June 2019 AppSec Intelligence Report: Attack Edition

What is this report: This report summarizes Contrast Labs' analysis of real world application attack data from June 2019. It utilizes data from attacks that Contrast observed over the previous months and highlights the key trends found. 

Who should read this: Developers, product owners and security engineers can use the information to better understand application security threats, adjust their security controls accordingly, and improve their security posture. 

Frequency: Through reading this report on a monthly cadence, AppSec teams can gain a better understanding of the possible types and origins of attacks and attackers that you might see.

To learn more about how Contrast directly measures both vulnerabilities and attacks in parallel across your application portfolio, please visit our website.

KEY OBSERVATIONS

• In June, Contrast saw over a 53% increase in attacks compared to May. 
• 26% of these attacks managed to reach actual vulnerabilities within applications. The other 74% were probes and did not reach a corresponding vulnerability in the code.
• Less than 1% of attacks observed were on open source components, of which Struts 2 exploits were the most prevalent. The remaining attacks were on custom code and were mostly SQL Injections, Path Traversals, and Cross-Site Scripting (XSS) attacks. 

SUMMARY

• Custom Code Attacks: We saw the continued dominance of SQL-Injection attacks. Last month, SQL-Injections made up 58% of all attacks, targeting 82% of applications. In May, SQL-Injections made up 21% of attacks, targeting 82% of applications. 
• Open Source (CVE) Attacks: Attacks on CVEs, particularly Struts, continued at similar levels last month. The most common CVE attack in June was CVE-2017-5638 (Struts 2 Input Validation).
• Attack Vectors By Language: SQL Injection attacks were the most common for Java applications in June. .NET applications experienced the highest volume of Cross-Site Scripting attacks and Node experiences the highest volume of Path Transversal attacks.
• Geo Location: Attacks originated across the globe in June, with the most attacks originating from North America, specifically the United States. 
• Attack Duration & Methods: June brought longer attacks compared to May. The longest grouping of attack events coming from a single IP address over a sustained period of time averaged over 10 minutes. The longest attack lasted over 3 hours!

CUSTOM CODE ATTACKS

The three most common attack types in June:

• SQL Injection
• Carefully crafted inputs that can alter the SQL queries the application uses, and steal data or execute code.
• Constituted 58% of all attacks.
• Targeted 82% of applications.
• Path Traversal
• A vulnerability that allows users to control which files are opened and read by an application.
• Constituted 28% of all attacks in June.
• Targeted 43% of applications.
• Cross-Site Scripting (XSS)
• A web application vulnerability that allows users to run arbitrary JavaScript in other user's browsers.
• Constituted 9% of all attacks in June.
• Targeted 32% of applications.

In June, 95% of applications were targeted by one of these three types during the month.

TOP CVE ATTACKS

Exploiting vulnerable versions of Struts 2 continued to be low hanging fruit in June.

CVE-2017-5638 (Struts 2 Input Validation) attacks remained the most prevalent attack on a CVE after two years since being disclosed and the massive attention they received.

After CVE-2017-5638, CVE-2016-4438 (Struts 2 Input Validation) followed as the next most common CVE in June.

CVE-2017-9791 (Struts 2 Input Validation) notably dropped from the top of the list. This Struts 2 CVE made up 47% of CVEs we saw in May, however these attacks fell to almost nonexistent last month.

TOP ATTACK VECTORS BY LANGUAGE

ATTACKS BY GEOLOCATION

June saw attacks from 6 continents and 112 countries. While attacks came from all over the world, the overwhelming majority originated in the United States. 

The largest increase in volume came from the Netherlands, where we observed a 2x increase in attacks from May to June.

The map below illustrates the number of attacks originating from each country with the most saturated color representing the most attacks and the least saturated representing the least attacks. We observed no attacks from the countries filled in gray.

ATTACK DURATION & METHODS

The longest attack in June lasted 3 hours, 2 minutes and 12 seconds. It consisted of 21 separate Reflected XSS attacks.

The average length of attack in June was 10 minutes and 13 seconds, up from just under 2 minutes in May.

The vast majority of these attacks were comprised of only one attack vector.