Hackers Target Company Applications Thousands of Times a Day

Positive Technologies intelligence identifies the most common attacks against web applications, including what hackers hope their attacks will achieve

The web applications of businesses are being attacked by hackers multiple times a day, new data from Positive Technologies shows. In Q2 2017 one company was targeted more than 35,000 times in just one day and, across the board, the average number of attacks against the web applications of a single organisation ranged from 300 to 800 per day, and never fell below 140.

The report also reveals that hackers are most likely to target businesses during the day. Thirty-one per cent of all web application attacks took place during the day, with 2pm appearing as the most dangerous time, while just 20 per cent took place in the middle of the night, suggesting hackers are targeting businesses while people tend to be online at work.

The data was collected by Positive Technologies, from installations of PT Application Firewall during April, May and June 2017, to provide an up-to-date picture of the most prevalent attacks being targeted at web applications. The attacks were then manually verified to rule out false positives. The data was then analysed to calculate an average ‘24 hour’ period.

The second quarter of 2017 saw a stable but persistent level of attack activity. More than one-third (39.1%) of attacks involved Cross-Site Scripting (XSS), while almost a quarter (24.9%) used SQL injection, suggesting that the aim of a significant portion of attacks is to access or steal sensitive information. In addition, the report shows that hackers are actively exploiting recently identified vulnerabilities. The minimum time lag between publication of a new vulnerability and the moment of a related attack can be as little as three days. As such, running out-of-date software makes it significantly easier for hackers to launch an attack, because information about vulnerabilities is readily available, as are ready-to-use exploits.

"Once software vulnerabilities have been detected, it takes some time to install patches and updates, and it takes even longer to introduce changes to the application code, especially if it was developed by a third party. At this moment, applications remain vulnerable while attackers are prepared to strike shortly," says Ekaterina Kilyusheva, an analyst from Positive Technologies. "For this reason, to ensure efficient application security, it is essential not only to update software in time but also to use preventive mechanisms, such as a firewall, to detect and prevent attacks against web resources."

To detect and deflect web application attacks, an application-level firewall is recommended, one capable of identifying and preventing even multi-staged targeted attacks. The firewall should support a number of protection techniques, such as blocking a request to, or a response from, a web application; masking a response to prevent leaks; blocking or disconnecting a user session; blocking the IP address of an attacker using built-in tools; and transmitting an IP address to an external firewall or provider.

Protection tools must interact with external systems that collect and analyze events (SIEM), and send alerts to network-level DDoS protection tools. Additionally, when implementing a security system, it is necessary to take into account the intervals when malicious activity peaks, and pay special attention to network anomalies detected during this time.

The full version of the report is available here.