Over the course of Q3 2020, UKFast’s Threat Vision platform prevented 8.5 million cyber-attacks from materialising across our clients’ networks. Using the data collected between July and August, we were able to identify the three most common cyber-attack vectors used by criminals to target UK businesses in the penultimate quarter of the year.
Number of cyber-attacks detected in Q3: 8.2 million
An attacker uses combinations of usernames and passwords, possibly obtained from a list of stolen credentials or through a phishing campaign targeting employees within your organisation. As the name suggests, the attacker attempts to force their way into your CMS, hammering your login page with known usernames and passwords until one is accepted.
The sole aim of this cyber-attack is to gain access to your account – or, in this particular case, access to your CMS – in order to leverage control over your systems, steal your data or carry out further attacks from inside your network.
CMS login attempts are simple in nature and there are some quick wins to be had:
Number of cyber-attacks detected in Q3: 5.85 million
In general, POST requests send data to your server. Whenever you leave a comment, post a tweet, share content or fill out a contact form on a website, you’re sending your content, and the data that comes with it, to the server as a POST request. This is normal and just an expected part of how the web works. So, what’s the issue?
For your typical server, there’s no limit to how many POST requests it can receive. This means that threat actors can flood your server with POST requests at any given moment, bombarding your infrastructure with huge amounts of data and eating into server resources and bandwidth. While your server may be able to handle a constant stream of malicious POST requests without too much distress at first, the cumulative effect of these requests is a seriously strained server struggling to function with diminished resources.
As well as slowing down your server’s response, or even crashing it entirely, threat actors often use these cyber-attacks to highlight further server vulnerabilities which they can exploit.
Number of cyber-attacks detected in Q3: 2.16 million
Your website links to locations on your server where the page is actually stored, but if the permissions are not correct on the server, hackers are able to break out of the directory in which that particular file is stored. They do this by adding words into the URL, for example:
The forward slash triggers moving up a level in the folder tree, so instead of opening an image, that URL will open the ‘passwd’ file. In this case, three added words take you to the top of the file structure and then open the ‘/etc/passwd’ file. This happens when a web application uses functions that interact directly with the filesystem, which is not very secure.
To protect against this, input validation should be implemented, which means a file should only be run if the request matches a set of allowed characters.
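The allowed-characters check described above, shown beside the unchecked form it replaces. This is an added example, not UKFast's code: `IMAGE_ROOT`, the function names and the sample requests are assumptions made for illustration, and the containment check after the allowlist goes one step beyond what the text states.

```python
import re
from pathlib import Path

# Hypothetical image directory (an assumption for this example).
IMAGE_ROOT = Path("/srv/www/images")

# Allowlist: letters, digits, underscore and hyphen, then one image extension.
# Slashes and dot sequences never match, so no folder change is possible.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]+\.(?:png|jpg|jpeg|gif)")

# Constructed sample requests: one ordinary image, one traversal attempt.
SAMPLE_REQUESTS = ["logo.png", "../../../etc/passwd"]


def inside_root(path: Path) -> bool:
    """True when the resolved path still sits under IMAGE_ROOT."""
    return IMAGE_ROOT.resolve() in path.parents


def resolve_unsafe(requested: str) -> Path:
    """Weak form: the requested name is joined to the root with no checks."""
    return (IMAGE_ROOT / requested).resolve()


def resolve_safe(requested: str) -> Path:
    """Hardened form: allowlist the name, then confirm containment."""
    if not ALLOWED_NAME.fullmatch(requested):
        raise ValueError("file name contains characters outside the allowlist")
    candidate = (IMAGE_ROOT / requested).resolve()
    # Defence in depth: also catches a symlink inside the directory
    # that points somewhere outside it.
    if not inside_root(candidate):
        raise ValueError("resolved path escapes the image directory")
    return candidate


def audit(requests):
    """Return (request, accepted) pairs for the hardened resolver."""
    results = []
    for name in requests:
        try:
            resolve_safe(name)
            results.append((name, True))
        except ValueError:
            results.append((name, False))
    return results


if __name__ == "__main__":
    for name in SAMPLE_REQUESTS:
        print(name, "->", resolve_unsafe(name), "| unsafe stays inside root:",
              inside_root(resolve_unsafe(name)))
    print(audit(SAMPLE_REQUESTS))
```
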
UKFast’s intelligent detection and response platform Threat Vision provides single-pane network visibility over internal and external threats to your website, with 24/7 in-house support to help you keep your site secure.