Attack Toolkits, Web Plug-ins Top Cyber-Weapons in 2010: HP

Affordable and sophisticated attack toolkits and a number of Web-based plug-ins for popular content management systems led to an increase in Web-based attacks in 2010.

Cyber-attackers shifted away from traditional methods to Web-based attacks in 2010, thanks to the proliferation of Web-based plug-ins and attack toolkits, according to a new security report compiled by Hewlett-Packard.

Web-based attacks jumped from only a tenth of all attacks at the beginning of 2010 to more than 70 percent of all attacks by the end of the year, HP DVLabs found in its 2010 Top Cyber Security Risks Report, released April 4. While there were still attacks on networks and computers using other protocols, attacks against the HTTP protocol became the most prevalent, the report found.

"We're seeing a huge explosion in web application attacks," Mike Dausin, manager of advanced security intelligence for HP DVLabs, wrote in the report.

The initial shift in attack methods occurred in March 2010, when HTTP attacks accounted for about half the total number of attacks. The second boost came during the final quarter of 2010, when Web applications were targeted in about 70 percent of the total attacks, according to the HP report.

Attackers are targeting multiple vulnerabilities at once and not just focusing on one or two, Dausin wrote. The report used a successful PHP file-include attack to illustrate its point, noting that the host was compromised after being subject to 10 different attacks. In contrast, a typical attack using traditional network protocols tended to hit one flaw at a time, the researchers said.

"They're sending a barrage of malicious requests, trying every tool they have at their disposal," Dausin wrote.

The rise in Web-based attacks can be directly attributed to the increase in sophisticated and relatively cheap attack toolkits, the report found. The toolkits, with an estimated price of $2,400 for a high-end one, could be used to create a botnet, which could then be rented out to other cyber-criminals or used to launch other scams. The kits are also becoming more prevalent as criminals modify existing kits and sell the customized versions to others.

The report also identified third-party plug-ins for content management systems, such as Wordpress, Joomla and Drupal, as another leading cause of Web application vulnerabilities. Plug-ins accounted for about 40 percent of the vulnerabilities discovered between 2006 and 2009, but were about 60 percent in 2010. The researchers believe this may be a result of a more aggressive update policy for the core modules on these platforms.

There were also more attacks recorded in 2010 overall. Even so, the number of vulnerabilities discovered in software applications has leveled off in recent years, with Web application flaws taking up a bigger proportion of identified bugs. Web application holes currently comprise about half the total discovered flaws.

However, the majority of attacks were against known and patched security vulnerabilities. The attacks succeeded because administrators were behind in applying patches. Many high-profile attacks did exploit new vulnerabilities before vendors were able to issue fixes, the report found.

Almost all the attacks, regardless of type, appeared to be automated, but Web-based attacks were more likely targeting individual hosts, as opposed to spreading out to compromise as many hosts as possible.

HP DVLabs, which specializes in security vulnerability analysis and discovery, looked at event data from deployed HP TippingPoint Intrusion Prevention Systems for the report. Each event data refers to the information collected by HP TippingPoint systems when an exploit triggered a security filter. HP also used information collected from HP WebInspect software from HP Fortify, the lab's own pay-for-vulnerability program Zero Day Initiative and Open Source Vulnerability database, an open-source database created by the security vulnerabilities community.

The security vulnerabilities uncovered at the recent Pwn2Own contest at CanSecWest were entered into the Zero Day Initiative. HP paid for 320 vulnerabilities in 2010, most of which could be classified as critical, in comparison to the 750 total bugs filed since the program's inception in 2005.

The report builds on the midyear report published by HP in 2010.