8 Curious Cyber Attack Symptoms, What They Mean, and What to Do

The longer it takes to identify and contain a cyber breach, the more costly the breach becomes.

But don’t just take that from us: it comes from IBM. In its 2021 “Cost of a Data Breach” report, IBM found that it takes an average of 287 days to identify and contain a breach.

This raises an urgent question: would you know the tell-tale signs of a potential cyber attack?

If you’re unsure, stick around. We’re going to investigate 8 common cyber attack symptoms, what each might mean, and what you can do to minimise or mitigate each threat.

To avoid repeating ourselves throughout this article: if you believe you’ve fallen victim to any cyber attack, get in touch with an expert cyber security provider. If you’ve suffered a breach involving personal data that is likely to put people at risk, you must inform the ICO within 72 hours of becoming aware of it, even if you don’t have all the details yet. Follow the ICO’s breach-reporting instructions.

Unexpected Changes to Files or Data

What it Looks Like

This may take the form of files which have been moved, altered, deleted, or encrypted; data held in cloud tools (like your CRM) or other such databases that’s suddenly missing or scrambled; or backups that are mysteriously getting smaller for no good reason.

What it Might Mean

Direct changes to files can be an indicator of malware, with ransomware being a common culprit. In order to ramp up for a ransomware attack, hackers might also reduce or wipe out backups, so the victim has no way of recovering without paying the ransom.

If you find that data has been altered within a cloud software tool, this may indicate that either the tool itself has suffered a breach, or that a criminal has gained access to one of your logins and is having a field day with your data.

How to Deal With it

Start by running full antivirus scans and by changing all passwords, especially those directly relating to the files or software concerned. Change them from a device you know to be clean: if the affected machine is running a keylogger or remote access trojan, new passwords typed into it are stolen as soon as they are set. Enable multi-factor authentication on any related logins if available. Interrogate usage logs and network traffic to see if you can uncover what exactly has happened.

If you see changes to data within cloud tools, similarly interrogate any usage logs and raise a support ticket with the software provider to discuss the issue with them. In the case of unexpected changes to files stored locally, note that encrypting your own data does not stop ransomware from encrypting it again or an intruder with a stolen login from deleting it; what protects you in future is versioned backups kept offline or on immutable storage, plus file integrity monitoring that alerts on mass changes and shrinking backup sets.
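The file integrity check described above, as an added example that is not part of the original article: it takes a hashed baseline of a directory tree, diffs a later snapshot against it, and raises findings for the symptoms listed earlier (files replaced by copies with a ransomware-style extension, a large share of the baseline modified or removed, and a backup set that has shrunk). The sample tree, the `backups/` prefix, the extension list and the 50% thresholds are all constructed assumptions for the demo, not real signatures.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: illustrative extensions only, not a real ransomware signature list.
ENCRYPTED_SUFFIXES = (".locked", ".encrypted", ".crypt")


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large backups don't fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map POSIX-style relative path -> (sha256, size) for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): (file_digest(p), p.stat().st_size)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Paths added, removed, or whose hash/size changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def backup_shrinkage(baseline, current, prefix="backups/"):
    """Fraction by which total bytes under `prefix` shrank (0.0 if unchanged or larger)."""
    before = sum(size for p, (_, size) in baseline.items() if p.startswith(prefix))
    after = sum(size for p, (_, size) in current.items() if p.startswith(prefix))
    if before == 0:
        return 0.0
    return max(0.0, (before - after) / before)


def suspicious_findings(baseline, current, mass_threshold=0.5, shrink_threshold=0.5):
    """Turn a raw diff into the handful of findings an analyst actually wants to see."""
    findings = []
    d = diff_snapshots(baseline, current)
    for p in d["added"]:
        if p.endswith(ENCRYPTED_SUFFIXES):
            findings.append(f"new file with ransomware-style extension: {p}")
    mass = len(d["modified"]) + len(d["removed"])
    if baseline and mass / len(baseline) >= mass_threshold:
        findings.append(f"{mass} of {len(baseline)} baseline files modified or removed")
    shrink = backup_shrinkage(baseline, current)
    if shrink >= shrink_threshold:
        findings.append(f"backup set shrank by {shrink:.0%}")
    return findings


def demo():
    """Constructed scenario: baseline a small tree, then simulate ransomware and a wiped backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "backups").mkdir()
        (root / "docs" / "a.txt").write_text("quarterly figures")
        (root / "docs" / "b.txt").write_text("customer list")
        (root / "backups" / "full.bak").write_bytes(b"\x00" * 10_000)
        baseline = snapshot(root)

        # Simulate the attack: originals replaced by encrypted copies, backup cut to 10%.
        for name in ("a.txt", "b.txt"):
            (root / "docs" / name).unlink()
            (root / "docs" / f"{name}.locked").write_bytes(os.urandom(32))
        (root / "backups" / "full.bak").write_bytes(b"\x00" * 1_000)
        current = snapshot(root)
        return diff_snapshots(baseline, current), suspicious_findings(baseline, current)


if __name__ == "__main__":
    diff, findings = demo()
    print(diff)
    for f in findings:
        print("FINDING:", f)
```

Run the baseline on a schedule and keep it somewhere the monitored host cannot write to; a baseline stored alongside the files it protects is the first thing ransomware encrypts.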

Unusual Traffic Patterns or Volumes

What it Looks Like

You may notice traffic coming into your network from a single, unknown IP address or location. On the other hand, large amounts of data could be leaving your network for some mysterious, yet specific, destination. Alternatively, traffic could be flowing around inside your network in unusual “lateral” ways.

In order to hide their tracks, hackers sometimes use under-supervised networked devices like IoT devices or printers to gain a foothold into a network, so pay attention to any odd traffic surrounding endpoints like these.

What it Might Mean

Malware like ransomware and persistent threats often move laterally across networks to try and infect as many endpoint devices as possible. Hackers also use lateral movement to uncover vital data and assets to steal or ransom.

Unusual incoming traffic may indicate that a piece of malware is making its merry way across your network, or that a hacker has gained access to your network and is poking around gathering cyber-intel. Neither is good news.

Unusual outgoing traffic can indicate data theft, especially if large volumes flow from data repositories like servers and PCs to a single external destination you don’t recognise.

How to Deal With it

If you have the means to block any suspicious IP addresses connecting to your network, block them immediately. Disconnect any affected machines from the internet and run antimalware scans. Seek IT security help right away.

Sudden Sluggishness, Crashes, or Other Odd Behaviour

What it Might Mean

Sluggishness, crashes, and shutdowns could indicate malware, including advanced persistent threats. If the strange behaviour relates to a specific provider’s tech, it may point to a supply-chain attack of some kind.

Your mouse or keyboard seemingly gaining a life of their own and carrying out meaningful, intentional actions could indicate a RAT. Remote access trojans allow hackers to remotely view and control your device. Even IoT devices aren’t safe: if they start acting strangely, this could indicate some kind of IoT malware.

How to Deal With it

If you experience any sudden changes in device behaviour, and especially if you suspect a RAT sniffing around, disconnect any affected devices from the internet immediately, run antimalware scans, and call in the experts.

IoT malware usually lives only in RAM – the device’s temporary working memory – so power-cycling the device will generally clear the malicious code. However, that doesn’t stop your IoT device(s) from being reinfected, often within minutes, if whatever let the malware in is still there: a default or weak password, an exposed management port, or unpatched firmware. Change the credentials and update the firmware before reconnecting. If reinfections occur or abnormal network activity springs up around IoT devices, unplug them and call in some IT security assistance, ASAP.

Traffic Moving Across Non-Standard or Unused Ports

What it Looks Like

Ports are the numbered endpoints that tell a receiving host which service a connection is meant for – you can think of them like lanes on a motorway. By convention each service uses a well-known port: secure web traffic (HTTPS) uses port 443 and mail submission (SMTP) uses port 587. But it is only a convention: any program can listen on, or connect out to, any port, and the port number alone tells you nothing about what protocol is really running over it.

Security tooling pays most attention to the well-known ports, so hackers often put their traffic where it will be ignored or will blend in – a remote shell listening on a high, unused port, data sent to an external host on a port your firewall never expected to see in use, or command-and-control traffic tunnelled over 443 so that it looks like ordinary HTTPS.

What it Might Mean

Unusual outgoing traffic of any kind can indicate that data is being stolen – either to sell it or leak it; or as part of a ransomware threat. Incoming traffic may hint at hackers carrying out pre-attack recon, a ransomware infection attempt, or a simple hunt for something valuable to steal or extort for cash.

How to Deal With it

The solution here is fairly simple – close any unused or non-standard ports at your firewall, deny all outbound traffic by default, and allow only the ports each system genuinely needs. Because a port number doesn’t guarantee which protocol is using it, use application-aware inspection where your firewall supports it rather than trusting the port alone. Ensure that all ports in use are being logged by your firewall and block any suspicious IP addresses involved in the attack. If you use an intrusion prevention system, carefully look at its logs, because it’s clearly not doing its job!

However, this won’t magically undo any damage done by having previously open ports.

If you suspect foul play, monitor your traffic, run antimalware scans, and get on the blower to your security provider right away.
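The traffic checks described in this section and in “Unusual Traffic Patterns or Volumes” above, as an added example that is not part of the original article: it parses a constructed set of flow records (source, destination, destination port, bytes out) and applies three rules – an internal host sending far more to the outside than its peers, a single source touching many internal hosts (external recon or internal lateral movement), and outbound connections on ports not in the egress allowlist. The record format, the RFC 1918 definition of “internal”, the allowlist and the thresholds are assumptions for the demo; real deployments would read NetFlow or firewall logs instead.

```python
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Assumption: "internal" means the RFC 1918 private ranges.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: example egress allowlist (DNS, HTTP, HTTPS, mail submission).
ALLOWED_EGRESS_PORTS = {53, 80, 443, 587}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(lines):
    """Parse 'src dst dport bytes' records (constructed format); skips blanks and comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes = line.split()
        flows.append(Flow(src, dst, int(dport), int(nbytes)))
    return flows


def egress_outliers(flows, factor=10):
    """Internal hosts whose outbound bytes to external hosts exceed factor x the median host."""
    per_host = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            per_host[f.src] += f.bytes_out
    if len(per_host) < 2:
        return {}
    median = statistics.median(per_host.values())
    return {h: v for h, v in per_host.items() if v > factor * median}


def fan_out(flows, threshold=10):
    """Sources that touched at least `threshold` distinct internal hosts: scanning or lateral movement."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f.dst):
            targets[f.src].add(f.dst)
    return {s: len(t) for s, t in targets.items() if len(t) >= threshold}


def off_allowlist_egress(flows):
    """Outbound (internal -> external) connections on ports the allowlist does not permit."""
    return sorted({
        (f.src, f.dst, f.dport)
        for f in flows
        if is_internal(f.src) and not is_internal(f.dst) and f.dport not in ALLOWED_EGRESS_PORTS
    })


# Constructed sample, not real traffic: four normal workstations, one exfiltrating host
# (10.0.1.20) that also sweeps RDP across 10.0.2.0/24, and an outside scanner hitting SMB.
SAMPLE = "\n".join(
    [
        "# src dst dport bytes",
        "10.0.1.10 142.250.74.36 443 120000",
        "10.0.1.11 142.250.74.36 443 95000",
        "10.0.1.12 104.16.0.1 443 80000",
        "10.0.1.13 104.16.0.1 80 50000",
        "10.0.1.20 203.0.113.77 443 4800000000",
        "10.0.1.20 203.0.113.77 8443 15000000",
    ]
    + [f"198.51.100.9 10.0.1.{i} 445 60" for i in range(1, 13)]
    + [f"10.0.1.20 10.0.2.{i} 3389 900" for i in range(1, 11)]
)


def analyse(lines):
    flows = parse_flows(lines)
    return {
        "egress_outliers": egress_outliers(flows),
        "fan_out": fan_out(flows),
        "off_allowlist": off_allowlist_egress(flows),
    }


if __name__ == "__main__":
    for rule, hits in analyse(SAMPLE.splitlines()).items():
        print(f"{rule}: {hits}")
```

The median-based volume rule is deliberately relative: a host that sends ten times what its peers send is worth a look whatever the absolute number, and it avoids having to tune a bytes threshold per site.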

Unusual Login Activity or Login Attempts

What it Looks Like

If your team only logs in to your IT at a set time and from a set location, then any kind of login activity outside of that usual pattern should be treated as potentially suspicious. For example, if you’re based in Huddersfield and operate between 8am and 6pm, an attempt to log in to your accounting software from Budapest at 3am is clearly suspicious.

What it Might Mean

Lots of unsuccessful login attempts against one account may imply a brute-force attack, where hackers automatically hurl thousands of passwords at a login screen until something works. A small number of failures spread across many different accounts from the same source is the signature of “password spraying”, where the attacker tries a handful of common passwords against every username they know, staying below the lockout threshold for each one.

A successful login from a strange time or location is considerably more worrying. It means that the hacker had the password – guessed, phished, or reused from a breach elsewhere – or was able to get around whatever other protection was in place.

How to Deal With it

For good measure, all of that tool’s users should change their passwords, especially users whose accounts were threatened or breached. If Multi-Factor Authentication is available for that login, implement it immediately. Interrogate usage logs, block any suspect IP address(es), invalidate other logged in sessions. Raise a ticket with the software provider if applicable.
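The login patterns described in this section, as an added example that is not part of the original article: it parses constructed authentication log lines and separates brute force (many failures against one account from one source) from password spraying (few failures each against many accounts from one source), and flags successful logins outside business hours or from an unexpected country – the Budapest-at-3am case above. The log format, the 08:00–17:59 working day, the expected country and the thresholds are assumptions for the demo; timestamps are treated as local time.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format: one event per line (assumption, not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<country>\S+) result=(?P<result>OK|FAIL)$"
)
BUSINESS_HOURS = range(8, 18)   # assumption: 08:00 to 17:59 local time
EXPECTED_COUNTRIES = {"GB"}     # assumption: staff normally log in from the UK


def parse_auth(lines):
    """Parse log lines into dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def brute_force(events, min_failures=8):
    """(src, user) pairs with at least `min_failures` failed attempts."""
    fails = Counter((e["src"], e["user"]) for e in events if e["result"] == "FAIL")
    return {k: n for k, n in fails.items() if n >= min_failures}


def password_spray(events, min_users=5, max_per_user=3):
    """Sources with low-rate failures against many distinct accounts: the spraying pattern."""
    per_src = defaultdict(Counter)
    for e in events:
        if e["result"] == "FAIL":
            per_src[e["src"]][e["user"]] += 1
    hits = {}
    for src, users in per_src.items():
        low_rate = [u for u, n in users.items() if n <= max_per_user]
        if len(low_rate) >= min_users:
            hits[src] = len(low_rate)
    return hits


def anomalous_logins(events):
    """Successful logins outside business hours or from an unexpected country, with reasons."""
    out = []
    for e in events:
        if e["result"] != "OK":
            continue
        reasons = []
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("out-of-hours")
        if e["country"] not in EXPECTED_COUNTRIES:
            reasons.append(f"country={e['country']}")
        if reasons:
            out.append((e["user"], e["src"], reasons))
    return out


# Constructed sample: two normal logins, a brute force on carol, a spray over six accounts,
# and a successful 03:14 login for alice from the spraying source.
SAMPLE_LOG = "\n".join(
    [
        "2024-03-12T09:02:11 user=alice src=81.2.69.160 country=GB result=OK",
        "2024-03-12T09:05:40 user=bob src=81.2.69.160 country=GB result=OK",
    ]
    + [f"2024-03-12T10:00:{i:02d} user=carol src=198.51.100.23 country=US result=FAIL" for i in range(10)]
    + [
        f"2024-03-12T11:00:{i:02d} user={u} src=203.0.113.5 country=NL result=FAIL"
        for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
    ]
    + ["2024-03-12T03:14:00 user=alice src=203.0.113.5 country=HU result=OK"]
)


if __name__ == "__main__":
    ev = parse_auth(SAMPLE_LOG.splitlines())
    print("brute force:", brute_force(ev))
    print("password spray:", password_spray(ev))
    print("anomalous logins:", anomalous_logins(ev))
```

The spray rule deliberately ignores sources that hammer a single account, and the brute-force rule ignores sources that spread their attempts thinly, so each finding points at a different response: lock and reset one account versus blocking a source and checking every account it touched.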

Bear in mind that any successful intrusion may embolden criminals to try and breach your company’s privacy further. If you’re in any doubt, reach out to your friendly, neighbourhood cyber security provider!

Unexpected Password Changes or “Forgotten Password” Attempts

What it Looks Like

This could be as simple as coming into work one day, going to log in to something, only to find that your password has been changed without your knowledge. Alternatively, depending on the solution in question, you may have received a handful of verification emails or messages stating that a change of password has been requested.

What it Might Mean

If a password on a network server, a crucial cloud storage repository, or a router has been changed, then that’s understandably a massive cause for concern. Breaches involving CRMs and accounting software are also incredibly worrying due to the sensitive nature of that data.

If a password to a cloud productivity tool (like Office 365) has been compromised, then that user’s email address is also likely compromised, along with all of the worrying implications of access to sensitive company information.

How to Deal With it

If you are able to log in, choose the option to log out of all other devices/sessions, immediately change all passwords, and implement MFA – ASAP. If you aren’t able to log in to an account that contains sensitive information, raise the issue with the software provider and the ICO as a matter of urgency.

If something highly critical like a network server, a router, or a firewall has been breached, then you likely need security experts in your corner – and quickly!

Mysterious Endpoint Software, Processes, or Settings Changes

What it Looks Like

If a PC, smartphone, or other endpoint device suddenly has new software installed; new processes or Windows services running in the background; or their settings changed with no input from the user, then this could indicate a cyber incident.

What it Might Mean

This is all textbook malware behaviour. It could be any kind of malware you care to mention – worms, trojans, keyloggers, RATs, and ransomware are all possibilities.

How to Deal With it

Firstly, disconnect any affected devices from the network and the internet (including WiFi). Then, run any available antimalware scans. On your remaining “clean” machines, be sure to run any outstanding software updates so that the malware can’t spread through known vulnerabilities that a patch already fixes.

The users of the infected devices should use a different, safe, internet enabled device to access any logged in accounts on those infected machines and log out of all other sessions.

If your virus scans find malware, then use their tool to remove or mitigate the threat. If the virus scans come up clean, don’t assume the machine is clean: the malware may simply be too new for your scanner to recognise, or may have got in through a zero-day – a vulnerability the vendor has not yet patched. Check in with your software vendors and investigate cyber security news outlets online for any hints of new malware doing the rounds.

Also, if you’re able, take a look at your recent network traffic. Are you able to see how the malware has entered your network or moved across it at all? If in any doubt, call a cyber security expert for help.

Mysterious Server Software, Processes, or Settings Changes

What it Looks Like

Finding new, surprising changes on endpoint devices is bad enough, but what do you do if you find new, unexpected processes, software, or settings on a server?!

What it Might Mean

As with the endpoint instance above, mysterious changes to a server can also indicate a malware infection. But servers are often the data backbone of a network, so an infected server is a particularly dire predicament.

How to Deal With it

If you’re able, disconnect the affected server from the network and internet immediately, but don’t wipe it or power it off before the evidence has been preserved – logs and memory are what tell you how the attacker got in. If you are unsure how long the erroneous software has been present, don’t be tempted to simply reinstate your server from the latest backup – the backup may be infected too. Restore only from a backup you can show was taken before the compromise began.

Servers tend to house an organisation’s juiciest data and handle its most critical operations, so you need cyber security maestros in your corner ASAP.

Would you be able to identify unusual traffic, suspicious processes, or non-standard port activity? If not, then you need a crack cyber security team to monitor your network and keep you safe.

Whether you need a new firewall, multi-factor authentication, hands-free network monitoring, or urgent incident response the Just Firewalls and/or Just Cyber Security teams will be able to help!

Book a discovery call with the team today!