Application security news never stops, and it can be hard to follow all of the incidents that are #AppSec related. In this roundup, I've picked a handful of the most significant news items from January 2019.
Credential Stuffing Attacks are increasing, and free raw material is abundant
Credential stuffing attacks are becoming increasingly common and visible. Two especially visible examples occurred in the last couple of months – Warby Parker and DailyMotion. For more information on credential stuffing attacks, including anatomy of an attack and a diagram, visit the OWASP site here.
A “megabreach” was also discovered this month. As with most such “megabreach” credential dumps, this one seems to be a merged list of multiple older breaches, with a few million newer credentials in the mix.
Troy Hunt’s HaveIBeenPwned has integrated this list, in case you want to check on your credentials.Our latest #AppSec blog discusses credential stuffing, megabreaches, and includes resources to help you find out if you are a victim. Click To Tweet
The UK government is working with several other nations to track and apprehend WebStresser users
The National Crime Agency, working with law enforcement partners from 14 countries, has taken action against a number of cybercriminals website users linked to four million attacks across the globe.
This latest action is part of Operation Power Off, which pursues those individuals and services responsible for committing or facilitating DDoS (Distributed Denial of Service) attacks.
Mirai is back with as a new variant primarily exploiting a ThinkPHP vulnerability
The Mirai bot is back as a new variant called Yowai. Cybercriminals use websites created using the PHP framework to breach web servers via dictionary attacks on default credentials and gain control of these routers for distributed denial of service attacks. Here's SC Media how Hakai and Yowai botnets work:
Yowai is the new Mirai malware. Find out more in this #AppSec blog from Barracuda Product Manager Tushar Richabadas. Click To Tweet
Once the Yowai botnet infects the router it uses dictionary attack in an attempt to infect other devices while the affected router becomes part of a botnet that enables its operator to use the affected devices for launching DDoS attacks.
Automated attacks against 2FA implementations and reCATPCHA bypass PoC’s
Two new PoC’s came out in the last month, that show the limitations of Two Factor Authentication and reCAPTCHA.
A Polish researcher, Piotr Duszyński, released Modlishka, a tool that acts as a reverse proxy. Modlishka sits between the user and website, and proxies all the traffic to the website. The victim receives authentic content from the legitimate site –let's say for example Google– but all traffic and all the victim's interactions with the legitimate site passes through and is recorded on the Modlishka server.
A group of MIT researchers released unCaptcha v2, a tool that can defeat reCAPTCHA with 90% accuracy. This was an update to the original unCaptcha tool. The tool is built to defeat reCAPTCHA by using the audio captcha feature – it downloads the audio captcha and runs it through multiple online speech-to-text services, processes the resulting output and uses the output to solve the CAPTCHA.
Get protection for websites and applications from cyber-threats with the Barracuda Web Application Firewall. Visit our corporate site here to learn more and get a free 30-day trial.
Tushar Richabadas is Senior Product Marketing Manager, Applications and Cloud Security, Barracuda. Prior to this role, Tushar was a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC, with a focus on cloud and automation. Tushar has a wide range of experience, from leading networking product testing teams and technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.