More than half (57%) of web applications of banks, operators and online stores may not be protected from hacker attacks. They contain critical vulnerabilities that allow attackers to steal confidential data, run arbitrary code, and completely control the operation of the attacked resource.
Such conclusions were made by Rostelecom-Solar experts based on an analysis of the security of Russian companies. Izvestia has reviewed the study. Experts point out that critical vulnerabilities have a cumulative effect: “holes” in servers appear again and again, and eventually a breakdown may occur in the system.
57% of web applications of companies from the finance, IT, telecom, retail and other industries may contain critical vulnerabilities that allow hackers to steal confidential data, run arbitrary code and completely control the operation of the attacked resource. This is stated in the results of the analysis of the security of Russian companies, which Rostelecom-Solar experts conducted in the second half of 2020 and the first half of 2021. The authors of the study defined web applications as sites that interact with users, for example e-mail, personal accounts, and corporate portals for employees.
– A poorly secured web application opens up many opportunities for attackers. This can be access to the company’s local network, control over the server, disruption of the application itself, the spread of malware, theft of a database, and more. At the same time, most of the vulnerabilities and flaws that we find during penetration testing have a fairly low complexity of exploitation, that is, even amateur hackers can carry out a successful attack with their help, not to mention professional cybercriminals, – said Alexander Kolesov, head of the security analysis department at Rostelecom-Solar.
The most common web vulnerabilities are incorrect configuration of access rights and disclosure of configuration data, according to the study. Incorrect configuration of access rights allows a user to perform actions for which he should not have rights, for example, to elevate his own account to administrator level. When configuration data is disclosed, the attacker obtains information about the structure of the web application, and in the logs, in addition to technical information, he can find personal data of the organization’s customers and employees.
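The “raise your own account to administrator” flaw described above is, in practice, usually a profile-update handler that writes whatever fields the client sends. The following is an added illustration, not code from the article or from Rostelecom-Solar, with an assumed data model (users as dicts with `name`, `email`, `role`) and constructed sample data; it shows the vulnerable handler, the hardened allow-list version, and the separate, actor-checked path that is the only way a role may change.

```python
from copy import deepcopy

# Fields an account owner may change about themselves; "role" is deliberately absent.
CLIENT_EDITABLE_FIELDS = frozenset({"name", "email"})


def update_profile_vulnerable(user: dict, payload: dict) -> dict:
    """Broken access control: every key in the request body is written to the
    account, so a body containing {"role": "admin"} promotes the caller."""
    updated = deepcopy(user)
    updated.update(payload)
    return updated


def update_profile_hardened(user: dict, payload: dict) -> dict:
    """Accept only allow-listed fields. Unexpected keys are rejected rather than
    silently dropped, so the attempt can be logged and alerted on."""
    unexpected = set(payload) - CLIENT_EDITABLE_FIELDS
    if unexpected:
        raise PermissionError(f"fields not editable by the account owner: {sorted(unexpected)}")
    updated = deepcopy(user)
    updated.update(payload)
    return updated


def change_role(actor: dict, target: dict, new_role: str) -> dict:
    """The only path that may change a role: the authorization check is on the
    actor performing the change, never on data supplied in the request body."""
    if actor.get("role") != "admin":
        raise PermissionError("only administrators may change roles")
    if new_role not in {"user", "admin"}:
        raise ValueError(f"unknown role: {new_role}")
    updated = deepcopy(target)
    updated["role"] = new_role
    return updated


# Constructed sample data (hypothetical): an ordinary user smuggles a role change
# into a normal profile update.
SAMPLE_USER = {"id": 42, "name": "alice", "email": "alice@example.test", "role": "user"}
SAMPLE_ADMIN = {"id": 1, "name": "root-admin", "email": "admin@example.test", "role": "admin"}
SAMPLE_PAYLOAD = {"name": "alice", "role": "admin"}

if __name__ == "__main__":
    print(update_profile_vulnerable(SAMPLE_USER, SAMPLE_PAYLOAD)["role"])  # admin
    try:
        update_profile_hardened(SAMPLE_USER, SAMPLE_PAYLOAD)
    except PermissionError as exc:
        print("rejected:", exc)
```

Rejecting rather than dropping the unexpected field matters for detection: a `PermissionError` on `role` is exactly the event a web application log should surface, whereas silent filtering hides the probe.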
Critical vulnerabilities include those in local packages and programs that genuinely allow arbitrary code execution or privilege escalation, noted Mikhail Levitin, R&D Director of Qrator Labs. But to exploit them, the attacker still needs access to the servers, even if only unprivileged access, the expert pointed out.
Suppose one vulnerability allowed local users to run arbitrary code with administrator rights, but the attacker had no access to the server, Mikhail Levitin offered as an example. Several years later, another vulnerability could be discovered that allows local access to the server, but only with ordinary user rights. If at least one of these “holes” had been patched, the problems would not have happened, the specialist said. But if the server is not updated or rebooted for several years, such “holes” begin to accumulate in it, and eventually a breakdown may occur in the system, he explained.
Mouse on the pulse
Hackers can use vulnerabilities in companies’ web applications to attack both the companies themselves and their customers, said Yana Yurakova, an analyst at Positive Technologies. Examples are attacks such as Magecart (malicious code inserted into websites to steal customer data when an order is placed), during which personal data and payment card information are collected, and watering hole attacks (infection of the devices of a narrow group of people), within which malware is distributed. Even if a client of the company uses a vulnerable web application but neither receives malware on his device nor “gives” confidential information to attackers, he can still be attacked using social engineering methods, Yana Yurakova warned.
Due to vulnerabilities in web applications, fraudsters can gain access to a database that contains all the information about a client necessary for an attack, the analyst added. An analysis of the security of web applications carried out by Positive Technologies showed that in 92% of cases, an attacker can conduct attacks on clients, and in 68%, important data may be leaked.
According to the company’s research, in about seven out of ten dark web ads related to hacking sites, the main goal is to gain access to a web resource. At the same time, 86% of companies have at least one vector of penetration into the local network that is associated with insufficient protection of web applications, according to Positive Technologies.
If cybercriminals break into a bank’s telephony, they will be able to redirect incoming calls to the credit institution to their own numbers, said Alexander Vetkol, a leading systems engineer at Varonis. This will allow them, for example, to “confirm” the identity of a fake employee and to lull the customer’s vigilance.
However, cybercriminals often do not hack into official structures, but only imitate them, including by using hot news feeds, said Viktor Chebyshev, cybersecurity expert at Kaspersky Lab. A recent example is a wave of registrations of fake resources for the payment of social benefits, including the “Putin” benefits for schoolchildren announced in June, said Alexei Drozd, head of the information security department of SearchInform. Sites of well-known brands are constantly being copied: from trading platforms (tickets, goods, delivery) to banks and government agencies, he added.
Internet users should not launch suspicious attachments or open letters and messages about fabulous winnings and incredible promotions, Yana Yurakova recalled. When entering a site, you need to double-check the link in the browser’s address bar. To download applications to your smartphone, you should use the verified links on official websites and not try to install software from a messenger or from a website when it is not in the official application store. By downloading software from third-party and unverified resources, you can get ransomware as a gift, the specialist warned. The most effective way to avoid the threat is not to use the service and not to provide data there if there is even the slightest doubt, added Alexey Drozd. You can use the “analog” version of the desired service: come to a bank branch or company office and receive the service in person.