Many of today’s applications are built in bite-sized container clusters and deployed across many different locations. This distributed approach contributes to both performance and resiliency. However, it also makes protecting apps difficult and complex.
Meanwhile, attacks on applications and their ecosystems are more prevalent and sophisticated.
Cybercriminals regularly exploit application vulnerabilities and easily bypass many security controls. As organizations seek to become more vigilant and grow their resilience to evolving threats, it is necessary to understand how cybercriminals think, operate, and exploit apps.
Cybercriminals Follow the Money
Note that the attackers themselves need not be technically sophisticated, as there are plenty of free tools and services that they use and routinely share with one another.
Their psychology, usually, is to follow the money. In a digital economy, this means targeting web and mobile applications to exploit any vulnerabilities and abuse app logic to gain access.
Cybercriminals continually scan for application weaknesses and look for open or weak application gateways. Here are three typical kinds of attacks (in ascending order of sophistication and potential value of the target):
- Common attacks target known vulnerabilities such as those indicated in the OWASP Top 10.
- Zero-day attacks target vulnerabilities that are not known or anticipated.
- Advanced persistent attacks are sophisticated campaigns that may even be state-sponsored.
It is also worth noting that cyberattacks not only target web and mobile applications but also server infrastructure, data, and devices. For this blog we’re focusing on the application, and we'll now dive a little deeper into some of the more common attacks.
Applications are Target-Rich
Attackers exploit applications because they are entry points to vast amounts of valuable data that cybercriminals can leverage for weaponization and profit.
Areas that hackers target include the application code itself, the server infrastructure upon which the app resides, and add-ons (such as code libraries or plug-ins) that bring additional functionality to the app.
According to F5 Labs' 2022 Application Protection Report, access-related breaches—including phishing, credential stuffing, and injection attacks—are the leading attack vectors, accounting for approximately 25% of all web app breaches. A close second is malware, which accounts for 24% of web app breaches. As mentioned, the goal of these app attacks is to gain access to your most valuable data in the easiest way possible.
The Devastating Effects of Application Attacks
Let us quickly walk through a common scenario of a basic injection attack. It begins with the attacker launching a set of automated reconnaissance scans, leveraging bots to achieve scale while looking for vulnerabilities:
- The attacker identifies an opening, typically an unsecured gate or access point in an application.
- They then exploit that vulnerability to inject malicious code (malware), establishing a presence from which to execute commands remotely.
- Once the malicious code is running, the attacker will likely seek options to gain further access for purposes of deeper penetration, command and control, reconnaissance or espionage, or theft.
- The app and underlying data are now compromised.
The scenario above is remarkably simple. Frequently, injection attacks are far more sophisticated and menacing. Imagine an attacker injecting a command to delete all the data in the app, causing a digital product or service to go down entirely. Or imagine if a command were to expose a credit card database table.
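To make the database-exposure case concrete, here is an added example (not code from the original post or from F5) that runs the same lookup twice against a constructed in-memory SQLite table: once with the input pasted into the SQL text, once with a bound parameter. The table name, column names, function names, and sample rows are all assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, last4 TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, holder):
    # Vulnerable: the input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the remainder is parsed as SQL.
    sql = "SELECT holder, last4 FROM cards WHERE holder = '%s'" % holder
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, holder):
    # Hardened: the placeholder binds the input as a value. It is compared
    # as data and is never parsed as part of the statement.
    sql = "SELECT holder, last4 FROM cards WHERE holder = ?"
    return conn.execute(sql, (holder,)).fetchall()


def compare(holder):
    """Return (vulnerable_rows, parameterized_rows) for one input."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, holder), lookup_parameterized(conn, holder)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: an ordinary name, then one carrying a quote.
    for value in ("alice", "nobody' OR '1'='1"):
        weak, safe = compare(value)
        print(f"input={value!r}")
        print(f"  string-built query returned {len(weak)} row(s)")
        print(f"  parameterized query returned {len(safe)} row(s)")
```

With the ordinary input both queries return the single matching row; with the quoted input the string-built query returns every row in the table while the parameterized query returns none.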
These kinds of attacks can lead to devastating outcomes. App outages can cause loss of revenue and reputation, and cost millions of dollars in remediation. For consumers, it could mean a bad user experience, or worse: theft of their personal information.
Understanding Other Common Attack Types
Once an attacker has breached an application, they often exploit browser vulnerabilities through web apps. The goal may be to steal users’ credentials for subsequent account takeover, or to directly take over users’ sessions in real time.
They can also run malicious code in a victim’s browser (often referred to as formjacking) to submit false requests that appear to come from the genuine user. This can have serious implications for both individuals (whose identities are used for fraudulent account openings or credit applications) and organizations (which are often left to absorb the losses). Therefore, it is critical for everyone to guard against phishing attempts and to never re-use passwords, whether for personal use or at work.
Another widely used attack is a Denial of Service (DoS) that floods an application with automated, bot-delivered requests to introduce stress and render the application slow or, even worse, ineffective. Distributed Denial of Service (DDoS) attacks that originate from multiple computers (known as a botnet) are generally even more effective. Frequently, the nodes (or computers) in a botnet are consumers’ devices that are infected with malware. This only underscores the importance of protecting devices from malware and other cyberattacks.
While cybercriminals’ motivations and attack approaches vary, a baseline understanding of these common attack types and prevention methods can be helpful.
Everyone has a part to play in cyber defense. In the video below, we share a few high-level pointers on how to safeguard against phishing, smishing, and general social engineering tactics that bad actors commonly use to exploit applications.
Next in this four-part series for Cybersecurity Awareness Month, we will explore further how F5 protects your accounts from fraud.