AppSec Playbook 2023: Study of 829M Attacks on 1,400 Websites

The total number of 61,000 open vulnerabilities, including 1,700 critical ones that have been open for 180+ days, exposes businesses to potential attacks.

DARKReading

Indusface’s research on 1,400+ Web apps, mobile apps, and APIs revealed that open vulnerabilities remain cybercriminals’ most significant attack vector.

According to the report, 829 million attacks were blocked on the AppTrana WAF in the fourth quarter of 2022, a 79% increase from the third quarter.

The alarming finding is that 61,713 open vulnerabilities were found, a 50% jump from the third quarter. The number of open vulnerabilities directly relates to the increase in threat actors.

How can you protect these applications? The best option is to fix known vulnerabilities using virtual patching at the WAF level while blocking attacks.

Critical Vulnerabilities Found on Applications

While any vulnerability carries a risk to your business, here are the top 10 high/critical vulnerabilities that hackers attempted to exploit during the fourth quarter of 2022:

  • Server-side request forgery
  • HTML injection
  • Cross-site scripting (XSS)
  • TLS/SSL server certificate will expire soon
  • Script source code disclosure
  • SQL injection
  • SSL certificate common name mismatch
  • TLS/SSL server certificate expired
  • Untrusted TLS/SSL server certificate
  • Insecure Direct Object References

Prioritize addressing these vulnerabilities if you have not done so already.

Cost of Vulnerabilities

A single vulnerability can invite thousands of cybersecurity troubles. Poodle, Heartbleed, EternalBlue, and Shellshock are just a few of the vulnerabilities that open businesses to security threats.

The report found that 31% of vulnerabilities have been open for 180+ days, and 1,700+ of these are rated critical or high.

So, what happens if you don’t patch the vulnerabilities? Failing to do so could have severe consequences, including security breaches.

Back in 2017, the massive Equifax security breach made headlines. Hackers exploited the known vulnerability CVE-2017-5638 in its application framework and gained access to the company’s systems.

This breach exposed the personally identifiable information (PII) of 147 million people. Two years after the breach, the company said it spent $1.4 billion on cleanup costs and revamping its security program. Equifax agreed to pay up to $700 million to settle claims related to the breach.

The breach’s total cost is likely higher than the reported settlements and expenses. It also includes intangible costs such as loss of trust, brand reputation, and long-term impact on the business.

Managing Vulnerabilities With Virtual Patching

Security patches play a vital role in dealing with vulnerabilities. They close the security gaps and resolve the associated risk; after all, a successful exploit implies an insecure configuration or a missing security control.

The patching process can, at times, be challenging. Many companies turn to virtual patching at the Web application firewall (WAF) to protect their apps when a system can’t be patched immediately.

Virtual patching is a vulnerability shield that secures apps during your risk window and beyond. It lets you scale coverage and response with an appropriate defense that can be applied in minutes or hours, which reduces the time an application is exposed to a known vulnerability.

Virtual patching is attained by implementing a security policy layer in the WAF. It mitigates application vulnerabilities without changing the codebase.

Companies can leverage virtual patching in two ways to mitigate vulnerabilities:

  1. Core rules
  2. Custom rules

The Indusface report found that the WAF core rule set blocks 40% of requests, and custom rules block 60%.

Why Are the Custom Rules Gaining Momentum?

Core rules are predefined, standardized, based on industry best practices, and designed to protect against known vulnerability classes. Security experts typically create these rules. Core rules are easy to implement and can provide a high level of protection.

Since most dev teams work in sprints a few weeks long, new vulnerabilities keep being introduced as the code changes.

Most companies leverage weekly scans and periodic penetration testing on applications. Since fixing these findings in code is long and arduous, product owners rely on the WAF’s custom rules to plug them while the dev team focuses on shipping features.

Whenever the teams get to a security-focused sprint, they fix these vulnerabilities in the code.

Virtual patching is also used as a risk mitigation mechanism. For instance, we have observed that geofencing is gaining popularity in the custom rule category as application owners look to limit traffic from geographies where the application is not designed to be used. Another example is blacklisting or whitelisting IPs to control which addresses may send traffic to the application.

False Positive Monitoring

While the power of custom rules is undisputed, they also add the burden of monitoring applications for false positives.

In talking to several security leaders, one consistent theme that we keep hearing about is the lack of skilled security practitioners who can manage a complex application like a WAF/WAAP.

The other challenge is the worsening economy; security teams are increasingly being asked to do more with less.

We are seeing an increased trend of product owners relying on managed services to help with virtual patches and guarantee no false positives.
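To make the two rule categories concrete, here is an added example (not Indusface or AppTrana code) of a minimal virtual-patch layer: core rules are generic signatures, custom rules cover the geofencing, IP allow/deny and single-endpoint patches described above, and a new custom rule can start in log-only mode so its matches are reviewed for false positives before it blocks. The request shape, rule names, `/legacy/export` path and sample addresses are all constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class Request:
    src_ip: str
    country: str   # assumed to be filled in by a GeoIP lookup before the WAF layer
    path: str
    query: str

@dataclass
class Rule:
    name: str
    kind: str                          # "core" (generic signature) or "custom" (app-specific)
    match: Callable[[Request], bool]
    mode: str = "block"                # "block", or "log" while watching for false positives

# Core rules: predefined signatures for vulnerability classes named in the report.
CORE_RULES = [
    Rule("sqli-basic", "core", lambda r: re.search(r"(?i)\bunion\s+select\b|'\s*or\s*'1'='1", r.query) is not None),
    Rule("xss-basic", "core", lambda r: re.search(r"(?i)<\s*script\b", r.query) is not None),
]

# Custom-rule builders for the risk-mitigation uses the article mentions.
def geofence(allowed_countries):
    return lambda r: r.country not in allowed_countries

def ip_denylist(cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.src_ip) in n for n in nets)

def virtual_patch(path_prefix):
    # Shield one endpoint a scan flagged (hypothetical path) until the code fix ships.
    return lambda r: r.path.startswith(path_prefix)

def default_rules() -> List[Rule]:
    return CORE_RULES + [
        Rule("geo-us-only", "custom", geofence({"US"})),
        Rule("deny-scanner-range", "custom", ip_denylist(["198.51.100.0/24"])),
        # A new patch starts in log mode: its hits are reviewed before it is switched to block.
        Rule("patch-legacy-export", "custom", virtual_patch("/legacy/export"), mode="log"),
    ]

def evaluate(req: Request, rules: List[Rule]):
    """Return ('block' | 'allow', hits); hits lists (name, kind, mode) of every matching rule."""
    hits = [(r.name, r.kind, r.mode) for r in rules if r.match(req)]
    decision = "block" if any(mode == "block" for _, _, mode in hits) else "allow"
    return decision, hits
```

A log-mode rule never changes the decision, but its hits show up in the returned list, which is what an operator reviews before promoting the rule to block mode.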

Conclusion

If attackers discover exploitable code, their next step is to take advantage of the vulnerability.

The sooner you deploy the virtual patch, the sooner attackers look elsewhere. Keep your WAF running to protect both your security and your bottom line.

About the Author

Venky is an application security technologist who built the new-age Web application scanner and cloud WAF AppTrana at Indusface as a founding CTO. Currently, he spends his time driving the product roadmap, customer success, growth, and technology adoption for US businesses.

Related news

New ‘NKAbuse’ Linux Malware Uses Blockchain Technology to Spread

By Deeba Ahmed. The malware, dubbed NKAbuse, uses New Kind of Network (NKN) technology, a blockchain-powered peer-to-peer network protocol, to spread its infection.

New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks

A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel. "The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file

Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated

CVE-2022-26482: Security Center

An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow an unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2017-3636: Oracle Critical Patch Update Advisory - July 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).