
Recently in Web Security Category

WannaCry: What We Know

On Friday, May 12, news agencies around the world reported that a new ransomware threat was spreading rapidly. Akamai's incident response teams and researchers worked quickly to understand this new threat and how to mitigate it. This blog post is a summary of what Akamai knows at this point.

Remember that this is still an evolving threat and this information may change.

Akamai will update this post as we collect new information.

DDoS Attacks against DNS Infrastructure in the News

DNS-based DDoS attacks have gained mindshare among Akamai customers lately, most recently with last year's Dyn attacks (written about on the Akamai Blog here and here) and this week's attack against Cedexis. DNS infrastructure is a ripe target for malicious actors hoping to disrupt a digital property's availability because it provides the initial resolution for an end user's browser client from hostname to IP address. At best, an attack against your DNS records can significantly delay an end user's connection. At worst, it can render your application inaccessible to the end user, either through a denial of service or through a DNS record hijack or forgery. DNS attacks have consistently been one of the top attack vectors for DDoS, according to Akamai's recent security data.

Low Risk Threat: DDoS Extortion Letters

Summary

Adversaries calling themselves the Lizard Squad have been sending businesses extortion letters, demanding payment in bitcoin to prevent a Distributed Denial of Service (DDoS) or other attack against their applications. These letters have been sent to businesses across the globe and across industries for several years, with little follow-through. These letters appear to come from multiple groups, including Lizard Squad, the Armada Collective, and DD4BC, though in many cases they are from copy-cat or imposter groups. A new wave of these letters seen by Akamai customers from "Lizard Squad" raises concerns that these threats may be legitimate.

Update: Vulnerability found in Apache Struts

Akamai has created two new WAF rules in response to new information about the Apache Struts2 vulnerability. The first rule, the most recent version of KRS Rule 3000014, is a standard part of the Kona Ruleset and protects against the many common attacks leveraging this vulnerability. This rule is designed to allow organizations that have complex environments to continue operating without risk of the WAF rule interfering with their environments. However, because this rule was intentionally designed to have as few false positives as possible, it may not capture future attacks against the Struts vulnerability. This rule will provide superior protection to rule 960010 for most customers.

Managing risk is a key aspect of any business. This becomes more complicated when additional parties, such as vendors, are brought into the mix. One of the strongest pieces of guidance on managing vendors that customers have brought to Akamai comes from the US Office of the Comptroller of the Currency (OCC) Bulletin 2013-29, wherein the OCC recommended that financial institutions strengthen their preparedness around third-party risk management, particularly in the field of cybersecurity. Many other global regulations exist with similar requirements.

DDoS of Past, Present and Future

The pervasiveness of technology has meant automation of tasks, allowing better productivity, with more time to do more. However, the dark side of technology is that enterprises and individuals alike are vulnerable to cybercrime, compromise of identities, loss of data, and malicious attacks.

In our recent 'State of the Internet / Security Q4 2016 report', we reported that Akamai mitigated 3,826 distributed denial of service (DDoS) attack events on our Prolexic network, a 4% increase in attacks since Q4 2015.

The Akamai WAF - Now Protecting APIs

Kona Site Defender is our flagship Web Application Firewall and DDoS Mitigation solution at Akamai. Back in the days of the Al-Qassam Cyber Fighters, Brobot ("It's not OK, bro"), and the "holy 100 Gbps attack!", we had a saying around Akamai: "Kona Site Defender customers come for the DDoS, but they stay for the WAF". The general idea was that it took a headline-grabbing DDoS attack to make customers and prospects aware that Akamai had a security offering. That was the end of 2012 and the beginning of 2013. In those days, analysts told us and our prospects that we had WAF customers *only* because we were good at mitigating DDoS attacks. We were only mildly offended, and we toiled on. Our work seems to have paid off: in 2017, cloud-based WAFs are more or less an industry standard, Kona is a perennial fixture in the Gartner WAF Magic Quadrant, and analysts tell us that "Kona is on the short list of all Security buyers".

Vulnerability found in Apache Struts

On Monday, March 6th, the Apache team patched a vulnerability in the Apache Struts2 framework. Apache Struts is an open-source web application framework for developing Java web applications. The vulnerability exists in the Jakarta Multipart parser, which can be tricked into executing attacker-provided OGNL code. The impacted versions are 2.3.5 through 2.3.31, and 2.5 through 2.5.10 of the Apache Struts framework. If you are currently running an affected version of the software, malicious users could execute code on the system remotely by using a maliciously crafted Content-Type header. Successful exploitation does not require the user to be authenticated. Apache has classified the vulnerability as a "possible remote code execution"; however, the vulnerability is easy to exploit and allows code to be executed in the user context of the account running the Tomcat server. At least two working exploits have been seen in the wild already.

On Web Cache Deception Attacks

Summary

On Monday, February 27, 2017, security researcher Omer Gil published a blog post laying out a data exfiltration method called a "Web Cache Deception Attack." The attack leverages web caching functionality to potentially expose sensitive information or allow for account takeover (ATO) attacks. Caching is often used to reduce load and time-to-delivery for a web server receiving requests for content, but this attack shows ways in which, given certain web configurations, the caching feature can be misused to serve content not intended for caching. Both the caching proxy and the origin site can have individually valid configurations, but in concert lead to unexpected behavior in light of this new attack method. This attack affects all forms of web caching and is not limited to proxies or Content Delivery Networks (CDNs). Akamai is actively working with customers to identify configurations which may be affected and assist them in protecting their sites against this attack.

On memory overflow and responses

On February 23, 2017, Cloudflare released information on a bug in their content delivery network that was disclosed by Google security researcher Tavis Ormandy. The bug potentially exposed sensitive customer data to the Internet. Approximately 1 in every 3,300,000 HTTP requests may have contained potentially sensitive information. This information would normally be stored and cached by users and search engines as part of normal website sessions. This bug is similar to Heartbleed, in that uninitialized memory was accidentally being sent along with regular data. Unlike Heartbleed, which required malicious requests, this bug was in Cloudflare's HTML parser code, which means that sensitive data could be sent in response to normal client requests.