The recent defacement of the U.S. Army's public website has been making big news. According to Newsweek:
The hackers first started tweeting about the hack around 1 p.m., writing messages like “Hacked by the Syrian Electronic Army” in pop-ups and posting a screenshot of users of the U.S. army’s website, including entire email addresses of military members.
The website was taken down by 3 p.m., though the hackers saved an archive of the site. The hackers claimed they had posted an image that stated “The defender of honor, Syrian Arab Army” on the website.
The most important takeaway is that when your hosting service, CDN or cloud provider says it offers “a secure environment”, that (almost) never means it secures your web applications as well. Under the usual shared-responsibility arrangement the provider secures the infrastructure it runs; the application, its configuration, its content and its administrative access remain your responsibility. Organizations should ask their providers exactly which web-application-security features they offer and plan to supplement them where the answer falls short.
Next, while this incident is making big news, website defacement is a very common threat to website owners. Data from Zone-H suggests that around 5.5 million sites were defaced in the last five years, an average of over one million per year.
Whitehats need to think about website defacement holistically rather than reacting to each incident in isolation, because multiple threat vectors are involved. They need to protect their web applications, servers, users and devices, and to secure remote access.
Web application and server vulnerabilities allow adversaries to take control of your web server directly through known and unknown (0-day) attacks, including insecure file uploads, SQL injection, command injection, remote file inclusion, or unpatched vulnerabilities such as Shellshock and Heartbleed. (Heartbleed leaks server memory, which can include session cookies or private keys, rather than giving code execution outright, but the stolen material is often enough to log in as an administrator.) Most of these attacks provide access to the underlying OS or result in the installation of remote access trojans (RATs). From there, defacing the site is trivial: the attacker simply overwrites or replaces the pages the web server serves.
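To make the insecure file upload vector concrete, here is an added example (not code from the defaced site, from Newsweek, or from any Barracuda product) that contrasts the kind of extension check attackers routinely bypass with a hardened validator. The allowlist, the size limit and the sample uploads are constructed assumptions for illustration.

```python
"""Validating a file upload so it cannot become a web shell.

Added example for this post, not code from the site in the news or from any
Barracuda product. ALLOWED_TYPES, MAX_UPLOAD_BYTES and the sample uploads are
constructed for illustration.
"""
import os
import re
import secrets

# Extension allowlist, each with the magic bytes a genuine file must start with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024


def naive_is_allowed(filename: str) -> bool:
    """The kind of check that gets sites defaced: accept any name that merely
    *contains* an allowed extension, so 'shell.jpg.php' sails through."""
    return any(ext in filename.lower() for ext in ALLOWED_TYPES)


def validate_upload(client_filename: str, content: bytes):
    """Hardened check. Returns (True, server_side_name) or (False, reason).

    Only the final extension counts, it must be on the allowlist, the content
    must start with that type's magic bytes, and the name written to disk is
    random with an extension we chose, never the client's string.
    """
    if not content or len(content) > MAX_UPLOAD_BYTES:
        return False, "empty or oversized upload"
    # Strip directory components (../../var/www/html/index.html) from the name.
    base = os.path.basename(client_filename.replace("\\", "/"))
    # Greedy prefix, so the captured group is always the *last* extension.
    m = re.fullmatch(r"[^/\\]+\.([A-Za-z0-9]+)", base)
    if not m:
        return False, "missing or malformed extension"
    ext = m.group(1).lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # 32 hex chars from the OS CSPRNG plus our own extension.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: a PHP web shell under three disguises,
    # a path-traversal attempt, and a JPEG-looking file.
    shell = b"<?php system($_GET['c']); ?>"
    samples = [
        ("shell.php", shell),
        ("shell.jpg.php", shell),
        ("shell.jpg", shell),
        ("../../index.html", b"<html>"),
        ("photo.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 64),
    ]
    for name, data in samples:
        print(f"{name:20s} naive={naive_is_allowed(name)!s:5} "
              f"hardened={validate_upload(name, data)}")
```

The magic-byte check only stops lazy attempts; a JPEG with PHP appended (a polyglot) still passes it. The defenses that actually hold are the random server-side name with an extension the server chose, so `index.html` can never be overwritten, plus storing uploads in a directory (or a separate host or bucket) where the web server is configured not to execute scripts at all.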
Administrators and their devices are frequently targeted with phishing, spear phishing and social engineering, often informed by social media reconnaissance. A successful attack installs malware that harvests credentials and logs keystrokes, among other things. Many users also reuse the same password across on-premises, cloud, personal and work services, which turns a single credential theft into a huge risk. Once the credentials for the website's administration panel are known, defacement is straightforward.
Watering hole attacks (aka strategic web compromises) also target administrators, but indirectly. Attackers first profile the administrators to learn which sites they visit, then compromise those sites to serve browser-based malware. The attackers have no real interest in the compromised site; it is only a means to ensnare its unsuspecting visitors, the administrators. According to the Verizon 2015 Data Breach Investigations Report, nearly 70% of attacks where the motive is known involved a secondary victim of this kind.
Insufficient authentication, such as the lack of two-factor authentication, weak passwords and insecure remote access, remains one of the most common exploit vectors against web applications. A second factor tied to the administrator's device means a phished or reused password alone no longer opens the admin panel.
However, if your organization is like most, it is probably plagued by security silos, a skills shortage, insufficient security budgets, and disjoint buying and management centers.
Our security products suite including Barracuda Web Application Firewall, Barracuda Firewall, Barracuda NG Firewall and Barracuda Web Filter are part of the Barracuda Total Threat Protection initiative, which is aimed at providing powerful, integrated security protection across multiple threat vectors at an affordable cost. Barracuda Total Threat Protection is designed to protect multiple threat vectors – including email, web applications, remote access, web browsing by network users, mobile Internet access, and network perimeters – that span private and public cloud deployments. It includes the combination of award-winning security solutions, a common management interface, a single point of support, and affordability. For additional information on Barracuda Total Threat Protection, visit http://cuda.co/ttp.