Thought leadership. threat analysis, news and alerts.
3 Most Common Web Application Security Vulnerabilities
Almost all organizations today have an online presence, mostly in the form of an official website. While these websites open a window of opportunities for organizations, these same websites are at times a bane to organizations as these are becoming attractive targets for cyber attackers.
What Are Web Application Security Vulnerabilities?
One of the ways by which cyber attackers wreak havoc on corporate websites is by exploiting the security vulnerabilities in web applications.
Web applications, also known as web apps, refer to software programs that run in a web browser. A web application can be as simple as a contact form on a website or a content management system like WordPress. Web application security vulnerabilities, meanwhile, refers to system flaw or security weakness in a web application.
Web applications are gateways to a trove of data that cyber attackers find attractive and easy to steal. Every time website visitors sign up for an account, enter their credentials or make a purchase via an official corporate website, all this data, including personally identifiable information, is stored on a server that sits behind that web application. Exploiting a security vulnerability in a web application allows attackers to access the data stored on that server.
Imperva, in its “State of Web Application Vulnerabilities in 2018”, reported that the overall number of new web application vulnerabilities in 2018 increased by 23%, that is, 17,308 web application vulnerabilities, compared to 2017 with only 14,082 web application vulnerabilities.
Most Common Web Application Security Vulnerabilities
Here are the 3 most common security vulnerabilities affecting web applications:
Based on Imperva’s data, the number one web application vulnerability in 2018 was injection, representing 19% of the web application vulnerabilities last year. In an injection attack, an attacker inserts or injects code into the original code of a web application, which alters the course of execution of the web app.
According to Imperva, the preferred method of attackers last year to inject code into web applications was remote command execution (RCE) with 1,980 vulnerabilities.
Remote command execution allows an attacker to remotely take over the server that sits behind a web application by injecting an arbitrary malicious code on the web app. The Equifax data breach that exposed highly sensitive data of millions of U.S. customers, as well as thousands of U.K. and Canadian consumers, is an example of a cyberattack that used the injection method, in particular, remote command execution.
Attackers gained access to the data of millions of Equifax’ customers by exploiting the vulnerability designated as CVE-2017-5638in the web application used by the company. At the time of the attack, Equifax then used an outdated Apache Struts, a popular open source framework for creating enterprise-grade web applications.
Despite the advisory from the Apache Software Foundation, the organization that oversees leading open source projects, including Apache Struts, to update the software to the latest version, Equifax failed to do so, leading the attackers to breach the sensitive data of millions of the company’s customers.
On March 7, 2017, the Apache Software Foundation issued a patch or security update for CVE-2017-5638 vulnerability. On May 13, 2017, just a few days after the CVE-2017-5638 patch was released, attackers started their 76-day long cyberattack on Equifax, this according to the findings of the U.S. House Oversight Committee.
2. Cross-Site Scripting
The second most common web application vulnerability is cross-site scripting. According to Imperva, cross-site scripting ranked as the second most common vulnerability in 2018, representing 14% of the web application vulnerabilities last year.
Cross-site scripting, also known as XSS, is a type of injection in which malicious code is inserted into a vulnerable web application. Unlike injection in general, cross-site scripting particularly targets web visitors.
In a cross-site scripting attack scenario, an attacker, for instance, embeds an HTML tag in an e-commerce website’s comments section, making the embedded tag a permanent fixture of a webpage, causing the browser to read the embedded tag together with the rest of the original code every time the page is opened, regardless of the fact that some site visitors don’t scroll down to the comments section.
The injected HTML tag in the comments section could activate a file, which is hosted on another site, allowing the attacker to steal visitors’ session cookies – information that web visitors have inputted into the site. With the stolen session cookies of site visitors, attackers could gain access to the visitors’ personal information and credit card data.
3. Vulnerabilities in Content Management Systems
Imperva’s State of Web Application Vulnerabilities in 2018 also showed attackers are focusing their attention to vulnerabilities in content management systems, in particular, WordPress.
Attackers are focusing their attention on WordPress as this content management system powers nearly one-third of the world’s website. Data from W3Techsshowed that as of late December, last year, WordPress usage account for 32.9% of the world’s websites, followed by Joomla and Drupal.
