Government remained among the most targeted industries for web application attacks during the second quarter of 2017, according to recent data released by cybersecurity company Positive Technology.

The report details the most common types of web application attacks by industry sector, as well as the objectives, intensity and time distribution of web application attacks. The report compares Q2 2017 data to data from previous quarters to draw out trends.

Key Findings

At 1,184 average attacks per day, government followed only the IT sector (1,346) as the most targeted industry for web application attacks in Q2 2017.

Across all industries, cross-site scripting (XSS) attacks occurred most frequently, comprising 39.1 percent of all attacks. Researchers noted that XSS attacks were “consistently high” throughout Q2, with 100 to 250 recorded every day.

SQL injection (24.9 percent) was the second most frequent attack. Information leakage (4.6 percent) and XML injection (4.2 percent) remained prevalent across sectors. Researchers noted, “In Q2, attackers showed more interest in attacks on application users. Most attacks were intended to access sensitive information.”

Within the government sector specifically, data reflect broader trends. The top attacks included XSS (49 percent), SQL injection (20 percent), information leakage (18 percent) and denial of service (6 percent). Researchers noted that these types of attacks align with threat actors’ motives for targeting the government sector:

As in the first quarter, a large portion of attacks on government entities [was] aimed directly at gaining access to data. Personal data is the most critical resource possessed by government entities, due to which attacks tend to focus on either databases or application users directly. Although government websites are regarded by users as highly trustworthy, the users of these sites — more than in other sectors — are unlikely to know the basics of how to stay safe online. This fact makes government sites tempting targets for Cross-Site Scripting attacks, which can infect a user’s computer with malware. Another common type of attack in Q2 is Information Leak, which exploits various web application vulnerabilities in order to obtain additional data about users, the system itself, and other sensitive information.

Within the critical infrastructure sectors of energy and manufacturing, the data diverged slightly from cross-industry averages. SQL injection (48.1 percent), operating system commanding (36.4 percent), server-side template injection (7.8 percent) and path traversal (5.4 percent) were most common. The different methods can be explained by attackers’ motives:

By contrast, in the case of energy and manufacturing companies, attackers’ objective is to obtain full control over company infrastructure. Therefore the most common attacks attempt to run arbitrary OS commands and gain control over the server or obtain information about the system; attacks on users are few and far between. By launching attacks against the target company’s internal network, an attacker can gain access to critical system components and interfere with operations.

Analysis of Findings

Perhaps the most interesting finding in the report is an exploit employed against a common vulnerability in two different industries for different purposes.

Within the energy sector, researchers detected a remote command execution for OS commanding. Threat actors exploited an Apache Struts vulnerability (CVE-2017-5638) in the attack. If that vulnerability doesn’t ring a bell, it should. It’s the same vulnerability threat actors used in the Equifax breach.

The Struts patch for this previous zero-day vulnerability was released in early March 2017. Analysts began detecting the first attempts to exploit the vulnerability about a month later, on April 3. Researchers noted:

As these cases indicate, it may take only a few days for attackers to “weaponize” a newly published vulnerability. (More time may be required for exploiting more complex vulnerabilities.) Attackers primarily try to exploit vulnerabilities that have been discovered recently, because targets are less likely to have installed the corresponding updates.

Threat actors continued a broader trend of linking distinct tactics, techniques and procedures across the cyber kill chain to systematically test defenses. This was most prevalent in the energy sector via SQL injection attacks. The researchers noted that, while threat actors became slightly less active compared to Q1, there were some notable attacks. One involved 35,135 SQL injection attempts from the same Internet Protocol address.

Researchers explained, “When looking for vulnerabilities caused by insufficient filtering of SQL query input, attackers tend to search intensively. The most powerful web application attack in Q2 was a search for SQL Injection vulnerabilities by brute-forcing all possible parameters, with a total of over 35,000 requests sent by the attacker.”

The SQL injection attacks also point to the increasing automation of attacks, which aligns with the findings of the SANS Institute’s 2017 data protection survey. The SANS authors noted the current asymmetric threat environment, in which threat actors are automating attacks while defenders remain burdened by manual processes.

The complete report is available online.