CONTRAST LABS: November AppSec Threat Intelligence Report
Contrast Labs analysis of real world attack data from November.
Observations
- Overall attack traffic was down in November from our highs in August. Once again this month, virtually every application/API was attacked, and some were continuously targeted across the month. We recorded hundreds of attackers from over 250 cities around the world.
- Only a fraction of these attacks actually connected with their corresponding vulnerability. Unlike a WAF, NG-WAF, or filter-based RASP, Contrast’s instrumentation-based RASP implementation differentiates between probes that don't reach their targeted vulnerability, dangerous attacks that do reach their target, and successful expoits of those vulnerabilities.
- Path traversal has eclipsed XSS and SQLi as the leading attack vector this month, and XSS fell to third place after leading for months. Finally, the large spike in Padding Oracle attacks that we observed in October has returned to normal low levels.
- This month revealed the emergence of attacks on CVE-2016-3081, to add to all the other Struts2 OGNL Injection problems. Clearly attackers are swarming on Struts2, but don't forget that all CVEs are likely to be attacked using automated tools. Attacks on novel CVEs typically start within a day, so you should have an up-to-date database of every version of every library in your portfolio, and establish infrastructure to respond within a day.
- Interestingly, this month we saw another significant increase in non-Struts2 OGNL injection attacks, which started showing up in October. Although the current attack levels are not high, it's worth ensuring that you aren't susceptible before it gets bad.
Top Attack Vectors
Table 1. Top Attack Vectors for November 2017
|
ATTACK TYPE |
% OF TOTAL |
|
path-traversal |
34.38% ↑ |
|
sql-injection |
30.90% ↑ |
|
reflected-xss |
24.62% ↓ |
|
cmd-injection |
6.15% ↓ |
|
cve-2017-9791 (Struts2 OGNL Injection) |
1.44% ↓ |
|
cve-2013-2251 (Struts2 OGNL Injection) |
1.20% ↑ |
|
cve-2017-5638 (Struts2 OGNL Injection) |
0.78% ↓ |
|
cve-2016-4438 (Struts2 OGNL Injection) |
0.37% ↓ |
|
ognl-injection |
0.10% ↑ |
|
cve-2016-3081 (Struts2 OGNL Injection) |
0.06% ↑ |
|
padding-oracle |
0.00% ↓ |
|
JBoss Remote Exploit |
0.00% ↑ |
Attack Geolocation
Not much change in the countries doing the attacking. The United States, Poland, Netherlands, and France were responsible for the majority of attacks. As always, we caution that attackers may be using hosts in the United States to launch their attacks.
Table 2. Top Attack Volume by Country for November 2017
|
COUNTRY |
% OF TOTAL |
| United States | 48.36% ↓ |
| Poland | 9.52% ↑ |
| Netherlands | 2.84% ↓ |
| France | 2.17% ↓ |
| Pakistan | 1.24% ↓ |
| Croatia | 1.20% ↑ |
| Canada | 0.26% ↑ |
| India | 0.07% ↑ |
| China | 0.01% ↑ |
| Hong Kong | 0.01% ↓ |
| Germany | 0.00% ↑ |
| Romania | 0.00% ↑ |
Table 3. Top Attack Volume by City for November 2017
|
CITY |
COUNTRY |
% OF TOTAL |
|
Chesterfield |
US |
18.87% |
|
Ashburn |
US |
13.21% |
|
San Jose |
US |
7.86% |
|
Columbus |
US |
3.62% |
|
Parkville |
US |
2.75% |
|
Karachi |
Pakistan |
1.26% |
|
Pula |
Croatia |
1.23% |
|
Kansas City |
US |
0.31% |
|
New York |
US |
0.30% |
|
Evansville |
US |
0.08% |
Contrast Labs
Contrast Labs is a team of accomplished cybersecurity researchers and industry experts that perform application security threat analysis, security analytics, and other security research.
Loving our content? Subscribe now!
Get the latest application security news, trends, tips and insights content from Contrast directly to your inbox. By subscribing, you will stay up to date with all the latest and greatest from Contrast Security.