July 2019 AppSec Intelligence Report: Attack Edition

July 2019 AppSec Intelligence Report: Attack Edition

What is this report: This report summarizes Contrast Labs' analysis of real world application attack data from July 2019. It utilizes data from attacks that Contrast observed over the previous months and highlights the key trends found. 

Who should read this: Developers, product owners, AppSec, and security engineers can use the information to better understand application security threats, adjust their security controls accordingly, and improve their security posture. 

Frequency: Through reading this report on a monthly cadence, AppSec teams can gain a better understanding of the possible types and origins of attacks and attackers that you might see.

To learn more about how Contrast directly measures both vulnerabilities and attacks in parallel across your application portfolio, please visit our website.

KEY OBSERVATIONS

• In July, Contrast saw a 25% increase in total attacks compared to June. This correlated with 35% increase in attacks per application.
• 9% of these attacks were connected to a vulnerability within an application. The other 91% were probes and did not connect with a corresponding vulnerability within the target application. This is down significantly from June, when 26% of attacks connected to actual vulnerabilities.
• The most common attack types were SQL Injections, Path Traversals, and Command Injection attacks. 
• The volume of attacks targeting open source components remained steady compared to last month, with CVE-2013-2251 and CVE-2017-5638 as the most common attacks.

SUMMARY

• Custom Code Attacks: We saw the continued dominance of SQL-Injection attacks last month. SQL-Injections represented 68% of all attack vectors, targeting 77% of applications. Overall volume of SQL-Injection attacks was up since June when they represented 58% of all attacks, targeting 82% of applications.
• Open Source (CVE) Attacks: Attacks on CVEs, particularly Struts, continued at similar levels last month. The most common CVE attack in July and June was CVE-2017-5638 (Struts 2 Input Validation).
• Attack Vectors By Language: SQL Injection attacks were the most common for Java applications in July. .NET applications experienced the highest volume of Command Injection attacks and Node experienced the highest volume of Path Transversal attacks.
• Geo Location: Attacks originated from across the globe in July, with the most attacks originating from North America, specifically the United States. Netherlands remained the second most common origin country for the second month in a row.

CUSTOM CODE ATTACKS

The three most common attack types in July:

• SQL Injection
• Carefully crafted inputs that can alter the SQL queries the application uses, and steal data or execute code.
• Represented 68% of all attacks in July, up from 58% of attacks in June.
• Targeted 77% of applications.
• Path Traversal
• A vulnerability that allows users to control which files are opened and read by an application.
• Represented 13% of all attacks in July, down from 28% of attacks in June.
• Targeted 46% of applications.
• Command Injection
• Carefully crafted inputs can execute tainted commands.
• Represented 11% of attacks in July, up from 4% in June.
• Targeted 21% of applications.

In July, 96% of applications were targeted by one of these three types during the month.

TOP CVE ATTACKS

Exploiting vulnerable versions of Struts 2 continues to dominate attacks on CVEs.

CVE-2017-5638 (Struts 2 Input Validation) attacks remained the most prevalent attack on a CVE. However, its reign may be over. For the past 3 months, attacks on CVE-2017-5683 have represented an increasingly smaller portion of total attacks. We observed just over 50% of the attack volume in July that we had seen in June.

The next most common CVE targeted in July attacks was CVE-2013-2251. July marked the 6th anniversary of its first publish date and almost a year since an automatic exploit for the vulnerability was announced! 

Attacks on CVE-2016-4438 (Struts 2 Input Validation), the second most common CVE targeted in June, dropped considerably in July.

TOP ATTACK VECTORS BY LANGUAGE

ATTACKS BY GEOLOCATION

July saw attacks from 6 continents and 109 countries. 

The largest increase in volume May to June came from the Netherlands, where we observed a 2x increase in attacks. This higher volume remained relatively stable in July.

The map below illustrates the number of attacks originating from each country with the most saturated color representing the most attacks and the least saturated representing the least attacks. We observed no attacks from the countries filled in gray.