New RAT Hijacks COM Objects for Persistence, Stealthiness
Posted on October 31, 2014 by Kara Dunlap in Security
Researchers have uncovered a remote administration tool (RAT) that uses a novel technique to stay persistent on infected systems and avoid detection.
The RAT, dubbed “COMpfun,” has been analyzed by experts from G DATA Software’s SecurityLabs. When it comes to functionality, the malware is not out of the ordinary. It can be used to log keystrokes, take screenshots, download and upload files, execute code, and for other specific tasks.
The threat can run on both 32 and 64-bit versions of Microsoft Windows (up to Windows 8), and it relies on HTTPS and RSA encryption to communicate with its command and control (C&C) server.
What makes COMpfun interesting is the fact that it injects itself into the processes running on compromised systems by hijacking legitimate Component Object Model (COM) objects.
COM lets applications expose objects that other applications can create and control. Each object class is registered under a unique identifier, a CLSID, and the registry maps that CLSID to the library or executable that implements it.
When it is installed on a system, the RAT drops two files and then creates two registry entries that register COM objects under the CLSIDs {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} and {BCDE0395-E52F-467C-8E3D-C4579291692E}. Both IDs already belong to Microsoft libraries that several applications, including the Web browser, load. Because the RAT registers its own libraries under the same CLSIDs, its registrations are the ones that get resolved, and the originals are effectively replaced.
Once this is done, the malicious libraries are loaded into processes instead of the legitimate Microsoft libraries. This ensures not only that the RAT is persistent, but it also makes it more difficult to detect.
“As soon as the infection was successful, Microsoft Windows then natively executes the library in the processes of the infected user. Hence, the attacking process is hard to identify. Using COM hijacking is undoubtedly silent. It is not even detected by Sysinternals’ Autoruns,” G DATA researcher Paul Rascagnères wrote in a blog post.
Many antivirus products watch for DLL injection, but COMpfun never injects anything: the normal COM machinery loads its library for it, so some security solutions might miss the threat. Rascagnères has warned that any type of malware could adopt this technique to become stealthier.
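The practical question for a defender is how to spot a CLSID that has been re-registered to point at a different library. The script below is an added example, not G DATA’s tool and not a description of COMpfun’s exact registry changes: it assumes the override lives in the per-user hive (HKCU\Software\Classes\CLSID), which is the usual place because HKCU\Software\Classes is merged ahead of HKLM\Software\Classes when HKEY_CLASSES_ROOT is built, and it compares two `reg export` dumps of that key. The two CLSIDs are the ones named in the article; the DLL paths in the sample exports are constructed stand-ins, not the real servers behind those CLSIDs.

```python
"""Flag per-user COM registrations that shadow machine-wide ones.

Added example, not from the G DATA analysis.  Input is the text of two
`reg export` dumps (HKLM and HKCU ...\Classes\CLSID); output is every CLSID
whose per-user InprocServer32 points somewhere other than the machine one.
"""
import re

# A key line in a .reg export looks like [HKEY_...\CLSID\{...}\InprocServer32]
_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_INPROC_KEY = re.compile(
    r"\\CLSID\\(?P<clsid>\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})"
    r"\\InprocServer32$",
    re.IGNORECASE,
)
# The key's default value:  @="C:\\path\\x.dll"   or   @=hex(2):43,00,3a,00,...
_DEFAULT_VALUE = re.compile(r"^@=(?P<raw>.+?)\s*$")


def _decode_reg_value(raw: str) -> str:
    """Decode a REG_SZ or a single-line REG_EXPAND_SZ (hex(2):) value."""
    if raw.startswith('"') and raw.endswith('"'):
        # .reg files double every backslash and escape embedded quotes
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(h, 16) for h in raw[7:].split(",") if h.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_inproc_servers(reg_text: str) -> dict:
    """Map CLSID (upper-cased) -> InprocServer32 default value for one export."""
    servers = {}
    current = None
    for line in reg_text.splitlines():
        key_match = _KEY_LINE.match(line.strip())
        if key_match:
            inproc = _INPROC_KEY.search(key_match.group("key"))
            current = inproc.group("clsid").upper() if inproc else None
            continue
        if current is None:
            continue
        value_match = _DEFAULT_VALUE.match(line.strip())
        if value_match:
            servers[current] = _decode_reg_value(value_match.group("raw"))
    return servers


def find_com_hijacks(hklm: dict, hkcu: dict) -> list:
    """CLSIDs that exist in HKLM but are re-pointed to another server in HKCU.

    For the affected user the HKCU entry is the one COM actually loads, so a
    mismatch here is the condition worth looking at by hand.
    """
    hits = []
    for clsid, user_dll in sorted(hkcu.items()):
        machine_dll = hklm.get(clsid)
        if machine_dll is None:
            continue  # purely per-user object, not a shadowed system one
        if machine_dll.lower() != user_dll.lower():
            hits.append({"clsid": clsid, "hklm": machine_dll, "hkcu": user_dll})
    return hits


# Constructed sample exports.  DLL paths are stand-ins, not the real servers.
SAMPLE_HKLM = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32]
@="C:\\Windows\\System32\\legit_one.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32]
@="C:\\Windows\\System32\\legit_two.dll"
"ThreadingModel"="Both"
"""

SAMPLE_HKCU = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\update.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32]
@=hex(2):43,00,3a,00,5c,00,74,00,6d,00,70,00,5c,00,78,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\SomeVendor\\plugin.dll"
"""


if __name__ == "__main__":
    for hit in find_com_hijacks(parse_inproc_servers(SAMPLE_HKLM),
                                parse_inproc_servers(SAMPLE_HKCU)):
        print(f"{hit['clsid']}: HKLM -> {hit['hklm']}  shadowed by HKCU -> {hit['hkcu']}")
```

On a real host the two inputs come from `reg export HKLM\Software\Classes\CLSID hklm.reg` and `reg export HKCU\Software\Classes\CLSID hkcu.reg`; `reg export` writes UTF-16, so open the files with `encoding="utf-16"`. The comparison is deliberately dumb: a per-user entry that spells the same path differently (for example through `%SystemRoot%`, which this script does not expand) or a multi-line `hex(2):` value will show up as a hit or be skipped, so treat the output as a review list, not a verdict. A hit whose HKCU path sits under a user-writable directory, as in the sample, is the pattern described above.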
COMpfun is not the only RAT that abuses COM. Back in August, G DATA detailed IcoScript, a piece of malware that leveraged COM to control Internet Explorer. By taking control of the Web browser, cybercriminals have been able to carry out various actions, such as accessing websites, entering credentials, pressing buttons on pages, and exfiltrating data.
In the case of IcoScript, cybercriminals leveraged the technique to access Yahoo Mail accounts and use them for C&C communications. Researchers noted at the time that the attackers could have used other webmail services as well, such as Gmail.
Cash-out Crew Manager Sentenced to 21 Months in Prison
Posted on October 28, 2014 by Kara Dunlap in Security
A Massachusetts man has been sentenced to 21 months in prison for using information hacked from customer accounts at more than a dozen banks, brokerage firms, payroll processing companies and government agencies in a plot to steal $15 million.
Robert Dubuc, 41, of Malden, Mass., previously pleaded guilty to charges of wire fraud conspiracy and conspiracy to commit access device fraud and identity theft.
According to court documents, Dubuc and 50-year-old Oleg Pidtergerya of Brooklyn – who has also pleaded guilty – were asked by leaders of the conspiracy to participate in a “cash-out” scheme to help steal money from compromised bank accounts. Pidtergerya managed a cash-out crew in New York for the cyber-ring’s leaders while Dubuc controlled a cash-out crew in Massachusetts for the organization.
Authorities believe Oleksiy Sharapka, 34, of Kiev, Ukraine, directed the conspiracy with the help of Leonid Yanovitsky, 39, also of Kiev.
According to authorities, hackers gained unauthorized access to the bank accounts of customers of more than a dozen organizations ranging from Citibank to E-Trade to the U.S. Department of Defense. After obtaining access to the bank accounts, Sharapka and Yanovitsky allegedly diverted money to bank accounts and pre-paid debit cards they controlled. They then turned to the cash-out crews to withdraw the stolen funds, authorities said.
Both Sharapka and Yanovitsky are under indictment in the United States and remain at large, according to the U.S. Department of Justice.
In addition to the prison term, Judge Sheridan sentenced Dubuc to serve three years of supervised release and pay restitution in the amount of $338,685. Sentencing for Pidtergerya is scheduled for Dec. 22.
Hackers Target Ukraine’s Election Website
Posted on October 26, 2014 by Kara Dunlap in Security
KIEV – Hackers attacked Ukraine’s election commission website Saturday on the eve of parliamentary polls, officials said, but they denied Russian reports that the vote counting system itself had been put out of action.
The www.cvk.gov.ua site, run by the commission in charge of organising Sunday’s election, briefly went down. Ukrainian security officials blamed a distributed denial-of-service (DDoS) attack, a method that can slow down or disable a network by flooding it with connection requests.
“There is a DDoS attack on the commission’s site,” the government information security service said on its Facebook page.
The security service said the attack was “predictable” and that measures had been prepared in advance to ensure that the election site could not be completely taken down.
“If a site runs slowly, that doesn’t mean it has been destroyed by hackers,” the statement said.
A report on Russia’s state news agency RIA Novosti quoted a statement on the personal website of the Ukrainian prosecutor general saying that the electronic vote counting system was out of order and that Sunday’s ballots would have to be counted by hand.
The commission spokesman, Kostyantyn Khivrenko, called the RIA Novosti report a “fake”.
“The Central Election Commission will issue preliminary results of the voting with the help of the Vybory information-analytical system. This system is working normally,” he said.
The Ukrainian Security Service (SBU), the country’s lead internal security agency, said that “the physical protection of the central server and its regional components has been ensured”.
“Any statements regarding the alleged successful unauthorised intrusions into the cyber space of the Central Election Commission or the elements of the elections systems do not correspond to the facts. Hackers are controlling nothing,” Markiyan Lubkivskyy, an adviser to the SBU chief, said.
An SBU spokeswoman told AFP that attacks on the election commission’s site began a week ago, “but so far we have dealt with them”.
Outdoor video screens hacked?
The cyber troubles came as Ukraine prepared for an election overshadowed by a bloody pro-Russian insurgency in the country’s east and the annexation by Russia of the Crimean province in the south.
Pro-Western and nationalist parties are expected to dominate the new parliament. In another possible sign of cyber tensions, the Ukrainska Pravda news website on Friday reported that outdoor video screens across Kiev were briefly hacked.
The screens, which are used for advertising, including pre-election political ads, reportedly started to display “scary and horrible images,” the report said.
Engineers went out “to physically unplug” the screens, according to the report.
The report could not be confirmed, but footage on YouTube purporting to capture the incident showed a street screen abruptly switching to footage of destroyed buildings and dead bodies, as well as the images of two nationalist politicians running for parliament, with the words “war criminals”.
Recently Patched Flash Player Vulnerability Added to Exploit Kit
Posted on October 23, 2014 by Kara Dunlap in Security
An exploit for a Flash Player vulnerability that was patched just over one week ago by Adobe has already been added by cybercriminals to an exploit kit.
The French malware researcher known as “Kafeine” was the first to notice that an exploit for CVE-2014-0569, a Flash Player integer overflow that can lead to arbitrary code execution, had been integrated into the Fiesta exploit kit. He made the discovery while trying to analyze an exploit for a different Flash vulnerability, CVE-2014-0556.
The vulnerability was reported to Adobe privately through HP’s Zero Day Initiative (ZDI) program, so the open question is how the cybercriminals obtained a working exploit in such a short period of time.
Kafeine told SecurityWeek that he believes the cybercriminals reverse engineered the patch released by Adobe to build their exploit.
“The criminals built this vulnerability into an exploit kit in record time. Whether they were given a heads-up, or just have a highly skilled reverse engineer, both scenarios are equally worrisome as it increases the possible window of infection,” Jerome Segura, senior security researcher from Malwarebytes Labs, told SecurityWeek. “Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. Browsing the net on an unpatched computer is like playing Russian roulette with a handful of loaded guns.”
“The bad guys are not going to run short of vulnerabilities they can weaponize, and if this happens at a quicker rate than ever before, their success rate will increase. This leaves end users with very little room for mistakes, such as failing to diligently apply security patches sooner rather than later,” Segura added.
Initially, Kafeine believed the exploit for CVE-2014-0569 was integrated into the Angler exploit kit as well, but in an update made to his original blog post, the researcher noted that the exploit included in Angler actually appears to be for a different Flash vulnerability patched by Adobe last week.
In the case of the Angler exploit kit, the first payload that’s distributed is Bedep (detected by Malwarebytes as Trojan.FakeMS.ED), which enrolls infected computers into a botnet. The final payload is a variant of the notorious Zeus banking Trojan, Kafeine said.
Both the Fiesta and Angler exploit kits are popular among cybercriminals. Angler was recently involved in a malvertising campaign targeting several high-profile websites, including Java.com.
PHP 5 Updates Fix Several Security Vulnerabilities
Posted on October 20, 2014 by Kara Dunlap in Security
PHP released last week versions 5.6.2, 5.5.18 and 5.4.34 of the scripting language. In addition to some functionality bugs, the latest releases address a series of security-related flaws.
According to the PHP development team, a total of four vulnerabilities have been fixed in PHP 5.6 and PHP 5.5, and six flaws in PHP 5.4.
One of the security bugs, CVE-2014-3669, is a high-severity integer overflow in PHP’s unserialize() function. When the function is called on untrusted data, the flaw can lead to a crash or information disclosure; according to the advisory for the bug on the Red Hat Bugzilla, it is unclear at this point whether arbitrary code execution is also possible. The issue only affects 32-bit systems.
Another vulnerability fixed in these releases, CVE-2014-3668, is a medium-severity out-of-bounds read in the mkgmtime() function of the XMLRPC extension that can crash the PHP interpreter.
CVE-2014-3669 and CVE-2014-3668 were reported to PHP in September by a researcher from Geneva, Switzerland-based IT security firm High-Tech Bridge.
Otto Ebeling, a software engineer at Facebook, reported a bug that causes heap corruption when parsing the thumbnail of a specially crafted .jpg image. This heap corruption affecting the “exif_thumbnail()” function has been assigned CVE-2014-3670.
“PHP provides APIs such as exif_thumbnail that can be used to extract embedded thumbnails from various image formats. In the process of extracting a TIFF-formatted EXIF thumbnail from a JPEG image, PHP re-encodes most IFD tags present in the thumbnail directory and prepends them to the thumbnail image in order to produce a standalone TIFF file,” Ebeling wrote in his report. “Individual values are re-encoded using the exif_ifd_make_value function. If this function is asked to write out an array of floating point values (single or double precision), it erroneously uses the size of the whole array when copying individual elements using memmove, leading to heap corruption.”
“To exploit a target application that uses this API (or exif_read_data with suitable parameters), a malicious user can trigger this condition by supplying a tag that contains an array of floating-point values, and further tags that indicate the presence of a TIFF thumbnail. The image itself need not be valid as long as the exif_ifd_make_value gets invoked,” the expert explained.
According to Ebeling, the affected code is also included in the open-source virtual machine HHVM.
PHP 5.4, 5.5 and 5.6 users are advised to update their installations as soon as possible. Additional information on the fixes is available in the changelogs.
Researchers Hide Android Applications in Image Files
Posted on October 17, 2014 by Kara Dunlap in Security
AMSTERDAM – BLACK HAT EUROPE – Researchers have found a way to trick Android users into executing potentially malicious applications by hiding them inside innocent-looking image files.
Axelle Apvrille, mobile/IoT malware analyst and researcher at Fortinet, and Ange Albertini, reverse engineer and author of Corkami.com, have created an application that can be used to encrypt an APK to make it look like a PNG image file.
In a real attack leveraging this method, the attacker sends an application containing an image to the potential victim. When the app is launched, the victim only sees the harmless-looking image. In the background however, a malicious payload is installed onto the victim’s Android device.
In order to hide the installation of the malicious payload, the attacker can leverage the DexClassLoader constructor, the experts said.
According to the researchers, the method works on Android 4.4.2 and earlier versions of the operating system. Google developed a fix for the flaw back in June, but Apvrille told SecurityWeek in an interview that the fix is incomplete. The researchers have informed Google of this and the company is now working on a more complete fix.
How does it work?
The attacker writes the malicious payload and encrypts it so that the result is a valid PNG image file. The encryption is done with AngeCryption, a tool developed by the researchers.
Getting AES output to take a chosen shape is not trivial, but AngeCryption picks the AES-CBC initialization vector so that the encrypted APK is a well-formed PNG and, once decrypted by the wrapper, is an APK that Android accepts without complaint. The resulting image looks normal to users, apart from being about 500 KB, which is large for a small-resolution image.
The final step is to create a wrapping APK into which the malicious PNG is inserted; at run time the wrapper decrypts the image and installs the result.
An APK is a ZIP archive, and a ZIP archive must end with an End of Central Directory (EOCD) record. The researchers managed to add their specially crafted PNG to the APK by appending it after the first EOCD and then adding a second EOCD at the end of the file.
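The layout described above, [zip entries][central directory][EOCD #1][PNG][EOCD #2], is something a reviewer can check for directly: a ZIP reader locates the EOCD by scanning backwards from the end of the file, so it finds the copy, and anything between the two records is invisible to it while still travelling inside the file. The script below is an added example, not the researchers’ tool: it enumerates every EOCD record in a file, keeps only those whose central-directory offset really points at a central directory, and reports the bytes hidden between the first and the last one. The sample APK-shaped archive and the fake PNG it smuggles are constructed inline.

```python
"""Look for data smuggled between two End of Central Directory records.

Added example, not the researchers' code.  Works on any ZIP-shaped file,
so it applies to APKs, JARs and plain .zip archives alike.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
CEN_SIG = b"PK\x01\x02"
EOCD_FIXED_LEN = 22      # fixed fields; a comment of comment_len bytes may follow
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def find_eocd_records(data: bytes) -> list:
    """Every EOCD record in file order, keeping only the internally
    consistent ones (central directory offset really points at a CEN entry),
    so a stray 'PK\\x05\\x06' inside compressed data is not counted."""
    records = []
    pos = data.find(EOCD_SIG)
    while pos != -1 and pos + EOCD_FIXED_LEN <= len(data):
        (_disk, _cd_disk, _entries_here, entries, cd_size,
         cd_offset, comment_len) = struct.unpack_from("<HHHHIIH", data, pos + 4)
        if cd_offset + cd_size <= pos and data[cd_offset:cd_offset + 4] == CEN_SIG:
            records.append({
                "offset": pos,
                "end": pos + EOCD_FIXED_LEN + comment_len,
                "cd_offset": cd_offset,
                "cd_size": cd_size,
                "entries": entries,
            })
        pos = data.find(EOCD_SIG, pos + 1)
    return records


def inspect_apk(data: bytes) -> dict:
    """Summarise the EOCD layout.  hidden_bytes > 0 means there is data
    between the first EOCD and the one a reader will actually use."""
    records = find_eocd_records(data)
    if not records:
        raise ValueError("no End of Central Directory record: not a ZIP/APK")
    first, last = records[0], records[-1]
    hidden = data[first["end"]:last["offset"]] if len(records) > 1 else b""
    return {
        "eocd_count": len(records),
        "hidden_bytes": len(hidden),
        "hidden_is_png": hidden.startswith(PNG_SIG),
        "bytes_after_last_eocd": len(data) - last["end"],
    }


def build_sample(smuggle_png: bool) -> bytes:
    """Constructed APK-shaped archive, optionally with a fake PNG appended
    after the genuine EOCD and a copy of that EOCD placed at the very end."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.wrapper'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    apk = buf.getvalue()
    if not smuggle_png:
        return apk
    eocd_copy = apk[apk.rfind(EOCD_SIG):]                     # duplicate of the real record
    fake_png = PNG_SIG + b"\x00" * 13 + b"payload-bytes" * 8  # stand-in for the encrypted APK
    return apk + fake_png + eocd_copy


if __name__ == "__main__":
    for label, flag in (("clean", False), ("smuggling", True)):
        print(label, inspect_apk(build_sample(flag)))
```

Different ZIP implementations disagree about which EOCD is authoritative, which is exactly why the condition is worth flagging rather than trusting any one parser: Python’s own zipfile, for instance, refuses the crafted sample because it assumes anything that pushes the EOCD away from the central directory was prepended to the archive, while the article reports that Android up to 4.4.2 accepted the file. Running the check over an APK before it is signed or shipped costs nothing and catches this family of appended-data tricks regardless of what the hidden bytes decrypt to.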
Massive Oracle Security Update Lands on Microsoft Patch Tuesday
Posted on October 15, 2014 by Kara Dunlap in Security
Microsoft and Oracle customers will have their hands full applying a spate of security updates that were issued today.
Microsoft released eight security bulletins as part of Patch Tuesday, including critical updates for Internet Explorer, Windows and the .NET Framework. The bulletins address a total of 24 vulnerabilities, including a handful that are already known to be under attack.
But the Microsoft release is dwarfed in size by the more than 150 security fixes issued today by Oracle. Within those patches are 31 fixes for the Oracle Database, several of which have a CVSS Base Score of 9.0.
“This CVSS 9.0 Base Score reflects instances where the user running the database has administrative privileges (as is typical with pre-12 Database versions on Windows),” explained Oracle Software Security Assurance Director Eric Maurice in a blog post. “When the database user has limited (or non-root) privilege, then the CVSS Base Score is 6.5 to denote that a successful compromise would be limited to the database and not extend to the underlying Operating System. Regardless of this decrease in the CVSS Base Score for these vulnerabilities for most recent versions of the database on Windows and all versions on Unix and Linux, Oracle recommends that these patches be applied as soon as possible because a wide compromise of the database is possible.”
The Oracle update also provides fixes for 25 new Java SE vulnerabilities, the most severe of which has a CVSS Base Score of 10.0. Of the 25, 20 affect client-only deployments of Java SE, and two of these are browser specific. Four vulnerabilities affect client and server deployments of Java SE, while one affects client and server deployments of JSSE, Maurice noted.
The remaining vulnerabilities impact: Oracle Fusion Middleware; Oracle Enterprise Manager Grid Control; Oracle E-Business Suite; Oracle Supply Chain Product Suite; Oracle PeopleSoft Enterprise; Oracle JDEdwards EnterpriseOne; Oracle Communications Industry Suite; Oracle Retail Industry Suite; Oracle Health Sciences Industry Suite; Oracle Primavera; Oracle and Sun Systems Product Suite; Oracle Linux and Virtualization and Oracle MySQL.
In the case of Microsoft, customers will have their hands full with issues of their own. Three of the bulletins released today by Microsoft are rated ‘critical’ – MS14-056, MS14-057 and MS14-058.
MS14-056 is the biggest of the updates, and addresses 14 privately reported issues in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
“This is another Patch Tuesday that easily fuels future drive-by web attacks for the months ahead,” said Marc Maiffret, CTO of BeyondTrust. “Beyond just code execution there also exists the ability to bypass ASLR (Address Space Layout Randomization) which is a helpful OS security mitigation for exploitation. This ASLR bypass can be used in conjunction with other vulnerabilities for more successful exploitation where it might not have been possible in the past. It should be noted that Microsoft’s EMET technology will help mitigate some of these attacks and even more importantly these client application vulnerabilities are a great reminder of the need for Least Privilege in making sure users are not running as Administrator.”
MS14-056, he said, should be prioritized first, with the remaining critical updates coming next. MS14-058 contains fixes for two issues in Windows that are already known to be under attack.
“The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts,” according to Microsoft. “In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an email message or Instant Messenger message.”
The final critical bulletin is MS14-057, which addresses vulnerabilities in the .NET Framework. According to Microsoft, the most severe of these could allow remote code execution if an attacker sends a specially-crafted URI request containing international characters to a .NET web application. In .NET 4.0 applications, the vulnerable functionality (iriParsing) is disabled by default; for the vulnerability to be exploitable an application has to explicitly enable this functionality. In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled.
The remaining bulletins are rated ‘Important’ and cover issues in Microsoft Windows, Developer Tools and Microsoft Office.
Adobe Systems also released patches today to address issues in Adobe Flash Player.
“Adobe is releasing an update to their Flash player with advisory APSB14-22, which addresses three RCE [remote code execution] type vulnerabilities,” blogged Qualys CTO Wolfgang Kandek. “Installations that run the newer Internet Explorer 10 and 11 get this update automatically. Users of older browsers or on other operating systems should apply this critical update manually.”
Pros and Cons of the Access App for SharePoint 2013
Posted on October 14, 2014 by Kara Dunlap in SharePoint
Tags: SharePoint 2013
Enterprise Personal & Collaboration
Why are Access 2013 Apps great? Here are a few reasons:
They have a SQL Server backend
You can use SQL Server Reporting Services, Excel or any other product that supports SQL Azure or SQL Server over ODBC to build reports on the Access App data
When you use App Templates or Tables, views and navigation are created automatically
There are new related-item controls that make building views easy, and they have a consistent look and feel
One-click deployment
The search capability is built in and user-friendly
What are SharePoint 2013 Apps?
They let developers build custom applications that can be published to the Office Store for public download, or to the Corporate Catalog, a company’s internal App Catalog site, from which users can add them to their SharePoint sites. Among the out-of-the-box apps is an Access App that makes it easy to add Access 2013 data sources to SharePoint 2013 sites.
What exactly is the Access App?
This out-of-the-box, no-code app lets us put Access data sources into SharePoint and comes with some great features (listed above) that I will go into in more detail in the next sections. The purpose of the app is to provide a more reliable, faster and more robust option for putting relational data into SharePoint without the hassle of building something from the ground up. Microsoft Office Access 2013 includes several templates for Access Web Apps and tables that will get you started.
Top Access App Features
It is a great alternative to creating a list in SharePoint when you know it will grow into a “large list”. Not only does it handle large lists and provide fast access to the data, it also lets external SQL Server and SQL Azure aware tools get at the data.
Want to know how it works?
When you create the app in Microsoft Office Access 2013, you choose the site where it will live.
As part of deploying the app to SharePoint, a SQL database is provisioned to hold all the objects and data the app needs.
The database that is created is specific to your app and by default is not shared with other apps.
When you create a table in the app, a table is created in the database.
When you create a query in the app, a SQL Server view is created, or, if your query takes a parameter, a table-valued function is created.
When you create a Standalone Macro in the app, a stored procedure is created in SQL Server.
Views in Access are the components of your app that display the data in the browser. They are also stored in the database, but as text, because they are HTML and JavaScript rather than SQL objects.
Other Great Benefits Worth Mentioning
When building the Access App, you can choose from one of several simple and quick templates or start from scratch with a custom app. That’s it; in just a few clicks you have a working SharePoint App. Either way, once you have designed your database, click Launch App and you have a no-code app in SharePoint that includes a search tool.
By Amy Sawtell, December 10, 2013
Source: http://www.cardinalsolutions.com/cardinal/blog/portals/2013/12/the_pros_and_consof.html
The future of Microsoft depends on Windows being free
Posted on October 13, 2014 by Kara Dunlap in Microsoft Windows
The value of OS upgrades has been completely lost in a time when we are used to getting free updates to our phones for as long as they can keep running the software. Why doesn’t the same model apply to the PC yet? Microsoft has already adopted free upgrades for Windows Phone, so why not for the PC?
Microsoft has stayed quiet about its plans for Windows pricing in future, but it did make it free for users to upgrade from Windows 8 to 8.1, and we know the upgrade from 8 to 10 will be free, but will this continue? The company recently unveiled Windows 10 but did not say whether it would be another free upgrade or not; still, it probably should be a free upgrade for most Windows users.
Microsoft needs to decouple the business and consumer markets if it wants to keep its iron grip on the future PC market. It is entirely reasonable to expect businesses to pay for licensed software, even if only to get extended updates and support, but expecting the end user to care enough to spend over $100 to upgrade every two years is absurd.
For many consumers, Windows upgrades are directly tied to when they replace their PCs. Why else would so many people not even bother to upgrade from XP? Their PCs are perfectly capable of running Windows 7, but why would they want to pay $130 just to get the latest software? Change can be hard, and rather than bothering to pay for a new license and upgrade, these users have chosen to stay on unsupported versions because it “works” fine.
Making Windows free has a number of tangible benefits for Microsoft; not only does it encourage users to upgrade regularly (and removes almost all barriers to doing so), it means users are more likely to be on the latest version of Microsoft products and associated services. It also means Microsoft could eliminate all the confusing and unnecessary SKU options and concentrate on two markets: consumer and enterprise.
Imagine Windows 10 were made free for all users from Vista up: the install base would rapidly move to the latest version (much as OS X users, or iOS users, flock to the latest release), meaning less legacy support for Microsoft and the ability to promote bigger numbers. The company could simply have a separate version, and a charge, for those using Windows in business settings.
If it is free for most home users to get the latest version of Windows, it seems likely that those same users would be more willing to pay for associated services through a subscription instead, like OneDrive or Office 365, which would add up to a lot more recurring revenue for the company.
I expect Microsoft has already come to this same, inevitable conclusion and will make Windows 10 free for those on Windows 7 and up. It is probably a tough decision for the company (Windows is a $5 billion a year business), but it is a crucial one that it has to make in order to stay relevant.
As fewer and fewer PCs are sold each year, the company should look for other ways to make money, by selling supporting services on a longer-term basis rather than trying to convince people to drop the cash on an upgrade every three years.
Consumers simply are not buying new computers any more, as the machines last longer or people switch to relying on phones and tablets, so Microsoft has to find new ways of earning revenue beyond Windows. Windows will become the conduit through which consumers buy Microsoft services.
The days of paid Windows upgrades have met their end, even if Microsoft has not admitted it yet.
Remember the days when you would head out to the store to pick up the latest version of Windows, on DVD, for something like $130? Those days may seem like the distant past, but in truth Microsoft is still charging for upgrades between major versions, even as of Windows 8.1.
- By Owen Williams, thenextweb.com
WordPress is the Most Attacked CMS: Report
Posted on October 12, 2014 by Kara Dunlap in Security
Data security firm Imperva released its fifth annual Web Application Attack Report (WAAR) this week, a study designed to track the latest trends and cyber threats facing web applications.
The report, which is based on the analysis of 99 applications over a period of nine months (August 1, 2013 – April 30, 2014), determined that WordPress is the most targeted content management system (CMS). In fact, WordPress websites were attacked 24.1% more than sites running on all other CMS platforms combined.
“WordPress has been in the headlines, in the past couple of years, both because of its popularity, and because of the amount of vulnerabilities found in its application and exposed by hackers. We believe that popularity and a hacker’s focus go hand-in-hand. When an application or a platform becomes popular, hackers realize that the ROI from hacking into these platforms or applications will be fruitful, so they spend more time researching and exploiting these applications, either to steal data from them, or to use the hacked systems as zombies in a botnet,” the report reads.
This year’s WAAR also makes a comparison between attacks targeting PHP and .NET applications. It turns out that PHP apps suffer almost three times more cross-site scripting (XSS) attacks than ASP applications, and nearly two times more directory traversal attacks. On the other hand, Imperva has determined that ASP applications suffer twice as many SQL injection attacks than PHP applications.
When it comes to websites, unsurprisingly, those that have login functionality, and therefore store consumer-specific information, are the most targeted.
Nearly half of all the attacks observed by Imperva during the nine month period targeted the retail sector, followed at a distance by financial institutions which accounted for 10% of all Web application attacks.
Compared to the previous period reviewed by the company (June 1, 2012 – November 30, 2012), attacks have been 44% longer. A 10% increase was also observed in SQL injection attacks, and a 24% increase in remote file inclusion (RFI) attacks.
As far as attack sources are concerned, Imperva found that the United States generates most of the Web application attack traffic.
“In our educated opinion, based on years of analyzing attack data and origins, we propose that attackers from other countries are using U.S. hosts to attack, based on those hosts being geographically closer to targets,” the report reads.
“While this may be overwhelming, we believe that there is more to this picture. Attacks originating in the U.S. may indicate other things such as TOR exit nodes, Botnet infected machines, etc., and so this information needs to be looked at in proportion. What it potentially teaches us is the quality of targets. It makes sense for an attacker to execute the attack as close to the target as possible, to remain undetected or to maximize the available bandwidth of the attack.”
Attackers are increasingly leveraging cloud and infrastructure-as-a-service (IaaS) hosted applications and servers. Imperva has found that 20% of all known vulnerability exploitation attempts and 10% of all SQL injection attempts originated in Amazon Web Services (AWS) source IPs.
The complete Web Application Attack report from Imperva is available here.