Why Bad Actors Attack Web Applications
Regardless of the motive, attacks against Web applications and specifically SQL injection attacks have proven to be the most effective way to penetrate networks for stealing data.
- Web application attacks account for only 54 percent of all data breaches, but 92 percent of stolen records
- SQL injection attacks account for only 25 percent of Web application attacks, but 89 percent of stolen records1
1. Verizon and US Secret Service Breach Study, 2009
Conditions at Barracuda Networks that Resulted in a Breach
- An error writing PHP code on our Web Site
- A planned code vulnerability scan was not performed in a timely manner on the part of the Web site that contained the PHP code error
- The Barracuda Web Application Firewall responsible for safeguarding the Web site was placed in passive mode through human error during a maintenance window
With vulnerable code and the Barracuda Web Application Firewall in passive mode, it was only a matter of time before an attack occurred. Based on the Barracuda Web Application Firewall’s logging and reporting features, here is how the attack occurred:
The Attack Timeline
Analysis of the AttackBarracuda Web Application Firewall logs allowed us to determine that our bad actors used two clients to probe and attack the barracudanetworks.com Web site:
The first attack started at 5:07pm PDT on April 9. The attackers’ IP address 126.96.36.199 resolved to the area of Kuala Lumpur, Malaysia. This log entry confirmed online reports that the attacks originated from Malaysia. We also noticed that the attackers used a modified version of a pentest tool designed by “white hats” to probe Web sites for SQL injection vulnerabilities. This log entry correlated with reports that the hacking team responsible for this attack frequented “white hat” online communities. We also found the same entries on our Web server logs. These log entries let us trace what types of attacks were attempted and which attacks succeeded on our backend systems.
From the logs captured in the Barracuda Web Application Firewall, it seems that the attacker used the second client to launch manual attacks against the discovered vulnerability while the primary attack script continued to scan the Web site to find other vulnerabilities. Ultimately, the attackers focused their efforts on a single line of weak code in a peripheral Web page where the input parameters had not been properly sanitized. Here is the pseudo-code of the underlying vulnerability:
<?=Foo_Function( $_GET[‘parameter’] )?> //Takes user input
By not sanitizing the input value, this code error let attackers inject SQL commands into the HTML input parameter to attack the underlying database.
Developers are taught to never trust user inputs; all inputs must be sanitized before sending them to underlying servers. However, you can see from the example above that it is not often obvious to the naked eye that something is wrong with the code. This is why, in addition to defensive coding, Barracuda Networks uses code scanners and our Barracuda Web Application Firewall to guard against possible vulnerabilities. Because of automated attacks, in a Web site of tens of thousands of lines of code, all it takes is a single mistake for an attack to succeed. We have since added a line of code that sanitizes inputs on the affected page to protect against future attacks:
$parameter = @is_sanitized($_GET[‘parameter’]) ? $_GET[‘ parameter ‘] : 0;
From Vulnerability to Breach
A Barracuda Networks’ systems administrator discovered the breach at 10:30am PDT and re-enabled the Barracuda Web Application Firewall to active mode at 10:39am PDT. The Barracuda Web Application Firewall immediately blocked all subsequent attacks from the 188.8.131.52 IP address. The attackers continued to cycle through attacks against the remaining Web pages for the next few hours with the Barracuda Web Application Firewall blocking all of the attacks. This attack profile supports our conclusion that the attackers used an automated pentest tool to blindly inject SQL commands. In all, the attackers sent a total of 110,892 SQL injection commands from both attacking IP addresses against 175 URLS at a rate of 42 per minute.
In tracing the Web Firewall and Access logs on the Barracuda Web Application Firewall, we determined that the attackers compromised a marketing database and stole two sets of records. A total of 21,861 names and emails were stolen from the database. Since there were a number of duplicates in the two sets and many of the entries were from users who are no longer with their original organizations, the number of affected users is substantially lower than the total stolen records.
Any breach is a serious issue. Although the team executing this attack appears to be fairly benign, data breaches like this one have been used to enable spearphishing attacks against affected users. We have already reached out to affected users with documentation and have advised of possible precautions they may wish to take. We believe that the users affected by the breach are at minimal risk. We do not store any sensitive information in our marketing database other than names and email addresses. Moreover, since Barracuda Networks primarily uses this customer data to send emails on upcoming events, Webinars, or corporate news updates, the risk of spearphishing is low as the all of communications are one-directional and informational in nature. Finally since most users are existing Barracuda Spam & Virus Firewall customers, the vast majority of potential spam would likely be blocked.
Barracuda Web Application Firewall Features:
- SQL injection flaws
- Cross Site Scripting (XSS)
- OS command injections
- Site reconnaissance
- Session hijacking
- Application denial of service
- Malicious probes/crawlers
- Cookie/session tampering
- Path traversal
- Outbound filtering to prevent information leakage (DLP)
- SSL Offloading
- SSL Acceleration
- Load Balancing
Contact a representative at Barracuda Networks today at: 1-888-ANTI-SPAM or visit: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php
Also available as virtual appliances.