
Executive summary
Attackers aren’t winning with “new magic.” They keep exploiting the same high-yield entry points—email and identity, exposed edge devices, cloud/API misconfig, and software supply chain gaps—now supercharged by AI for scale and realism. Below is a prioritized, technical breakdown of the top attack vectors, how they work, what to watch for, and exact controls that actually move risk.
The top attack vectors (ranked)
- Phishing, BEC & Deep-fake Social Engineering
- How it lands: Realistic emails/chats/calls (now AI-written/voiced), domain look-alikes, payment instruction changes, QR-phish.
- TTPs: HTML smuggling, OAuth consent phishing, mailbox-rule abuse, MFA push fatigue, thread hijacking.
- First indicators: New forwarding rules; impossible-travel logins; unusual vendor bank updates; spikes in OAuth “consent” grants.
- Controls that work:
- Phishing-resistant MFA (FIDO2/WebAuthn), number-matching for push.
- DMARC/DKIM/SPF enforcement, MTA-STS/TLS-RPT; high-risk payments require out-of-band voice verification.
- OAuth app governance (disable user-consent except approved apps).
- User simulations + just-in-time banners (“External sender”, “Domain look-alike”).
- Credential Attacks & Session Theft
- How it lands: Password reuse → credential stuffing; OTP bots; session cookie theft via reverse-proxy phish (Evilginx-style); stale long-lived tokens.
- TTPs: MFA fatigue spam; token replay; refresh-token abuse; residential proxies to mimic geolocation.
- Controls:
- Passwordless (FIDO2), conditional access + device posture.
- Short-lived tokens, DPoP/token binding where supported; Secure/HttpOnly/SameSite=strict cookies; per-request step-up for sensitive actions.
- Kill-switch for mass token revocation; impossible-travel + session-age detection.
- Unpatched Internet-Facing Services (VPN/ESB/WAF/Gateway/FTPs)
- How it lands: RCE/dir-traversal on edge appliances, deserialization bugs, auth-bypass in portals; mass scanning + one-day exploit drops.
- Indicators: Sudden config changes on appliances; new admin accounts; spikes in outbound traffic from edge boxes.
- Controls:
- External Attack Surface Management (EASM) inventory + KEV/EPSS-based patch SLAs (patch edge first).
- Virtual patching (WAF) while scheduling maintenance; no direct internet admin; backup/restore tested.
- Cloud & IaC Misconfiguration
- How it lands: Public buckets, *:* IAM policies, over-permissive roles, exposed access keys in repos, open security groups, forgotten test tenants.
- Indicators: Anonymous object access; unusual AssumeRole; spikes in List/GetObject or KMS decrypt.
- Controls:
- Least-privilege by design (SCPs/permission boundaries); CloudTrail/Audit Logs immutable.
- IaC scanning (Checkov/tfsec), drift detection, guardrails (OPA/Gatekeeper).
- Secrets management (Vault/KMS), key rotation, block public by default (e.g., S3 Block Public Access).
- API Abuse (IDOR/BOLA, Broken Auth, Mass Assignment)
- How it lands: Mobile/web/API clients call object IDs directly; missing object-level authorization; verbose error leaks; lack of rate limits.
- Indicators: High 403/404 → 200 patterns; enumeration of incremental IDs; excessive PATCH/PUT with unexplained fields.
- Controls:
- AuthZ at object level (user-to-object checks in the service, not just gateway).
- Strict schemas (OpenAPI), allow-listing fields; mTLS for service-to-service; rate limiting + anomaly detection.
- Software Supply Chain (Dependencies & CI/CD)
- How it lands: Typosquatting packages, dependency confusion, compromised maintainer accounts, malicious post-install scripts; stolen CI tokens.
- Indicators: New dependency with tiny download history; unsigned releases; CI pulling from public instead of internal mirror; unexpected “preinstall” runs.
- Controls:
- SBOMs (CycloneDX/SPDX) on every build; signature verification (Sigstore/Cosign).
- Lockfiles/allow-lists, private registries/mirrors; no plaintext CI secrets; short-lived OIDC tokens.
- Policy: block builds when SBOM or signatures are missing.
- RDP/VPN Exposure & Initial Access Brokers
- How it lands: Open RDP, weak VPN creds; bought access from brokers.
- Controls: Close RDP to internet; geo/IP-restrict, FIDO2 on VPN; PAM for admin access; continuous dark-web monitoring for creds.
- Living-off-the-Land (LotL) & C2 over Encrypted Channels
- How it lands: PowerShell/WMIC, PsExec, rundll32, LOLBins; C2 via HTTPS/DoH/WebSockets; exfil to cloud drives or Telegram.
- Indicators: Signed tools doing unusual things; JA3/JA4 TLS fingerprints not seen before; DNS/HTTP beacons with regular jitter.
- Controls:
- Constrained PowerShell + AMSI, block known LOLBins; command-line auditing.
- Egress control (DNS/HTTP categories), TLS fingerprinting baselines; UEBA for process-tree anomalies.
- Mobile/Payment Fraud (esp. India)
- How it lands: App overlays, screen-sharing “support,” QR/UPI scams, APK sideloads, SIM swap.
- Controls: App hardening; Play Integrity/DeviceCheck; in-app warnings for screen sharing; bank callback for high-value UPI changes; user education in local languages.
- AI-Related Vectors (new but rising)
- Prompt injection & tool hijack in LLM apps; model/data poisoning; sensitive data leakage via AI integrations; deepfake voice for approvals.
- Controls:
- Model isolation & least-privilege tools, retrieval allow-lists, output filtering.
- Red-teaming prompts, training data provenance, audit logs of model/tool actions.
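
The object-level authorization and field allow-listing controls from the API Abuse item above, shown as a weak update handler beside a hardened one. This is an added example, not code from the original post; the invoice store, user names and function names are constructed for illustration.

```python
# Constructed in-memory records standing in for a database table.
INVOICES = {
    101: {"owner_id": "alice", "memo": "Q1 retainer", "amount": 500, "approved": False},
    102: {"owner_id": "bob", "memo": "Q2 retainer", "amount": 900, "approved": False},
}
# Allow-list of client-editable fields and their types; all else is server-controlled.
EDITABLE_FIELDS = {"memo": str}


class Forbidden(Exception):
    """Caller may not act on this object (or it does not exist)."""


class BadRequest(Exception):
    """Body contains fields or types outside the schema."""


def update_invoice_weak(user_id, invoice_id, body):
    # Weak: the caller is authenticated, but there is no user-to-object check
    # (BOLA/IDOR) and every client-supplied field is merged (mass assignment).
    return {**INVOICES[invoice_id], **body}


def update_invoice(user_id, invoice_id, body):
    invoice = INVOICES.get(invoice_id)
    # Object-level authZ in the service. Missing and foreign objects get the
    # same error so responses do not reveal which IDs exist.
    if invoice is None or invoice["owner_id"] != user_id:
        raise Forbidden("not found or not permitted")
    # Schema enforcement: reject unknown fields instead of silently dropping
    # them, so probing shows up as 4xx responses in the logs.
    unexpected = sorted(set(body) - set(EDITABLE_FIELDS))
    if unexpected:
        raise BadRequest(f"unexpected fields: {unexpected}")
    for field, value in body.items():
        if not isinstance(value, EDITABLE_FIELDS[field]):
            raise BadRequest(f"wrong type for {field}")
    return {**invoice, **body}
```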
Detection ideas (fast wins)
- Identity: Alert on MFA push bursts, OAuth consent to new multi-tenant apps, risky sign-ins without device posture.
- Email: Creation of mailbox rules; external sender replying within internal threads (thread hijack).
- Cloud: Public object creation; wildcard IAM; first-time KMS decrypt for a principal; sudden spike in cross-region data egress.
- Endpoints: PowerShell spawning rundll32/regsvr32; LOLBins contacting unfamiliar domains; JA3 seen <N times historically.
- APIs: Excessive GET to sequential IDs; POSTs with unexpected fields; tokens used from new ASN/continent.
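
The API detection above (sequential IDs, plus the 403/404 → 200 pattern from the API Abuse indicators) written as logic over access-log lines. This is an added example, not from the original post; the log layout, sample lines and the min_run threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines; assumed layout: timestamp client method path status
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 203.0.113.7 GET /api/v1/orders/1000 403
2025-01-10T09:00:01Z 203.0.113.7 GET /api/v1/orders/1001 403
2025-01-10T09:00:02Z 203.0.113.7 GET /api/v1/orders/1002 404
2025-01-10T09:00:02Z 198.51.100.4 GET /api/v1/orders/4411 200
2025-01-10T09:00:02Z 203.0.113.7 GET /api/v1/orders/1003 403
2025-01-10T09:00:03Z 203.0.113.7 GET /api/v1/orders/1004 200
2025-01-10T09:00:03Z 198.51.100.4 GET /api/v1/orders/4411 200
2025-01-10T09:00:03Z 203.0.113.7 GET /api/v1/orders/1005 403
2025-01-10T09:00:04Z 203.0.113.7 GET /api/v1/orders/1006 200
2025-01-10T09:00:09Z 198.51.100.4 GET /api/v1/orders/87 200
"""
LINE = re.compile(r"^(\S+) (\S+) (GET|PUT|PATCH|POST|DELETE) (/\S*?)/(\d+) (\d{3})$")


def longest_sequential_run(ids):
    """Longest run of consecutive integers among the distinct IDs requested."""
    ordered = sorted(set(ids))
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(lines, min_run=5):
    """Flag (client, resource) pairs that walk a range of object IDs."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            _ts, client, _method, resource, obj_id, status = m.groups()
            hits[(client, resource)].append((int(obj_id), int(status)))
    findings = []
    for (client, resource), seen in hits.items():
        run = longest_sequential_run([i for i, _ in seen])
        if run < min_run:
            continue
        statuses = [s for _, s in seen]
        denied = sum(s in (403, 404) for s in statuses)
        first = next((n for n, s in enumerate(statuses) if s in (403, 404)), None)
        findings.append({"client": client, "resource": resource, "run": run,
                         "denied": denied,
                         "hit_after_denied": first is not None and 200 in statuses[first:]})
    return findings
```

A finding with hit_after_denied set is the higher-priority case: the client was refused on some objects and then read others in the same range, which points at missing object-level authorization on those records.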
Incident response: 24-hour playbook (condensed)
Hour 0–1: Declare P1; isolate endpoints; freeze CI/CD; revoke suspicious tokens; block IOCs at DNS/WAF/EDR; preserve volatile evidence.
Hour 1–6: Scope users/systems; check edge appliances & last deploy; rotate secrets/keys; enable heightened EDR/WAF rules; stakeholder comms.
Hour 6–24: Patch exploited paths; remove persistence; restore from signed, SBOM-verified images; custom detections for seen TTPs; brief customers if needed.
Hardening checklist (what measurably reduces incidents)
- Identity: FIDO2 for admins + finance; risky sign-in policies; session-age limits; mass-revocation button.
- Email & Payments: DMARC p=reject; MTA-STS; mandatory call-backs for vendor bank changes ≥₹X.
- Edge & Patch: KEV-driven patching; external surface inventory; block admin panels from internet.
- Cloud: SCP guardrails; IaC scanning in PR; S3 block-public; key rotation & secret vaults.
- APIs: Object-level authZ, schema enforcement, rate limits, mTLS.
- Supply chain: SBOM + Sigstore; allow-listed registries; CI OIDC with least privilege.
- Detection: Baseline TLS fingerprints; UEBA; mailbox-rule & OAuth app alerts.
- Process: Tabletop exercises; after-action items mapped to backlog epics.
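
For the cloud item above (IaC scanning in PR, and the wildcard IAM policies named among the vectors), a check over AWS IAM policy JSON that could run on changed policy documents. This is an added example, not from the original post and not a replacement for Checkov/tfsec; both sample policies, their Sids and the bucket names are constructed.

```python
def _as_list(value):
    """IAM allows a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (sid, reason) pairs for Allow statements that are too broad."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{idx}]")
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        any_resource = "*" in _as_list(st.get("Resource"))
        if any_resource and any(a in ("*", "*:*") for a in actions):
            findings.append((sid, "all actions on all resources"))
        elif any_resource and any(a.endswith(":*") for a in actions):
            findings.append((sid, "service-wide wildcard on all resources"))
        if any_resource and "NotAction" in st:
            findings.append((sid, "NotAction with Resource * allows everything not listed"))
        # Resource policies (e.g. bucket policies): anonymous principal.
        principal = st.get("Principal")
        is_public = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if is_public and "Condition" not in st:
            findings.append((sid, "anonymous principal without a Condition"))
    return findings


# Constructed sample policies.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "S3All", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-logs/*"},
]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"}}
```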
MITRE ATT&CK mapping (quick)
- Initial Access: Phishing (T1566), Valid Accounts (T1078), Exploit Public-Facing App (T1190), Supply Chain (T1195).
- Execution & Persistence: PowerShell (T1059.001), Scheduled Task (T1053), Office Macros (T1566.001/TA0002).
- Privilege Escalation / Defense Evasion: Token Impersonation (T1134), Obfuscated/Compressed Files (T1027).
- C2 & Exfil: Encrypted Channel (T1573), Exfil to Cloud Storage (T1567.002), DNS/DoH (T1071.004).
What to do this week
- Turn on FIDO2 for admins and finance; enforce number-matching for the rest.
- Inventory + patch: fix KEV items on internet-facing systems first.
- Lock OAuth: disable user consent; register only approved apps.
- Enable mailbox-rule/OAuth alerts and impossible-travel.
- Require SBOM + signature in CI; block unsigned builds.
- Create a one-click token kill-switch and CI/CD freeze capability.
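
A build gate in the same spirit as the CI item above, covering the supply-chain indicators listed earlier (CI pulling from public instead of the internal mirror, unexpected install scripts): it audits an npm package-lock.json (lockfileVersion 2 or 3) before install. This is an added example, not from the original post; the mirror hostname, the script allow-list and every package in the sample lockfile are constructed assumptions.

```python
from urllib.parse import urlparse

ALLOWED_HOSTS = {"npm.mirror.internal.example"}   # assumption: your internal mirror
SCRIPT_ALLOWLIST = {"acme-native"}                # assumption: reviewed packages


def audit_lockfile(lock):
    """Return (package, reason) pairs that should fail the build."""
    violations = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):        # root project / workspace links
            continue
        name = path.split("node_modules/")[-1]    # handles nested and scoped names
        resolved = meta.get("resolved")
        host = urlparse(resolved).hostname if resolved else None
        if host not in ALLOWED_HOSTS:
            violations.append((name, f"resolved from {host or 'unknown source'}"))
        if not meta.get("integrity"):
            violations.append((name, "no integrity hash"))
        # npm records hasInstallScript for pre/post/install lifecycle scripts.
        if meta.get("hasInstallScript") and name not in SCRIPT_ALLOWLIST:
            violations.append((name, "install script not on allow-list"))
    return violations


# Constructed lockfile fragment (already parsed with json.load in real use).
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "billing-service", "version": "1.0.0"},
    "node_modules/acme-http": {
        "version": "1.4.0",
        "resolved": "https://npm.mirror.internal.example/acme-http/-/acme-http-1.4.0.tgz",
        "integrity": "sha512-CONSTRUCTED"},
    "node_modules/acme-httpp": {
        "version": "0.0.1",
        "resolved": "https://registry.npmjs.org/acme-httpp/-/acme-httpp-0.0.1.tgz",
        "integrity": "sha512-CONSTRUCTED", "hasInstallScript": True},
    "node_modules/@acme/utils": {
        "version": "2.1.0",
        "resolved": "https://npm.mirror.internal.example/@acme/utils/-/utils-2.1.0.tgz"},
}}
```

In a pipeline, exit non-zero when audit_lockfile returns anything, and run the install step with lifecycle scripts disabled for packages that are not on the allow-list.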