New report shows that cybercriminals are concentrating their efforts on banks, government, and healthcare
In a new report, Web Application Attacks Statistics 2017, Positive Technologies describes how vulnerabilities in web applications have enabled hackers to damage diplomatic relations, access lists of patients at plastic surgery clinics, steal enormous sums from cryptocurrency exchanges, and perform other far-reaching attacks.
The most common types of attacks remained the same in 2017 as in previous years, with cross-site scripting constituting nearly a third of all attacks. Other popular attacks aimed to access data or execute commands on the server, including SQL injection, Path Traversal, Local File Inclusion, and Remote Code Execution and OS Commanding.
Government websites were a constant target for attackers in 2017, receiving an average of 849 daily attacks per organization. Last February, hackers modified the websites of embassies and government authorities around the world to feature a script that infects visitors’ computers with spyware. Later in the year, the site of the U.S. National Foreign Trade Council was hacked in a similar attack.
Planting untrue news on trusted websites—such as the official page of a foreign ministry—can spark scandals and international outrage. One such attack was recorded last year in Qatar: fabricated statements were attributed to the country’s emir, leading to a diplomatic row with other countries in the region. Hackers are also attracted to the websites involved in presidential and parliamentary elections. The upcoming 2018 World Cup, being a high-profile international event, is likely to draw a large number of attacks including denial-of-service, defacement attacks and attacks against users.
One dominant trend in 2017 was the boom in cryptocurrency and initial coin offerings (ICOs), an opportunity hackers readily seized upon. In most attacks on cryptocurrency exchanges and ICOs, hackers took advantage of poor web application security. Examples of this are the attacks affecting CoinDash and Enigma Project, where hackers altered the cryptocurrency wallet address displayed on an ICO site so that investors would unknowingly transfer funds to an attacker-controlled wallet.
The report also describes attacks on healthcare web applications, which on average received 731 attacks daily. In one incident involving a Lithuanian plastic surgery clinic, hackers published over 25,000 unclothed “before” and “after” photos of patients. Initially the hackers demanded a ransom from both the clinic (EUR 344,000) and individual patients (up to EUR 2,000).
Education-focused web applications saw on average 106 attacks daily, typically committed by students eager to “improve” their grades.
Positive Technologies detected a relatively low number of attacks on energy and industrial companies — on average, nine a day. These attacks tend to be very dangerous, performed by skilled hackers with intricate planning. The attackers’ goal is two-fold: to access the corporate IT network as well as the process network, where industrial control systems are located.
The most intensely targeted sectors in 2017 were IT and finance (the latter including both banks and e-procurement platforms), which had daily attack rates of 1,014 and 983 respectively. IT companies present an alluring target because of the potential for penetrating clients’ infrastructure. The NotPetya cryptoware outbreak, for instance, started with the hack of an accounting software developer. In the financial sector, most attacks continue to target web application users.
Positive Technologies analyst Leigh-Anne Galloway described what actions businesses should take to protect themselves: “As we have seen from attacks across all sectors, ensuring maximum security for a web application requires auditing through all stages of development and after it is put into production. It’s critical to regularly install any updates available for web application components and use a web application firewall (WAF), which is an essential prevention measure. Without a WAF, hackers can successfully attack within the window of time before vulnerabilities are fully patched.”