March 14, 2023

Article at Sean Michael on Authory

Attackers Target Microsoft Exchange, According to Cloudflare Application Security Report

Application Security Report

Cloudflare sees a lot of the world’s internet traffic and no small amount of that traffic is malicious.

Cloudflare released new data today on the state of Application Security in 2023, based on the company’s visibility from handling an average of 45 million HTTP requests per second. The data includes new details on attacks that Cloudflare has mitigates with its Web Application Firewall (WAF) technology, showing what attackers are actually targeting.

Cloudflare CTO John Graham-Cumming told SDxCentral that the new 2023 data marks the first time his company is publishing individual WAF Managed Rule category matches over the 12 month time period.

“The variation in attack patterns was one of the biggest surprises and really highlights the diversity of ongoing attacks across the network,” Graham-Cumming said. “We are still receiving hits from CVE [common vulnerabilities and exposures]-specific rules written over eight years ago.”

Featured Article

AWS Shares the Top Takeaways From MWC

AWS Shares the Top Takeaways From MWC

Sponsored by Amazon Web Services (AWS)

SDxCentral CEO Matt Palmer and AWS VP of Global Telecom Adolfo Hernandez discuss how AWS developed telecom-specific services and solutions.

Read More

WAF Mitigations Reveal Attacks on Microsoft Exchange

The top attack vectors against HTTP traffic that the Cloudflare WAF has mitigated over the last 12 months are a mix of different common techniques used by attackers.

Topping the list is HTTP Anomaly at 30%, followed by Directory Traversal at 16%, and SQL injection (SQLi) at 14%. Cross Site Scripting (XSS) came in at 9%.

“Most CVEs are actually exploited by generic attack payloads such as XSS, SQLi , and are therefore blocked by our generic rules,” Graham-Cumming said. “That’s why, overall, most mitigated traffic is classified with generic categories.”

WAF technology also provides insight into application security specific applications that are being targeted. While the open source WordPress content management system (CMS) has long been a primary target of web application hackers, it actually isn’t the most attacked application, according to Cloudflare. That dubious distinction in 2023 falls on MicrosoftExchange.

“The Microsoft Exchange rules match by a factor greater than 10x the WordPress rules,” Graham-Cumming said.

As opposed to looking for a specific web vulnerability or using an HTTP attack technique, the Microsoft Exchange attack mitigations triggered by the Cloudflare WAF rules are all credential stuffing. A credential stuffing attack is one where the attack attempt to use or ‘stuff’ a password that has been stolen from a breached site.

“We log a rule match only when a login attempt is made with a username/password pair that has been leaked.

APIs role in Application Security

Cloudflare also has visibility into API driven traffic, which is increasingly being driven by web browsers. According to the report, 65% of global API traffic is generated by browsers that pull content from different API endpoints as part of a service.

Graham-Cumming said that the volume of API traffic overall highlights the growing importance of API management technologies, even for standard web development.

“This is reflected in our roadmap as we improve offerings such as our API Gateway that help companies manage, route and secure API endpoints,” he said.

Looking at API traffic only, Graham-Cumming said that SQLi was the top attack vector for a short period of time last year. He noted that although Cloudflare does expect specific attack types such as SQLi to be much more frequent against API endpoints compared to others. That said he commented that HTTP anomalies are by far the most common signature group tested by malicious scanners on the internet.

While it’s difficult to predict exactly what will happen with web application security in the future, one thing is clear.

“Application security issues are here to stay,” Graham-Cumming said.