Man
Professional
The BI.ZONE WAF cyber threat analytics and research department has studied the statistics of attacks on web applications protected by our solution. We compared this information with the results of analyzing the shadow resources that our specialists have been monitoring since 2011. In this article, we explain how the methods of attackers have evolved.
How web resources were hacked in previous years
From 2011 to 2018, attackers sold access to hacked web applications on shadow forums. In 90% of cases, the affected systems were content management systems (CMS), CRM systems, and the web admin panels of servers and network equipment exposed to the internet.

To find targets, the attacker used a list of domain names registered during the last year. Such a list is easy to prepare from open data, and crawler utilities like CMS-Finder then reveal the URIs of web admin panels, the template engines in use, the versions of web interpreters, and so on.
As a result, the attacker obtained a list of candidate target web resources. At the next stage, this list was processed with harvester utilities, which automatically guessed logins and passwords for admin panels and uploaded web shells (often WSO) to the web application servers. Where versions of applications or web interpreters with known vulnerabilities were detected, basic exploits could also be used.
The attackers also used fuzzer utilities such as WebCruiser, SQLmap, XSSer and RouterSploit. These sent hundreds of payloads for different web attacks at application servers in the hope that something would work.
As a result, the attacker gained persistent remote access to the compromised resource. The method is fast, so the attacker could run the utilities in several threads, from different devices and from different networks. In one day, it was thus possible to plant 30-200 web shells on hacked sites and servers.
How the attackers managed the access they gained
Listing every way such access was abused would take several separate articles. Let's focus on the most popular scenarios from 2011 to 2018:
- Once inside the infrastructure, the attacker first tried to understand where he was: he looked at configuration files, available rights, and data about the system and its network interactions. Corporate networks were mostly flat, without segmentation, and servers were located in the local infrastructure. Therefore, a hacker could scan the infrastructure from the local network and use some popular exploit to attack via SMB or RDP. In effect, he built a map and then moved along it. If the hacked server was on the company's local network, the attacker tried to scan the network segments to extend the attack to other devices and applications, or tried to escape the container or virtual machine. If successful, he could expand his presence in the infrastructure, gain a foothold and, for example, create accounts with administrator rights.
- One of the most common cases was database theft. Fuzzer utilities are capable of finding SQL injection opportunities in authentication pages, search forms and the like: union-based, boolean-based, time-based, or even stacked queries. An attacker, even without much knowledge of SQL syntax, could detect a vulnerability and automatically download the data for subsequent sale. At that time, many companies stored passwords in plain text directly in databases, so attackers could obtain the entire set of credentials, emails and nicknames, which could then be used for credential stuffing or brute-force attacks.
- When a stored XSS vulnerability was found, attacks on users became possible. For example, attackers actively used the BeEF framework, a legitimate pentest tool that, in the wrong hands, allowed a malicious JavaScript library to be injected into a compromised page. After that, visitors to the site handed attackers access to their data. However, this technique only worked fully against vulnerable browser versions, and the connection was lost as soon as the tab with the hacked site was closed.
This is exactly how the SPRUT group operated in 2015. The attackers wrote their own crawler with a fuzzer that searched for web applications and tested them for stored XSS vulnerabilities or for RCE via editing site files. BeEF was used to generate a payload in the form of a JavaScript file, which SPRUT injected into web application pages.
To keep the attack going after the victim closed the page, the attackers wrote a malicious plugin for different browsers and showed a notification inviting the user to install the add-on. If users did not understand what was happening and simply clicked the usual "OK", the malicious JS library stayed resident in the browser, allowing the attackers to keep the connection.
In this way, SPRUT infected more than 100,000 devices and united them into a web botnet to steal and sell user data.
- Another option for distributing malware was to replace objects of compromised web applications so that the victim received a malicious file on their device when accessing them. This is how the well-known Zeus botnet and the Carberp banking Trojan, with a bootkit on board, operated.
- The attacker could use ransomware to encrypt important web application data and demand a ransom from the owner. Alternatively, instead of delivering the encryptor himself, he could again put access to the vulnerable infrastructure up for sale.
- Access to the server made it possible to embed a miner script into web pages so that visitors mined cryptocurrency for the attacker. In some cases, the miner was launched on the web application server itself.
- If a cybercriminal managed to create several web shells, they could be combined into a botnet using utilities like Web Shell Manager. Such botnets were then used to provide DDoS services or sold on shadow resources, where they were bought, for example, by owners of larger botnets that needed replenishment.
- Hacktivists, who did not care about money, often used the access they gained to deface the hacked resource (replacing the original content with an ad, a message, a picture, or something similar). Such attackers were mostly chasing reputation and trying to imitate movie hackers.
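The database-theft scenario above turns on the difference between a search handler that splices the form field into the SQL text and one that binds it as a parameter. The following is an added example (not code from the BI.ZONE article, which shows none) using Python's sqlite3 with a constructed in-memory database: a products table behind a search form and a users table with plaintext passwords, as the text says was common at the time. It shows a union-based payload pulling the users table through the vulnerable handler, the same boolean-based true/false probe a fuzzer uses to detect injectability, and why "stacked queries" are a property of the driver rather than of SQL: Python's sqlite3 refuses a second statement per execute(), whereas other drivers allow it.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: a product catalogue searched by a web form
    and a users table with plaintext passwords (pre-2018 practice)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
        INSERT INTO products (name, price) VALUES ('laptop', 999.0), ('mouse', 19.0);
        INSERT INTO users (login, password) VALUES ('admin', 'Winter2015!'), ('alice', 'hunter2');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The search handler as it was typically written: the form field is
    concatenated into the SQL text, so it becomes part of the query."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened handler: the term is bound as a parameter and can only ever be
    a LIKE pattern, never SQL syntax."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Union-based payload: closes the LIKE string, appends a SELECT with the same
# number of columns (2) from the users table, and comments out the trailing "%'".
UNION_PAYLOAD = "' UNION ALL SELECT login, password FROM users--"


def boolean_probe(conn: sqlite3.Connection, search, term: str) -> bool:
    """Boolean-based detection the way a fuzzer does it: send one condition
    that is true and one that is false; differing responses mean injectable."""
    true_rows = search(conn, term + "' AND '1'='1'--")
    false_rows = search(conn, term + "' AND '1'='2'--")
    return true_rows != false_rows


def stacked_queries_accepted(conn: sqlite3.Connection) -> bool:
    """Stacked queries ('...; DROP TABLE users') depend on the driver, not on
    SQL alone: Python's sqlite3 rejects more than one statement per execute()."""
    try:
        conn.execute("SELECT 1; SELECT 2")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return False
    return True


if __name__ == "__main__":
    db = build_db()
    print(search_vulnerable(db, UNION_PAYLOAD))  # product rows plus login/password pairs
    print(search_safe(db, UNION_PAYLOAD))        # [] : the payload is just a LIKE pattern
    print(boolean_probe(db, search_vulnerable, "laptop"), boolean_probe(db, search_safe, "laptop"))
    print(stacked_queries_accepted(db))
```

The boolean probe is the cheap check worth keeping in a regression suite for any handler that builds SQL from request data: if the true and false variants of an input produce different responses, the input reaches the parser. Parameterization removes the entire class; input "sanitization" of quotes does not, because numeric contexts and LIKE patterns need no quotes at all.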
What has changed in recent years
In 2024, more and more organizations and individual website owners host their web applications with hosting providers. Even if an attacker breaks into such a web application, he cannot carry the attack over to the internal infrastructure.

In addition, the architecture of web applications has changed significantly. First, it has moved from monolithic to microservice, and compromising one module does not always mean compromising the entire system. Second, request routing, previously based on files, is now handled by frameworks. Third, companies that do not need complex web resources now use single-page-application (SPA) "business card" sites. Such sites have no real backend of their own, so there is nothing for intruders to hack.
Attackers are now less likely to find a vulnerable server with an outdated CMS or an open port. Scanning attempts run into WAFs and isolated segments, and penetrating the internal infrastructure is incomparably harder than before. As a result, the old model of hacking a host, gaining a foothold and selling access has become irrelevant.
What are the attackers' current goals?
Unlike the attackers of yesteryear, today's cybercriminals try to leave a compromised server as quickly as possible. Their pattern is "hack - download the data - leave". Only rarely do groups try to break out of the application into the infrastructure and gain a foothold. As mentioned above, most current web systems are hosted in isolated segments and on external hosting, so it is far from clear whether trying to escape those segments is worth the effort.

That is why hackers try to download the data quickly and disappear, without risking being discovered and losing access prematurely. The stolen data is then put up for sale, or is published if the motive is hacktivism or politics. For example, databases with password hashes are sold on shadow forums: the hashes can be cracked offline and the recovered passwords used for credential stuffing. This is a very popular technique, since users often reuse the same passwords across different resources. If one site leaks, accounts on other sites are at risk.
In addition to data theft, a hacked website can be used for hosting. Malware is placed on compromised resources for later use, for example in phishing campaigns. Such activity is easier to hide from security systems: it is one thing when a user downloads an unknown file from a known domain, and quite another when he connects to some random host.
What methods are used in modern attacks?
As a result, as we see from the statistics of attacks on BI.ZONE WAF clients, more than half of the malicious actions against web resources are attempts to exploit remote code or command execution (RCE) vulnerabilities. The reason for this popularity is that RCE lets the attacker quickly gain remote access to the server and establish full control over it, with the possibility of almost any further attack.

According to our own honeypots, attackers currently use web attack techniques such as command injection, server-side template injection (SSTI), stacked-query SQL injection, remote file inclusion (RFI), local file inclusion (LFI), web shell upload, code injection, XML external entity (XXE) injection, insecure deserialization and cross-site scripting (XSS). All of them except the last can lead to RCE. Finally, exploits for widely known CVEs remain relevant.
The popularity of these methods is directly related to the fact that many powerful vulnerability scanning and EASM (external attack surface management) tools have become easy to obtain, some of them free. They are designed for continuous penetration testing and essentially do the work of a junior pentester: fuzzing and scanning web applications and network ports, identifying vulnerabilities and applying exploits. The most popular utilities are Acunetix, Netsparker, Nessus, Nuclei, Nmap (with NSE scripts), Metasploit Pro, Exploit Pack Premium and Burp Suite Enterprise.
Now, to carry out attacks, an attacker only needs to "feed" the tool a list of target hosts and calmly go and drink tea while the utility itself finds and exploits vulnerabilities. Many major cyberattacks of recent times (we will not specify which) began with banal credential stuffing or brute force.
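Two of the points above lend themselves to worked code: command injection heads the honeypot list of RCE techniques, and credential stuffing or brute force opens many of the major incidents. The following added example (not code from the article; the diagnostics page, the log format and all host names are constructed for illustration) covers both. The first part is a hypothetical "network diagnostics" handler that takes a host name from the user: the vulnerable version builds a shell string, the hardened version passes an argv list and allow-lists the input; `echo` stands in for ping or nslookup so the example runs offline, but the injection mechanics are the same. The second part is detection logic over constructed authentication log lines that separates the two credential attacks by their shape: credential stuffing replays leaked username:password pairs, so one source cycles through many accounts with about one attempt each (and the occasional success is a reused password); brute force hammers a few accounts with many attempts.

```python
import re
import subprocess
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# ---- Part 1: command injection, vulnerable handler beside the hardened one ----
# Hypothetical diagnostics page; "echo" stands in for ping/nslookup (offline).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")


def lookup_vulnerable(host: str) -> str:
    """Shell string built from user input: /bin/sh interprets ';', '|', '$()'
    in host, so the input can append arbitrary commands."""
    cmd = f"echo resolving {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv(host: str) -> str:
    """No shell: argv goes straight to execve, so metacharacters are just
    bytes of a single argument."""
    return subprocess.run(["echo", "resolving", host], capture_output=True, text=True).stdout


def lookup_safe(host: str) -> str:
    """Defence in depth: allow-list the host name (and refuse a leading '-',
    which would otherwise be parsed as an option by the real tool), then
    call without a shell."""
    if len(host) > 253 or host.startswith("-") or not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host name: {host!r}")
    return lookup_argv(host)


def accepts(host: str) -> bool:
    """True if lookup_safe runs the command for this input."""
    try:
        lookup_safe(host)
    except ValueError:
        return False
    return True


PAYLOAD = "example.com; echo INJECTED"  # constructed attacker input

# ---- Part 2: credential stuffing vs brute force over auth log lines ----
# Constructed log format:  2024-05-01T10:00:00Z ip=203.0.113.5 user=alice result=fail
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
Event = namedtuple("Event", "ts ip user result")


def parse(lines) -> list:
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line: skip, do not crash the pipeline
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["ip"], m["user"], m["result"]))
    return events


def detect(events, window=timedelta(minutes=5), min_failures=10, distinct_ratio=0.8) -> dict:
    """Per source IP, find a window with at least min_failures failed logins.
    Mostly distinct accounts -> credential_stuffing; a few accounts hit
    repeatedly -> brute_force. Successes inside a stuffing window are the
    accounts whose reused password was in the leak."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            fails = [e for e in evs[i:j] if e.result == "fail"]
            if len(fails) < min_failures:
                continue
            accounts = {e.user for e in fails}
            if len(accounts) / len(fails) >= distinct_ratio:
                kind = "credential_stuffing"
            elif len(accounts) <= 3:
                kind = "brute_force"
            else:
                continue
            findings[ip] = {
                "kind": kind,
                "failures": len(fails),
                "accounts": len(accounts),
                "start": evs[i].ts,
                "compromised": sorted({e.user for e in evs[i:j] if e.result == "ok"}),
            }
            break  # the first qualifying window per IP is enough for an alert
    return findings


def build_sample_log() -> list:
    """Constructed sample: one stuffing source, one brute-force source, one
    legitimate user who mistyped twice, plus an unrelated line."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def line(offset, ip, user, result):
        stamp = (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{stamp} ip={ip} user={user} result={result}"

    lines = [line(10 * i, "203.0.113.5", f"user{i:02d}", "fail") for i in range(12)]
    lines.append(line(125, "203.0.113.5", "carol", "ok"))
    lines += [line(5 * i, "198.51.100.7", "admin", "fail") for i in range(15)]
    lines += [line(0, "192.0.2.9", "alice", "fail"), line(30, "192.0.2.9", "alice", "fail"),
              line(60, "192.0.2.9", "alice", "ok")]
    lines.append("2024-05-01T10:03:00Z kernel: unrelated noise")
    return lines


if __name__ == "__main__":
    print(repr(lookup_vulnerable(PAYLOAD)))  # second line "INJECTED" came from the payload
    print(repr(lookup_argv(PAYLOAD)))        # payload echoed verbatim as one argument
    for ip, f in detect(parse(build_sample_log())).items():
        print(ip, f["kind"], f["failures"], "failures across", f["accounts"], "accounts", f["compromised"])
```

The thresholds (ten failures in five minutes, 80% distinct accounts) are starting points to tune against your own traffic, and the per-IP grouping is the weak spot: stuffing run through a proxy pool shows up as one or two attempts per IP, so the same logic should also be run per user-agent, per ASN, or globally over the distinct-account rate. Note that `lookup_argv` alone already defeats the shell injection; the allow-list in `lookup_safe` is there for the argument-injection case, where a leading `-` turns the input into an option for the tool being called.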
Conclusion
In 2024, 87% of cyberattacks are aimed not at unauthorized access as such, but at information: databases, confidential files, authentication data (email addresses, logins, passwords, full names) and materials from corporate and government systems.

Even if some web application attack techniques remain relevant, the goals of attackers have changed radically. Our study of activity on shadow forums shows that only 2 out of 10 offers are related to selling access via web shells. The rest are trying to make money on data that can later be used for phishing, credential stuffing, brute force and similar attacks. Selling remote access for long-term persistence on a web application server has lost its meaning.
Source