CONTRAST LABS: December AppSec Threat Intelligence Report
Contrast Labs' analysis of real world application attack data from December 2017.
Overview
- December was a huge month for application layer attacks, with large increases in every category of attack except Padding Oracle. Overall, we saw a 5x increase in attack traffic in December. These attacks included huge increases in SQL injection attacks, attacks on all Struts2 OGNL vulnerabilities (especially CVE-2016-3081 and CVE-2013-2251), and Path Traversal attacks.
- Two new types of attacks on custom vulnerabilities showed up this month. First, attackers attempted to bypass method based access control mechanisms with Method Tampering attacks. Second, non-Struts2 OGNL Injection attacks almost tripled from November levels.
- For attacks on custom vulnerabilities, SQLi dominates as the leading attack vector this month, up almost 20% over November and represents over half of all attack traffic. Path Traversal attacks more than tripled in December and XSS attacks were up slightly. Padding Oracle attacks that spiked in October have disappeared in December.
- On the known vulnerability side, we saw massive increases in attacks on Struts2 OGNL vulnerabilities, particularly CVE-2016-3081 and CVE-2013-2251. Both were up more than 30x from November levels. Clearly attackers are still focused on Struts2. All CVEs saw increases in attack traffic in December.
- We also saw attacks on a few new CVEs. CVE-2017-12616 is a Tomcat JSP source code reveal, and CVE-2014-0112 is an older Struts2 RCE. We believe the attacks on application libraries will continue to increase, and recommend the use of RASP technology to ensure visibility and protection.
- December saw application layer attacks from 29 countries, 329 cities, and 512 different IP addresses in December. While attacks came from around the world, they overwhelmingly originated in the United States.
Top Attack Vectors
Table 1. Top Attack Vectors for November 2017
|
ATTACK TYPE |
% OF TOTAL |
|
sql-injection |
50.42% ↑ |
|
path-traversal |
26.17% ↑ |
|
reflected-xss |
9.68% ↑ |
|
cve-2013-2251 (Struts2 OGNL Injection) |
7.39% ↑ |
|
command-injection |
3.86% ↑ |
|
cve-2016-3081 (Struts2 OGNL Injection) |
1.26% ↑ |
|
cve-2017-9791 (Struts2 OGNL Injection) |
0.62% ↑ |
|
cve-2017-5638 (Struts2 OGNL Injection) |
0.28% ↑ |
|
cve-2016-4438 (Struts2 OGNL Injection) |
0.13% ↑ |
|
method-tampering |
0.12% ↑ |
|
ognl-injection |
0.04% ↑ |
|
cve-2017-12616 (Tomcat JSP source code reveal) |
0.01% ↑ |
|
cve-2014-0112 (Struts2 RCE) |
0.00% ↑ |
| JBoss Remote Exploit | 0.00% ↑ |
| padding-oracle | 0.00% ↓ |
Attack Geolocation
Not much change in the countries doing the attacking. The United States, Poland, Netherlands, and France were responsible for the majority of attacks. As always, we caution that attackers may be using hosts in the United States to launch their attacks.
Table 2. Top Attack Volume by Country for November 2017
|
COUNTRY |
% OF TOTAL |
| United States | 57.49% ↑ |
| Poland | 2.42% ↓ |
| France | 0.93% ↑ |
| Netherlands | 0.78% ↓ |
| Croatia | 0.47% ↑ |
| Russia | 0.06% ↑ |
| Italy | 0.05% ↑ |
| Canada | 0.03% ↓ |
| China | 0.02% ↑ |
| Vietnam | 0.02% ↑ |
| India | 0.01% ↑ |
| Pakistan | 0.00% ↓ |
Table 3. Top Attack Volume by City for November 2017
|
CITY |
COUNTRY |
% OF TOTAL |
|
Ashburn |
US |
32.69% |
|
Chesterfield |
US |
10.05% |
|
Chatanooga |
US |
4.53% |
|
San Jose |
US |
3.14% |
|
Knoxville |
US |
2.85% |
|
Murfreesboro |
US |
0.51% |
|
Pula |
Croatia |
0.47% |
|
Usol'ye-Sibirskoye |
Russia |
0.06% |
|
Manassas |
US |
0.06% |
|
Arezzo |
Italy |
0.05% |
Contrast Labs
Contrast Labs is a team of accomplished cybersecurity researchers and industry experts that perform application security threat analysis, security analytics, and other security research.
Loving our content? Subscribe now!
Get the latest application security news, trends, tips and insights content from Contrast directly to your inbox. By subscribing, you will stay up to date with all the latest and greatest from Contrast Security.