Cyberlytic news

2017's Top Web Application Attacks and Predictions for 2018

2017 was a year in which the challenges in cyber security continued to evolve at pace with several very high-profile data breaches appearing in the media. Whilst ransomware attacks, such as WannaCry and Petya shocked and grabbed the headlines, research shows that it still only accounts for 27% of security breaches overall. Whereas, web application attacks accounted for over 70% of all cyberattacks.

This should come as no surprise as attacks to the web application layer have been rising year-on-year, with e-commerce, healthcare and financial services websites’ falling victim to hackers due to the valuable data they hold. 

Top 3 Web Application Attacks 2017

1. Equifax hack
The Equifax hack was widely reported as one of the worst data breaches of all time as it was eventually revealed that 145.5 million consumers were affected. It was detected in July 2017 when the company blocked suspicious activity on a customer-facing web portal.

What went wrong?
Hackers exploited a website vulnerability to gather access to files containing personal information. Flaws in Apache Struts, open-source server software led to the breach. The information that was stolen included social security numbers, birth dates, addresses and full names. This data is all highly valuable for criminals looking to steal identities for fraudulent purposes, such as taking out loans or insurance. Equifax had been alerted to the Apache Struts vulnerability more than two months before the breach began and failed to act on the information by applying the available patch.

2. Uber
57 million users and drivers were affected in the Uber breach which was kept secret for more than a year. Uber's private GitHub repository was compromised initially, with GitHub response being that it was not a failure of their security. Uber then paid off the hackers with $100,000 to get the data back, failing to inform customers and drivers. 

What next?
Uber has since confessed that it didn't use multi-factor authentication on GitHub and will no longer be using the online repository for anything other than open source work. Uber is currently going through a federal investigation for failure to notify individuals of the breach to their data, which is the law in many US states. 

3. CeX
A lesser known consumer brand, CeX, a games and electronics store reported in August 2017 that their customers' were victim to a data breach. It is estimated that 2 million people could have been affected and some personal information was taken. They also admitted that some financial information may have been stolen but that would likely only be expired credit/debit cards, as they stopped storing this data back in 2009. What's interesting about this one is that CeX were praised for their response as they provided visibility to what had happened quickly.

Looking at 2018

Threats to web applications will continue to grow and in particular, SQL injection and cross-site scripting will remain the most prominent. The first step to protect against these threats is to detect attacks in real-time, so that an appropriate response can be carried out.

Systems that rely on static, ‘regex’ rules will not provide adequate protection against the most sophisticated attacks. It is time to utilise machine learning so that new threats can be detected accurately and protected against in a timely fashion. Another key point is to ensure you have complete visibility over the threats to your web applications, so that you can easily manage the risk posed to your data.

Get in touch with us if you'd like to find out more about AI threat detection