According to Imperva, the number of WordPress vulnerabilities increased in 2018 despite the slowed growth in new plugins. Imperva registered 542 WordPress vulnerabilities in 2018, the highest among the content management systems. The WordPressofficial website, meanwhile, reported that only 1,914 or 3% from the total 55,271 plugins were added in 2018.
Ninety-eight percent of WordPress vulnerabilities are related to plugins, Imperva reported. Plugins expand the features and functionalities of a website. WordPress plugins are, however, prone to vulnerabilities as with this content management system (being an open source software), anyone can create a plugin and publish it without security auditing to ensure that the plugins adhere to minimum security standards.
Web Application Attack Prevention
A web application firewall (WAF) is one of the best cybersecurity solutions that your organization can employ against web application vulnerabilities.
Trust the experienced team that protects hundreds of sites and applications. Protect your web application within 10-minutes and keep cybercriminals at bay. Get started today!
NASA Data Breach May Have Put Personnel Information at Risk
In December 2018, news broke of a data breachat NASA. This is just one of the many cybersecurity issues to strike large organizations and businesses in recent months, including Facebook, Marriott and more.
It’s believed the attack may have compromised personnel data, potentially making Social Security numbers vulnerable. The breach was first discovered in October, in servers containing personally-identifiable details of NASA staff, though it was kept from staff for nearly two months.
Obviously, this is a major problem that no doubt inspired dread in anyone who believed they may have been affected. Sadly, it’s an ongoing risk when hackers continue to utilize ever-more sophisticated techniques to bring networks down or simply steal valuable information.
At the time of writing, the extent of the breach was still unknown but was assumed to affect both current and former NASA personnel (including those connected to NASA as far back as 2006).
However, such a breach may not be a surprise to anyone following NASA closely, as its cybersecurity has been flagged for its flaws in the past. Its Office of Inspector General had indicated there were problems with NASA’s entire IT management and security processes overall — something that no company of any size can afford to overlook.
The Importance of Effective Cybersecurity
For something as vast and well-known as NASA, cutting-edge security is essential to both defend against and deter potential attacks. Not only is the data of personnel under threat, but NASA is involved in a large number of important projects, and any interference, delays or disruptions could have significant repercussions.
An audit conducted at NASA’s Security Operations Center (based in California) revealed that it was underperforming in multiple ways. A reportfrom the Office of Inspector General concluded that the Security Operations Center had ‘fallen short’ of its purpose: to act as the driving force behind NASA’s cybersecurity efforts.
Lapses in management can affect cybersecurity in every company: a proper structure must be established to address potential risks, ways to manage attacks when they happen and strategies for handling the aftermath.
The NASA breach demonstrates that even technological powerhouses, responsible for some of the most mind-bending feats in history, may still fall prey to cyber-attacks.
Common Cybersecurity Pitfalls
It’s vital that your business or organization takes steps to avoid common pitfalls that essentially open the door for hackers to step into your network and help themselves to almost anything they like. What are these dangers and how do you address them?
A lack of education
Sadly, human error is one of the biggest culprits in cybersecurity flaws. While we might all like to believe we’re smart enough to stay safe online, it’s easy to make small mistakes with big consequences.
Weak passwords increase a business’s risk of attack, and all employees should be made aware of this. Likewise, sharing sensitive data with others and falling for common phishing scams can all reduce your company’s security.
This is why comprehensive education is so essential today. Even if you have intelligent staff who know their way around all of your tools and software, they could still make one tiny error that brings your entire network down.
Data breaches can chase existing and prospective customers away to competitors offering greater stability. Research shows consumers expect companies to keep their details safe, and 70 percent would walk awayfrom a brand if their finances were affected by a data breach the business should have prevented.
Undertake expert training for all staff, at every level, to minimize cybersecurity dangers. When your employees know how to create strong passwords, keep sensitive data private and spot phishing risks, you can offer customers a higher standard of protection against threats.
Depending on outdated security
Don’t leave your security software outdated — make sure you always update to the latest version and take full advantage of the defenses it offers.
While it can be easy to assume any form of firewalls and other programs designed to keep you safe will repel attacks, that’s not the case. Cybercriminals are well-versed in tiny flaws and know how to exploit them to gain access to systems, no matter how minor such gaps may seem.
