
CONTRAST LABS: November AppSec Threat Intelligence Report

By Contrast Marketing

December 27, 2017

Thought Leaders


Contrast Labs analysis of real world attack data from November.

Observations

  • Overall attack traffic was down in November from our highs in August. Once again this month, virtually every application and API was attacked, and some were continuously targeted across the month. We recorded hundreds of attackers from over 250 cities around the world.

  • Only a fraction of these attacks actually connected with their corresponding vulnerability. Unlike a WAF, NG-WAF, or filter-based RASP, Contrast’s instrumentation-based RASP implementation differentiates between probes that don't reach their targeted vulnerability, dangerous attacks that do reach their target, and successful exploits of those vulnerabilities.

  • Path traversal has eclipsed XSS and SQLi as the leading attack vector this month, and XSS fell to third place after leading for months. Finally, the large spike in Padding Oracle attacks that we observed in October has returned to normal low levels.

  • This month revealed the emergence of attacks on CVE-2016-3081, adding to all the other Struts2 OGNL Injection problems. Clearly attackers are swarming on Struts2, but don't forget that every CVE is likely to be attacked using automated tools. Attacks on newly published CVEs typically start within a day, so you should keep an up-to-date database of every version of every library in your portfolio, and establish the infrastructure to respond within a day.

  • Interestingly, this month we saw another significant increase in non-Struts2 OGNL injection attacks, which first appeared in October. Although the current attack levels are not high, it's worth ensuring that you aren't susceptible before it gets bad.
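The distinction drawn in the second observation above, between a probe that never reaches its targeted vulnerability and an attack that does, is easier to see in code. The following is an added illustration written for this page; it is not Contrast's code and does not model its product. It places a request-level filter that only inspects the input (what a WAF sees) beside a monitor hooked at the file-open sink, which can tell whether the tainted value actually escaped the document root. The two handlers, the temporary document root, and the sample inputs are all constructed for the example.

```python
"""Added example (not Contrast's code): request-level filtering versus
sink-level instrumentation for a path-traversal parameter.

A request-level filter sees only the input string. A hook at the
dangerous sink (here, opening a file) sees whether the tainted value
reached the sink at all and whether the resolved path escaped the root.
Everything below is constructed for illustration."""
import os
import tempfile
from dataclasses import dataclass

# Constructed document root with one legitimately readable file.
BASE = tempfile.mkdtemp()
with open(os.path.join(BASE, "readme.txt"), "w") as fh:
    fh.write("public file\n")

TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e")


@dataclass
class Verdict:
    request_flagged: bool  # a WAF-style filter would flag the input
    sink_reached: bool     # the tainted value reached the file sink
    exploited: bool        # the resolved path escaped the document root


def request_filter(value: str) -> bool:
    """WAF-style check: pattern match on the input, no context."""
    lowered = value.lower()
    return any(marker in lowered for marker in TRAVERSAL_MARKERS)


class SinkMonitor:
    """Stand-in for an instrumentation hook on the file-open sink."""

    def __init__(self) -> None:
        self.reached = False
        self.escaped = False

    def open_file(self, user_path: str) -> str:
        self.reached = True
        root = os.path.realpath(BASE)
        resolved = os.path.realpath(os.path.join(root, user_path))
        # Canonicalise, then check containment; the check happens at the
        # sink, where the value's real effect is known.
        if os.path.commonpath([root, resolved]) != root:
            self.escaped = True
            raise PermissionError("blocked: path escapes document root")
        with open(resolved) as fh:
            return fh.read()


def handler_search(value: str, monitor: SinkMonitor) -> str:
    """Constructed endpoint that never touches the filesystem, so a
    traversal payload sent here is only a probe."""
    return f"no results for {value!r}"


def handler_download(value: str, monitor: SinkMonitor) -> str:
    """Constructed endpoint that passes the parameter straight into the
    file sink, so a traversal payload here reaches its target."""
    try:
        return monitor.open_file(value)
    except (PermissionError, FileNotFoundError) as err:
        return str(err)


def assess(handler, value: str) -> Verdict:
    """Run one request through a handler and report both viewpoints."""
    monitor = SinkMonitor()
    handler(value, monitor)
    return Verdict(
        request_flagged=request_filter(value),
        sink_reached=monitor.reached,
        exploited=monitor.escaped,
    )


if __name__ == "__main__":
    probe = "../../../../outside-of-root.txt"
    print("probe on search:   ", assess(handler_search, probe))
    print("benign download:   ", assess(handler_download, "readme.txt"))
    print("probe on download: ", assess(handler_download, probe))
```

The same input produces three different verdicts depending on where it lands: the request filter flags it on both endpoints, but only the sink monitor can say that on the search endpoint it was a harmless probe and on the download endpoint it reached the vulnerable sink and was blocked there. That is the separation of probes, attacks that reach their target, and exploitation that the observation describes.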

Top Attack Vectors

Table 1. Top Attack Vectors for November 2017

  ATTACK TYPE                                 % OF TOTAL
  path-traversal                              34.38%
  sql-injection                               30.90%
  reflected-xss                               24.62%
  cmd-injection                                6.15%
  cve-2017-9791 (Struts2 OGNL Injection)       1.44%
  cve-2013-2251 (Struts2 OGNL Injection)       1.20%
  cve-2017-5638 (Struts2 OGNL Injection)       0.78%
  cve-2016-4438 (Struts2 OGNL Injection)       0.37%
  ognl-injection                               0.10%
  cve-2016-3081 (Struts2 OGNL Injection)       0.06%
  padding-oracle                               0.00%
  JBoss Remote Exploit                         0.00%

Attack Geolocation

Not much change in the countries doing the attacking. The United States, Poland, the Netherlands, and France were responsible for the majority of attacks. As always, we caution that attackers may be using hosts in the United States to launch their attacks rather than operating from there.

Table 2. Top Attack Volume by Country for November 2017

  COUNTRY          % OF TOTAL
  United States    48.36%
  Poland            9.52%
  Netherlands       2.84%
  France            2.17%
  Pakistan          1.24%
  Croatia           1.20%
  Canada            0.26%
  India             0.07%
  China             0.01%
  Hong Kong         0.01%
  Germany           0.00%
  Romania           0.00%

Table 3. Top Attack Volume by City for November 2017

  CITY             COUNTRY      % OF TOTAL
  Chesterfield     US           18.87%
  Ashburn          US           13.21%
  San Jose         US            7.86%
  Columbus         US            3.62%
  Parkville        US            2.75%
  Karachi          Pakistan      1.26%
  Pula             Croatia       1.23%
  Kansas City      US            0.31%
  New York         US            0.30%
  Evansville       US            0.08%
