Skip to content

CONTRAST LABS: December AppSec Threat Intelligence Report

By Contrast Marketing

January 3, 2018

Thought Leaders

    

Contrast Labs' analysis of real world application attack data from December 2017.

Overview

  • December was a huge month for application layer attacks, with large increases in every category of attack except Padding Oracle. Overall, we saw a 5x increase in attack traffic in December. These attacks included huge increases in SQL injection attacks, attacks on all Struts2 OGNL vulnerabilities (especially CVE-2016-3081 and CVE-2013-2251), and Path Traversal attacks. 
Observations
  • Two new types of attacks on custom vulnerabilities showed up this month. First, attackers attempted to bypass method based access control mechanisms with Method Tampering attacks.  Second, non-Struts2 OGNL Injection attacks almost tripled from November levels.

  • For attacks on custom vulnerabilities, SQLi dominates as the leading attack vector this month, up almost 20% over November and represents over half of all attack traffic. Path Traversal attacks more than tripled in December and XSS attacks were up slightly. Padding Oracle attacks that spiked in October have disappeared in December.

  • On the known vulnerability side, we saw massive increases in attacks on Struts2 OGNL vulnerabilities, particularly CVE-2016-3081 and CVE-2013-2251. Both were up more than 30x from November levels. Clearly attackers are still focused on Struts2.  All CVEs saw increases in attack traffic in December. 

  • We also saw attacks on a few new CVEs. CVE-2017-12616 is a Tomcat JSP source code reveal, and CVE-2014-0112 is an older Struts2 RCE. We believe the attacks on application libraries will continue to increase, and recommend the use of RASP technology to ensure visibility and protection.

  • December saw application layer attacks from 29 countries, 329 cities, and 512 different IP addresses in December. While attacks came from around the world, they overwhelmingly originated in the United States.

Top Attack Vectors

 Table 1. Top Attack Vectors for November 2017

    ATTACK TYPE

% OF TOTAL
(attack volume 
)

  sql-injection

50.42% 

  path-traversal

26.17% 

  reflected-xss

9.68% 

  cve-2013-2251 (Struts2 OGNL Injection)

7.39% 

  command-injection

3.86% 

  cve-2016-3081 (Struts2 OGNL Injection)

1.26% 

  cve-2017-9791 (Struts2 OGNL Injection)

0.62% 

  cve-2017-5638 (Struts2 OGNL Injection)

0.28% 

  cve-2016-4438 (Struts2 OGNL Injection)

0.13% 

  method-tampering

0.12% 

  ognl-injection

0.04% 

  cve-2017-12616 (Tomcat JSP source code reveal)

0.01% 

  cve-2014-0112 (Struts2 RCE)

0.00%  
  JBoss Remote Exploit 0.00%  
  padding-oracle 0.00%  

 

Attack Geolocation

Not much change in the countries doing the attacking.  The United States, Poland, Netherlands, and France were responsible for the majority of attacks. As always, we caution that attackers may be using hosts in the United States to launch their attacks.

Table 2. Top Attack Volume by Country for November 2017  

COUNTRY

  % OF TOTAL
(attack volume )

  United States 57.49% 
  Poland 2.42% 
  France 0.93% 
  Netherlands 0.78% 
  Croatia 0.47% 
  Russia 0.06% 
  Italy 0.05% 
  Canada 0.03% 
  China 0.02% 
  Vietnam 0.02% 
  India 0.01% 
  Pakistan 0.00% 

 

Table 3. Top Attack Volume by City for November 2017 

     CITY

    COUNTRY

    % OF TOTAL

  Ashburn

US

32.69%

  Chesterfield

US

10.05%

  Chatanooga

US

4.53%

  San Jose

US

3.14%

  Knoxville

US

2.85%

  Murfreesboro

US

0.51%

  Pula

Croatia

0.47%

  Usol'ye-Sibirskoye

Russia

0.06%

  Manassas

US

0.06%

  Arezzo

Italy

 0.05%


  

devops-security

Contrast Marketing

Contrast Marketing