Hackers are returning to proven methods to gain remote control of systems, install malware, steal information and disrupt or disable business operations through denial-of-service attacks, Barracuda reports.
The report's findings are based on an analysis of three months of detection data from the Intrusion Detection Systems (IDS) used by Barracuda's Security Operations Center (SOC), part of Barracuda's extended detection and response (XDR) platform.
Top Malicious Tactics Identified
The top malicious tactics detected by Barracuda’s firewall IDS integration for February to April 2023:
- Directory traversal: First reported in 2008; any unprotected HTTP server is vulnerable.
- Web password access: Attackers target potentially misconfigured web servers.
- SQL injection: First reported in 2003; most commonly used against older, functional interfaces.
- Apache Tomcat remote code execution (RCE): Dates to 2011 and Tomcat version 7; targets unpatched servers.
- User Datagram Protocol (UDP) flood: Any internet-facing unprotected system that provides UDP-based services is a potential target.
- PHPUnit RCE: A successful attack would allow an attacker to execute code within a compromised PHP application and gain control of the system. Dates to 2017.
- ICMP sweep: A network scanning technique used maliciously against unprotected systems since 2006.
- PHP common gateway interface (CGI) argument injection: A misconfigured CGI setup is vulnerable to malicious code injection. Dates from 2012.
Important Takeaways from the Report
Here are the key findings Barracuda reveals:
- Attackers try to gain remote control of vulnerable systems by using a tactic from 2008 that would let them take advantage of a misconfigured web server to get to data, such as application code or sensitive operating system files.
- Another tactic aimed at remote control dates from 2003. It involves injecting specially crafted malicious code into a legitimate process, allowing the attacker to read sensitive data, modify operations and send instructions to the operating system.
- Other established tactics target bugs in the programming languages developers use to create applications that are integrated into common web-based systems or into "middleware" that processes data, such as when someone adds an item to an online shopping cart. The potential reach of a successful attack using these tactics is therefore extensive.
- Attackers try to capture sensitive information by targeting vulnerable servers to obtain passwords or lists of users, or by misusing a legitimate process to find out how many computers on a network have an active IP connection. This can help with planning and preparing for a bigger attack.
- Attackers are also trying to cause general chaos, disruption and denial of service by interfering with online traffic data packets.
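The report describes these tactics only at the level of IDS detections, so the following is an added illustration of what such a detection looks like on the web-server side; it is example code written for this article, not Barracuda's IDS or any part of its XDR platform. The signature set and the access-log lines are constructed for the example: one benign request followed by probes resembling directory traversal (including a double-percent-encoded variant), SQL injection and PHP CGI argument injection.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (not real traffic): one benign
# request followed by probes resembling tactics named in the report.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.6 - - [03/Mar/2023:10:00:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [03/Mar/2023:10:00:03 +0000] "GET /download?file=%252e%252e%252fconfig.php HTTP/1.1" 403 0
10.0.0.8 - - [03/Mar/2023:10:00:04 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1024
10.0.0.9 - - [03/Mar/2023:10:00:05 +0000] "POST /cgi-bin/php?-d+allow_url_include%3dOn HTTP/1.1" 200 0
"""

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Hypothetical signature set, roughly what an IDS rule for each tactic expresses.
# Real rule sets are far larger; these are illustrative only.
SIGNATURES = {
    "directory_traversal": re.compile(r"\.\.[/\\]"),
    "sql_injection": re.compile(
        r"(?i)('\s*or\s+[\w']+\s*=\s*[\w']+|\bunion\s+select\b|;\s*drop\s+table\b|--\s*$)"
    ),
    # query string that begins with a php-cgi command-line option
    "php_cgi_argument_injection": re.compile(r"\?-[dsnT]\b"),
}


def normalize(path: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so double-encoded payloads
    (%252e%252e%252f -> %2e%2e%2f -> ../) are not missed by the signatures."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that is not CLF."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(line: str):
    """Parse one line and list every signature that fires on the decoded path."""
    rec = parse_line(line)
    if rec is None:
        return None
    decoded = normalize(rec["path"])
    hits = [name for name, sig in SIGNATURES.items() if sig.search(decoded)]
    return {"ip": rec["ip"], "path": decoded, "status": int(rec["status"]), "tactics": hits}


def scan(log_text: str):
    """Return only the records on which at least one signature fired."""
    findings = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["tactics"]:
            findings.append(rec)
    return findings


def summarize(findings):
    """Roll findings up into a per-tactic count, as an IDS dashboard would."""
    counts = {}
    for f in findings:
        for t in f["tactics"]:
            counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']:<10} {','.join(f['tactics']):<28} {f['status']} {f['path']}")
    print(summarize(hits))
```

Two details matter in practice: the path is decoded before matching, because a single-pass match on the raw URL misses the double-encoded traversal on the third line, and the response status is kept alongside the verdict, since a 404 or 403 on a traversal probe is a failed attempt while a 200 on the SQL injection line is the one worth escalating.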
In a blog post, Barracuda said that the "smallest signal" can foretell a "coming storm":
“Our analysis of Barracuda’s IDS and the firewall IDS integrations shows that weaknesses don’t have a cut-off date. The danger is that over time they can become harder to locate and mitigate, reduced to deeply embedded, unknown and shadow vulnerabilities, integrated into a system or application developed by a colleague who left years ago.”
Research Maps to Global Cyberattacks
Barracuda’s Threat Spotlight comes in the wake of the wide-scale global cyberattacks allegedly executed by Chinese cyber spies. These bad actors exploited a software vulnerability in Barracuda’s email security gateway (ESG) to invade hundreds of organizations worldwide, including governments and foreign ministries.
In a blog post issued in late June, Mandiant said it had been recruited by Barracuda to help investigate a zero-day vulnerability in its ESG appliances that had been exploited in the wild dating back to October 2022. Mandiant identified a "suspected China-nexus" actor, tracked as UNC4841, and assessed with "high confidence" that the operatives are engaged in espionage activity in a China-backed campaign.