure they comprehensively cover all necessary areas. 

Future Risk Reduction: 

·         Schedule weekly anti-virus scans across all assets as a minimum standard. 

·         Consider deploying a network behavioural analysis solution to continuously monitor traffic and detect anomalies such as command-and-control (C2) activity. 

·         Implement advanced IPS solutions capable of blocking malware downloads based on signature detection. 

·         Adopt a cloud-based email security solution to filter and block phishing attempts. 

·         Introduce a Data Loss Prevention (DLP) system to detect and quarantine unauthorised attempts to transmit sensitive data outside the organisation. 

·         Deploy a Privileged Access Management (PAM) solution to control administrative accounts and prevent privilege escalation. 

Compliance & Risk Considerations: 

·         Any data exfiltration could result in violations of GDPR, PCI DSS, and other regulatory frameworks. 

·         Breaches may lead to severe reputational damage, financial penalties, and legal consequences. 

·         Implementing the above measures significantly reduces the risk of compromise and strengthens the organisation’s overall security posture. 

 

The NCSC (National Cyber Security Centre) provides free guidance, templates, and training resources for UK organisations at ncsc.gov.uk, including the Cyber Essentials scheme, which provides a baseline certification against the most common cyber threats. Achieving Cyber Essentials certification would demonstrate a credible minimum-security posture to clients and partners and is a requirement for some government contracts. 

 

Conclusion

The evidence gathered during this investigation strongly indicates that Jordan’s system has been subjected to a targeted, multi-vector cyber-attack rather than a simple internal software fault. The attack involved at least three distinct threat types: a Trojan delivered via a malicious ZIP attachment (Email 2), a phishing attempt via a typo-squatted UPS domain leading to an unprotected website (Email 1), and a credential harvesting attack via a fake Linkchain Gaming admin panel page (Email 3). The Trojan identified in Email 2 is the most likely primary cause of the system performance issues, while Emails 1 and 3 represent significant ongoing threats to organisational data security. 

Effective remediation requires a layered response across devices, the network, and the organisation's people and processes. The implementation of MFA, Email Gateway security, endpoint protection, and structured cyber awareness training, underpinned by regular vulnerability scanning and incident response planning, will significantly reduce the risk of a similar attack succeeding in the future. The NCSC's Cyber Essentials framework provides a practical and cost-effective foundation upon which to build a more robust security posture.

 

Comments

Popular posts from this blog

OS A3 Task 1

OS A3 Task 2