If you know your security is weaker than it should be and hackers could find an obvious way into your network, take steps to address it immediately. You can’t depend on outdated software to stop the most up-to-date attacks.
Physical security oversights
Not only is effective cybersecurity fundamental to protect your employees’ and customers’ data, but physical security is just as important.
Your business site must be equipped with the best protection you can afford. Surveillance cameras, alarms, sensors, smart locks — utilize anything and everything available to keep your workplace safe from unwanted visitors.
Why? Because apart from the obvious problems related to theft, any laptops, USB sticks, hard drives or devices stolen from your office could all contain invaluable data. Thieves may either use this themselves or sell it on to cybercriminals set to target your personnel or clients.
Certain members of staff could seize an opportunity to steal sensitive data from your system and pass it on to others.
This may be for profit or out of a malicious aim to disrupt your operations, perhaps if they feel they have been mistreated or are due to leave the company. Whatever the circumstances, anyone with access to important information could cause major problems for your business if left unchecked.
While such individuals can cover their tracks and avoid suspicion for a long time, make sure you stay vigilant. Encourage employees to be aware of potential risks posed by colleagues and understand how important it is to report any suspicions they have.
Looking to learn more about how effective cybersecurity can protect your business from hackers in 2019? Want to work with a team of cybersecurity experts with the tools, training and techniques to help your company’s system stay secure?
Just reach out and get in touch!
Mirai Botnet Operator Responsible for Cutting Off Internet Access of an Entire Country Jailed
A UK court recently sentenced to 2 years and 8 months 30-year-old Daniel Kaye for operating the Mirai botnet, which resulted in cutting off the internet access of the entire country of Liberia.
Kaye pleaded guilty in carrying out intermittent Distributed Denial of Service (DDoS) attacks on the Liberian telecommunications provider Lonestar MTN. According to Kaye, he was hired by a rival Liberian network provider and paid a monthly retainer to conduct intermittent DDoS attacks on Lonestar.
According to theUK National Crime Agency (NCA), from September 2016, Kaye started operating his own Mirai botnet, composed of a network of infected Dahua security cameras, to carry out intermittent DDoS attacks on Lonestar. In November 2016, the NCA said that the traffic from Kaye’s Mirai botnet was so high in volume that it disabled internet access all over Liberia.
The intermittent DDoS attacks on Lonestar, the NCA added, resulted in revenue loss of tens of millions in US dollars as customers left the network, and cost the company approximately 600,000 USD for remedial cost to prevent the attacks from happening again.
What Is a Mirai Botnet?
Mirai is a malicious software (malware) that infects Internet of Things (IoT) devices, such as video cameras, and turns these infected IoT devices into a botnet – referring to a group of infected computers that’s operated under the control of a cybercriminal to conduct malicious activities such as DDoS attacks.
Mirai first came to public attention on September 20, 2016, when it attacked Brian Krebs’ security blog. The DDoS attack on Krebs’ security blog was considered one of the largest on record at the time. By the end of September 2016, just days after the DDoS attack on Krebs’ security blog, the author of Mirai, using the name “Anna Senpai”, released the source code of Mirai on an online hacking forum. Anna Senpai claimed that 380,000 IoT devices had been infected by the Mirai malware and formed part of the botnet that took down Krebs’ website.
The Mirai source code reveals that this malware continuously scans the internet for IoT devices that use any of the 61-factory default username and password combinations. While 62 username and password combinations are listed on the Mirai source code, there’s one duplication, leaving only 61 unique username and password combinations.
Given that many owners of IoT devices didn’t bother to change factory default usernames and passwords combinations, the Mirai malware easily infected hundreds of thousands of IoT devices and turned them as a botnet for DDoS attacks.
The publication of the Mirai source code on an online forum encouraged other cybercriminals to copy the code and operate their respective Mirai botnets. Following the publication of the Mirai source code, a series of high-profile DDoS attacks were attributed to Mirai botnets.
