Web app ubiquity gives cyber criminals new opportunities

The popularity and ubiquity of web-based apps such as Office 365 and Salesforce is a temptation too good to miss for cyber criminals

The near-ubiquity of web applications in organisations is giving cyber criminals and threat actors new and “enticing pathways” to access valuable enterprise data, according to SonicWall, which claims to have recorded a 52% spike in such attacks this year.

It’s well-known by now that cyber attacks utilising malware and ransomware are in fact declining in volume as more organised criminal gangs abandon traditional spray-and-pray approaches, and use strains such as Sodinokibi to target and steal from specific enterprises – as was the case with Travelex.

But cyber criminals are also now finding that common web applications, such as Dropbox, G Suite, Office 365 and Salesforce, that deliver cloud-first interfaces or offer web versions to complement on-premise software, present an attractive and easy way to access victim networks and systems due to their convenience and popularity.

SonicWall said this was increasing in pace and sophistication, particularly in the final seven months of 2019.

But the overall volume of web attacks is still a tiny fraction of the overall volume of malware and ransomware attacks – SonicWall detected 40 million in 2019, versus 9.9 billion malware attacks (down 6% year-on-year) and 187.8 million ransomware attacks (down 9%) – although they are just as, if not more, damaging, with notable targeted attacks in 2019 taking down many vital government services, among other things.

“Cyber criminals are honing their ability to design, author and deploy stealth-like attacks with increasing precision, while growing their capabilities to evade detection by sandbox technology,” said SonicWall president and CEO Bill Conner.

“Now more than ever, it’s imperative that organisations detect and respond quickly, or run the risk of having to negotiate what’s being held at ransom from criminals so emboldened they’re now negotiating the terms.”


SonicWall’s report was compiled from information collected by a million-strong network of sensors in 215 countries. Its Capture Labs threat researchers analysed over 140,000 daily malware samples and blocked over 20 million daily malware attacks.

SonicWall observed several other headline trends dominating cyber criminal activity in 2019, including growth in malware delivered through the Internet of Things (IoT), up 5% to 34.3 million attacks; and a 78% decline in cryptojacking – observed by many other threat intelligence researchers – which is known to relate heavily to the closure of Coinhive in March 2019.

Elsewhere, fileless malware targeting Microsoft Office, Office 365 and PDF documents was seen evolving as cyber criminals came up with new code obfuscation, sandbox detection and bypass techniques, giving rise to many more variants and developing more sophisticated exploit kits to use them. Most new malware threats emerging right now seem to mask their exploits in trusted files, said SonicWall.

The desire to avoid being seen was behind growth in encrypted threats in 2019, helping cyber criminals evade traditional security controls, such as firewalls that cannot adequately detect, inspect and mitigate attacks via HTTPS traffic.

It also saw further evolution and weaponisation of side-channel attacks, where attackers reverse-engineer a target device’s cryptography system, and attacks using non-standard ports, which are used to deliver malicious payloads undetected.
