Affordable and sophisticated attack toolkits and a number of Web-based plug-ins for popular content management systems led to an increase in Web-based attacks in 2010.
Cyber-attackers shifted away from traditional methods to Web-based attacks
in 2010, thanks to the proliferation of Web-based plug-ins and attack toolkits,
according to a new security report compiled by Hewlett-Packard.
Web-based attacks jumped from only a tenth of all attacks at the beginning
of 2010 to more than 70 percent of all attacks by the end of the year, HP
DVLabs found in its 2010
Top Cyber Security Risks Report
, released April 4. While there were still
attacks on networks and computers using other protocols, attacks against the
HTTP protocol became the most prevalent, the report found.
"We're seeing a huge explosion in web application attacks," Mike
Dausin, manager of advanced security intelligence for HP DVLabs, wrote in the
The initial shift in attack methods occurred in March 2010, when HTTP
attacks accounted for about half the total number of attacks. The second boost
came during the final quarter of 2010, when Web applications were targeted in
about 70 percent of the total attacks, according to the HP report.
Attackers are targeting multiple vulnerabilities at once and not just
focusing on one or two, Dausin wrote. The report used a successful PHP file-include
attack to illustrate its point, noting that the host was compromised after
being subject to 10 different attacks. In contrast, a typical attack using
traditional network protocols tended to hit one flaw at a time, the researchers
"They're sending a barrage of malicious requests, trying every tool
they have at their disposal," Dausin wrote.
The rise in Web-based attacks can be directly attributed to the increase in
sophisticated and relatively cheap attack toolkits, the report found. The
toolkits, with an estimated price of $2,400 for a high-end one, could be used
to create a botnet, which could then be rented out to other cyber-criminals or
used to launch other scams. The kits are also becoming more prevalent as
criminals modify existing kits and sell the customized versions to others.
The report also identified third-party plug-ins for content management
systems, such as Wordpress, Joomla and Drupal, as another leading cause of Web
application vulnerabilities. Plug-ins accounted for about 40 percent of the
vulnerabilities discovered between 2006 and 2009, but were about 60 percent in
2010. The researchers believe this may be a result of a more aggressive update
policy for the core modules on these platforms.
There were also more attacks recorded in 2010 overall. Even so, the number
of vulnerabilities discovered in software applications has leveled off in
recent years, with Web application flaws taking up a bigger proportion of
identified bugs. Web application holes currently comprise about half the total
However, the majority of attacks were against known and patched security
vulnerabilities. The attacks succeeded because administrators were behind in
applying patches. Many high-profile attacks did exploit new vulnerabilities before
vendors were able to issue fixes, the report found.
Almost all the attacks, regardless of type, appeared to be automated, but
Web-based attacks were more likely targeting individual hosts, as opposed to
spreading out to compromise as many hosts as possible.
HP DVLabs, which specializes in security vulnerability analysis and
discovery, looked at event data from deployed HP TippingPoint Intrusion
Prevention Systems for the report. Each event data refers to the information
collected by HP TippingPoint systems when an exploit triggered a security
filter. HP also used information collected from HP WebInspect software from HP
Fortify, the lab's own pay-for-vulnerability program Zero Day Initiative and
Open Source Vulnerability database, an open-source database created by the
security vulnerabilities community.
The security vulnerabilities uncovered at the recent Pwn2Own contest at
CanSecWest were entered into the Zero Day Initiative. HP paid for 320
vulnerabilities in 2010, most of which could be classified as critical, in
comparison to the 750 total bugs filed since the program's inception in 2005.
The report builds on the midyear report published by HP in 2010.