- Security TWENTY
- Women in Security
Vulnerabilities in web applications have enabled hackers to damage diplomatic relations, access lists of patients at plastic surgery clinics, and steal from cryptocurrency exchanges, according to an IT security firm’s report, Web Application Attacks Statistics 2017.
The most common types of attacks remained the same in 2017 as previous years, with cross-site scripting constituting nearly a third of all attacks, said
Positive Technologies. Other popular attacks involved the ability to access data or execute commands on the server, including SQL injection, Path Traversal, Local File Inclusion, and Remote Code Execution and OS Commanding.
Government websites were a constant target for attackers in 2017, receiving an average of 849 daily attacks per organisation. Last February, hackers modified the websites of embassies and government authorities, to feature a script that infects visitors’ computers with spyware. Later in the year, the site of the United States National Foreign Trade Council was hacked in a similar attack.
Planting untrue news on trusted websites, such as the official page of a foreign ministry, can spark scandals and international outrage. One such attack was recorded last year in Qatar: fabricated statements were attributed to the country’s emir, leading to a diplomatic row with other countries in the region. Hackers are also attracted to the websites involved in presidential and parliamentary elections. The football 2018 World Cup, as a high-profile international event, is likely to draw a large number of attacks including denial-of-service, defacement attacks and attacks against users, the report suggests.
One trend in 2017 was the boom in cryptocurrency and initial coin offerings (ICOs), an opportunity hackers readily seized upon. In most attacks on cryptocurrency exchanges and ICOs, hackers took advantage of poor web application security. Examples of this are the attacks affecting CoinDash and Enigma Project, where hackers altered the cryptocurrency wallet address displayed on an ICO site so that investors would unknowingly transfer funds to an attacker-controlled wallet.
The report also describes attacks on healthcare web applications, which on average received 731 attacks daily. In one incident involving a Lithuanian plastic surgery clinic, hackers published over 25,000 unclothed “before” and “after” photos of patients. Initially the hackers demanded a ransom from both the clinic (EUR 344,000) and individual patients (up to 2,000 euros). Attacks on education-focused web applications are typically committed by students eager to “improve” their grades, seeing on average 106 attacks daily.
The IT firm detected a relatively low number of attacks on energy and industrial companies — on average, nine a day. These attacks tend to be very dangerous, performed by skilled hackers with intricate planning. The attackers’ goal is two-fold: to access the corporate IT network as well as the process network, where industrial control systems are located.
The most intensely targeted sectors in 2017 were IT, and finance (including banks and e-procurement platforms), which had daily attack rates of 1,014 and 983 respectively. According to the report, IT companies present an alluring target because of the potential for penetrating clients’ infrastructure. The NotPetya cryptoware outbreak, for instance, started with the hack of an accounting software developer. In the financial sector, most attacks continue to target web application users.
Positive Technologies analyst Leigh-Anne Galloway said: “As we have seen from attacks across all sectors, ensuring maximum security for a web application requires auditing through all stages of development and after it is put into production. It’s critical to regularly install any updates available for web application components and use a web application firewall (WAF), which is an essential prevention measure. Without a WAF, hackers can successfully attack within the window of time before vulnerabilities are fully patched.”
For a copy of the full research report visit: https://www.ptsecurity.com/ww-en/premium/web-attacks-2017/.