Patch Tuesday is an important calendar item for Akamai customers, given how dominant Windows machines are in many companies. What follows is Microsoft's January 2014 Security Update.
I got a message this morning from an Akamai colleague who read yesterday's blog post on the HacKids security conference for children. He wanted me to know that he is doing something similar. Stefano Buttiglione, one of our senior solutions architects, says a school in his home town in Italy asked him to do a training course on the risks of social media to kids and their parents. It started as a one-day Danny Lewin Community Care event and blossomed from there.
As I've written before, we in Akamai InfoSec take our security training very seriously. We also know that our success as a security operation depends on the skills and talents of the future. So when I see great examples of training for younger generations, I'm compelled to mention it here. For this post, the subject is the HacKid Conference scheduled for April 19 and 20 at the San Jose Tech Museum of Innovation.
Yesterday, we told you about how attackers were exploiting the Skipfish Web application vulnerability scanner to target financial sites. Since then, Akamai's CSIRT team has discovered that another scanner, Vega, is being exploited in the same manner.
Skipfish and Vega are automated web application vulnerability scanners available as free downloads. Skipfish is hosted on Google's code website and Vega is published by Subgraph. Both are intended for security professionals evaluating the security profile of their own web sites. Skipfish was built and is maintained by independent developers and not Google, although the code is hosted on Google's downloads site and Google's information security engineering team is mentioned in the project's acknowledgements. Vega is a Java application that runs on Linux, OS X and Windows. The most recent releases were December 2012 for Skipfish and August 2013 for Vega.
According to Wikipedia, WordPress is a free and open source blogging tool and a content management system (CMS) based on PHP and MySQL, which runs on a web hosting service. Features include a plug-in architecture and a template system. WordPress is used by more than 18.9% of the top 10 million websites as of August 2013. WordPress is the most popular blogging system in use on the Web, at more than 60 million websites.
Akamai's CSIRT team has discovered a series of attacks against the financial services industry. In this instance, the bad guys are exploiting the Skipfish Web application vulnerability scanner to probe company defenses.
Skipfish is available for free download at Google's code website. Security practitioners use it to scan their own sites for vulnerabilities. The tool was built and is maintained by independent developers and not Google, though Google's information security engineering team is mentioned in the project's acknowledgements.
In recent weeks, our CSIRT researchers have watched attackers using Skipfish for sinister purposes. CSIRT's Patrick Laverty explains it this way in an advisory available to customers through their services contacts:
Specifically, we have seen an increase in the number of attempts at Remote File Inclusion (RFI). An RFI vulnerability is created when a site accepts a URL from another domain and loads its contents within the site. This can happen when a site owner wants content from one site to be displayed in their own site, but doesn't validate which URL is allowed to load. If a malicious URL can be loaded into a site, an attacker can trick a user into believing they are using a valid and trusted site. The site visitor may then inadvertently give sensitive and personal information to the attacker. For more information on RFI, please see the Web Application Security Consortium and OWASP websites.
Akamai has seen Skipfish probes primarily targeting the financial industry. Requests appear to be coming from multiple, seemingly unrelated IP addresses. All of these IP addresses appear to be open proxies, used to mask the attacker's true IP address.
Skipfish will test for an RFI injection point by sending the string www.google.com/humans.txt or www.google.com/humans.txt%00 to the site's pages. It is a normal practice for sites to contain a humans.txt file, telling visitors about the people who created the site.
If an RFI attempt is successful, the content of the included page (in this instance, the quoted Google text above) will be displayed in the targeted website. The included string and the user-agent are both configurable by the attacker running Skipfish.
While the default user-agent for Skipfish version 2.10b is "Mozilla/5.0 SF/2.10b", we cannot depend on that value being set. It is easily editable to any value the Skipfish operator chooses.
Companies can see if they're vulnerable by using Kona Site Defender's Security Monitor to sort the stats by ARL and look for the presence of the aforementioned humans.txt file being included in the ARL to the site. Additionally, log entries will show the included string in the URL.
"We have seen three behaviors by Skipfish that can trigger WAF rule alerts," Laverty wrote. "The documentation for Skipfish claims it can submit up to 2,000 requests per second to a site."
Laverty said companies can blunt the threat by adjusting Summary and Burst rate control settings to detect this level of traffic and deny further requests. Also, a WAF rule can be created that would be triggered if the request were to contain the string "google.com/humans.txt".
There is no situation (other than on google.com) where this would be a valid request for a site, he said.
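The advisory above gives three indicators for Skipfish RFI probing: the probe string google.com/humans.txt (with or without a trailing %00), the default user-agent "Mozilla/5.0 SF/2.10b", and a request rate far above what a human produces. The following script is an added example, not code from Akamai or the Skipfish project, showing how those indicators can be checked against web server access logs. The log format, the sample lines and the burst threshold are constructed for the example; the percent-decoding step matters because the probe string may arrive encoded (%2F for "/", %00 for the null byte) and a naive substring match on the raw URL would miss it.

```python
"""Added example: flag Skipfish-style RFI probes in access logs.

Indicators taken from the advisory: the google.com/humans.txt probe string,
the default Skipfish user-agent prefix "Mozilla/5.0 SF/", and request bursts.
The log format, sample lines and threshold are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2014:10:00:01 +0000] "GET /page.php?file=http://www.google.com/humans.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0 SF/2.10b"
203.0.113.10 - - [10/Jan/2014:10:00:01 +0000] "GET /page.php?file=http://www.google.com/humans.txt%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0 SF/2.10b"
198.51.100.7 - - [10/Jan/2014:10:00:02 +0000] "GET /include.php?src=http%3A%2F%2Fwww.google.com%2Fhumans.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.55 - - [10/Jan/2014:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.55 - - [10/Jan/2014:10:00:03 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-log-format line; return None on a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def has_humans_txt_probe(path):
    """True if the request carries the google.com/humans.txt probe string.

    Percent-decode first so %2F-encoded slashes and the %00 variant are
    caught; outside google.com itself this string is never a legitimate
    request, so a match alone is enough to alert on."""
    decoded = unquote(path).lower()
    return "google.com/humans.txt" in decoded


def is_skipfish_default_ua(ua):
    """True for the unmodified Skipfish user-agent ("Mozilla/5.0 SF/<ver>").

    Weak signal only: the operator can set any user-agent string."""
    return re.search(r"\bSF/\d", ua) is not None


def classify(records, burst_threshold=50):
    """Map each source IP to the set of indicators it triggered.

    The burst check counts requests per IP per wall-clock second; the
    threshold is an assumed value and should be tuned per site."""
    findings = defaultdict(set)
    per_second = defaultdict(int)
    for r in records:
        if has_humans_txt_probe(r["path"]):
            findings[r["ip"]].add("rfi_probe")
        if is_skipfish_default_ua(r["ua"]):
            findings[r["ip"]].add("skipfish_ua")
        key = (r["ip"], r["ts"].replace(microsecond=0))
        per_second[key] += 1
        if per_second[key] > burst_threshold:
            findings[r["ip"]].add("burst")
    return dict(findings)


def scan_log(text, burst_threshold=50):
    """Parse a whole log and return classify()'s per-IP findings."""
    records = [rec for rec in (parse_line(l) for l in text.splitlines() if l.strip()) if rec]
    return classify(records, burst_threshold)


if __name__ == "__main__":
    for ip, hits in sorted(scan_log(SAMPLE_LOG).items()):
        print(ip, sorted(hits))
```

On the constructed sample, the two probing hosts are flagged for the humans.txt string (one of them also for the default user-agent) and the ordinary visitor is not. Treat "rfi_probe" as the strong indicator: the user-agent is operator-controlled, and the burst check only fires when the scanner is run at something near its documented rate.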
- We have a lot of information to share about attacks against Akamai customers and how the security team continues to successfully defend against them.
- We have to stay on top of all the latest threats and attack techniques so we can continue to be successful. Conferences are an important place to do that.
In this article we will show how the analysis of large-scale, global multi-site traffic may reveal interesting trends and malicious behavior patterns, and as a result can help improve protections against the next round of attacks.
Before launching such massive, distributed attacks, attackers try to compile a long list of vulnerable targets. In most cases they go after vulnerabilities in commonly used web application platforms such as Joomla, WordPress or Drupal.
In recent research conducted by Akamai's threat research team using Akamai's security big data platform (Cloud Security Intelligence), the team came across a malicious campaign focused on web applications running outdated modules of Joomla, one of the most commonly deployed content management systems. In this campaign, the attackers were trying to inject backdoors into the vulnerable web applications.
Deeper analysis of the campaign's traffic revealed that the attackers were exploiting Joomla's content editor, which allowed web users to upload files. This capability made Joomla susceptible to malicious file upload and, in turn, to remote code execution. What the deep "single-event" analysis of the exploit did not reveal was the sheer volume and distribution of the attack. When the threat research team zoomed out and looked for similar attack patterns across Akamai's customer base, they uncovered an entire botnet working exclusively on attacks of this kind, slowly mining the internet for more and more vulnerable applications. Here are some of the key findings from analyzing one month of security events with Akamai's security big data platform:
Increase in Malicious Transactions Over Time
Looking at 43,000 malicious HTTP transactions over a period of one month, we saw a steady increase in the amount of malicious traffic:
Botnet Distribution by Country
Looking at distribution by country of botnet machines - United States based bots were the most prominent:
Botnet Distribution by Continent
Looking at the distribution by continent of botnet machines - Europe was the top continent from which bots were used:
Increase in Number of Targets Per Day
Over the period of one month, 2,008 different web applications were targeted. The chart shows a clear upward trend in the number of web applications targeted each day:
Analysis of Bot Machines
Further analysis of the botnet machines running web servers, showed that the prevalent server software was Apache.
Further Evidence on the Attacker's Identity
The following image shows a backdoor on one of the compromised web servers giving attackers full control over the machine:
- Looking at the behavior of web attack botnets over time, we see a clear increase in both the number of applications attacked per day and the number of HTTP transactions per day. These botnets are not static in size; they tend to grow over time as attackers add more and more machines to the malicious network.
- Most of the bot machines in this attack came from the US and Europe, which makes geographic-based protections ineffective. On the other hand, the fact that the majority of malicious bots were Internet-facing web servers means their IP addresses are static, which makes it easier to block them specifically.
- The ability to identify globally distributed malicious botnets based on behavioral analysis of multi-site security data can become a game changer in the battle for web application security
- Correlating cross-domain attack information can help in the prediction of the next targets and therefore reduce risk to other applications that are still not under attack
- Akamai's threat research team sees an increase in botnet-based attacks that use application-layer vulnerabilities as their primary weapon (as opposed to DDoS botnets)
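The post argues that a single site's WAF events show one exploit attempt, while correlating events across many sites reveals the botnet behind them, its growth, and which targets it will reach next. The script below is an added example of that correlation logic; it is not Akamai's platform or code. It takes already-normalized WAF events (day, source IP, target host, attack signature), clusters source IPs that fire the same signature against several unrelated hosts, tracks distinct targets per day, and lists hosts that only part of the cluster has reached so far. The event records and host names are constructed for the example, and the signature name "joomla_editor_upload" is a label chosen here for the Joomla content-editor upload attack the post describes, not a real rule identifier.

```python
"""Added example: correlate WAF events across many sites to surface a
distributed attack botnet and its likely next targets.

Events are (day, source_ip, target_host, signature). All records below are
constructed; the signature label is invented for this example."""
from collections import defaultdict
from datetime import date

# Constructed events, not real traffic. The ".example" hosts stand in for
# unrelated customer sites; 192.0.2.78 hits only one site and 192.0.2.77
# fires a different signature, so neither belongs to the cluster.
EVENTS = [
    (date(2013, 9, 1), "203.0.113.5", "shop.example", "joomla_editor_upload"),
    (date(2013, 9, 1), "192.0.2.78", "shop.example", "joomla_editor_upload"),
    (date(2013, 9, 2), "203.0.113.5", "news.example", "joomla_editor_upload"),
    (date(2013, 9, 2), "198.51.100.9", "shop.example", "joomla_editor_upload"),
    (date(2013, 9, 2), "198.51.100.9", "news.example", "joomla_editor_upload"),
    (date(2013, 9, 3), "203.0.113.5", "blog.example", "joomla_editor_upload"),
    (date(2013, 9, 3), "198.51.100.9", "forum.example", "joomla_editor_upload"),
    (date(2013, 9, 3), "198.51.100.9", "blog.example", "joomla_editor_upload"),
    (date(2013, 9, 3), "198.51.100.9", "news.example", "joomla_editor_upload"),
    (date(2013, 9, 3), "192.0.2.77", "shop.example", "sqli_generic"),
]


def cluster_by_signature(events, min_targets=2):
    """Group source IPs by signature, keeping only IPs that hit at least
    `min_targets` distinct hosts with that signature.

    A single site sees one IP and one exploit attempt; only the cross-site
    view shows that the same IP is working through many targets."""
    hosts_hit = defaultdict(set)          # (signature, ip) -> hosts
    for _day, ip, host, sig in events:
        hosts_hit[(sig, ip)].add(host)
    botnets = defaultdict(set)
    for (sig, ip), hosts in hosts_hit.items():
        if len(hosts) >= min_targets:
            botnets[sig].add(ip)
    return dict(botnets)


def targets_per_day(events, signature):
    """Distinct hosts attacked per day with a signature, oldest day first.

    A rising series is the growth pattern the post describes."""
    per_day = defaultdict(set)
    for day, _ip, host, sig in events:
        if sig == signature:
            per_day[day].add(host)
    return {d: len(h) for d, h in sorted(per_day.items())}


def predicted_next_targets(events, signature, botnet_ips):
    """Hosts reached by some but not all bots in the cluster.

    The rest of the cluster will most likely probe them next, so their
    owners can be warned or have a rule deployed before it happens."""
    hit_by = defaultdict(set)
    for _day, ip, host, sig in events:
        if sig == signature and ip in botnet_ips:
            hit_by[host].add(ip)
    return sorted(h for h, ips in hit_by.items() if ips != set(botnet_ips))


def blocklist(botnets):
    """Flat set of bot IPs to deny across all sites.

    Per-IP blocking works here because, as the post notes, the bots are
    Internet-facing web servers with static addresses; a geo-block would
    not, since they sit in the US and Europe alongside legitimate users."""
    return set().union(*botnets.values()) if botnets else set()


if __name__ == "__main__":
    sig = "joomla_editor_upload"
    clusters = cluster_by_signature(EVENTS)
    print("bots by signature:", clusters)
    print("targets per day:", targets_per_day(EVENTS, sig))
    print("next likely targets:", predicted_next_targets(EVENTS, sig, clusters[sig]))
    print("blocklist:", sorted(blocklist(clusters)))
```

On the constructed data the cluster is two IPs, the per-day target count rises 1, 2, 3, and forum.example is flagged as the host only one of the two bots has reached. The `min_targets` threshold is the main tuning knob: too low and shared proxies or scanners hitting one site look like a botnet, too high and a slow-growing botnet is missed until it has already spread.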
This post was written by Or Katz, Principal Security Researcher & Ory Segal, Principal Product Architect
- Mobile malware is gonna be a big deal.
- Social networking will continue to be riddled with security holes and phishing attacks.
- Microsoft will release a lot of security patches.
- Data security breaches will continue to get more expensive
Examples of predictions that never had a hope of becoming true:
- Pen Testing will die
- IDS/IPS will die
- In February, we will officially launch the first-ever Akamai.com security section, and it'll be packed with everything you need to understand the threats your organization faces and how Akamai keeps its own security shop in order.
- Several of us from Akamai InfoSec will travel the globe, visiting customers and speaking at many a security conference. Those who attend will walk away enlightened and inspired.
- Akamai will continue to protect customers from DDoS and other attacks.
- You will see many new security videos and hear many new podcasts from us.
- If you visit the soon-to-be-launched Akamai security section, you will walk away with a better understanding of our compliance efforts than ever before.