It’s a known fact that the improvement of web application security filters also raised the sophistication level of malicious parties in their goal to abuse web applications. While some of the well known attack vectors are here for quite some time, the way these attacks are being executed was changed.

In the example below we can see a hacker using an attack vector to try and exploit remote arbitrary code execution on a FreePBX web application GUI that controls and manages Asterisk, the world's most popular open source telephony engine software.

In the first part of the attack, we can see that an attacker is trying to exploit a vulnerability by trying to upload PHP code to the application. This PHP code will be used as backdoor to the application, allowing the attacker to run system commands on the web server.

 

clip_image002

 

In the second part of the attack we can see how the attacker is trying to use the injected backdoor in order to retrieve data from the web server.

 

clip_image004

 

But here comes the most interesting part: When looking at the source countries of all requests that were classified as attacks (requests that look the same as the request in the second part of the attack) we can see that it is a distributed attack coming from all around the world, probably from infected computers controlled by the same attacker.

 

clip_image006

 

As mentioned above, attackers enhanced the way they execute web attacks by:

  • Exploiting generic vulnerabilities in order to get full control on the infected web server
  • Using distributed attacks in order to scale the impact of the attack
  • Using an army of infected computers in order to remain anonymous, without leaving any traces

These armies of infected computers scan the internet for vulnerable systems - that means you do not have to be a high profile website to be targeted.