[2024.05] Web Attack Trend Report | MONITORAPP


 

Weekly web attack trends

 

Weekly web attack trends help you see when web attacks are most prevalent. This can help you plan ahead to prevent and respond to web attacks during peak periods.

The graph below shows the web attacks detected by AIWAF in May 2024.

 

 

In May 2024 AIWAF detected over 200,000 attacks per day on average, with the peak falling on the 10th to the 12th.

The peak on the 10th to the 12th was driven by SQL Injection attempts; SQL Injection is also one of the patterns with the largest number of detection conditions in AIWAF.

SQL Injection nonetheless stays under constant monitoring, because new attack variants and evasion techniques keep appearing.

 


 

Web Attack Trends by Attack Type

 

The breakdown of detection logs by attack type shows which attacks were most common during the month.

From this breakdown you can establish baseline guidelines for preventing and responding to those attack types.

 

The graph below shows the web attacks detected by AIWAF in May 2024, broken down by attack type.

 

 

SQL Injection (38.79%) was the most common type of attack detected, followed by Default Page (29.6%), Application Vulnerability (11.3%), and Directory Traversal (7.56%).

 

SQL Injection is among the most varied and dangerous attack classes; Injection sat at #1 in the OWASP Top 10 of 2013 and 2017 and remains in the top three (A03) of the 2021 list.

It injects malicious SQL into queries that an application builds dynamically from user input, so that a vulnerable application authenticates the attacker or returns data it should not.

Unusual syntax in query values, such as quotes, comment markers (--, /*) or keywords like UNION and OR, should be treated as a sign of an attack.

 

Default Page detections cover attempts to reach a file directly by an unexpected path, or to bypass authorization and fetch it outright, typically files left behind by a default installation.

A web service does not normally serve such files, so requests for them should be treated as suspicious.
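The following is an added example, not AIWAF's rule set, that illustrates the three categories discussed above (SQL Injection, Default Page and Directory Traversal) as detection logic run over constructed access-log lines and then counted the way the monthly chart is. The regular expressions, the default-page list and the log lines are all assumptions made for the demo; it also decodes percent-encoding twice so that a double-encoded payload (%2527 for a quote) is seen as what the backend will see, which is one of the evasion methods the text refers to.

```python
"""
Minimal WAF-style classifier over constructed access-log lines.
Added example; NOT AIWAF's rule set.  Patterns, the default-page list and
the log lines are assumptions made for this demo.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Common Log Format (not real AIWAF data).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:03:12:44 +0900] "GET /product?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/May/2024:03:12:45 +0900] "GET /product?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 9812
203.0.113.5 - - [10/May/2024:03:12:51 +0900] "GET /product?id=1%2527%2520OR%25201%253D1-- HTTP/1.1" 200 9812
198.51.100.7 - - [10/May/2024:03:13:02 +0900] "GET /login?user=admin%27%20UNION%20SELECT%20password%20FROM%20users-- HTTP/1.1" 500 0
198.51.100.7 - - [11/May/2024:03:13:10 +0900] "GET /phpinfo.php HTTP/1.1" 404 0
198.51.100.7 - - [11/May/2024:03:13:11 +0900] "GET /.env HTTP/1.1" 403 0
192.0.2.9 - - [12/May/2024:03:14:00 +0900] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1320
192.0.2.9 - - [12/May/2024:03:14:05 +0900] "GET /images/logo.png HTTP/1.1" 200 4100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d+)/[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Assumed SQLi indicators, checked against decoded query values and path.
SQLI_RE = re.compile(
    r"""'\s*(or|and)\s+[\w']+\s*=\s*[\w']+      # quote followed by a tautology
      | \bunion\s+(all\s+)?select\b             # UNION-based extraction
      | ;\s*(drop|insert|update|delete|exec)\b  # stacked statements
      | --|/\*                                  # comment used to cut the query off
    """,
    re.I | re.X,
)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
# Assumed short list of files a default install leaves behind; a real WAF ships far more.
DEFAULT_PATHS = {"/phpinfo.php", "/info.php", "/test.php", "/.env", "/.git/config",
                 "/web.config", "/backup.zip", "/phpmyadmin/index.php"}


def decode(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (bounded) so a double-encoded payload such as
    %2527 is seen as the quote it becomes on the backend."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target: str):
    """Return the attack type for a request target, or None if it looks clean."""
    parts = urlsplit(target)
    path = decode(parts.path)
    query = decode(parts.query)
    if SQLI_RE.search(query) or SQLI_RE.search(path):
        return "SQL Injection"
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query):
        return "Directory Traversal"
    if path.lower() in DEFAULT_PATHS:
        return "Default Page"
    return None


def analyze(log_text: str) -> dict:
    """Count detections by attack type, by day of month and by source IP."""
    by_type, by_day, by_ip = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["target"])
        if label is None:
            continue
        by_type[label] += 1
        by_day[int(m["day"])] += 1
        by_ip[m["ip"]] += 1
    return {"by_type": by_type, "by_day": by_day, "by_ip": by_ip}


def share(by_type: Counter) -> dict:
    """Percentage of all detections per type, as in the monthly chart."""
    total = sum(by_type.values())
    return {k: round(100 * v / total, 2) for k, v in by_type.items()} if total else {}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for label, pct in share(result["by_type"]).items():
        print(f"{label}: {result['by_type'][label]} ({pct}%)")
    print("busiest day:", result["by_day"].most_common(1))
    print("top attacker IPs:", result["by_ip"].most_common(3))
```

The order of the checks matters: the SQL Injection test runs first because a traversal-looking string inside an injected query should still be counted as injection, and the Default Page lookup runs last because it is an exact-path match with no payload to inspect. Bounding the decode loop to two rounds is deliberate; an unbounded loop is a denial-of-service lever against the WAF itself.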

 


 

Summary of web attack trend graphs for the last 3 months

 

February

 

 

March

 

 

April

 

 


 

Top 30 Attacker IPs

 

 


 

Vulnerability Analysis Report

 

[XZ Utils Backdoor]

 

1. Overview

The XZ Utils backdoor was prepared by an attacker over roughly three years, starting in 2021, and was discovered after a trusted contributor had injected malicious code into the publicly available open source XZ repository and shipped it in a release without anyone else validating the change.

 

The backdoor was initially reported as an SSH authentication bypass, but further analysis showed that it provides remote code execution (RCE) before authentication.

XZ Utils and its underlying library, liblzma, are open source projects that provide LZMA/XZ compression and decompression.

They are included by default in many Linux distributions, are widely used by developers, and are linked into software throughout the Linux ecosystem.

 

 

2. Attack Analysis

The XZ Utils backdoor consists of several components and was introduced in stages, across multiple commits.

 

B-1 Components

  • Use of GNU IFUNC (indirect function) resolvers in the build, so that the malicious code hijacks symbol resolution and replaces legitimate functions at load time
  • Obfuscated, hidden shared-object code stored inside files in the test suite
  • A set of scripts, run during the library build, that extract that code from the test files
  • Disabling Landlock, a Linux security feature that restricts what a process may access

B-2 Execution chain

  • During the library build, the malicious macro file build-to-host.m4 runs and decodes the test file bad-3-corrupt_lzma2.xz into a bash script.
  • That bash script runs a more complex decoding process on a second test file, good-large_compressed.lzma, which yields yet another script.
  • This final script extracts the object file liblzma_la-crc64-fast.o and adds it to liblzma's compilation, so the backdoor is linked into the library.

 

The picture above illustrates the B-1 components and the B-2 execution chain.
<Source : https://x.com/fr0gger_/status/1774342248437813525>

 

B-3 Execute RCE

  • Once the above has run, the hooked function in sshd's key-authentication path (RSA_public_decrypt, reached through the IFUNC hook) checks whether the connection comes from the attacker, extracts the command embedded in the client's authentication certificate and passes it to system(), giving RCE before authentication completes.

 

<Source : https://www.akamai.com/ko/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know>

 

3. Countermeasures

A backdoor of this kind is hard to cover with a detection pattern: it is planted through the software's own build and distribution process rather than delivered in a request, and the malicious code is an obfuscated binary rather than a request pattern. Detection therefore has to focus on the affected versions and build artifacts instead of traffic. The affected releases are XZ Utils 5.6.0 and 5.6.1 (CVE-2024-3094), so checking the installed liblzma version and whether sshd links liblzma is the first step.

 

We are monitoring for cases similar to the XZ Utils vulnerability.
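The following is an added example, not MONITORAPP tooling and not the XZ project's code, with three checks a practitioner can run after the countermeasures above: whether the installed xz is one of the affected releases, 5.6.0 or 5.6.1 (CVE-2024-3094); whether the sshd binary loads liblzma (the path by which the backdoor reached sshd on the affected distributions, via libsystemd); and whether a release tarball carries files that are absent from the source tree, which is how build-to-host.m4 reached users without ever appearing in git. The sample command outputs and the demo tarball are constructed here; the placeholder m4 file contains no malicious content.

```python
"""
Post-incident checks for the XZ Utils backdoor.  Added example, not
MONITORAPP or XZ project code.  The affected version numbers are the
publicly reported ones; the sample outputs and the demo tarball are
constructed for this example.
"""
import re
import subprocess
import tarfile
import tempfile
from pathlib import Path

AFFECTED_XZ = {(5, 6, 0), (5, 6, 1)}          # releases that shipped the backdoor
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample outputs so the checks can run without the real binaries.
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD_SSHD = """\
\tlinux-vdso.so.1 (0x00007ffd0c3f0000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f2b1c400000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2b1c300000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2b1c2c0000)
"""


def parse_xz_version(output: str) -> tuple:
    """Read the version from the first line of `xz --version` ('xz (XZ Utils) 5.6.1')."""
    m = VERSION_RE.search(output.splitlines()[0])
    if not m:
        raise ValueError(f"unrecognised xz --version output: {output!r}")
    return tuple(int(x) for x in m.groups())


def xz_is_affected(output: str) -> bool:
    """True if the reported xz release is one that shipped the backdoor."""
    return parse_xz_version(output) in AFFECTED_XZ


def liblzma_loaded_by(ldd_output: str):
    """Return the liblzma path if `ldd sshd` shows it is linked in, else None.
    On the affected distributions sshd pulled liblzma in indirectly via libsystemd."""
    for line in ldd_output.splitlines():
        name, _, rest = line.strip().partition(" => ")
        if name.startswith("liblzma.so"):
            return rest.split(" (")[0]
    return None


def files_only_in_tarball(tar_path: Path, repo_dir: Path) -> list:
    """List regular files present in a release tarball but absent from the
    source tree it claims to be built from (the tarball's top directory is stripped)."""
    with tarfile.open(str(tar_path)) as tar:
        in_tar = {"/".join(m.name.split("/")[1:])
                  for m in tar.getmembers() if m.isfile() and "/" in m.name}
    in_repo = {p.relative_to(repo_dir).as_posix()
               for p in repo_dir.rglob("*") if p.is_file()}
    return sorted(in_tar - in_repo)


def build_demo(base: Path) -> tuple:
    """Construct a toy repo and a toy tarball carrying one extra m4 file, mirroring
    the property that kept the injected macro out of git.  Contents are placeholders."""
    repo = base / "repo"
    (repo / "m4").mkdir(parents=True)
    (repo / "configure.ac").write_text("AC_INIT([demo], [1.0])\n")
    (repo / "m4" / "ax_pthread.m4").write_text("# placeholder macro\n")
    extra = base / "build-to-host.m4"
    extra.write_text("# placeholder standing in for the injected macro\n")
    tar_path = base / "demo-1.0.tar.gz"
    with tarfile.open(str(tar_path), "w:gz") as tar:
        tar.add(repo, arcname="demo-1.0")
        tar.add(extra, arcname="demo-1.0/m4/build-to-host.m4")
    return tar_path, repo


def tarball_demo() -> list:
    """Run the tarball-vs-tree comparison on the constructed demo."""
    with tempfile.TemporaryDirectory() as tmp:
        tar_path, repo = build_demo(Path(tmp))
        return files_only_in_tarball(tar_path, repo)


if __name__ == "__main__":
    try:
        out = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=True).stdout
        print("installed xz:", ".".join(map(str, parse_xz_version(out))),
              "AFFECTED" if xz_is_affected(out) else "not an affected release")
    except (OSError, subprocess.CalledProcessError):
        print("xz not found; sample output affected:", xz_is_affected(SAMPLE_XZ_VERSION))
    print("liblzma in sample ldd output:", liblzma_loaded_by(SAMPLE_LDD_SSHD))
    print("files only in demo tarball:", tarball_demo())
```

Real autotools release tarballs legitimately contain generated files (configure, Makefile.in, aclocal.m4) that are not in git, so the list returned by files_only_in_tarball has to be reviewed against what the release process is expected to generate rather than treated as a verdict on its own; a hand-written m4 file that exists only in the tarball is exactly the kind of entry that review should stop on.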

 

4. Conclusion

The XZ Utils backdoor lets an attacker send commands to an infected system and have them executed there.

 

Open source software supply chain attacks like this one cannot be prevented by isolated measures such as secure coding or penetration testing alone; countermeasures must be considered from several angles, including how dependencies are built, reviewed and distributed. Supply chain attacks on open source software, as in this case, require special attention.

 

Our MONITORAPP is constantly monitoring for the latest vulnerabilities.

 

5. References

https://ko.wikipedia.org/wiki/XZ_Utils

https://medium.com/s2wblog/

https://yozm.wishket.com/magazine/detail/2597/

https://news.hada.io/topic?id=14122

https://www.akamai.com/ko/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know
