Unlike a company’s system and infrastructure, an organization’s website is a public-facing asset that is at risk of constant attack. According to SiteLock, it could experience as many as 94 attacks a day. With attacks on website applications the second most common type of cybersecurity threat today, it’s crucial to monitor both direct and indirect threats to website security. For example, attackers may first target an organization’s network or system to infiltrate a website or website application.
Here are five threats to website security that can easily fly under the radar, and that a security team must be aware of.
API attacks occur when malicious actors gain unauthorized access to sensitive data. The most recent example of this is the MOVEit attack in June. The breach occurred when attackers exploited an API vulnerability via an SQL injection into the web application software, enabling them to steal data. As a supply chain attack, it was particularly significant because it not only impacted any company that used the file transfer software directly, but any company that relied even on a third-party that used the software.
Penetration testing, data encryption, the application of protocols such as OAuth 2.0 & OpenID and consistent software updates help mitigate against these attacks. In the case of MOVEit, solutions that map out the supply chain can be helpful in defending against these types of attacks.
Website spoofing attacks
Sometimes, however, an attack is directly on a website. Website spoofing is a cybersecurity threat that occurs when attackers create a fake version of a reputable brand’s website for phishing, social engineering, fraud and other malicious purposes. Although website spoofing has been around for years, the challenge for brands now is to detect website spoofing in real time, before customers are defrauded, confidential data is exposed and the brand’s reputation is damaged.
Even with the vast number of website monitoring, alerting and protection solutions in place, protecting brand websites from spoofing is not so simple.
Generative AI attacks
Generative AI tools, such as ChatGPT, can invite other indirect attacks to a website’s security, which is crucial to note, as these tools have taken society by storm and are being used by organizations in many capacities, such as generating content.
As great as its benefits are, it’s important to remember that generative AI can also be an effective tool for attackers, who leverage ChatGPT to send sophisticated phishing emails en masse. After successful phishing attacks, bad actors can easily use the information they’ve gathered to infiltrate a website and web applications.
Paradoxically, AI can also be used to detect the malicious use of tools such as ChatGPT, although they aren’t foolproof.
Advanced persistent threat (APT) attacks
Although APT attacks are not limited to attacking an organization’s website, they often attack the email, network, software, or physical computer systems. These cyberattacks usually target nation-states and large enterprises in which malicious actors go undetected for a long period to gain access to sensitive data, disrupt operations or conduct espionage or system/network destruction. These threat actors are often highly skilled and sophisticated groups, such as other nation-states and criminal gangs.
For example, the APT group Sea Turtle is known for its DNS hijacking attacks that have threatened the web security of global telecommunications companies this year. In one of their DNS hijacking techniques, the Iranian-backed group succeeded in changing the DNS settings to redirect traffic to their own infrastructure to make it easier to launch attacks and steal user credentials.
Vulnerability assessment, patch management and employing WAFs are a few strategies that can help mitigate these APT threats.
Malware injection attacks
Although malware is usually used to infect computer systems, it can be web-based.
Malware has been around since the beginning of the internet, but constant new evolutions on an old concept can make its mitigation challenging. For example, the new MockingJay process injection technique might allow malware to evade endpoint detection and response (EDR) technologies. Once the injection enters an organization’s system, it escalates privileges
Since EDR technology is the first line of defense for many organizations, it’s even more important for them to have backup measures in place such as: installing anti-virus software, educating employees not to click on non-verified links, employing multi-factor authentication and keeping software updated regularly.
Staying ahead of the cat and mouse game
Even with the best solutions in place, mitigation of web-based attacks is still challenging. In addition to sometimes attacking multiple vectors, these attacks often encompass more than one of the categories mentioned above. For example, the MOVEit attack mentioned above was both an API attack and an APT attack, executed by a CLop APT group responsible for ransomware. Generative AI can be used to quickly create spoofed websites. These threats constantly evolve, and it’s therefore crucial that solutions evolve as well to deliver the right technology to organizations so they can stay ahead of attackers’ latest moves.