On October 21, 2016, Mirai brought down a big chunk of the internet on the U.S. east coast. Dyn, an internet infrastructure company, was a subject a DDoS attack that subsequently rendered popular websites inaccessible to the public. Dyn, in a statement, said that a significant volume of DDoS attack traffic originated from Mirai botnets. To date, the perpetrator of the Dyn DDoS attack remains unknown and no case has been filed against anyone in relation to this attack.
In addition to Lonestar DDoS attacks, Kaye also admitted to launching DDoS attacks using his own Mirai botnet on Deutsche Telekom that affected 1 million customers in November 2016. Kaye was extradited to Germany for this crime but only received a suspended sentence.
Three college-age friends in late 2017, Paras Jha, Josiah White and Dalton Norman, pleaded guilty before a U.S. court in creating the Mirai malware. Jha, in particular, pleaded guilty in launching multiple DDoS attacks using Mirai on Rutgers University computer system, resulting in the shutting of the University’s server used for all communications among faculty, staff and students.
Jha, White and Norman dodged jail. Jha, in particular, was ordered by a New Jersey court to pay $8.6 million in restitution and serve 6 months of home incarceration for launching DDoS attacks on the Rutgers University computer network.
The U.S. Department of Justice, in a statement, said that Jha, White and Norman’s involvement with the Mirai ended when Jha posted the Mirai source code on an online forum. “Since then, other criminal actors have used Mirai variants in a variety of other attacks,” the U.S. Department of Justice said.
The publication of a source code of a malware has two sides. First, it encourages script kiddies – those who attempt to launch cyberattacks using scripts or codes written by others, such as in the case of Mirai. Many script kiddies, using the original Mirai source code, have been able to build their own DDoS botnets and offer the service called “DDoS-for-hire”.
Second, the flipside of making a malware source code public is that this enables the cybersecurity community to study the code and develop tools and advisories that could render this malware inoperable or useless.
There are currently available security tools that block DDoS attacks coming from Mirai botnets. Also, a simple change of factory default username and password combinations can prevent IoT devices from being infected by the Mirai malware and, in effect, could prevent DDoS attacks.
Cybercriminals are, however, relentless in their campaigns. Since the publication of the Mirai source code, cybercriminals have tweaked the Mirai source code, for instance, infecting not just IoT devices, but enterprise servers as well. Attackers also don’t simply use factory default login details in infecting computer devices, but also exploit known security vulnerabilities.
How Advanced Persistent Threat (APT) Attacks Work
The final report of the Committee of Inquiry (COI), the body tasked to investigate Singapore's worst cyber-attack in its history, concluded that an unnamed Advanced Persistent Threat (APT) group was behind the country’s worst-ever cyber-attack.
“The attacker was a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group,” COI said in its final report.
COI was tasked with looking into Singapore’s worst-ever cyber-attack: the data breach on Singapore Health Services Private Limited (SingHealth). The COI report(PDF) released to the public last January 10th is a redacted version of the final report, barring sensitive information that could further harm SingHealth.
The unnamed Advanced Persistent Threat group, the COI said, illegally accessed SingHealth’s database and illegally removed personally identifiable information of 1.5 million patients, including their names, addresses, genders, races, and dates of birth between the period of June 27, 2018 to July 4, 2018. Out of the 1.5 million affected patients, nearly 159,000 of these patients also had their outpatient dispensed medication records exfiltrated. The personal and outpatient medication data of Singapore’s Prime Minister were part of the illegally accessed and removed data.
What Is an Advanced Persistent Threat (APT) Attack?
An Advanced Persistent Threat (APT), as the name suggests, is a threat that’s “advanced”, which means that sophisticated hacking techniques are used to gain access to a system, and this threat is “persistent”, which means that the attacker or attackers remain inside the compromised system for a prolonged period of time, resulting in destructive consequences.
APT attacks on nation states, such as the attack on SingHealth, and large corporations are often highlighted. APT attackers are, however, increasingly launching APT attacks on smaller organizations that make up the supply chain in order to gain access to large organizations. APT attackers gain ongoing access to a system through the following series of events:
1. Initial Access
Attackers could gain initial access to a system through various means. It could be through a known software vulnerability that’s left unpatched. In unpatched security vulnerability, a software security update is available but for whatever reasons this update hasn’t been installed.
