The image below shows the number of servers vulnerable to the Heartbleed vulnerability that was reported and fixed in 2014. The bigger problem? All of these are internet connected servers as of July 2017.
In October 2016, Andrey Leonov reported a successful breach of Facebook. Using the ImageTragick vulnerability, he was able to perform command injections and retrieve sufficient information to provide Facebook with proof of exploitation. Facebook patched the issue, and rewarded him. ImageTragick was fixed in May 2016, a full 5 months before the exploit.
On the 24th of September 2015, researchers published a report that showed that the scans for the Shellshock vulnerability were going up. 24th of September 2015 was the second anniversary of it’s disclosure – along with the fixes for the vulnerability.
Most website hacks happen because of outdated versions of software that have not been patched. Vulnerabilities in software are exploited almost immediately – especially zero-day vulnerabilities. The people who discover these vulnerabilities then “sell” them to other malicious actors who will further profit from them. Typically, automated exploit kits are created for a set of vulnerabilities; these kits are then used to scan through thousands of servers, identify the vulnerable servers and hack into them. Very often, the kits leave a backdoor open on the website, for future use.
An example of this can be seen in the recent flurry of WordPress website attacks. The WordPress released a set of patches for previously unknown vulnerabilities. Exploit toolkit authors took that as an input to create a toolkit to hack all known vulnerable WordPress websites within a matter of days. Another example? On the weekend of 12th and 13th March 2017, two Canadian government sites were taken down after they were hacked. The vulnerability in question was in Apache Struts and was disclosed on the 8th of March by Talos. Attacks against both vulnerabilities continued to rise.
Unpatched websites/software/applications are a fact of life. Patches and upgrades may break existing functionality. A WordPress site may use an obscure plugin which provides much-needed functionality. The author of the plugin no longer maintains it, and it doesn’t work with any version released in the last two years. Fixing this will require new development, testing and finally a roll-out – in which time the site can be compromised multiple times. An organization may have a small system admin team which looks after all its IT needs. When a patch is released, they would need to do an analysis of the vulnerability, identify systems that need to be patched, test the patch and then roll it out to production. All of this takes time and effort that the team may not be able to spare immediately.
One of the easiest ways of stopping these exploits? Use a Web Application Firewall and a compatible vulnerability scanner. A Web Application Firewall, like the Barracuda WAF provides a hardened front-end that stops all application attacks, including Application DDoS attacks, that differ from volumetric DDoS attacks. Vulnerability scanners help find vulnerabilities in both the application and the WAF configuration. The scanner report can then be imported into the compatible WAF to virtually patch any misconfigurations, providing complete protection for your web application.
Today’s malicious actors can purchase exploitation kits that allow them to hack thousands of sites at the click of a button. They then use these hacked sites either for extortion, or to infect users with malware or to launch attacks against other sites. Any of these activities will harm your reputation and cause serious damage to personal and professional branding – not to mention financial loss. Keeping up with vulnerabilities and patches is a time sink with no end. An investment in a Web Application Firewall provides you with easy protection against all these attempts and saves your time and effort to grow your business.
The Barracuda Web Application Firewall is a state-of-the-art Web Application Firewall that protects web, mobile and API applications against all types of web attacks. It uses a set of positive and negative security techniques to defend against all attacks – including those for previously unknown vulnerabilities.
The Web Application Firewall is made more powerful by the Barracuda Vulnerability Remediation Service (BVRS). WAF customers use the BVRS to scan applications that they want to secure with the WAF. The report generated by this scan can be turned into an active configuration for the WAF that was used to run the scan. This often completes the deployment and configuration process for that WAF.
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.