Government remained among the most targeted industries for web application attacks during the second quarter of 2017, according to recent data released by cybersecurity company Positive Technologies.
The report details the most common types of web application attacks by industry sector, as well as the objectives, intensity and time distribution of web application attacks. The report compares Q2 2017 data to data from previous quarters to draw out trends.
At 1,184 average attacks per day, government followed only the IT sector (1,346) as the most targeted industry for web application attacks in Q2 2017.
Across all industries, cross-site scripting (XSS) attacks occurred most frequently, comprising 39.1 percent of all attacks. Researchers noted that XSS attacks were “consistently high” throughout Q2, with 100 to 250 recorded every day.
SQL injection (24.9 percent) was the second most frequent attack. Information leakage (4.6 percent) and XML injection (4.2 percent) remained prevalent across sectors. Researchers noted, “In Q2, attackers showed more interest in attacks on application users. Most attacks were intended to access sensitive information.”
Within the government sector specifically, data reflect broader trends. The top attacks included XSS (49 percent), SQL injection (20 percent), information leakage (18 percent) and denial of service (6 percent). Researchers noted that these types of attacks align with threat actors’ motives for targeting the government sector:
Within the critical infrastructure sectors of energy and manufacturing, the data diverged slightly from cross-industry averages. SQL injection (48.1 percent), operating system commanding (36.4 percent), server-side template injection (7.8 percent) and path traversal (5.4 percent) were most common. The different methods can be explained by attackers’ motives:
Analysis of Findings
Perhaps the most interesting finding in the report is an exploit employed against a common vulnerability in two different industries for different purposes.
Within the energy sector, researchers detected remote command execution (OS commanding) in which threat actors exploited an Apache Struts vulnerability, CVE-2017-5638. If that vulnerability doesn’t ring a bell, it should: it’s the same vulnerability threat actors used in the Equifax breach.
The Struts patch for this formerly zero-day vulnerability was released in early March 2017. Analysts began detecting the first exploitation attempts about a month later, on April 3. Researchers noted:
Threat actors continued a broader trend of linking distinct tactics, techniques and procedures across the cyber kill chain to systematically test defenses. This was most prevalent in the energy sector via SQL injection attacks. The researchers noted that, while threat actors became slightly less active compared to Q1, there were some notable attacks. One involved 35,135 SQL injection attempts from the same Internet Protocol address.
Researchers explained, “When looking for vulnerabilities caused by insufficient filtering of SQL query input, attackers tend to search intensively. The most powerful web application attack in Q2 was a search for SQL Injection vulnerabilities by brute-forcing all possible parameters, with a total of over 35,000 requests sent by the attacker.”
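The behaviour the researchers describe (one source walking every parameter of an application with injection probes, tens of thousands of requests in all) is easy to spot in ordinary access logs if you count per source rather than per request. The following is an added example written for this article, not code from Positive Technologies or from the report: it parses constructed Apache/Nginx-style log lines (the IP addresses, paths and parameter names are made up), checks each query-string value against a few narrow SQL injection signatures, and flags sources that send several injection-looking values across several distinct parameters. The thresholds and signatures are illustrative assumptions, not a production WAF ruleset.

```python
"""Per-source detection of high-volume SQL injection probing in web access logs."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache/Nginx "combined"-style format (not real traffic).
# 203.0.113.7 is an ordinary visitor; 198.51.100.23 walks several parameters
# with classic injection probes, the "search all parameters" pattern in the report.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2017:10:01:02 +0000] "GET /search?q=budget+2017 HTTP/1.1" 200 5123
203.0.113.7 - - [14/Jun/2017:10:01:09 +0000] "GET /docs?id=42 HTTP/1.1" 200 8812
198.51.100.23 - - [14/Jun/2017:10:02:00 +0000] "GET /docs?id=42%27%20OR%201%3D1-- HTTP/1.1" 500 231
198.51.100.23 - - [14/Jun/2017:10:02:01 +0000] "GET /docs?id=42%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 231
198.51.100.23 - - [14/Jun/2017:10:02:01 +0000] "GET /search?q=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5123
198.51.100.23 - - [14/Jun/2017:10:02:02 +0000] "GET /search?q=test&page=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 5123
198.51.100.23 - - [14/Jun/2017:10:02:03 +0000] "GET /login?user=admin%27--&pw=x HTTP/1.1" 200 1024
198.51.100.23 - - [14/Jun/2017:10:02:04 +0000] "GET /docs?id=42 HTTP/1.1" 200 8812
"""

# Combined-log-format fields we need: source address and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Deliberately narrow signatures (assumed for this example) applied to the
# percent-decoded value of each query parameter.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I),                         # tautology: ' OR 1=1
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),                        # union-based probe
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I),  # time-based probe
    re.compile(r"'\s*(--|#|/\*)"),                                           # quote + SQL comment
]


def parse_line(line):
    """Return {"ip", "path", "params"} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes values
    return {"ip": m.group("ip"), "path": url.path, "params": params}


def looks_like_sqli(value):
    """True if a decoded parameter value matches any injection signature."""
    return any(p.search(value) for p in SQLI_PATTERNS)


def analyze(log_text):
    """Aggregate per source IP: total requests, injection-looking values,
    and the distinct (path, parameter) pairs those values were sent to."""
    stats = defaultdict(lambda: {"requests": 0, "probes": 0, "params": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        for name, value in rec["params"]:
            if looks_like_sqli(value):
                s["probes"] += 1
                s["params"].add((rec["path"], name))
    return dict(stats)


def flag_sources(stats, min_probes=3, min_params=2):
    """Sources that sent at least min_probes injection-looking values across at
    least min_params distinct (path, parameter) pairs: systematic parameter
    probing rather than a single stray request."""
    flagged = []
    for ip, s in stats.items():
        if s["probes"] >= min_probes and len(s["params"]) >= min_params:
            flagged.append({"ip": ip, "probes": s["probes"],
                            "distinct_params": len(s["params"]), "requests": s["requests"]})
    return sorted(flagged, key=lambda f: f["probes"], reverse=True)


if __name__ == "__main__":
    for f in flag_sources(analyze(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['probes']} probes over {f['distinct_params']} parameters "
              f"({f['requests']} requests)")
```

Counting distinct (path, parameter) pairs per source is what separates a scanner brute-forcing every input from a single odd request, and it is also the number that keeps growing during the 35,000-request case the report describes. The signatures are kept tight on purpose: looser ones (for example any quote followed by "and") will match ordinary English in search boxes, so in practice they belong behind a per-source threshold like this rather than as a block-on-first-hit rule.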
The SQL injection attacks also point to the increasing automation of attacks, which aligns with the findings of the SANS Institute’s 2017 data protection survey. The SANS authors noted the current asymmetric threat environment, in which threat actors are automating attacks while defenders remain burdened by manual processes.
The complete report is available online.