- Top five attacks alone contributed to over 54% of all cyberattacks blocked by Barracuda Networks.
- Organisations looking to bolster their defences should look for a WAAP solution that includes bot mitigation, DDoS protection, API security, and credential stuffing protection, as a minimum, and also make sure it is properly configured.
Cybercriminals are increasingly turning to bots and automation to make their attacks more efficient and effective and help them avoid detection.
Automated attacks use bots to try to exploit vulnerabilities in web applications. They range from fake bots posing as Google bots to avoid detection, to application-layer DDoS that tries to take a site down by subtly overloading the application.
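The "fake bots posing as Google bots" case above is detectable with Google's published verification procedure: the reverse DNS of the client IP must resolve to a host under googlebot.com or google.com, and the forward lookup of that host must return the same IP. The Python below is an added example, not Barracuda's code or part of the report; the DNS answers and the IP/User-Agent pairs are constructed so the check runs offline.

```python
import re
from typing import Callable, Dict, List, Optional

# Google's documented check for a client claiming to be Googlebot: the reverse
# (PTR) lookup of its IP must give a host under googlebot.com or google.com, and
# the forward lookup of that host must return the original IP.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")
ReverseLookup = Callable[[str], Optional[str]]  # ip -> PTR hostname or None
ForwardLookup = Callable[[str], List[str]]      # hostname -> A/AAAA records

def claims_googlebot(user_agent: str) -> bool:
    """True when the User-Agent presents itself as Googlebot."""
    return re.search(r"\bGooglebot\b", user_agent) is not None

def verify_googlebot(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """True only when the PTR suffix and the forward lookup both agree."""
    host = reverse(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return False
    return ip in forward(host)

def classify(ip: str, user_agent: str, reverse: ReverseLookup, forward: ForwardLookup) -> str:
    """Label a request as a verified crawler, an impostor, or no Googlebot claim."""
    if not claims_googlebot(user_agent):
        return "no-googlebot-claim"
    return "verified-googlebot" if verify_googlebot(ip, reverse, forward) else "fake-googlebot"

# Constructed DNS answers standing in for live lookups (production code would
# wrap socket.gethostbyaddr and socket.getaddrinfo instead).
PTR_TABLE: Dict[str, str] = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com.",
    "198.51.100.7": "crawl-66-249-66-1.googlebot.com.attacker.example",  # suffix check fails
    "192.0.2.44": "spoof.googlebot.com",  # suffix passes, but forward record points elsewhere
}
A_TABLE: Dict[str, List[str]] = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "spoof.googlebot.com": ["66.249.66.1"],
}
fake_reverse: ReverseLookup = lambda ip: PTR_TABLE.get(ip)
fake_forward: ForwardLookup = lambda host: A_TABLE.get(host, [])

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def audit(requests: List[tuple]) -> Dict[str, str]:
    """Classify (ip, user_agent) pairs, e.g. extracted from an access log."""
    return {ip: classify(ip, ua, fake_reverse, fake_forward) for ip, ua in requests}
```

An IP with no PTR record at all is treated as an impostor as well, which is the conservative default for traffic that asserts a crawler identity it cannot prove.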
In December, Barracuda researchers analysed a sample of two months of data on web application attacks blocked by Barracuda systems and found a massive number of automated attacks.
The top five attacks alone contributed to over 54 per cent of all cyberattacks blocked by Barracuda in November and December 2020.
Tushar Richabadas, Senior Product Marketing Manager at Barracuda Networks, said that automated attacks can overwhelm or infiltrate web applications, and defending against all the varieties of automated attacks can be daunting.
The most significant attack type recorded was fuzzing, which uses automation to find and exploit the points at which an application breaks: one in five (19.5 per cent) of the attacks recorded by Barracuda researchers was diagnosed as a fuzzing attack.
Hackers still consider classic web app attacks
The second most significant attack type was injection attacks, which contributed 12 per cent of the total recorded. These use automated tools like sqlmap to try to get into applications, and much of this traffic is script-kiddie-level noise: attacks thrown at an application without any reconnaissance to tailor the attempt.
‘Fake bots’ were a close third, accounting for just over 12 per cent of the web application attacks analysed. Application DDoS (distributed denial of service) was also surprisingly prevalent, making up more than 9 per cent of the sample. Finally, a small portion of attacks (less than 2 per cent) came from bots blocked by site admins.
Barracuda Networks noted that although bot traffic is a fast-growing problem, this does not mean cybercriminals are abandoning their old standbys: a large part of the attacks analysed were classic web app attacks, such as injection and cross-site scripting (XSS). Most of the attack traffic came from reconnaissance or fuzzing tools being used to probe applications.
However, Richabadas said that the good news is that multi-purpose solutions are consolidating into Web Application Firewall and WAF-as-a-Service solutions, also known as Web Application and API Protection services (WAAP).
“Organisations looking to bolster their defences against this growing threat should look for a WAAP solution that includes bot mitigation, DDoS protection, API security, and credential stuffing protection, as a minimum, and also make sure it is properly configured.
“It is also important to stay informed about current threats and how they are evolving so that your business can be defended against them. Over the coming year we can expect automated bot attacks, attacks against APIs, and attacks against software supply chains to develop in quantity and sophistication, especially as these newer attacks have fewer protections and defences blocking them,” he said.