Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/12/2020
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Website Attacks Become Quieter & More Persistent

Threat actors have pivoted from noisy attacks to intrusions where stealth and ROI are primary goals, new report says.

Threat actors are pivoting away from noisy website attacks to campaigns that are quieter and designed to remain undetected for as long as possible.

From website defacements and SEO spam, attackers are increasingly targeting websites to install backdoors and other stealthy malware, according to a new study by SiteLock.

The security vendor analyzed some 7 million websites worldwide and discovered that adversaries have sharply ramped up attacks on websites over the past year. The company found that typical websites experience about one attack every 15 minutes, or 94 attacks per day on average.  Each website was visited by as many as 2,608 automated bots per week on average. Attacks on websites jumped 52% over the previous year, according to SiteLock.

Sixty-five percent of websites that were infected with malware contained a backdoor, 48% contained filehacker malware, and 22% contained a malicious eval function for executing malware. Other common indicators of malicious activity on websites included the presence of shell scripts in 22% of sites and functions for injecting malicious code in 21% of the sites.

In contrast, SiteLock discovered evidence of noisier attacks, such as cryptomining software, on less than 1% of the sites it analyzed, SEO spam on 5% of them, and signs of defacement on 6% of the sites in the study.

"The main takeaway from our '2020 Annual Security Review' is hackers are becoming increasingly sophisticated and are turning to methods that can go undetected and deliver the biggest payout," says Neill Feather, chief innovation officer and co-founder at SiteLock. For organizations, the trend highlights the need for regular website updates, strong passwords, and multifactor authentication as well as the need to uninstall unused plug-ins, he says.

SiteLock found that sites using WordPress were three times more likely to have malware on them than all other sites. Eighteen percent of WordPress sites were found to contain at least one vulnerability; the most common among them are SQL injection flaws, cross-site scripting (XSS), and cross-site request forgery (CSRF).

Plug-in Perils
The number of WordPress plug-ins that a site used had a direct impact on its security posture. Sites that used 6–10 plug-ins had a three times higher risk of getting compromised than sites that did not use a WordPress plug-in. Sites with 20 or more plug-ins were seven times more likely to get compromised.

"The more plug-ins or extensions a website has, the more potential entry points for hackers," Feather says. This is especially true when plug-ins are out of date and have new vulnerabilities discovered in them. "Each old plug-in on a website increases the chances of [it] being hacked," he says. "For every five plug-ins you add to your site, you nearly double the risk of getting compromised."

Extrapolating from the data from its survey, SiteLock estimated that about one out of 100 websites (12.8 million sites) worldwide is infected with at least one malware sample. SiteLock discovered that sites it deemed as being high risk were 24 times more likely to have malware than low-risk sites.

According to Feather, SiteLock classifies websites as being low, medium, or high risk based on three main factors. The first is website complexity, such as the size of the website and whether it uses a database to store customer data. The second factor is website popularity, which includes site traffic and social media presence. The third factor is site composition, such as the software used to create a website. "The best way for website owners to protect their sites is to regularly run a Web vulnerability scanner and ensure that security is kept up to date, ideally through automated patching," Feather says.

A newly released Risk Based Security report on data breaches during the first quarter of 2020 showed that Web-related breaches represented only a relatively small proportion of the overall number of data breaches in that period. Even so, Web breaches accounted for a substantially higher number of records compromised compared with hacking-related breaches and other intrusions.

Approximately 90% of the staggering 8.4 billion records that were exposed in the first quarter resulted from Web breaches. Records exposed included everything from email address and passwords to financial data, bank account data, health information, and Social Security numbers.

Related Content:

 

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...