SHARED INTEL: Akamai reports web attack traffic spiked 62 percent in 2020 — all sectors hit hard

By Byron V. Acohido

Some instructive fresh intelligence about how cyber attacks continue to saturate the Internet comes to us from Akamai Technologies.


Akamai, which happens to be the Hawaiian word for “smart,” recently released its annual State of the Internet security report. As a leading global content delivery network (CDN), Akamai has a bird's-eye view of what is coursing through cyberspace moment by moment. In 2020, it saw 193 billion credential stuffing attacks globally, with 3.4 billion hitting financial services organizations — an increase of more than 45 percent year-over-year in that sector.

Meanwhile, threat actors’ siege on web applications surged 62 percent in 2020 vs. 2019: Akamai observed nearly 6.3 billion web app attacks last year, with more than 736 million targeting financial services.

The majority were SQL Injection (SQLi) attacks, which made up 68 percent of all web app attacks in 2020; Local File Inclusion (LFI) attacks came in second at 22 percent. However, in the financial services industry, LFI attacks were the number one web application attack type in 2020 at 52 percent, with SQLi at 33 percent and Cross-Site Scripting at 9 percent.

I had the chance to visit with the estimable Steve Ragan, the Akamai analyst who put together this report. I’ve known Ragan for a long time and greatly respect his work. He’s excellent at putting himself in the shoes of the threat actors. Here are excerpts of our discussion, edited for clarity and length.

Q: The scale of ‘attacks’ in 2020 is astronomical: 6.3 billion web attacks globally; 736 million in the financial services sector. Can you break this down, and put it into a useful context? For instance, what constitutes a single web attack?

A: You’re right. It is astronomical. For Akamai, a single alert is an attack, and a group of attacks could be called a campaign. In 2020, we observed a healthy mix of both attacks and campaigns, but mostly campaigns. Every single day there was something going on, from SQL Injection attacks, to credential stuffing attacks, DDoS attacks, you name it. It makes sense too, if you think about it. The world is ‘always-on’ and so are the attackers. They come from all over, and target everything. Thanks to automation, attackers can sometimes target everything, all at once.

Q: Can you give me a feel for the major categories of attacks?

A: The major attacks come from two groups. There are web application attacks, which include SQL Injection, Local File Inclusion, Cross-Site Scripting, and Remote File Inclusion. From there, you have identity-based attacks, or attacks that target authentication systems, which is where credential stuffing comes in. Sometimes, there is overlap, such as when credential stuffing attacks target APIs and thus blend in with web application attacks.

Q: What are some of the sectors, besides financial services, that were heavily attacked?

A: Everything. Nothing is excluded. Criminals target finance, gaming, media and entertainment, publications, hospitality and travel, the medical sector, etc. While some are favored, because of access and scope (finance, media and entertainment, gaming), criminals aren’t too picky. Data is highly valuable in all variations, and as long as someone is willing to buy it or trade something useful for it, criminals are willing to compromise it.

During the pandemic lockdowns, for example, streaming media was really popular, because the accounts can be sold or traded. The same can be said for gaming. Why, you might ask? Because it’s entertainment, and people were stuck at home. Criminals watch TV too, and while you and I know that piracy is a problem, criminals don’t give it a second thought.


Financial services is, and always will be, a top target for criminals. To steal a phrase, that’s where the money is. Moreover, that’s where a massive amount of personal information is too, so financial accounts often trade at higher volumes, and sell for larger sums. A full financial profile on a victim, including name, address, DOB, SSN, email addresses, phone numbers, credit report, and financial accounts (stolen card data, banking data, etc.) can sell for hundreds of dollars per record.

Q: Can you give a high-level explanation of why the numbers are so high; is it somehow fundamentally due to the use of automation on the attackers’ side as well on the defenders’ side?

A: Yep! Automation is what is driving the large numbers. Gone are the days when criminals had to try one attack variant at a time, or one username/password combination at a time. Now, thanks to automation, they can do dozens, hundreds, sometimes thousands of attacks per second. This automation also drives the growth in criminal development, as the technical barriers to entry are really low, if they exist at all.

These days, a criminal doesn’t need to understand SQL to conduct SQL Injection attacks. All they have to do is enter a URL and click a button; the tool does all the work for them. Given the low bar, more and more people with an interest in that sort of crime are starting to dip their toe in the water. Criminals even offer training to those who are new. This training can be pirated security training videos or books, or actual classes. Some offers include manuals written by criminals themselves, or classes that are led by a verified and vouched-for criminal, who does the type of crime they’re teaching.

Q: What are the primary drivers of credential stuffing increasing 45 percent year over year?

A: One of the main drivers is the constant flow of new username and password combinations that are sourced back to data breaches and phishing campaigns. The other driver is older data breaches that are sorted and dropped into scanners. Those credential combinations are tested and used against every service or website you can imagine. When you can purchase a targeted combination list of a million usernames and passwords for as little as $5 (or free in some places), the volume is – as you mentioned before – astronomical.

In 2020, criminals took all of their old username/password lists and started cycling through them, and then augmented those lists with newly compromised records, and kept the attacks going. One of the most public examples of older recycled passwords being used to attack new services is Zoom. I wrote about this last May. Zoom got really popular, and as that popularity grew, criminals took notice and started to target it. The criminal market was soon flooded with targeted Zoom lists, and once that happened, the interest started to fall off. By August, Zoom accounts were mostly just given away freely.

Remember, these attacks are mostly automated, enabling larger volumes, which factors into the growth rate.

Q: Why, fundamentally, are SQL injection attacks persisting?

A: I wish I knew. SQL Injection was discovered in 1998. It’s 23 years old. In the United States, it’s old enough to rent a car, drink in a bar, and it is almost old enough to qualify for some car insurance discounts. It’s crazy. But rant aside, you asked why they persist.

Think about how SQL Injection attacks happen, what makes them possible. At the core, there is bad user input sanitization, or trusting that the information entered to generate a query is legitimate or safe.

Code complexity is a thing. The more code that goes into an application, the harder it is to detect and remove SQL Injection issues.

Legacy code is also a factor, as something that was relevant and secure ten years ago, isn’t necessarily safe today, once new code is added to the source or technology changes. Speaking of legacy software, old and unpatched code can also introduce additional problems, extending far beyond SQL Injection, but that is another story, for another day.

Using third-party code that was already vulnerable in an application, and never updating this additional code once it is patched, is another source of SQL Injection attacks. It’s a common story, developers use open source code in their projects. This code is vulnerable, and the maintainer of the open source project later updates it, but the developers never checked for these updates so they can apply them to their project, and thus their code remains vulnerable indefinitely.
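Ragan's answer above comes down to one thing: a query built by trusting what the user typed. The following is an added example, not code from Ragan, Akamai or the report, that shows the two patterns side by side against an in-memory SQLite table. The table, the account and the plaintext password column are all constructed for illustration (a real system stores password hashes; the point here is only how the query is assembled).

```python
import sqlite3


def make_db():
    """Constructed sample data: one account in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern Ragan describes: user input is pasted straight into the SQL text.

    Anything the user types is parsed as part of the query, so a quote or a
    comment sequence changes the query's logic instead of being compared as data.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """The fix: placeholders. The SQL text is fixed; values travel separately to the
    driver and are compared as data, never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Two classic payloads. The first turns the WHERE clause into
#   username = 'alice' AND password = '' OR '1'='1'
# and the second comments out the password check entirely:
#   username = 'alice'--' AND password = '...'
PAYLOAD_OR = "' OR '1'='1"
PAYLOAD_COMMENT = "alice'--"


def demo():
    """Returns (vulnerable_bypassed, parameterized_bypassed) for both payloads."""
    conn = make_db()
    vulnerable = (
        login_vulnerable(conn, "alice", PAYLOAD_OR),
        login_vulnerable(conn, PAYLOAD_COMMENT, "anything"),
    )
    hardened = (
        login_parameterized(conn, "alice", PAYLOAD_OR),
        login_parameterized(conn, PAYLOAD_COMMENT, "anything"),
    )
    return vulnerable, hardened


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("string-built query bypassed by payloads:", vulnerable)
    print("parameterized query bypassed by payloads:", hardened)
```

Both payloads log in through the concatenated query and both fail against the parameterized one, with the legitimate password still working in either. This is also why "sanitizing" input by stripping quotes is the weaker answer: the parameterized form does not depend on guessing every character the database might interpret.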

Q: This data highlights how attacks are unrelenting and steadily intensifying; can you generally characterize the success rate? In other words, how well are the defenders keeping pace?

A: Defenders are keeping pace fairly well. Yet, it’s important to remember that successful credential stuffing attacks appear in the logs as a successful user interaction, so they’re not easy to spot. Successful SQL Injection attacks could look like legitimate transactions on the server, depending on how things are configured.

Overall though, considering that criminals have to constantly update their tools and methods, it’s clear that defenders are doing something right.
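Ragan's point that a successful credential stuffing attempt looks like an ordinary login is the reason the detection has to work on the source rather than on the single event. The following is an added example, not Ragan's or Akamai's code, that runs that logic over a constructed authentication log: a single source trying many distinct usernames inside a short window with almost all of them failing is flagged, and any successes from that source are then reported as probable account takeovers even though each one, on its own, is a "successful user interaction". The log format, thresholds and IP addresses are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real data). Assumed format, one attempt per line:
#   <ISO-8601 UTC timestamp> ip=<source> user=<username> result=OK|FAIL
_lines = [
    "2021-05-10T12:00:01Z ip=192.0.2.10 user=alice result=OK",      # normal login
    "2021-05-10T12:00:05Z ip=192.0.2.11 user=bob result=FAIL",      # typo, then
    "2021-05-10T12:00:09Z ip=192.0.2.11 user=bob result=OK",        # success
]
# Stuffing source: 12 different usernames in 12 seconds, one of them valid.
for i in range(1, 13):
    result = "OK" if i == 9 else "FAIL"
    _lines.append(f"2021-05-10T12:00:{10 + i:02d}Z ip=198.51.100.7 user=user{i:03d} result={result}")
# Single-account brute force: many failures, but only one username.
for k in range(5):
    _lines.append(f"2021-05-10T12:00:{30 + k:02d}Z ip=203.0.113.9 user=carol result=FAIL")
SAMPLE_LOG = "\n".join(_lines)

LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]})
    return events


def _bucket(ts, window_minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)


def find_stuffing_sources(events, window_minutes=5, min_users=10, min_fail_ratio=0.8):
    """Flag sources that try many distinct usernames with a high failure rate in one window.

    Neither signal alone is enough: a brute force against one account has a high
    failure rate but one username; a shared NAT address has many usernames but
    mostly successes. Credential stuffing shows both at once.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = stats[(e["ip"], _bucket(e["ts"], window_minutes))]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1
    flagged = {}
    for (ip, start), s in stats.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"window_start": start, "distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2)}
    return flagged


def compromised_accounts(events, flagged_ips):
    """Successful logins from a flagged source: the hits that look legitimate in isolation."""
    return sorted({e["user"] for e in events if e["ip"] in flagged_ips and e["result"] == "OK"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = find_stuffing_sources(evs)
    print("stuffing sources:", flagged)
    print("accounts to force-reset:", compromised_accounts(evs, flagged))
```

The brute-force source against `carol` and the user who mistyped a password are left alone; only the source spraying a list is flagged, and `user009` surfaces as the account whose "successful" login should be treated as a takeover. In production the same aggregation is typically keyed on more than the source IP (ASN, user agent, TLS fingerprint), since stuffing tools rotate addresses through proxies.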

Q: What is the path forward; what are one or two of the most encouraging trends you heard discussed at RSA Conference 2021?

A: I didn’t take part in RSA this year. However, I did hear that there were some interesting things happening in the sandbox, with regard to application access and code risk mitigation.

Q: Anything else?

A: The path forward is a layered one. Organizations and defenders need to focus on their assets and define the scale and scope of the risk attached to them. The larger an organization is, the harder this task will be. Each application, each server, and each user will need to have a risk assessment, and exposure assessment, in order to determine the best way to protect them – all while making sure that security doesn’t hinder business development and growth.

Segmentation will play a large role in this, as well as defining privilege limits (go with the least amount of permissions possible for everything / everyone). Some will call this zero trust, but I just call it sensible. I’m a huge fan of segmentation on a network and role level, and a huge fan of multi-factor authentication, which are key elements to a robust security program.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