Attackers could also gain access to a system through phishing attacks – cyber-attacks that use an email as a weapon. In a phishing attack, the victim is tricked into clicking a link or downloading an attachment inside an email masquerading as coming from a legitimate entity.
In the case of the SingHealth cyber-attack, the COI said, “The attacker gained initial access to SingHealth’s IT network around 23 August 2017, infecting front-end workstations, most likely through phishing attacks.”
2. Establishing Footholds
Once the attackers gain initial access to the system, they then attempt to establish a foothold or footholds in the system. In establishing a foothold in the system, attackers typically implant a malicious software (malware) into the system to scan and move around the system undetected.
In the case of the SingHealth cyber-attack, the COI said the attacker used a “suite of advanced, customized, and stealthy malware” to stealthy move within the system and to find and exploit various vulnerabilities in SingHealth’s system. According to COI, a number of security vulnerabilities in the SingHealth network were identified in a penetration test in early 2017, which may have been exploited by the attacker. At the time of the cyber-attack, COI said a number of these vulnerabilities remained.
3. Intensifying Access
Attackers intensify their access within a system by gaining administrator rights – the highest level of permission that’s granted to a computer user.
In the case of the SingHealth cyber-attack, the COI said the group responsible for the SingHealth data breach gained administrative access to SingHealth’s servers as the said servers weren’t protected with 2-factor authentication (2FA), enabling the attacker to access the servers through other means that didn’t require 2FA.
4. Stop, Look and Remain
APT attackers are a patient bunch. These attackers are willing to wait for days, months and even years to achieve their goal, for instance, to remove critical data, only at the right moment.
In the case of the SingHealth cyber-attack, the COI said that while the group responsible for the SingHealth data breach was able to infiltrate SingHealth’s servers for months, it was only on June 26, 2018 that the group obtained credentials to the SingHealth’s database containing trove of patients’ data, and then started to remove the trove of data from June 27, 2018 until July 4, 2018.
On July 4, 2018, an administrator at Integrated Health Information Systems Private Limited (IHiS) noticed the suspicious activities and then worked with other IT administrators to terminate the exfiltration of data. IHiS was responsible for implementing cyber security measures and also responsible for security incident response and reporting at SingHealth.
Prior to the July 4, 2018 discovery, COI said, IHiS’ IT administrators first noticed the unauthorized logins into SingHealth’s servers and failed attempts at accessing the patients’ database on June 11, 12, 13, and 26, last year.
Two major findings by the COI in the SingHealth cyber-attack stand out:
First, remediating the security vulnerabilities identified in early 2017 penetration test would have made it more difficult for the attacker to achieve its objectives.
Second, while the attacker operated in a stealthy manner, it wasn’t silent as the IHiS’ staff, in fact, noticed unauthorized activities prior to the actual data exfiltration. Recognizing these unauthorized activities as signs that a cyber-attack was going on and taking appropriate action could have prevented the actual data exfiltration.
Contact ustoday if you need assistance in protecting your organization from Advanced Persistent Threat (APT) attacks.
Cyber Attack Disrupts Operations of Major U.S. Newspapers
Cyber criminals ended 2018 with a high-profile cyber attack, this time, attacking Tribune Publishing’s network, resulting in the disruption of the news production and printing process of some of the major newspapers in the U.S.
The Los Angeles Timesreported that what was first thought as a server outage at Tribune Publishing’s network was later identified as a cyber attack. Tribune Publishing once owned Los Angeles Times and San Diego Union-Tribune. These 2 newspapers were later sold to a Los Angeles biotech entrepreneur. Despite the sale, these 2 newspapers still share Tribune Publishing’s printing networks.
As a result of the cyber attack at Tribune Publishing, the distribution of the December 29thprint edition of these 2 newspapers was delayed. The distribution of the December 29thprint edition of The New York Times and The Wall Street Journal newspapers was also delayed as these two major newspapers share the use of Los Angeles Times’ Olympic printing plant – as the name implies, also used by the Los Angeles Times.
The cyber attack on Tribune Publishing also disrupted production of other Tribune Publishing newspapers. Tribune Publishing currently owns Chicago Tribune, New York Daily News, The Baltimore Sun, Orlando Sentinel, South Florida's Sun-Sentinel, Virginia’s Daily Press and The Virginian-Pilot, The Morning Call of Lehigh Valley, Pennsylvania, and the Hartford Courant.
