Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Imperva Threat Research. Show all posts

The Rise of Bots: Imperva's Report Reveals Rising Trends in Internet Traffic

 

In the intricate tapestry of the digital realm, where human interactions intertwine with automated processes, the rise of bots has become an undeniable phenomenon reshaping the landscape of internet traffic. Recent findings from cybersecurity leader Imperva unveil the multifaceted nature of this phenomenon, shedding light on the complex interplay between legitimate and malicious bot activities.
 
At the heart of Imperva's report lies a staggering statistic: 49.6% of global internet traffic originates from bots, marking the highest recorded level since the company commenced its analysis in 2013. This exponential surge in bot-driven activity underscores the growing reliance on automated systems to execute tasks traditionally performed by humans. From web scraping to automated interactions, bots play a pivotal role in shaping the digital ecosystem. 

However, not all bots operate with benign intentions. Imperva's study reveals a troubling trend: the proliferation of "bad bots." These nefarious entities, comprising 32% of all internet traffic in 2023, pose significant cybersecurity threats. Nanhi Singh, leading application security at Imperva, emphasizes the pervasive nature of these malicious actors, labeling them as one of the most pressing challenges facing industries worldwide. 

Bad bots, armed with sophisticated tactics, infiltrate networks with the aim of extracting sensitive information, perpetrating fraud, and spreading misinformation. From account takeovers to data breaches, the repercussions of bot-driven attacks are far-reaching and detrimental. Alarmingly, the report highlights a 10% increase in account takeovers in 2023, underscoring the urgency for proactive security measures. 

Geographical analysis further elucidates the global landscape of bot activity. Countries such as Ireland, Germany, and Mexico witness disproportionate levels of malicious bot traffic, posing significant challenges for cybersecurity professionals. Against this backdrop, organizations must adopt a proactive stance, implementing robust bot management strategies to safeguard against evolving threats. While the rise of bots presents formidable challenges, it also heralds opportunities for innovation and efficiency. 

Legitimate bots, such as AI-powered assistants like ChatGPT, enhance productivity and streamline processes. By leveraging generative AI, businesses can harness the power of automation to drive growth and innovation. Imperva's report serves as a clarion call for stakeholders across industries to recognize the complexities of internet traffic and adapt accordingly. 

As bot-driven activities continue to proliferate, a holistic approach to cybersecurity is imperative. From advanced threat detection to stringent access controls, organizations must fortify their defenses to mitigate risks and safeguard against evolving threats. 

Imperva's comprehensive analysis sheds light on the multifaceted nature of internet traffic dominated by bots. By understanding the nuances of bot behavior and implementing proactive security measures, businesses can navigate the digital landscape with confidence, ensuring resilience in the face of emerging cyber threats.

Imperva Report Previously Undocumented 8220 Gang Activities


Imperva Threat Research team has recently discovered a previously unreported activity from the 8220 gang, which is well-known for mass-deploying a range of constantly evolving TTPs to distribute malware in large quantities. The threat actor has a history of using cryptojacking malware to target Linux and Windows web servers.

The researchers reported the issue in a blog, discussing the group’s attack tactics, recent activities, and indicators of compromise (IoCs) from the threat actor’s most recent campaign. Customers of Imperva are shielded from the known actions of this group. All firms are required to keep their security and patching up-to-date. 

History of the Threat Actor

The 8220 gang, which is believed to be a China-based group, was initially discovered in 2017 by Cisco Talos. The targets include Apache Struts2, Hadoop YARN, and Drupal systems, where the threat actors transmitted cryptojacking malware. Since then, a number of additional researchers have offered updates on the group's growing tactics, methods, and procedures (TTPs), which include making use of vulnerabilities in Log4j and Confluence. The group's use of the Oracle WebLogic vulnerability CVE-2017-3506 to infect specific systems was most recently shown by Trend Micro.

Evolving TTPs

The Imperva Threat Research disclosed the use of malware identified as CVE-2021-44228 and CVE-2017-3506. Also, the researchers revealed that the threat group exploited CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to spread malware.

This vulnerability, frequently linked with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or using compromised, stolen, or leaked credentials, permits remote authenticated attackers to execute code via a gadget chain. The documented exploitation of these vulnerabilities is extensive. This way, it is easier to modify for the distribution of malware. 

The 8220 gang employs two distinct gadget chains: one allows an XML file to be loaded, and this file contains a call to another gadget chain that allows commands to be executed on the operating system.

The report further notes that Imperva Cloud WAF and on-prem WAF have addressed the issues already by mitigating flaws that were used by the 8220 gang for conducting their malicious activities. Some of these vulnerabilities have been listed below:

  • CVE-2017-3506 – Oracle WebLogic Server RCE 
  • CVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization 
  • CVE-2020-14883 – Oracle WebLogic Server Authenticated RCE 
  • CVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE 
  • CVE-2021-44228 – Apache Log4j JNDI RCE 
  • CVE-2022-26134 – Atlassian Confluence Server RCE