Three of the four most prevalent attack techniques observed were used by LulzSec during their summer hacking rampage.
Nearly a year ago, this column recommended explaining the enemy to management as a first step in protecting the organization’s data against the hacker industry. The suggestion remains valid. However, as security is taking a seat in the executive roundtable, we’re starting to hear more voices asking the security teams for more information. They hear about SQL injection, but what does that mean to the general public? How prevalent are the attacks? In an attempt to provide a deeper picture for management – and not get too bogged down in details - this column will focus on describing and quantifying the most prevalent attacks.
Many of the provided stats are taken from recent research such as the Web Application Attack Report (WAAR) that was published as part of Imperva’s Hacker Intelligence Initiative (HII), a research effort undertaken to help organizations understand the threat landscape. In the case of the WAAR report, the research was conducted during a six-month period from December 2010- May 2011. The report analyzed Web attack traffic targeted against 30 Web applications of all sizes as well as TOR traffic. Interestingly, three of the four most prevalent attack techniques observed were used by LulzSec during their summer hacking rampage.
Web Attack Technique #1: SQL Injection (SQLi)
SQL Injection (SQLi) is an attack technique that exploits a Web application vulnerability in order to access the organizations’ data in an unauthorized manner. Take for example a Web form. A hacker exploiting a SQLi vulnerability could insert some computer code into the username field rather than the actual user’s name. The code could be as simple as ‘1=1’ or be much more sophisticated and attempt to bypass simple defense measures or gain certain knowledge about the system’s setup. A vulnerable application will process the code and start coughing up sensitive data.
SQLi in the Wild
According to the Privacy Rights Clearinghouse, over 312 million records were compromised by external hacking events since 2005. Some 262 million of these consisted of breaches at TJX, Heartland Payment Systems and RockYou – all SQLi attacks. While the SQLi vulnerability celebrated its 10th anniversary this year, we can see it still tops the charts and accounts for at least 83% of all successful hacks. Earlier this year, a SQLi attack against Sony resulted in the compromise of 77 million credit cards. Even Lady Gaga’s site was hacked by SQLi.
As the WAAR report showed, SQLi attacks represented of 23% of all overall attacks – both successful and not. In the past nine months, different monitored Web applications suffered 50-100 attacks per hour, and about 1,100 daily attacks on average. However, during an attack, the rate of attack spiked and occasionally there were days where 8,000 SQLi attack attempts were concentrated against the applications.
Web Attack Technique #2: Remote File Inclusion (RFI)
In this setting, a Web application is programmed to upload an external file. However, if the application is vulnerable to a Remote File Inclusion attack, the hacker can replace that reference with any file of her own. Once the malicious script is uploaded, the server is under control of the hacker. The hacker can glean information, manipulate data and even upload a malicious executable.
RFI in the Wild
The following snippet is taken from the LulzSec chat logs. It shows that RFI was one of the techniques used by the group to conduct their attacks.
lol - storm would you also like the RFI/LFI bot with google bypass i was talking about while i have this plugged in? lol - i used to load about 8,000 RFI with usp flooder crushed most server :D
As we can see, LulzSec used bots to carry out RFI attacks, which led to the crashing of the servers (in other words, using RFI as a technique to conduct a DDoS attack). In fact, this was the technique used to bring down the CIA public website. RFI is not a widely discussed attack and is often overlooked. But Lulzsec proved the consequence of such a vulnerability when they exploited it to help ambush their targets.
According to the WAAR, RFI attacks account for 4% of the top four most prevalent attack types. A large portion of RFI attacks were part of a comprehensive high-volume attack on a Web application during a very short period such as an hour.
Web Attack Technique #3: Directory Traversal (DT)
As the name hints, in a directory traversal attack, a hacker traverses the Web application’s file directory in an attempt to find hidden files that were inadvertently exposed to the application. Say for example a parent directory should not be accessed. By exploiting a DT vulnerability, a hacker will be able to retrieve information from the directory by using special characters such as the ‘.’, which requests to “traverse” to the file’s parent directory.
DT in the Wild
Surprisingly, this was amazingly WAAR’s most observed attack technique, taking up 37% of the top four most prevalent attack types. This too is an attack technique we do not hear much about. But the prevalence of the attacks forces us to take a closer look at this technique. What we found is DTs are commonly used for reconnaissance. When the hacker extracts enough information about the targeted victim, it can proceed to carry out an additional attack. In particular, this attack was mainly used in conjunction with RFI attacks: the DT maps out the vulnerabilities for a subsequent RFI attack to exploit.
Web Attack Technique #4: Cross Site Scripting (XSS)
A successful Cross Site Scripting attack allows the hacker to execute scripts in a victim’s browser. The script may redirect the visitor to an attacker-controlled website, to steal user credentials or simply to insert hostile content.
XSS is a peculiar attack. With XSS, the attacker abuses the trust between the application and the user. It is not a web attack per se against the server, but rather against the site’s visitors. However, this type of attack still continues to fall under the responsibility of the site administrators since the exploit occurs due to existing flaws on the server side.
XSS in the Wild
Numerous applications suffer from XSS vulnerabilities. Even Microsoft’s fastest growing product to date – Sharepoint- has been found vulnerable to this attack, and Redmond’s latest patch included a fix to this. Hackers are quick to leach onto this type of vulnerability and LulzSec has been known to also use XSS as part of their hacking arsenal.
|Part in a Series on Cybercrime - Read Noa's Other Featured Cybercrime Columns Here|
According to the WAAR, this attack was the second most prevalent, accounting for 37% of the top four Web attacks techniques. As mentioned, this attack is targeted against the victim, yet the WAAR which focused on traffic conducted against applications was able to monitor this traffic. What then does this number indicate? The observed traffic was actually the laying of the foundation of a grander scheme – a Search Engine Poisoning (SEP) scheme. SEP abuses the ranking algorithms of search engines to redirect the victim to a malware-serving website. With SEP via XSS, the hacker finds high-ranking sites vulnerable to XSS. With this list in hand, the hacker creates newly constructed URLs to contain the high-ranking site, popular keywords and the relevant XSS code. The hacker then places these specific URLs in forums and discussion groups which get indexed by search engines. Due to the high-ranking of the vulnerable sites, as well as the popularity of the keywords, these crafted URLs show up early in search engine results. A victim who clicks on these links will then be redirected to the attacker-controlled server due to the XSS code.
My previous column ended with my promise to discuss the value of reputation-based controls. However, I realized that to discuss this aspect we need to provide the greater context of what is the actual Web attack traffic. With this in mind, in the next column these dues will be paid and we’ll see how this type of data helps us to enhance security controls.