Chicago Tribune, for its part, reported that its December 29thprint edition was published without paid death notices and classified ads as a result of the cyber incident at Tribune Publishing.
Marisa Kollias, Tribune Publishing spokeswoman, said in a statement that by December 30th, production and delivery were back on track at all concerned newspapers. She didn’t, however, address the details about the cyber attack itself.
“We acted promptly to secure the environment while ... creating workarounds to ensure we could print our newspapers,” Kollias said. “The personal data of our subscribers, online users, and advertising clients has not been compromised.”
While authorities and Tribune Publishing are silent about the cause of the cyber attack and whether the attacker or attackers asked for a ransom, the Los Angeles Times and Chicago Tribune reported that several individuals with knowledge of the situation said the cyber attack bore the signature of Ryuk ransomware.
What Is Ryuk Ransomware?
Ryuk is a malicious software (malware) that’s categorized as a ransomware. In a ransomware attack, all or selected files in a computer infected by the ransomware are encrypted – the process of converting plaintext or any other type of data into encoded version, denying legitimate users access to these files.
Ransomware victims are informed of the file encryption via a notice shown on the monitor of the infected computer. This notice also functions as a ransom notice. Ransomware is characterized by the fact that victims are asked to pay ransom, typically in the form of cryptocurrency like Bitcoin (also referred as BTC) in the promise that once ransom is paid, a decryption key to unlock the encrypted files would be given.
Ryuk was first reported by security researchers at Check Pointon August 20, 2018. The researchers said that 2 weeks prior to August 20th, Ryuk perpetrator or perpetrators attacked various organizations worldwide, earning the attackers over $640,000 in just a span of 2 weeks.
Check Point researchers said Ryuk’s early attacks encrypted hundreds of personal computers, storage and data centers in each infected organization. Some organizations paid large ransom in order to retrieve their files. The highest recorded payment was 50 BTC, then priced nearly $320,000.
According to Check Point researchers, Ryuk is a highly targeted attack, which requires “extensive network mapping, hacking and credential collection” prior to each operation. In addition to encrypting files in the local drives, Ryuk also encrypts network resources.
Analysis of Ryuk conducted by Check Point researchers showed that this ransomware is similar in many ways with another ransomware called “Hermes”. The attack at Far Eastern International Bank (FEIB) in Taiwan in October 2017 brought Hermes into public attention. While Hermes exhibited typical characteristics of a ransomware in the FEIB attack, it acted as a diversion only as the attackers’ ultimate goal was to steal money. The FEIB attackers stole $60 million in a sophisticated SWIFT attack, but the total amount stolen was later retrieved. Unlike Hermes, Ryuk functions not as a diversionary tactic but as the main act.
Here are some similarities in Hermes and Ryuk that led the Check Point researchers to conclude that whoever wrote the Ryuk source code had access to the Hermes source code (to date, the source codes of Ryuk and Hermes aren’t publicly available):
Similarity in Encryption Logic
The encryption logic in both Hermes and Ryuk is similar in structure.
Whitelisting of Similar Folders
Both Hermes and Ryuk encrypt every file and directory except “Windows”, “Mozilla”, “Chrome”, “RecycleBin” and “Ahnlab”. One explanation why attackers want victims to access search engines like Chrome and Mozilla is to allow victims to search online what the ransom note means.
Here are some best security practices in order to prevent or minimize the effects of ransomware attacks like Ryuk:
Implement Network Segmentation
Network segmentation is the practice of splitting a corporate network into subnetworks. This practice ensures that if one subnetwork is infected with a malware like Ryuk, the other subnetworks won’t be infected. In addition to improving security, network segmentation also boosts efficiency.
Back-Up Critical Files
These are the main reasons why organizations are willing to pay an exceptionally large amount of ransom to cyber attackers: a) victims want to retrieve their files back as these files are important to their existence, and b) victims have no copies of these critical files. Organizations that practice regular back-up of critical files can afford not to pay ransom to attackers.
Contact us today if you need assistance in protecting your organization’s resources from ransomware attacks.
Steve E. Driz, I.S.P., ITCP