How Bad Actors Exploit Applications with Attacks

Frank Kyei-Manu
Published October 11, 2022

Many of today’s applications are built as collections of small services running in container clusters and deployed across many different locations. This distributed approach contributes to both performance and resiliency. However, it also makes protecting apps difficult and complex, because the attack surface is spread across many components and environments.

Meanwhile, attacks on applications and their ecosystems are more prevalent and sophisticated.

Cybercriminals regularly exploit application vulnerabilities and easily bypass many security controls. As organizations seek to become more vigilant and grow their resilience to evolving threats, it is necessary to understand how cybercriminals think, operate, and exploit apps.

Cybercriminals Follow the Money

Note that the attackers themselves need not be technically sophisticated, as there are plenty of free tools and services they use and routinely share among each other.

Their psychology, usually, is to follow the money. In a digital economy, this means targeting web and mobile applications to exploit any vulnerabilities and abuse app logic to gain access.

Cybercriminals continually scan for application weaknesses and look for open or weak application gateways. Here are three typical kinds of attacks (in ascending order of sophistication and potential value of the target):

  • Common attacks target known vulnerability classes such as those categorized in the OWASP Top 10.
  • Zero-day attacks target vulnerabilities that are not yet publicly known or patched, so defenders have had no opportunity to anticipate them.
  • Advanced persistent threats (APTs) are sustained, sophisticated campaigns that may even be state-sponsored.

It is also worth noting that cyberattacks not only target web and mobile applications but also server infrastructure, data, and devices. For this blog we’re focusing on the application, and we'll now dive a little deeper into some of the more common attacks.

Applications are Target-Rich

Attackers exploit applications because they are entry points to vast amounts of valuable data that cybercriminals can leverage for weaponization and profit.

Areas that hackers target include the application code itself, the server infrastructure upon which the app resides, and add-ons (such as code libraries or plug-ins) that bring additional functionality to the app.

According to F5 Labs' 2022 Application Protection Report, access-related breaches—including phishing, credential stuffing, and injection attacks—are the leading attack vectors, accounting for approximately 25% of all web app breaches. A close second is malware, which accounts for 24% of web app breaches. As mentioned, the goal of these app attacks is to gain access to your most valuable data in the easiest way possible.

The Devastating Effects of Application Attacks

Let us quickly walk through a common scenario of a basic injection attack. It begins with the attacker launching automated reconnaissance scans, using bots to cover many targets at once while looking for vulnerabilities:

  1. The attacker identifies an opening, typically an input (a form field, URL parameter, or API field) that the application passes to an interpreter such as a database, a shell, or a template engine without validating it.
  2. They then exploit that vulnerability by supplying input that the interpreter executes as code, and use it to run commands or queries of their choosing, sometimes planting malware to establish a persistent presence they can control remotely.
  3. Once their code is running, the attacker will likely seek options to gain further access: deeper penetration of the environment, command and control, reconnaissance or espionage, or theft.
  4. The app and underlying data are now compromised.

The scenario above is remarkably simple. Frequently injection attacks are far more sophisticated and menacing. Imagine an attacker injecting a command to delete all the data in the app, causing a digital product or service to go down entirely. Or imagine if a command were to expose a credit card database table.
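Both outcomes just described, as an added example that is not code from the original article: a lookup that splices user input into SQL text, beside the parameterized version, run against a constructed in-memory SQLite database with hypothetical `accounts` and `cards` tables. Python's built-in `sqlite3` module is used so the example runs with no dependencies; its `execute()` refuses stacked statements, so the delete case is emulated with `executescript()` to mimic a driver or database server that accepts them.

```python
import sqlite3

# Constructed sample schema and rows (hypothetical, not from the article).
SCHEMA = """
    CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
    CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, pan TEXT);
    INSERT INTO accounts (username, email)
        VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com');
    INSERT INTO cards (holder, pan)
        VALUES ('alice', '4111111111111111'), ('bob', '5555555555554444');
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller's string is spliced into the SQL text, so any
    quotes and keywords it contains are parsed as SQL."""
    sql = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: a parameterized query. The SQL text is fixed; the value is
    bound separately by the driver and is never parsed as SQL."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_vulnerable_stacked(conn, username):
    """Same flaw on a driver that accepts several ';'-separated statements.
    sqlite3's execute() rejects those, so executescript() emulates such a
    driver here. Returns how many account rows survive the call."""
    sql = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    conn.executescript(sql)
    return conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]


# Attacker payloads: a tautology that matches every row, a UNION that pulls
# rows from an unrelated table into the response, and a stacked DELETE.
# The trailing "--" comments out the closing quote the application appends.
PAYLOAD_DUMP_ALL = "' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT holder, pan FROM cards --"
PAYLOAD_DELETE = "'; DELETE FROM accounts; --"


def demo():
    """Run each payload through the vulnerable and the hardened lookup."""
    conn = build_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),
        "dump_all_vuln": sorted(lookup_vulnerable(conn, PAYLOAD_DUMP_ALL)),
        "union_vuln": sorted(lookup_vulnerable(conn, PAYLOAD_UNION)),
        "dump_all_safe": lookup_safe(conn, PAYLOAD_DUMP_ALL),
        "union_safe": lookup_safe(conn, PAYLOAD_UNION),
        # Run last: it wipes the accounts table on the vulnerable path.
        "rows_left_after_stacked_delete": lookup_vulnerable_stacked(conn, PAYLOAD_DELETE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterized lookup returns nothing for every payload because the whole string is compared as a literal username; the vulnerable one returns every account, then the card numbers from a table the query was never meant to touch, and finally loses the table altogether. The fix is the same on any database: never build SQL by string formatting, and bind values with the driver's placeholder syntax.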

These kinds of attacks can lead to devastating outcomes. App outages can cause loss of revenue and reputation, and cost millions of dollars in remediation. For consumers, it could mean a bad user experience, or worse: theft of their personal information.

Understanding Other Common Attack Types

Once an attacker has breached or found a flaw in a web application, they often use it as a channel for attacking its users’ browsers, for example by getting script of their own into a page that the application then serves to every visitor (cross-site scripting). The goal may be to steal users’ credentials for subsequent account takeover, or to hijack users’ sessions in real time by capturing their session tokens.

Script running in a victim’s browser can also silently copy what the user types into forms, typically payment card details on a checkout page (often referred to as formjacking), or submit requests that appear to come from the genuine user. This can have serious implications for both individuals (whose identities are used for fraudulent account openings or credit applications) and organizations (which are often left to absorb the losses). Since stolen and reused credentials feed these attacks, it is critical for everyone to guard against phishing attempts and to never re-use passwords, whether for personal use or at work.

Another widely used attack is a Denial of Service (DoS) that floods an application with automated, bot-delivered requests to exhaust its capacity and render the application slow or, even worse, unavailable. Distributed Denial of Service (DDoS) attacks that originate from many computers at once (a botnet) are generally even more effective, because the traffic cannot be blocked by filtering a single source. Frequently the nodes (or computers) in a botnet are consumers’ devices that are infected with malware. This only underscores the importance of protecting devices from malware and other cyberattacks.

While cybercriminals’ motivations and attack approaches vary, a baseline understanding of these common attack types and prevention methods can be helpful.

Everyone has a part to play in cyber defense. In the video below, we share a few high-level pointers on how to safeguard against phishing, smishing, and general social engineering tactics that bad actors commonly use to exploit applications.

Next in this four-part series for Cybersecurity Awareness Month, we will explore further how F5 protects your accounts from fraud.

Part 1: How Modern Applications Are Built and Deployed

Part 2: (currently viewing)