News

  • Report

Share

Facebook Twitter linkedin
2022.08.09

Cyber Security Cloud Releases “2022 First Half Web Application Cyberattack Detection Report” Investigating Cyberattack Trends -Possibility of Attackers Shifting from the “Preparation Phase” to the “Attack Phase”-

Cyber Security Cloud, Inc., Ltd. (Headquarters: Shinagawa-ku, Tokyo, Representative Director, President and CEO: Toshihiro Koike, hereinafter "our company") announced the release of the Cyber Attack Detection Report on web applications covering the first half of 2022 (January 1 to June 30, 2022). 
In addition, this data is the cyber attack log observed by "WafCharm", a Cloud-based WAF that visualizes and blocks cyber-attacks on web applications provided by our company, and "Shadankun", an automated operation service for public cloud WAFs. are aggregated, analyzed and calculated.

■Survey overview
・ Survey period: January 1, 2022 to June 30, 2022
・Survey target: User accounts using “Shadankun” and “WafCharm”
・Investigation method: Analysis of cyber attack logs observed by “Shadankun” and “WafCharm”

■ The number of detections and attack trends for each type of attack
In the 181 days from January to June 2022, the total number of cyber-attacks on web applications detected by our company is 231,527,112. It is calculated that about 14.8 cyber attacks were detected per second.

Furthermore, if we classify the cyber-attacks detected by our company by attack type, in the first half of 2021, "Blacklisted user agents", which are attacks by bots using vulnerability scanning tools, etc., will be approximately 80 million, exceeding 39% of the total. In 2022, it was in second place, with about 65.2 million, or a little over 28%. The most frequently observed attack in the first half of 2021 was the ``Web attack'', which is an attack against a vulnerability in the software that makes up the web server, which was ranked second in the first half of 2021. And, compared to the first half of 2021, the number of detections has increased to more than double. The third place was "SQL injection," which intentionally targets system vulnerabilities and executes unexpected SQL statements to manipulate database systems illegally, accounting for approximately 22.45 million cases (9.7%). Next, there were about 20.65 million or 8.92% of "Web scans", which search and investigate the target of the attack and explore vulnerabilities with simple attacks that are performed at random.

During this research period, the results of the survey showed that "Web attacks," which target vulnerabilities in the software groups that make up Web servers, are quite conspicuous. In addition, the traditional attack that uses vulnerabilities to gain unauthorized access to web application databases and perform unauthorized operations such as theft, falsification, and deletion of important confidential data. Far from decreasing, the number of “SQL injection” detections has increased by more than 7 million since the second half of 2021. When an SQL injection attack is actually received, the important information stored there such as member's account ID information, credit card information, the company's important intellectual property and unique know-how, etc. are stolen, falsified, deleted, and web applications are falsified. Users may be redirected to malicious sites or infected with malware.

■ Possibility of attackers shifting from the "preparation phase" to the "attack phase"
SQL injection is an attack method that illegally manipulates the databases of web applications. "am.

In addition, SQL injection can be technically divided into several types.

・In-band SQL Injection: A method of investigating and analyzing vulnerabilities based on responses to input to web applications, and injecting malicious SQL statements based on the discovered vulnerabilities to attack.

・Error-based SQL injection: A method of intentionally outputting an error message to a web application, investigating and analyzing vulnerabilities, etc., and injecting malicious SQL statements based on the discovered vulnerabilities to attack.

・Blind SQL injection: Checking the difference in the response pages for multiple SQL transmissions and stealing information about the database management system from there = It is difficult to notice the attack just by looking at the response page, so if you do not take countermeasures, it will be a serious problem. You may not notice it at all until the damage is extensive.

There are other techniques such as multiple statements, UNION injection, etc.

