SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
New Barracuda threat report reveals web apps exploitation methods
Tue, 20th Feb 2024

Cloud-first security solutions provider Barracuda Networks has released a new Threat Spotlight report that throws light on the different methods attackers are using to exploit web application vulnerabilities and misconfigurations to steal valuable data.

In 2023 alone, Barracuda mitigated over 18 billion attacks on applications, including an alarming 1.716 billion attacks in December. The report focused on incidents involving web applications that were detected and prevented by Barracuda Application Security throughout that month. It homed in on attacks identified by the Open Worldwide Application Security Project (OWASP).

Web applications are computer programs accessed through web browsers, encompassing productivity tools like Microsoft 365 or Google Docs / Gmail. According to the data from Verizon's Data Breach Investigation Report (DBIR), they were implicated in 80% of the reported security incidents and 60% of breaches in 2023, indicating they are a prime target for cyberattacks.

According to the recent Barracuda Threat Spotlight, the largest share of attacks on web applications is directed at security misconfigurations like coding and implementation errors, accounting for 30% of all attacks. A further 21% of attacks involved a method called 'code injection,' where an attacker injects code that an application then executes. This includes not only SQL injections, which aim to steal, destroy, or alter data, but also Log4Shell and LDAP injections. LDAP is often deployed in privilege management, such as supporting Single Sign-On (SSO) for applications.

The Threat Spotlight report also highlighted that bot attacks on web applications were widely used throughout 2023, with a majority of these (53%) being utilised for volumetric Distributed Denial of Service (DDoS) attacks. These attacks deploy IoT devices and are based on brute force techniques that inundate the target with data packets to consume bandwidth and resources. They can also be utilised as a smokescreen for a more insidious and targeted attack on the network.

Principal Product Manager for Application Security at Barracuda, Tushar Richabadas, commented, "Web applications and APIs are lucrative attack vectors for cybercriminals - and they are coming under increasing attack." He emphasised how difficult it is for defenders to keep up with the ever-increasing number of vulnerabilities. Teams have to contend with both new and old vulnerabilities across crucial applications, some of which also have vulnerabilities in their software supply chain, highlighted by the Log4Shell vulnerability.

Richabadas warned, "It must be remembered that attackers will often target old vulnerabilities that security teams have overlooked to try to breach an unpatched application and then spread into the network."