In recent years, a number of new data privacy laws have gone into effect. While the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are some of the most visible and well-known examples of these, they are far from the only ones.
These new privacy laws join the ranks of existing regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).
While many of these regulations differ in their jurisdictions and requirements, they share certain features. One of these shared features is the requirement to protect certain types of "personally identifiable information" (PII).
While the types of protected PII can vary from regulation to regulation, the attack vectors that cybercriminals use to gain access to it often do not. Web applications are a common target of attack since they are exposed to the public Internet and often contain exploitable vulnerabilities.
A recent attack against sites based upon WordPress demonstrates the creativity of cybercriminals in search of sensitive customer data. The attack targeted configuration files, which could contain database credentials. These credentials, if stolen, could allow an attacker to gain access to sensitive customer data.
1] Web Applications are a Common Target of Attacks
Web applications are a prime target for cybercriminals. These applications are designed to face the public Internet, contain a great deal of functionality for users, and often have access to sensitive data stored on backend systems.
This combination makes it relatively easy for cybercriminals to exploit these applications. The complexity of the modern web application - and its reliance upon a number of external libraries - means that it is highly probable that a web application contains a vulnerability.
In fact, the average web application contains 22 vulnerabilities, of which 4 are of critical severity.
While some vulnerabilities exist due to errors in code developed in-house, cybercriminals often target more general vulnerabilities.
Many websites rely upon WordPress or similar platforms, and these platforms often allow a website developer to import plugins developed by third-parties that provide desirable functionality (like implementing a shopping cart for an e-commerce page or providing user analytics).
Vulnerabilities in these platforms and the plugins that they contain can impact thousands or millions of different websites, making them a high-impact target for a cybercriminal's efforts.
2] WordPress Attack Targets Sensitive Configuration Files
The WordPress platform is a common target of cyberattacks due to its wide adoption. A significant percentage of websites use WordPress, so it is frequently the target of large-scale attacks.
One example of such an attack occurred in June 2020. During the attack, the threat actor attempted to exploit a wide range of old vulnerabilities in the WordPress platform. Their target was access to wp-config.php files.
These files contain configuration information for the WordPress site, potentially including credentials for a backend database. With these stolen credentials, an attacker could access the database directly and query it for sensitive customer information such as email addresses, passwords, and other PII.
This attack did not exploit a zero-day vulnerability; in fact, it targeted old, well-known vulnerabilities. However, it was notable for its scale.
At its peak, the attack accounted for 75% of all attacks against WordPress, meaning that attack volumes were three times higher than all other WordPress attackers put together.
3] The Challenges of Managing Web Application Vulnerabilities
The WordPress attack was detected by Wordfence, which blocked it against the WordPress sites that it protects. However, many other sites are not protected by Wordfence and may have been successfully exploited.
As mentioned, this attack takes advantage of known vulnerabilities in the WordPress platform, meaning that it should have a near-zero success rate. If an organization has patched vulnerabilities in their WordPress platforms by keeping the software updated, then the exploit will fail.
However, vulnerability management in general (and web application vulnerability management in particular) is a challenge for most organizations.
New vulnerabilities are discovered and reported on a daily basis, and an organization must determine which vulnerabilities impact its systems, test to ensure that updates don't break existing software, and deploy the patches to production environments. All of this takes time and resources, making it difficult for many organizations to keep up.
4] Protecting Sensitive Data Stored in Web Apps
Data protection regulations like the GDPR and the CCPA mandate protection of individuals' personal data. While this data can be targeted and breached in a number of different ways, exploitation of web application vulnerabilities is a common method because these applications are publicly exposed and have direct access to sensitive data.
An attack against WordPress users demonstrated the cleverness of cybercriminals attempting to gain access to sensitive information.
The attackers exploited known vulnerabilities in an attempt to gain access to files that contained database credentials. These credentials could be used to access databases containing customer PII.
This attack's reliance on known vulnerabilities demonstrated the importance of vulnerability management and many organizations' inability to keep up with required patching. This underscores the importance of deploying a robust web application firewall (WAF) capable of virtual patching.
By blocking attacks before they reach vulnerable applications, a robust WAF can eliminate the threat to the application without the overhead associated with manual patch management processes.
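The following is an added example, not code from the original article or from Wordfence. It ties together two points above: the attempts to read wp-config.php described in section 2, and the idea of virtual patching from section 4. One small classifier decides whether a request target looks like an attempt to read wp-config.php (directly, via a backup copy, or through a directory-traversal value in a query parameter). It is then used two ways: run over web-server access-log lines to detect such attempts after the fact, and wrapped around a WSGI application as a minimal stand-in for a WAF rule that refuses the request before the application ever sees it. The log lines, IP addresses and the "hypothetical-plugin" path are constructed for the demo and do not describe the real attack's vectors.

```python
"""Detect and block attempts to read wp-config.php (added example, constructed data)."""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log line: client ip, timestamp, request line, status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SENSITIVE_FILE = "wp-config.php"


def classify_target(target: str) -> Optional[str]:
    """Return a reason string if the request target looks like an attempt to read
    wp-config.php, otherwise None.

    Three cases are covered: the path itself names the file (or a backup such as
    wp-config.php.bak), a query parameter names the file, and a query parameter
    reaches it through '../' traversal. Values are percent-decoded twice so that
    double-encoded requests (%252e%252e%252f) are seen as what they resolve to.
    """
    parts = urlsplit(target)
    path = unquote(unquote(parts.path)).lower()
    if SENSITIVE_FILE in path:
        return "path names wp-config.php or a backup of it"
    # parse_qs already decodes each value once; decode once more for double encoding.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value).lower()
            if SENSITIVE_FILE in decoded:
                kind = "traversal" if ("../" in decoded or "..\\" in decoded) else "file name"
                return f"query parameter '{key}' names wp-config.php ({kind})"
    return None


def scan_access_log(lines: Iterable[str]) -> List[Dict]:
    """Detection pass over access-log lines; unparseable lines are skipped, not guessed.
    A hit with status 200 is the one to investigate first: the server answered."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        reason = classify_target(match["target"])
        if reason:
            hits.append({"ip": match["ip"], "target": match["target"],
                         "status": int(match["status"]), "reason": reason})
    return hits


class VirtualPatch:
    """WSGI middleware: refuse any request that trips classify_target() before the
    wrapped application runs. This is the blocking half of a virtual patch."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        target = environ.get("PATH_INFO", "/")
        if environ.get("QUERY_STRING"):
            target += "?" + environ["QUERY_STRING"]
        if classify_target(target):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by virtual patch\n"]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the protected web application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"site content\n"]


def call_wsgi(app, path: str, query: str = "") -> str:
    """Drive a WSGI app with a constructed GET request and return the status line."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = app({"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query},
               start_response)
    b"".join(body)
    return captured["status"]


# Constructed sample log; the plugin path is hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2020:12:01:33 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2020:12:01:35 +0000] "GET /wp-content/plugins/hypothetical-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Jun/2020:12:02:10 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 210 "-" "curl/7.68.0"',
    '198.51.100.22 - - [10/Jun/2020:12:02:12 +0000] "GET /?f=%252e%252e%252fwp-config.php HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    '192.0.2.9 - - [10/Jun/2020:12:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['target']}  <- {hit['reason']}")
    guarded = VirtualPatch(hello_app)
    print(call_wsgi(guarded, "/index.php"))
    print(call_wsgi(guarded, "/wp-config.php.bak"))
```

Of the three hits in the sample log, only the first received a 200 response, which is why the detection output keeps the status: a 403 or 404 shows the request was refused, while a 200 on a traversal request is the case that warrants checking whether the database credentials need rotating. The middleware applies exactly the same rule in-line, which is the point of virtual patching: the underlying plugin or platform bug is still there until it is updated, but the request that would trigger it never reaches it.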