Web attacks in November 2018

December 1, 2018

A web attack typically begins with mass-scanning the web for vulnerable applications and/or servers. When unpatched software is identified, an attempt is made to exploit the vulnerability. A vulnerability in the web application, database, operating system or network can lead to an attack on the web server.

Successful exploitation could lead to information disclosure, denial-of-service conditions or arbitrary code execution with the privileges of the server.

SonicWall Threat Research Lab has observed attempts to exploit unpatched vulnerabilities on the web. Below is the list of software that was most attacked in November 2018.

phpMyAdmin:
phpMyAdmin is a free software tool written in PHP that helps users perform administration tasks on MySQL and MariaDB through a web user interface. phpMyAdmin supports a wide range of operations, such as managing databases, tables, columns, relations, indexes, users, and permissions.

Apache Struts2:
Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller architecture.

Tomcat:
Apache Tomcat, often referred to as Tomcat Server, is an open-source Java Servlet Container developed by the Apache Software Foundation. Tomcat implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a “pure Java” HTTP web server environment in which Java code can run.

JBoss:
JBoss Enterprise Application Platform (EAP) is an application server written in Java, which implements the Java Platform, Enterprise Edition (Java EE) specification.

Oracle WebLogic:
Oracle WebLogic Server is an enterprise-class multi-tier Java Application Server platform. WebLogic is typically used as a platform for large enterprise web applications. The components of the WebLogic Platform include an Application Server, Portal, Application Integration service and HTTP web server.

Internet Information Server (IIS):
The Internet Information Server (IIS) is a collection of Internet services packaged with several versions of the Windows operating system. IIS includes a Web server service that is capable of serving static, as well as dynamic content.

WordPress:
WordPress is a free and open-source content management system based on PHP and MySQL. Features include a plugin architecture and a template system.

How to mitigate?

1. Use the latest software and apply security patches whenever they are available
2. Do not use default credentials
3. Do not use default configuration
4. Turn off all unnecessary features by default
5. Secure configuration files

How to configure SonicWall Web Application Firewall (WAF) to protect against a whole suite of web attacks such as Cross-site scripting, SQL Injection, OS Command Injection, and many more:
https://www.sonicwall.com/en-us/support/technical-documentation/web-application-firewall
How to configure SonicWall firewall to prevent brute force attacks:
https://www.sonicwall.com/en-us/support/knowledge-base/171006033550997
How to block Denial of Service attacks using Intrusion Prevention:
https://www.sonicwall.com/en-us/support/knowledge-base/170502507163643
How to protect SQL servers from Injection attacks:
https://www.sonicwall.com/en-us/support/knowledge-base/170504288959461
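
To see whether your own web servers are receiving the mass-scanning described at the top of this post, the following added example (not SonicWall code or signature data) flags clients in an access log that were refused on admin paths of several of the listed products. The path markers, the combined log format, the threshold and the sample log lines are assumptions of this example; IIS is left out of the marker list.

```python
import re
from collections import defaultdict

# Path markers commonly associated with products named in this post.
# Assumption of this example: tune the list to what you actually run.
PRODUCT_MARKERS = {
    "phpMyAdmin": ("/phpmyadmin", "/pma/"),
    "Apache Struts2": (".action", "/struts2-showcase"),
    "Tomcat": ("/manager/html", "/host-manager"),
    "JBoss": ("/jmx-console", "/web-console", "/invoker/"),
    "Oracle WebLogic": ("/wls-wsat", "/console/login"),
    "WordPress": ("/wp-login.php", "/xmlrpc.php", "/wp-admin"),
}

# Apache/Nginx "combined" access log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Nov/2018:03:12:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [14/Nov/2018:03:12:01 +0000] "GET /manager/html HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [14/Nov/2018:03:12:02 +0000] "GET /jmx-console/ HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [14/Nov/2018:03:12:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.20 - - [14/Nov/2018:09:30:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [14/Nov/2018:09:30:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [14/Nov/2018:10:02:44 +0000] "GET /wp-admin/missing.css HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

def find_scanners(lines, min_products=3):
    """Return {ip: sorted product names} for clients that received 4xx
    responses on admin paths of at least min_products different products.
    One site rarely runs all of these, so breadth plus refusals means guessing."""
    probed = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        # Skip unparseable lines and requests that were actually served.
        if not m or not m["status"].startswith("4"):
            continue
        path = m["path"].split("?", 1)[0].lower()
        for product, markers in PRODUCT_MARKERS.items():
            if any(mark in path for mark in markers):
                probed[m["ip"]].add(product)
    return {ip: sorted(p) for ip, p in probed.items() if len(p) >= min_products}

if __name__ == "__main__":
    for ip, products in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} probed {len(products)} products: {', '.join(products)}")
```

Flagged addresses are candidates for rate limiting or blocking at the firewall; a 2xx response on any of these paths from the same client deserves a closer look at that application's patch level.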