Similarly, there is "cross-site scripting (XSS)" as an attack method that targets web applications. This is not directly related to the presence or absence of a database, but a malicious script is installed in a vulnerable web application, the script is executed on the terminal of the user who touched the web application, and the user is led to the attacker's fake website. (= cross-site) (or execute information theft by malicious script on the spot without transition: this pattern is increasing recently) attack method. The major difference between XSS and SQL injection is that the direct attack target is "the user who uses the target web application".

Victims caused by these attacks are not only the service operators, but the direct victims are the owners of the stolen information, that is, the service users. And for them, when their information is stolen or misused, it is very likely that the direct perpetrator for them will be the "service operator".

The fact that the detection of these attack methods has been on the rise continuously since the second half of 2021 means that not only has the number of cases of direct attacks increased, We cannot deny the possibility that it is gradually shifting to the attack phase based on the information on various targets obtained during the preparation period, that is, during the action for the purpose of investigation.

■ About the world situation we are currently facing
In the first half of 2022, events that have a major impact on our lives, such as international and large-scale changes in the social situation and the resulting economic instability, have occurred and are still continuing. With the help of this unstable situation, the revival and unprecedented spread of the malware "Emotet", which was supposed to have been taken down in January 2021, and the emergence of variants that have deepened and changed in various ways, are extremely significant. As a threat, it is now raging all over the world, including Japan.

The scale of ransomware attacks continues to be extremely large, and this year in particular, there have been many cases in which small and medium-sized enterprises were targeted. On the dark web, tools and solutions that enable such attacks to be set up and executed easily and at low cost, as well as attack proxy services, etc., are being sold, and the number of so-called casual attacks is steadily increasing. It is no exaggeration to say that today, anyone can easily carry out advanced cyber-attacks.

Conventional security measures, as well as monitoring by endpoint security and SOC, which are extensions of these measures, are more likely to detect when something has happened, i.e., post-investigation. is insufficient. This is because ransomware is an attack that "stops business" whether it is for ransom or destruction, so monitoring does not contribute much to "resuming business", which is the top priority for the parties involved. For such threats, it is essential to have "advance preparation" = "measures that reflect the actual situation on the premise that it will happen".

■Finally
During long vacations, there are cases where system administrators are absent for a long period of time, as the IPA (Information-technology Promotion Agency) etc. have warned, and there is a possibility of delays in dealing with problems. Therefore, make sure to prepare well in advance before the long vacation, such as the response flow in the event of an emergency and the establishment of special rules during the vacation period related to taking out equipment and data.

In addition, regarding the end of the vacation, there are many cases where updates have been prepared by manufacturers, etc. during the long vacation for equipment that was turned off during the long vacation. Follow the instructions of your system administrator, etc. to apply such patch programs and update definition files as appropriate. However, there are quite a few attackers who attempt to install malware through pop-ups disguised as updates. It is better to be careful to perform the update according to the regular procedure.

Similarly, there are many cases of suspicious emails arriving after the holidays, and there is a possibility that the URL in the email will lead you to a phishing site, or you may be infected with malware. Don't touch the URL, first check the response method with the system administrator, etc. and make sure to follow the instructions.

We live in an era in which anyone can easily become an attacker, and cyber warfare between large organizations such as nations is becoming commonplace. In the future, it will be important to stop thinking on the premise that you will not be attacked, to have an awareness that you are also a party, and to understand and prepare in advance so that you can protect yourself at a minimum. In the DX society, where digital technology exists as a matter of course, Japan, which is said to be not only a security underdeveloped country but also a digital underdeveloped country, will become a more convenient and secure country in the future. I think that this kind of effort by one person will take on more and more meaning.

[About Cyber Security Cloud, Inc., Ltd.]
Company name: Cyber Security Cloud, Inc., Ltd.
Location: JR Tokyu Meguro Building 13F, 3-1-1 Kamiosaki, Shinagawa-ku, Tokyo 150-0011
Representative: Toshihiro Koike, Representative Director, President and CEO
Established: August 2010
URL: https://www.cscloud.co.jp/