2018 was a very long, eventful year in Application Security. There were many good things that came into place – the new OWASP Top 10 list (pdf) (late 2017, but close enough 😉), GDPR and similar laws that have created financial incentives for firms to secure user data, and a general rise in awareness for the need for web app security, patching and the like. It was, however, also a bumper year for attackers, and to me, is the year the Data Breach Notification became mainstream. (By mainstream, I mean that people who normally would not have thought about these breaches have heard of them and understand the consequences.)
Looking at the trends in terms of attacks over the last year, I see three clear attack vectors that have become very popular and will become a bigger problem in 2019 and beyond.Account takeover (ATO) attacks using bots, exploits, and credential dumps, are expected to increase over the next year. Plan and deploy defenses like attack detection and 2FA to protect yourself from this attack.Click To Tweet
The first one is Account Takeover attacks using bots and credential stuffing. Over the years, we’ve become used to massive automated exploit campaigns, like the one a couple of years ago where 5000 websites were backdoored in a very short period. In the last two years, this automated approach to hacking has also naturally expanded to account takeover attacks. Starting with the basic SentryMBA tool and going into bespoke tools that perform low and slow attacks, this type of breach has become more prevalent. The many breaches that occurred with websites from Ashley Madison, LinkedIn, Twitter to vBulletin message boards have provided attackers with huge credential “dumps” to perform these attacks.
At its core, an Account Takeover attack is simple to execute. Simply visit one of the many forums that provide free “ComboLists” for SentryMBA, check out the tutorials linked on the websites, identify your target and…. you’re good to go! Of course, in practice, there are many variables in play, including the security level of your target, but the general principle is similar in most of these cases.
Organizations will see a significant uptick in these attacks. Defenses, including two-factor authentication, attack detections and more need to be planned, and put in place with proper alerting systems to detect and block these attacks.APIs are becoming increasingly common, and API security is not where it should be. There's has been an explosion in API exploits and we expect this to continue throughout 2019. Companies need to focus on API security. Click To Tweet
The second trend is the rise of attacks against APIs. We wrote about some of the malicious vulnerabilities that were found last year, and the trend has continued, with Facebook, Amazon, and Google being affected by these attacks. The two API breaches at Google resulted in the demise of the Google+ social platform, while the one at Amazon was (relatively) more benign, without any impact on actual user information. The Facebook leak was massive, resulting in the loss of login tokens for 50 Million users.
APIs are becoming increasingly common as more systems are interconnected and depend on other systems to deliver functionalities. API security is not as good as it should be at this time – most APIs are not used directly by consumers and weren’t widely exploited until very recently. This has led to an explosion in their exploitation – especially more so since they typically provide a direct interface to critical data with ease. API protection is another place where companies need to focus on this year, to avoid major data breaches. We’ve written earlier about APIs, including the possible attacks, challenges and how to securely deliver APIs with the Barracuda WAFx product family. This should serve as a good starting point to learn more.
Magecart is the most popular version of the third trend – Supply Chain Attacks. Over the years, most applications have used third-party libraries and scripts as part of the software supply chain. Attacks against these third parties used to happen from time to time, but in 2018 they’ve become an alarming new trend. The trend came to light when Magecart was first discovered in the wild. The Magecart attack group used popular third-party scripts that were used in e-commerce sites (typically built on Magento – hence Magecart) and compromised them at the source. The compromised scripts were then used to steal credit card and PII from a variety of sources such as British Airways, Cathay Pacific, Oxo, NewEgg, Ticketmaster and more. The scale of the attacks has been massive, and the attackers have taken special precautions to ensure to hide the compromise indicators from researchers and scanning tools.Supply chain attacks will continue to increase over the next year. Validating file hashes, enforcing Sub Resource Integrity (SRI) and hosting only validated versions of third-party software for usage are critical to application security Click To Tweet
Beyond Magecart, other supply chain attacks have also gained prominence. One recent attack was on PHP Pear, where the maintainers have discovered that the downloads available on their site were replaced with malicious downloads, about 6 months ago. This attack is similar to the ones on Linux Mint and Transmission and highlights the need for being careful when downloading and using third-party software.
With supply chain attacks, developers need to exercise a great deal of caution when using third-party software and scripts. Steps such as validating file hashes, enforcing Sub Resource Integrity (SRI) and hosting validated versions of third-party software for usage go a long way in securing your applications.
Attackers are doing what they do best, since the advent of web applications – innovating methods to fool defenders. The trends point to them becoming increasingly clever – they’re finding newer ways to compromise applications with lesser effort and are trying very hard to make sure they are not detected very easily. 2019 is going to be a busy year for defenders, and we at Barracuda are here to ensure you sleep easy.
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC. His current areas of focus are Cloud and automation. His prior roles ranged from leading networking product testing teams and technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.