Large-scale attacks on Oracle WebLogic Servers underline the need for a change from defensive approaches to a continuous proactive approach to application security, according to security experts.
Security researchers at Qihoo 360 Netlab and the SANS Internet Storm Center (ISC) report that two groups have begun large-scale attacks following the publication of proof-of-concept exploits for an Oracle WebLogic Server remote code execution vulnerability, despite the release of security updates for the vulnerability.
A similar pattern of attacks was seen in January and May 2018 when other WebLogic vulnerabilities went public and cyber criminals exploited the flaws on unpatched versions to install illicit cryptocurrency miners on hundreds of victims’ machines.
According to researchers at Qihoo 360 Netlab, one campaign, identified as luoxk, is exploiting the recently disclosed and patched vulnerability (CVE-2018-2893) for various activities such as distributed denial of service (DDoS) attacks, installing remote access Trojans (RATs), deploying illicit cryptocurrency miners and distributing malicious Android Package Kits (APKs).
By its nature, software patching is reactive and always leaves gaps in coverage, said Satya Gupta, chief technology officer and co-founder of security firm Virsec.
“But the reality in practice is much worse. Even well-run organisations can take months to consistently patch servers – and that’s if they know exactly what they have,” he said.
Once a vulnerability has been discovered, Gupta said cyber attackers were very adept at finding web servers that remained vulnerable.
“Of course you should patch whenever possible, but it’s easier said than done. We need to move to a model where applications are protected ‘as is’, regardless of their patch level,” he added.
Sharon Vardi, chief marketing officer at autonomous application protection firm Prevoty, said staying on top of patches was extremely challenging.
“Not only is there an influx in vulnerability disclosures year after year, but patch deployment requires detailed due diligence, including testing and validation. Vulnerabilities are frictionless weapons, meaning the moment they’re disclosed, they can be turned around and exploited against the public in nefarious ways at scale,” he said.
Incidents such as the Oracle WebLogic Server attacks highlight the importance of protecting applications from attacks that use known and zero-day vulnerabilities, said Vardi.
“Vulnerability and patch management inherently require a lot of time and resources. And organisations can’t keep up with nefarious actors’ turnaround times,” he said.
Autonomous application protection technology, said Vardi, is designed to address this problem by providing immediate, permanent patches.
“This not only ensures that the window of exposure never opens, but it also buys time for organisations to remediate vulnerabilities on their own schedules,” he said.