
Q3 2020’s most common cyber-attacks explained

16 November 2020 by Yasmin Duggal

Over the course of Q3 2020, UKFast’s Threat Vision platform prevented 8.5 million cyber-attacks across our clients’ networks. Using the data collected between July and August, we identified the three most common attack vectors that criminals used to target UK businesses in the penultimate quarter of the year.

1. CMS login attempts 

Number of cyber-attacks detected in Q3:  8.2 million 

How does it work? 

An attacker uses combinations of usernames and passwords, possibly obtained from a list of stolen credentials or through a phishing campaign targeting employees within your organisation. As the name suggests, the attacker attempts to force their way into your CMS, hammering your login page with known usernames and passwords until one is accepted. 

The sole aim of this cyber-attack is to gain access to your account – or, in this particular case, to your CMS – in order to take control of your systems, steal your data or launch further attacks from inside your network.

What can you do? 

CMS login attempts are simple in nature and there are some quick wins to be had: 

  • Ensure that all default credentials (both usernames and passwords) have been changed across your whole network. Default credentials are one of the easiest ways for attackers to gain access to your accounts, yet changing them is a basic security measure many of us forget – this includes your Wi-Fi password!
  • Invest in an intrusion detection or intrusion prevention service. These spot suspicious activity such as a single source trying many different combinations of usernames and passwords in a short space of time. An intrusion detection system alerts you to the activity; an intrusion prevention system goes further and blocks the offending IP address, dramatically reducing the chances of a successful brute-force attack.

2. WordPress POST requests

Number of cyber-attacks detected in Q3:  5.85 million 

How does it work? 

In general, POST requests send data to your server. Whenever you leave a comment, post a tweet, share content or fill out a contact form on a website, you’re sending your content, and the data that comes with it, to the server as a POST request. This is normal and just an expected part of how the web works. So, what’s the issue? 

For a typical server there is no built-in limit to how many POST requests it will accept. This means that threat actors can flood your server with POST requests at any moment, bombarding your infrastructure with large amounts of data and eating into server resources and bandwidth. While your server may handle a constant stream of malicious POST requests without too much distress at first, the cumulative effect is a seriously strained server struggling to function with diminished resources.

As well as slowing your server’s responses, or even crashing it entirely, threat actors often use these floods to surface further server weaknesses, such as endpoints that fall over or leak error detail under load, which they can then exploit.

What can you do? 

  • Monitor: Monitor POST requests and ensure your monitoring scripts allow you to see the actual content of the request, so you can determine whether it is indeed malicious.
  • Detect: Detecting POST requests starts with a simple log search for the word POST, noting the source IP, the URL, the HTTP protocol version and the response status of each request. Together these make it possible to pick out a malicious POST request, though the exact log format varies with your server configuration.
  • Block: After a period of monitoring, decide which POST requests are valid or expected on your site and implement a ruleset that blocks invalid requests while ensuring valid requests still reach your server.
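The monitor/detect/block steps above, and the brute-force pattern from section 1, both come down to the same log analysis, so here is one added example that covers both. It is illustrative code written for this page, not part of UKFast's Threat Vision or of WordPress: it parses constructed access-log lines in the common "combined" format, counts failed CMS login attempts and POST volume per source IP, and emits block rules for anything over threshold. The login paths, thresholds and sample traffic are assumptions to adjust for your own site.

```python
"""Flag CMS brute-force logins and POST floods from web-server access logs.

Added example for this page (not the article's or any vendor's code). Log lines,
login paths and thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" format:
#   ip - user [timestamp] "METHOD path HTTP/x.y" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Login endpoints of common CMSs (assumed list; extend for your stack).
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/administrator/index.php", "/user/login"}

# Assumed per-IP thresholds for the window of log lines being analysed.
LOGIN_FAIL_THRESHOLD = 5
POST_FLOOD_THRESHOLD = 50


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, login_fail_threshold=LOGIN_FAIL_THRESHOLD,
            post_flood_threshold=POST_FLOOD_THRESHOLD):
    """Count POSTs and failed login POSTs per source IP and report the offenders."""
    login_fails = defaultdict(int)
    post_counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        post_counts[rec["ip"]] += 1
        # A default WordPress install answers a failed wp-login.php POST with 200
        # (it re-renders the form) and a successful one with a 302 redirect, so a
        # POST to a login path that did not produce a 302 is treated as a failure.
        if rec["path"].split("?", 1)[0] in LOGIN_PATHS and rec["status"] != "302":
            login_fails[rec["ip"]] += 1
    return {
        "brute_force": {ip: n for ip, n in login_fails.items() if n >= login_fail_threshold},
        "post_flood": {ip: n for ip, n in post_counts.items() if n >= post_flood_threshold},
    }


def deny_rules(report):
    """Turn a report into nginx 'deny' directives for the block step."""
    ips = sorted(set(report["brute_force"]) | set(report["post_flood"]))
    return ["deny %s;" % ip for ip in ips]


def sample_log():
    """Constructed sample traffic (not real data) for one minute of a site."""
    ts = "10/Aug/2020:14:02:{:02d} +0100"
    lines = []
    # Attacker guessing admin passwords: six failed logins from one address.
    for i in range(6):
        lines.append('203.0.113.7 - - [%s] "POST /wp-login.php HTTP/1.1" 200 4821 '
                     '"-" "python-requests/2.24"' % ts.format(i))
    # Legitimate editor: one successful login (302) followed by normal browsing.
    lines.append('198.51.100.9 - - [%s] "POST /wp-login.php HTTP/1.1" 302 0 '
                 '"-" "Mozilla/5.0"' % ts.format(10))
    lines.append('198.51.100.9 - - [%s] "GET /wp-admin/ HTTP/1.1" 200 23111 '
                 '"-" "Mozilla/5.0"' % ts.format(11))
    # POST flood against the comment handler: 60 requests inside the minute.
    for i in range(60):
        lines.append('192.0.2.33 - - [%s] "POST /wp-comments-post.php HTTP/1.1" 200 120 '
                     '"-" "curl/7.68"' % ts.format(i % 60))
    return lines


if __name__ == "__main__":
    result = analyse(sample_log())
    print("brute force:", result["brute_force"])
    print("POST flood: ", result["post_flood"])
    print("\n".join(deny_rules(result)))
```

Run it against a real log with `analyse(open("access.log"))` and the thresholds scoped to whatever time window you feed in; in production you would rotate the window rather than counting a whole day, and feed the deny list to your IPS or firewall rather than hand-editing nginx.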

3. Suspicious URL access

Number of cyber-attacks detected in Q3:  2.16 million 

How does it work? 

Your website links to locations on your server where each page or file is actually stored, but if the permissions on the server are not correct, attackers are able to break out of the directory in which that particular file is stored. They do this by adding path segments to the URL, for example replacing an image file name with ../../../etc/passwd.

Each ../ moves up one level in the folder tree, so instead of opening an image, that URL will open the passwd file. In this case, three added ../ segments take you to the top of the file structure, and the request then opens the /etc/passwd file. This happens when a web application passes user-supplied input straight to functions that interact with the filesystem, which is not secure.

What can you do? 

To protect against this, implement input validation: accept only file names made up of an allowed set of characters (no path separators or .. sequences), then resolve the final path and confirm it still sits inside the directory you intended to serve from before touching the filesystem.
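An added example of the weakness and the fix described above (code written for this page, not the article's own): a file-serving helper that first joins the URL's file name onto the web root unchecked, then the hardened version with an allow-list plus a resolved-path check. The directory layout is built in a temporary folder so it runs offline and mimics, rather than touches, /var/www and /etc/passwd; the web root and file names are assumptions.

```python
"""Path traversal: vulnerable file serving beside the validated version.

Added example for this page. The directory tree is constructed under a temp
directory to stand in for /var/www/images and /etc/passwd.
"""
import os
import re
import tempfile

# Assumed allow-list: a bare file name of safe characters plus an image extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.(png|jpe?g|gif)")


def serve_unsafe(web_root, name):
    """Vulnerable: the request's file name goes straight to the filesystem, so
    name='../../../etc/passwd' walks three levels up and out of web_root."""
    with open(os.path.join(web_root, "images", name), "rb") as f:
        return f.read()


def serve_safe(web_root, name):
    """Hardened: input validation first, then a check on the resolved path."""
    # 1. Only names built from allowed characters are accepted; '../' never matches.
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected file name: %r" % name)
    # 2. Defence in depth: resolve symlinks and '..' and make sure the final
    #    location is still inside the images directory.
    base = os.path.realpath(os.path.join(web_root, "images"))
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes web root: %r" % target)
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Build the constructed tree and return what each version hands out."""
    tmp = tempfile.mkdtemp()
    web_root = os.path.join(tmp, "var", "www")      # stands in for /var/www
    os.makedirs(os.path.join(web_root, "images"))
    os.makedirs(os.path.join(tmp, "etc"))          # stands in for /etc
    with open(os.path.join(web_root, "images", "logo.png"), "wb") as f:
        f.write(b"\x89PNG-sample")
    with open(os.path.join(tmp, "etc", "passwd"), "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/bash\n")

    traversal = "../../../etc/passwd"   # images -> www -> var -> tmp, then etc/passwd
    results = {
        "unsafe_normal": serve_unsafe(web_root, "logo.png"),
        "unsafe_traversal": serve_unsafe(web_root, traversal),  # leaks the passwd file
        "safe_normal": serve_safe(web_root, "logo.png"),
    }
    try:
        serve_safe(web_root, traversal)
        results["safe_traversal"] = "served"
    except ValueError:
        results["safe_traversal"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %r" % (key, value))
```

Note that the allow-list alone already defeats the ../ form; the realpath check is there for the cases a character filter does not cover, such as a symlink inside the images directory pointing elsewhere, and it costs nothing to keep both.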

UKFast’s intelligent detection and response platform Threat Vision provides single-pane network visibility over internal and external threats to your website, with 24/7 in-house support to help you keep your site secure. 

Looking to strengthen your security for 2021?