Attackers are quick to exploit new opportunities for attack. The reporting of the Log4J bug in December 2021, for example, is believed to have led to a 150% increase in exploit activity the following year. However, an analysis of Barracuda’s threat detection data shows that attackers rely extensively on long established approaches and home in on weaknesses that have often also been around for years.
Barracuda’s 24/7 Security Operations Center (SOC), part of Barracuda XDR, supports multiple Intrusion Detection Systems (IDS), including the Barracuda IDS tool and integration with multiple advanced firewall IDSs. The Barracuda IDS tool features rule-based signatures that automatically identify suspicious or malicious activities that could be legitimate but are also associated with known malware, hacking attempts, or other types of security threats. Barracuda’s firewall IDS integrations provide a deeper level of detection that identifies known attack patterns based on signatures.
Together, these detection systems provide not just a powerful early warning system of potential attack – they also reveal the enduring weaknesses that attackers are targeting and the most popular tactics they are using to do so.
Top malicious tactics detected in early 2023 by Barracuda’s firewall IDS integration
Aim of attack: To compromise and gain remote control of vulnerable systems
A directory or path traversal attack
The most prevalent malicious signature detected by our firewall IDS integration in early 2023 was a directory traversal attack, also known as path traversal. This tactic allows attackers to exploit a misconfigured web server to get to data they should not have access to, and which is stored outside the main (web root) directory. A traversal attack can sometimes allow attackers to upload malicious files and execute commands. This tactic was first reported in 2008 and any unprotected HTTP server is vulnerable.
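To make the mechanism concrete, here is an added example (not Barracuda’s code, and not taken from any product described above) in Python. It assumes a hypothetical static-file handler with a web root of `/var/www/html`, shows the vulnerable join-and-serve pattern next to a hardened resolver that refuses anything escaping the root, and runs an IDS-style check over a few constructed access-log lines, including the double-encoded form of the probe.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed web root for a hypothetical static-file handler (assumption, not a real deployment).
WEB_ROOT = "/var/www/html"


def unsafe_resolve(requested: str) -> str:
    """Vulnerable pattern: the decoded client path is joined onto the web root as-is.

    Every "../" segment the client supplies walks one directory up, so the result
    can land anywhere on the filesystem, which is the weakness the signature targets.
    """
    decoded = unquote(requested).lstrip("/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded))


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened pattern: normalise first, then refuse anything that leaves WEB_ROOT.

    Returns the absolute path to serve, or None when the request must be rejected.
    """
    decoded = unquote(requested)
    if "\x00" in decoded or "\\" in decoded:  # NUL truncation and backslash separators
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # Containment check: the result must be the root itself or live strictly below it.
    if candidate == WEB_ROOT or candidate.startswith(WEB_ROOT + "/"):
        return candidate
    return None


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def find_traversal_probes(log_lines: List[str]) -> List[Tuple[str, str]]:
    """IDS-style check: flag requests whose path still contains a '..' segment after decoding.

    Decoding twice catches the double-encoded form (%252e%252e/) that a single
    decode would miss. Returns (client_ip, raw_request_path) pairs.
    """
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = unquote(unquote(m.group(1)))
        if ".." in path.replace("\\", "/").split("/"):
            hits.append((line.split()[0], m.group(1)))
    return hits


# Constructed access-log lines in Apache combined style (sample data, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Mar/2023:10:00:02 +0000] "GET /../../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/Mar/2023:10:00:03 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/Mar/2023:10:00:04 +0000] "GET /%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("vulnerable:", unsafe_resolve("../../../etc/passwd"))   # escapes the root
    print("hardened:  ", safe_resolve("../../../etc/passwd"))     # None
    print("hardened:  ", safe_resolve("images/logo.png"))
    for ip, raw in find_traversal_probes(SAMPLE_LOG):
        print("traversal probe from", ip, "->", raw)
```

The containment test compares normalised paths rather than looking for the literal string `..`, so a request such as `images/../index.html` that stays inside the root is still served, while the log check is deliberately looser because a detector wants to see the probe even when the server rejected it.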
Aim of attack: To compromise and gain remote control of vulnerable systems
SQL injection
Next in terms of prevalence is this high-severity tactic that allows an attacker to interfere with the queries that an application makes to its database, by injecting specially crafted malicious code. The code injection technique can allow the attacker to read sensitive data, modify administrative operations, and send commands to the operating system of the vulnerable server. This tactic was first reported in 2003, although today it is more commonly used against older functional interfaces. In 2022, it was listed as the third most dangerous software weakness according to CWE.
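The following is an added example, written for this page rather than taken from Barracuda or any product above, that shows the weakness behind this signature in Python with an in-memory SQLite table. The vulnerable lookup splices request values into the SQL text; the hardened lookup binds them as parameters, so the same crafted value returns every user from one and nothing from the other. The user table and hashes are constructed sample data.

```python
import sqlite3
from typing import List


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table (sample data, not a real application)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    """Vulnerable pattern: request values are spliced into the SQL text.

    A quote character in the input closes the string literal and whatever follows
    is parsed as SQL, so the input can change which rows the query returns.
    """
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    """Hardened pattern: bound parameters; the values never become part of the SQL grammar."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


if __name__ == "__main__":
    conn = build_demo_db()
    # A value that alters the meaning of the vulnerable query but is inert for the safe one.
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(conn, "alice", crafted))  # every user
    print("safe:      ", lookup_user_safe(conn, "alice", crafted))        # nothing
```

The point of keeping both functions side by side is that the fix is not input filtering: the safe version never inspects the input at all, it simply stops treating it as code.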
Apache Tomcat – remote code execution (RCE)
This tactic involves attackers trying to exploit an unpatched RCE vulnerability in Apache Tomcat, affecting products since version 7, which was released in 2011. Apache Tomcat is a widely used open-source server for deploying Java-based web applications.
RCE vulnerabilities allow attackers to remotely gain control of a system and execute commands to install malware or other malicious code on a target’s computers or network. The attackers don’t need physical access to the computer. Because of this, RCE vulnerabilities are almost always classed as critical. Apache Tomcat has had multiple reported code vulnerabilities over the years, with 20 CVEs (Common Vulnerabilities and Exposures) listed for the product that carry a severity of 7.5 or higher, and many related software patches have been issued.
PHPUnit – RCE
This detection identifies attempts to exploit an RCE bug against PHPUnit, a testing environment for applications written in the PHP programming language. PHP applications can be found in common content management systems such as WordPress and MailChimp or other third-party modules, so the potential scope of a successful security breach is extensive. A successful attack would allow an attacker to execute code within a compromised PHP application and gain control of the system in which it is embedded. The vulnerability dates from 2017.
PHP Common Gateway Interface code injection
As above, PHP is a general-purpose programming language generally used for web development — it’s estimated that about 80% of web pages rely on PHP frameworks. This attack tactic, which dates from 2012, targets PHP’s Common Gateway Interface (CGI). CGI is the so-called “middleware” between a web server and external databases and information sources. Areas where CGI is used include, for example, when a customer adds a product to their online shopping cart, or when someone enters data in an online form and presses “send.” In each case, the information is automatically processed by a CGI script and sent to the server. If the CGI setup has been misconfigured, it is vulnerable to a malicious code injection that will allow an attacker to gain remote control of the system.
Aim of attack: To obtain sensitive information
Web server password file access
This is an opportunistic attack where attackers target potentially misconfigured web servers in an attempt to access lists of local users and their password information, which should be restricted. If successful, the stolen credentials can be used to breach the network.
ICMP or “ping” sweep
This is a network scanning technique that is used both legitimately and maliciously to determine whether any of a range of IP addresses are linked to an active device such as a computer, by sending out a “ping.” The sweep can ping multiple IPs and devices at the same time. The tactic is used by security teams for network monitoring, to identify which IP addresses are in use or available, while attackers can use it for reconnaissance and pre-planning before launching an attack. All unprotected systems connected to the internet are potential targets and attackers have been implementing this tactic since 2006.
Aim of attack: Disruption/denial of service
UDP flood
The User Datagram Protocol (UDP) is a core communications protocol used to send bits of data across the internet, from one IP to another. This protocol is used when speed of data transfer is more important than accuracy and reliability, for example during live broadcasts or online gaming. The faster speeds are achieved in part through reduced error checking. A “UDP flood” occurs when the rate of UDP data packets being sent to an IP address, for example a random port on a target system, exceeds a defined threshold and the system crashes, resulting in a denial of service (DoS). Any unprotected system that is connected to the internet and provides UDP-based services is a potential target.
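The ping sweep and the UDP flood described in the two sections above are both rate-and-fan-out patterns, which is how a detector usually spots them. The Python below is an added example for this page, not Barracuda’s detection logic, and the thresholds (eight distinct hosts in ten seconds for a sweep, more than 100 UDP packets per second to one destination for a flood) are assumptions chosen for the constructed sample traffic it builds inline. It reports the sweeping source, and for the flood the destination, the packet count, the heaviest sender and the mean datagram size, since very small datagrams are part of the picture the page paints.

```python
from collections import defaultdict
from typing import List, Optional, Tuple

# Each record is one packet: (time_s, src_ip, dst_ip, proto, dst_port, size_bytes).
Packet = Tuple[float, str, str, str, Optional[int], int]


def build_sample_traffic() -> List[Packet]:
    """Constructed packet records (sample data, not a real capture)."""
    pkts: List[Packet] = []
    # One source sends ICMP echo to 20 consecutive addresses within two seconds.
    for i in range(20):
        pkts.append((0.1 * i, "203.0.113.5", f"192.0.2.{i + 1}", "icmp", None, 64))
    # A monitoring host pings its three servers, one packet each.
    for i, host in enumerate(["192.0.2.1", "192.0.2.2", "192.0.2.3"]):
        pkts.append((1.0 + i, "10.0.0.2", host, "icmp", None, 64))
    # Ordinary DNS queries to the resolver.
    for i in range(10):
        pkts.append((5.0 + 0.05 * i, "10.0.0.7", "192.0.2.10", "udp", 53, 80))
    # A burst of tiny UDP datagrams to one random high port on the same resolver.
    for i in range(150):
        pkts.append((5.0 + i / 200, "198.51.100.23", "192.0.2.10", "udp", 40123, 8))
    return pkts


def detect_ping_sweep(pkts: List[Packet], window_s: float = 10.0, min_hosts: int = 8) -> List[Tuple[str, int]]:
    """Sources that ICMP-probe at least `min_hosts` distinct addresses inside one window.

    Returns (src_ip, distinct_hosts) sorted by source; legitimate monitoring that
    pings a handful of known servers stays under the threshold.
    """
    targets = defaultdict(set)  # (src, window index) -> destinations seen
    for t, src, dst, proto, _port, _size in pkts:
        if proto == "icmp":
            targets[(src, int(t // window_s))].add(dst)
    hits = {}
    for (src, _w), dsts in targets.items():
        if len(dsts) >= min_hosts:
            hits[src] = max(hits.get(src, 0), len(dsts))
    return sorted(hits.items())


def detect_udp_flood(pkts: List[Packet], window_s: float = 1.0, max_pps: int = 100) -> List[Tuple[str, int, str, float]]:
    """Destinations receiving more than `max_pps` UDP packets in one window.

    Returns (dst_ip, packets, top_src_ip, mean_size_bytes) so the analyst sees both
    the rate and how small the datagrams were.
    """
    counts = defaultdict(lambda: defaultdict(int))  # (dst, window) -> src -> packets
    sizes = defaultdict(int)                         # (dst, window) -> total bytes
    for t, src, dst, proto, _port, size in pkts:
        if proto == "udp":
            key = (dst, int(t // window_s))
            counts[key][src] += 1
            sizes[key] += size
    hits = []
    for key, per_src in counts.items():
        total = sum(per_src.values())
        if total > max_pps:
            top_src = max(per_src, key=per_src.get)
            hits.append((key[0], total, top_src, sizes[key] / total))
    return sorted(hits)


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("ping sweeps:", detect_ping_sweep(traffic))
    print("udp floods: ", detect_udp_flood(traffic))
```

Fixed windows keyed on `t // window_s` are the simplest useful scheme; a production sensor would use sliding windows and per-site baselines, but the counting logic is the same.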
Top suspicious tactics detected in early 2023 by Barracuda’s IDS tool
The Barracuda IDS detections highlight the many millions of potential or early-stage attacks targeting organizations everywhere, every minute of every day. Not all the detections are malicious; some just flag activity that potentially violates a corporate security policy (marked “ET POLICY” and “ET INFO”).
It would be easy to dismiss these detections as background noise. But it’s worth taking a closer look at what’s on the list as it reveals tactics that, if successful, could lead to a significantly more serious incident.
For example, the most prevalent Barracuda IDS detection between February and April 2023 was for requests to access an invalid or non-existent domain name (the “Host” header). If the target server implicitly trusts or fails to validate incoming Host headers and allows access, it could enable attackers to inject a malicious payload via SQL injection.
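What “validating the Host header” means in practice is a strict syntax check followed by an allow-list lookup. The Python below is an added example for this page (not Barracuda’s code), and the allow-list of `www.example.com` and `example.com` is an assumption standing in for an application’s real names. It strips an optional port, normalises case and a trailing dot, rejects anything that is not a well-formed host name, and then accepts only listed names; the same function doubles as an audit over a constructed sample of observed Host values, including one carrying the kind of payload the paragraph above warns about.

```python
import re
from typing import List, Optional

# Constructed allow-list for a hypothetical application (assumption: these are its only valid names).
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


def split_host_port(header: str) -> Optional[str]:
    """Lower-case the value and strip an optional :port.

    Returns the bare host, or None when the value is not a well-formed host[:port].
    """
    header = header.strip().lower()
    if header.startswith("["):                 # IPv6 literal such as [::1]:8080
        end = header.find("]")
        if end == -1:
            return None
        host, rest = header[1:end], header[end + 1:]
    elif header.count(":") == 1:
        host, port = header.rsplit(":", 1)
        rest = ":" + port
    else:
        host, rest = header, ""
    if rest and not (rest.startswith(":") and rest[1:].isdigit()):
        return None
    return host.rstrip(".")


def validate_host(header: Optional[str]) -> bool:
    """Accept only syntactically valid names that appear in the allow-list.

    Anything else, including raw IP addresses and values carrying quotes, spaces or
    SQL fragments, is refused before it can reach application logic.
    """
    if not header:
        return False
    host = split_host_port(header)
    if host is None or not HOSTNAME_RE.match(host):
        return False
    return host in ALLOWED_HOSTS


def audit_hosts(values: List[str]) -> List[str]:
    """Return the Host values that would be rejected; useful as a triage view over IDS hits."""
    return [v for v in values if not validate_host(v)]


# Constructed sample of Host header values seen at the edge (sample data, not real traffic).
SAMPLE_HOSTS = [
    "www.example.com",
    "WWW.EXAMPLE.COM:443",
    "example.com.",
    "203.0.113.5",
    "evil.example.net",
    "www.example.com' OR 1=1--",
    "",
]

if __name__ == "__main__":
    for value in SAMPLE_HOSTS:
        print(f"{value!r:32} -> {'accept' if validate_host(value) else 'reject'}")
```

Doing the check at the edge (reverse proxy or framework middleware) rather than in each handler is what keeps a bad Host value from ever being concatenated into a redirect URL, a cache key or a database query.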
Peer-to-peer activity (“P2P” the second most prevalent detection) can be perfectly legitimate, such as the automated transfer of Windows updates between connected computers — but it can also be abused by attackers for the bot-like amplification of an attack, such as a DoS attack, or as a channel for command-and-control communications after a target has been compromised.
There were also high detection numbers for inbound attacks involving the SMB (Server Message Block, “SMB2”) protocol, a network protocol that allows computers to share files and hardware such as printers and external hard drives when connected to the same network. Barracuda IDS’s top detections for February through April 2023 include requests to capture and open both executable and batch (automated command script) files. The SMB protocol can be abused for brute force attacks, adversary-in-the-middle attacks, buffer overflow (memory flooding), ransomware and remote code execution. The infamous WannaCry attack leveraged SMB vulnerabilities.
Many of the top threats detected through the Barracuda IDS tool are potential enablers of DoS attacks. For example, as mentioned above, UDP packets transmit information at speed across the internet. Very small data packets can increase the packet-per-second transmission rate, overloading the destination hardware and causing it to fail (“UDP data packets too small”). At the other end of the scale, if the data packets being sent are too large, they fragment (“FRAG IPv4 Fragmentation overlap”). A denial of service can be instigated if the receiving network can’t reassemble the fragments because they are overlapping, fraudulent, duplicates, out-of-sequence etc. leading to network overload and DoS.
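The “Fragmentation overlap” condition in the paragraph above is easy to state as code: a receiver walking fragments in offset order should see each one begin exactly where the previous one ended. The Python below is an added example for this page, not Barracuda’s signature logic. It works on byte offsets rather than the 8-byte units carried in the IPv4 header, flags every overlap and every gap, and runs over a few constructed fragment sets for a 1500-byte MTU path.

```python
from typing import List, Tuple

# Each fragment is (offset_bytes, payload_length). Offsets are expressed in bytes here;
# the IPv4 header carries them in units of 8 bytes, so multiply by 8 when reading a capture.
Fragment = Tuple[int, int]


def check_fragments(frags: List[Fragment]) -> List[Tuple[str, int]]:
    """Walk fragments in offset order and report every overlap or gap.

    Returns a list of ("overlap", offset) or ("gap", offset) findings; an empty list
    means the set reassembles cleanly. Exact duplicates are reported as overlaps.
    """
    findings = []
    expected = 0  # next byte offset a well-formed series should deliver
    for offset, length in sorted(frags):
        if offset < expected:
            findings.append(("overlap", offset))
        elif offset > expected:
            findings.append(("gap", offset))
        expected = max(expected, offset + length)
    return findings


# Constructed fragment sets (sample data, not captured traffic).
CLEAN = [(0, 1480), (1480, 1480), (2960, 200)]      # three fragments of a 3160-byte datagram
OVERLAPPING = [(0, 1480), (1000, 1480)]             # second fragment rewrites bytes 1000-1479
MISSING = [(0, 1480), (2960, 200)]                  # middle fragment never arrived

if __name__ == "__main__":
    for name, frags in [("clean", CLEAN), ("overlapping", OVERLAPPING), ("missing", MISSING)]:
        print(f"{name:12} -> {check_fragments(frags) or 'reassembles cleanly'}")
```

A real reassembler also has to bound how long it holds partial datagrams, because a stream of never-completed sets ties up memory just as effectively as overlapping ones.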
Session Traversal Utilities for NAT (STUN), and Generic Routing Encapsulation (GRE) — which carries one network protocol inside another — are also enablers of DoS attacks and botnets.
Conclusion: the danger hiding in the noise
Intrusion detection tools are powerful early warning systems. Our analysis of Barracuda’s IDS and the firewall IDS integrations shows that weaknesses don’t have a cut-off date. The danger is that over time they can become harder to locate and mitigate, reduced to deeply embedded, unknown and shadow vulnerabilities, integrated into a system or application developed by a colleague who left years ago.
A multilayered approach to protection that has several levels of increasingly deep detection and scrutiny is essential. This should sit within an overall security framework that comprises robust next generation security technologies, backed by expert analysis to catch unknowns and anomalies that might otherwise slip through the net — and to respond to and mitigate the threats.
The smallest signal can be the harbinger of a coming storm. Don’t discount the noise but don’t let it overwhelm you either — if you don’t have the time or expertise in-house, a managed XDR service that includes a SOC can keep watch over every corner of your IT environment for you, all day, every day.