Sunday, 28 May, 2023
IT Security Guru

Attacks On Internet’s “Weakest Link” Continue Unabated.

by The Gurus
November 12, 2019
in Featured, Network Security

New threat intelligence from F5 Labs has highlighted the increasing vulnerability of a programming language used in over 80% of the world’s websites.

According to F5 Labs’ data partner Loryka, 81% of malicious traffic monitored in the wild in 2018 was PHP-related. This represents a 23% rise compared to 2017. Monitoring focused on initial reconnaissance campaigns looking for admin surfaces to compromise as part of a broader attack chain.

Featuring in the first instalment of F5 Labs’ Application Protection Report 2019, the research also notes that PHP accounted for 68% of all of 2018’s published exploits on the Exploit Database.

“The volume and relentless nature of PHP exploits are alarming but unsurprising,” said Sander Vinberg, Threat Research Evangelist, F5 Labs.

“Based on our research, we predict that it will remain one of the Internet’s weakest links and broadest attack surfaces for the foreseeable future.”

As a part of its analysis, F5 Labs also shed light on specific PHP attack tactics.

Loryka’s sensors identify connection attempts and capture data such as source IP and target URL. Attackers often cycle through billions of targets looking for opportunities to attack, so the target domain or IP address is not significant. However, the back half of the target URL contains the target file or path. This is the specific location on a web server that the attacker is targeting across all their target IPs. It also reveals a lot about an attacker’s goals and tactics.

For example, Loryka noted that a huge portion of traffic focused on just seven paths or filenames. All seven are commonly used for managing phpMyAdmin (also known as PMA), which is a PHP web application used for managing MySQL databases.

42% of the 1.5M unique events targeting more than 100,000 different URLs were aimed at one of the following:

www.example.com/PMA2011/
www.example.com/pma2011/
www.example.com/PMA2012/
www.example.com/phpmyadmin3/
www.example.com/pma2012/
www.example.com/phpmyadmin4/
www.example.com/phpmyadmin2/

The traffic volume targeting these was found to be almost identical from path to path, with less than a 3% difference between most and least frequent volume. The timing of the campaigns targeting these paths was also close to identical, with traffic spiking in coordination.

On closer inspection, F5 Labs discovered that 87% of the traffic pointed at the common phpMyAdmin paths stemmed from just two IPs out of the 66,000 IPs hitting Loryka’s sensors. These two IPs represented 37% of all monitored traffic in 2018. All traffic from the compromised IPs pointed at the seven PMA paths. No other single IP matched this volume of traffic or replicated its patterns – even when targeting the same paths.

Interestingly, the two IPs came from systems based on a North American university campus.
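The analysis above rests on two aggregations of sensor data: counting hits by the path portion of the target URL (which is what identifies the phpMyAdmin campaign) and counting hits by source IP (which is how the two outlier addresses were found). The following script is an added example, not F5 Labs’ or Loryka’s code, showing how a defender can run the same two aggregations over ordinary web-server access logs. The log lines, IP addresses and the phpMyAdmin path pattern are constructed for the example.

```python
"""Aggregate admin-surface reconnaissance by target path and by source IP.

This is an added illustration of the analysis described in the article; the log
lines below are constructed sample data in common log format, not Loryka sensor data.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access log (RFC 5737 documentation addresses, not real sources).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Mar/2018:10:12:01 +0000] "GET /PMA2011/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2018:10:12:01 +0000] "GET /pma2011/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2018:10:12:02 +0000] "GET /PMA2012/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2018:10:12:02 +0000] "GET /phpmyadmin3/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2018:10:12:05 +0000] "GET /pma2012/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2018:10:12:05 +0000] "GET /phpmyadmin4/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2018:10:12:06 +0000] "GET /phpmyadmin2/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Mar/2018:10:13:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.45 - - [03/Mar/2018:10:13:11 +0000] "GET /blog/post/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.46 - - [03/Mar/2018:10:13:12 +0000] "GET /phpmyadmin/?lang=en HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed pattern for the phpMyAdmin-style paths listed in the article (case-insensitive,
# optional trailing digits, optional trailing slash).
ADMIN_PATH_RE = re.compile(r"^/(?:pma|phpmyadmin)\d*/?$", re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Keep only the path: the query string is irrelevant for grouping by target file/path.
    rec["path"] = urlsplit(rec["target"]).path
    return rec


def is_admin_probe(path):
    """True if the path matches the phpMyAdmin admin-surface pattern."""
    return bool(ADMIN_PATH_RE.match(path))


def summarise(log_text):
    """Count admin-surface probes by exact path and by source IP."""
    total = 0
    by_path = Counter()
    by_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        total += 1
        if is_admin_probe(rec["path"]):
            by_path[rec["path"]] += 1
            by_ip[rec["ip"]] += 1
    return {"total": total, "admin_hits": sum(by_ip.values()),
            "by_path": by_path, "by_ip": by_ip}


def source_concentration(by_ip, top_n=2):
    """Fraction of admin-path probes that come from the top_n source IPs (0.0 if none)."""
    hits = sum(by_ip.values())
    if hits == 0:
        return 0.0
    return sum(count for _, count in by_ip.most_common(top_n)) / hits


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['admin_hits']} of {s['total']} requests probed admin paths")
    for path, n in s["by_path"].most_common():
        print(f"  {n:>3}  {path}")
    print(f"top 2 sources account for {source_concentration(s['by_ip']):.0%} of admin probes")
```

On the constructed sample, eight of the ten requests probe phpMyAdmin-style paths and two addresses account for 87.5% of them, which is the shape of the signal F5 Labs describes; on real logs the same path and source counters are what you would feed into an alert on a new high-volume source or a spike across several admin paths at once.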

“Basically, unknown actors used a small number of compromised systems on university networks to look for specific targets: old and probably neglected MySQL databases with weak authentication,” Vinberg explained.

“These actors have defined a narrow set of target parameters but are scanning the entire web from a small number of addresses—and are not trying too hard to cover their tracks. Given that SQL injection was the most common PHP attack, it seems that the threat landscape is going to look similar this year.”

Vinberg added that mitigating the risk from these kinds of campaigns should be relatively straightforward – provided system owners are aware of what is on their network.

“Whitelisting authentication pages for admin surfaces is an easy way to prevent a recon campaign of this nature from escalating,” he said.

“A robust access control program with strong passwords or multifactor authentication would also mitigate the risk of credential stuffing or escalation from a phishing campaign that might follow reconnaissance activities.”
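Vinberg’s whitelisting suggestion amounts to one rule: requests for admin-surface paths are served only from management networks, while everything else passes through as normal. The example below is an added illustration of that rule, not F5 Labs’ code or a real web-server configuration. It also covers the trap that defeats most home-grown allowlists: trusting a client-supplied X-Forwarded-For header. The admin prefixes, allowlisted networks and trusted-proxy range are constructed assumptions for the example.

```python
"""Allowlist admin surfaces by source network (added example, not from the article).

decide() is the access rule; client_ip() picks the address to evaluate without
letting a forged X-Forwarded-For header bypass the rule.
"""
import ipaddress

# Assumed admin-surface prefixes (covers /pma2011/, /phpmyadmin4/ and so on).
# Matching is deliberately broad: a false positive only means a public path gets
# the admin rule, which fails towards "deny" rather than towards exposure.
ADMIN_PREFIXES = ("/phpmyadmin", "/pma")

# Assumed management networks allowed to reach admin pages (constructed values).
ADMIN_ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def is_admin_path(path):
    """True if the request path starts with one of the admin prefixes (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in ADMIN_PREFIXES)


def client_ip(remote_addr, forwarded_for=None, trusted_proxies=()):
    """Return the client address as an ipaddress object.

    X-Forwarded-For is attacker-controlled unless it was appended by a proxy we
    operate, so it is consulted only when the TCP peer is a trusted proxy, and then
    the hops are walked from the right, skipping trusted proxy addresses.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    if not forwarded_for or not is_trusted(peer):
        return peer  # direct connection, or header not added by our proxy: ignore it
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed header: stop walking and fall back to the peer
        if not is_trusted(addr):
            return addr
    return peer


def decide(path, client, allowed=ADMIN_ALLOWED_NETWORKS):
    """Return ('allow' | 'deny', reason) for one request.

    Non-admin paths always pass through to the application; admin paths pass only
    from an allowlisted network. An unparseable client address is denied (fail closed).
    """
    if not is_admin_path(path):
        return "allow", "public path"
    try:
        addr = ipaddress.ip_address(str(client))
    except ValueError:
        return "deny", "unparseable client address"
    if any(addr in net for net in allowed):
        return "allow", "admin path from allowlisted network"
    return "deny", "admin path from non-allowlisted network"


if __name__ == "__main__":
    proxies = ["198.51.100.0/24"]  # assumed range of our own reverse proxies
    # A direct connection claiming an allowlisted address in X-Forwarded-For: header ignored.
    spoofed = client_ip("203.0.113.9", "10.20.0.15", trusted_proxies=proxies)
    print(decide("/pma2011/", spoofed))
    # The same request via our proxy, with the real client recorded by the proxy.
    real = client_ip("198.51.100.5", "10.20.0.15, 198.51.100.5", trusted_proxies=proxies)
    print(decide("/pma2011/", real))
```

The same rule can be expressed as an `allow`/`deny` block on the admin location in a reverse proxy, but wherever it lives the two properties to keep are the ones the code makes explicit: the client address must come from the socket or from a proxy you control, and anything that cannot be classified is denied rather than let through.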

F5 Labs’ PHP analysis is the first chapter of the Application Protection Report 2019. Additional instalments will be published throughout the year.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic