Report: Web application attacks continued to rise in 2017


Newly released data shows that web application attacks continued to rise significantly in both the quarter-over-quarter and year-over-year timeframes, according to the Third Quarter, 2017 State of the Internet / Security Report released by the world’s largest cloud delivery platform, Akamai Technologies, Inc.

In addition, further evaluation of the Mirai botnet and WireX malware attacks suggests that attackers may leverage IoT and Android devices to build future botnet armies.

In a press release, Akamai says the report found that the number of web application attacks last quarter (Q3 2017) increased 69% in total from the same timeframe last year (Q3 2016). In the last quarter alone, web application attacks rose 30% as compared to the second quarter of 2017. Over the last year, a 217% increase in attacks sourcing from the U.S. was seen, with an increase of 48% in the last quarter as compared to the prior one.

SQL injection (SQLi) attacks continued to be heavily utilized by attackers as a part of the significant rise of web application attacks. This attack vector increased 62% since last year, and 19% since last quarter. The significant increase in web application attacks, particularly “injection” attacks like SQLi, should come as no surprise as the latest version of the OWASP Top 10 2017 that came out last week has “injection” (inclusive of SQLi) as the top ranked vulnerability category. This new iteration is the first major update to the OWASP Top 10 since 2013, when “injection” also resided in the top spot.

Perhaps more alarming was the result of taking a closer look at the Mirai botnet and encountering the introduction of WireX malware. While smaller than its predecessor, the Mirai malware strain, which uses Internet of Things (IoT) devices, was responsible for the largest attack seen in Q3 at 109 Gbps. The ongoing Mirai activity, coupled with the introduction of WireX, which commandeers Android devices, highlights the vast potential that exists for new sources of botnet armies.

“The lure of easy access to poorly-secured end nodes and easily-available source code make it likely that Mirai-based attacks won’t be fading in the near future,” said Martin McKeay, senior security advocate and senior editor, State of the Internet / Security Report. “Our experience suggests that an army of new potential attackers comes online every day. Coupled with that, the ubiquity of Android software and the growth in the Internet of Things are amplifying the risk/reward challenges that enterprises face to tremendous levels.”

The report says recent headlines reflected some of the most far-reaching cyber security incidents seen to date, from Yahoo’s revelation that all of its 3 billion accounts had been compromised, to the Equifax breach that exposed the sensitive data of 146 million Americans. Meanwhile, estimates of the severe financial impact of the second quarter’s NotPetya malware outbreak began to roll in, with multiple companies reporting that the ransomware cost them hundreds of millions of dollars each.

While these incidents grab headlines, the reality is that more common attacks, like DDoS and web application attacks, can be just as disruptive to an organization. These attacks are happening with greater frequency to businesses of all sizes and across all industries. In Q3, Akamai saw the number of both DDoS attacks and web application attacks rise quarter over quarter, increasing by 8% and 30%, respectively. Median attack size also increased, as did the frequency of attacks per target.

Although traditional attack vectors and platforms remain popular and effective, cyber criminals continue to advance their arsenals. This quarter, we saw the continued leveraging of Mirai malware, which uses Internet of Things devices, as well as the introduction of WireX, which commandeers Android devices. Both highlight the vast potential that exists for new sources of botnet armies.

Distributed Denial of Service (DDoS) attacks are costly — they can bring down sites, disrupt businesses, and divert resources. They can also be used to provide cover for more insidious data or system breaches. In the third quarter, DDoS attacks continued Q2’s upward trend, rising another 8%. The average number of DDoS attacks per targeted customer also continued upward, increasing to 36 — on average, more than one attack every three days. On the high end, a single Gaming customer endured 612 DDoS attacks in the third quarter alone — an average of nearly seven attacks for every day in the quarter.

The third quarter also saw the introduction of WireX — notable not only as one of the first large Android-based botnets, but also for the way it propagated. Consumers around the world unsuspectingly downloaded the malware via legitimate-looking infected apps in the Google Play Store. Although WireX spread quickly, a joint effort by several companies — including Akamai — demonstrated the power of cross-industry collaboration in successfully taking down WireX while still in its relative infancy. However, like Mirai, WireX can be expected to persist, evolve, and flourish. Organizations need to be prepared for the possibility that much larger DDoS attacks might occur at any time, as new techniques are continually being developed.

In contrast to DDoS attacks, web application attacks tend to target application vulnerabilities — rather than trying to overwhelm the website — in order to steal data or otherwise compromise the underlying system. Web application attacks are far more common than DDoS attacks, and their frequency makes them both easier to ignore and potentially more damaging. Unfortunately, these types of attacks are continuing to grow more common each quarter, with attack frequency jumping 30% in Q3. Fully 85% of the attacks leveraged either SQL injection or Local File Inclusion, the top two attack vectors.