Pierluigi Paganini July 31, 2013

FireHost Secure cloud hosting company issued Q2 2013 Superfecta report that revealed a sharp increase in blended, automated attacks.

FireHost announced the Q2 2013 Superfecta report, an interesting set of statistic related to attacks against web applications. The Superfecta is a group of four attack types considered by the FireHost Secure cloud hosting company as being the most dangerous for company businesses, to be precise they are Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).

Following the definition provided for Superfecta:

• Cross-site Scripting (XSS) – Cross-site scripting involves the insertion of malicious code into webpages in order to manipulate website visitors. It is used by attackers for a range of reasons, from simply interfering with websites to launching phishing attacks against web users.
• Directory Traversal – A Path Traversal attack aims to access files and directories that are stored outside the web root folder.
• Cross-Site Request Forgery (CSRF) – CSRF is an attack that forces an end user to execute unwanted actions on a Web application in which he/she is currently authenticated.
• SQL Injection – SQL Injection involves the entering of malicious commands into URLs and text fields on websites that happen to be vulnerable, usually in an attempt to steal the contents of databases storing valuable data such as credit card details or usernames and passwords. The attack vector has been associated with many high profile data breaches.

FireHost examined more than 24 million cyber attacks observing a meaningful increase for Cross-Site Request Forgery and  SQL Injection, the concerning trend is attributable to the large diffusion of automates attack tools. Automated attacks allow attackers conduct various types of offensives on a large scale and in short time, data stealing, malware spreading, DDoS attacks and vulnerability exploiting are activities really easy to conduct also without any particular expertise.

Another concerning data proposed by Q2 2013 Superfecta report is that blended and automated attacks are conducted by criminals that are exploiting cloud service provider networks.

FireHost experts state in the Q2 2013 Superfecta report to have blocked more than 1.2 million attacks in Q2, they highlighted that the smallest percentage increase (0.7 %) in XSS attacks suggests that this type of  attack is commonly used in conjunction with other exploits, probably to allow an attacker to gain access to more complex attack vectors.

“Cybercriminals can easily deploy and administer powerful botnets that run on cloud infrastructure,”  “Many cloud providers unfortunately don’t adequately validate new customer sign-ups so opening accounts with fake information is quite easy. Once the account is created, APIs can be leveraged to deploy a lot of computing power on fast networks giving a person the ability to create a lot of havoc with minimal effort.” said FireHost founder and CEO Chris Drake.

According many security experts cyber criminals are targeting hosting services to gather information to use in successive attacks. Recently the APWG Global Phishing Survey revealed that hackers are targeting shared virtual servers for various purposes such as bot recruiting and malware distribution, following an excerpt from the study:

“In late 2012 into 2013, we have seen increasing use of tools targeting shared hosting environments, and particularly WordPress, cPanel, and Joomla installations. For example, beginning in late 2012 criminals hacked into server farms to perpetrate extended DDoS attacks against American banks. And in April 2013, a perpetrator launched wide-scale brute force attacks against WordPress installations at hosting providers in order to build a large botnet. Tens of thousands to hundreds of thousands of these shared servers have been cracked by such techniques. Access and use of these boxes is then metered out in the criminal underground for all sorts of activities, including DDoS, malware distribution, and of course, phishing. These attacks highlight the vulnerability of hosting providers and software, exploit weak password management, and provide plenty of reason to worry.”

Cybercriminals are also enumerating target workstation clients to identify software VPN connections to shared services platforms and accordingly, taking over workstations to gain access into cloud environments.

Following the Key statistics for the Q2 2013 Superfecta report include:

• Total number of all attack types blocked by FireHost in Q2 2013: 24,074,406 (This includes low level attacks that are automatically blocked by FireHost’s IP Reputation Management “IPRM” filters)
• Superfecta attacks increased by six percent during the quarter with a total number of 3,643,620 blocked in Q2 2013 (up from 3,410,212 in Q1 2013)
• XSS was the most prevalent Superfecta attack type in Q2 2013 – with more than 1.2 million attacks being blocked, 33 percent of the total Superfecta attacks
• SQL Injections now represent 18 percent of all Superfecta attacks, CSRF attacks are now 26 percent of the Superfecta total. Both have grown in volume since Q1 2013.

Pierluigi Paganini

(Security Affairs – Firehost Q2 2013 Superfecta report, cybercrime)