Cyber-Criminals Use Botnets, Automation to Launch Multiple Blended Attacks

Cyber-criminals have embraced automated tools to expand the number of targets and to exploit multiple attack vectors.

The average large business sees 27 attacks per minute hitting its Website. Attackers can use automation technologies to generate up to seven attacks per second, or 25,000 attacks per hour.

Security firm Imperva uncovered these figures after analyzing more than 10 million Web application attacks that targeted Websites belonging to 30 large businesses and government agencies between January 2011 and May 2011, according to the report released July 25. The Web Application Attack Report (WAR) also analyzed anonymized traffic.

Cyber-criminals are increasingly using automation and botnets to carry out their attacks, the report found. IT departments aren't the only ones that rely on automated tools to speed up operations, after all. The way criminals are automating their attacks is "one of the most significant innovations in criminal history," Rob Rachwald, director of security strategy at Imperva, in a blog post.

"You can't automate car theft or purse snatching-but you can automate data theft," Rachwald wrote, predicting that cyber-crime will soon exceed physical crime in terms of financial impact as more attackers rely on automation.

While some of the attacks called for highly complex programs, many were launched by relatively simple scripts, the researchers found. Attackers could point the single script at a large number of targets to launch simultaneous attacks or to attack several sites in sequence. Many of the scripts are readily available with instructions on how to use them on various sites online.

Many of the scripts are also based on the Metasploit penetration testing platform, a legitimate security testing tool often used by cyber-criminals to uncover security holes, Imperva found. The tool comes with hundreds of automated exploits and malware payloads that attackers can use.

Attackers are likely to combine several techniques instead of relying on a single attack method, Imperva's researchers discovered. Directory traversal, a method used to identify what files are on the system and to access those files that weren't intended to be publicly accessible, may be used during the "reconnaissance phase" before launching an exploit, such as a remote-file-include (RFI), Imperva wrote in its report.

Directory traversal was the most prevalent Web attack according to Imperva's analysis, accounting for 37 percent of the attacks. Another 36 percent of the attacks were cross-site scripting, followed by SQL injection, at 23 percent. With the exception of directory traversal, the most prevalent attacks against Web applications Imperva identified also showed up on the list of top 25 Web vulnerabilities released by the SANS Institute late June.

Attackers often employed those techniques in combination, whether to steal data, surreptitiously install malware on servers, or simply create a denial of service. "For example, a hacker may use directory traversal during a reconnaissance phase of the combined attack to identify the directory structure of an attacked server before sending an additional effective exploit vector, such as an RFI," according to the report.

Even though Imperva didn't analyze any of the attacks perpetrated by cyber-prankster group LulzSec and hacker collective Anonymous, the researchers said their findings mirrored the groups' focus on stealing data by attacking the Web application. "The battlefield has shifted to applications and databases and away from network firewalls and anti-virus," Rachwald wrote.

More than 61 percent of attacks originated from botnets with zombies in the United States, Imperva found. The other countries named in the report were China, at 9 percent, Sweden with 4 percent and France with 2 percent. However, it is "increasingly difficult" to trace attacks to specific entities or organizations despite figuring out the country of origin, Rachwald said. Not being able to trace the attacks makes it difficult to shut down cyber-criminal gangs or identify potential acts of war, according to Rachwald.

And not being able to identify perpetrators behind specific cyber-incidents is one of the reasons it would be difficult for the Department of Defense to react to cyber-attacks as an act of war.

Imperva predicted that government-sponsored cyber-attacks against critical infrastructure will become more sophisticated as attackers expand on techniques already being used by attackers against commercial targets.