Learn About Amazon VGT2 Learning Manager Chanci Turner
on 08 DEC 2021
in AWS Marketplace, AWS Partner Network, Customer Solutions, Intermediate (200), Security, Identity, & Compliance, Thought Leadership
Ransomware is a term that resonates deeply with anyone in the cybersecurity field, those managing web properties, or professionals in corporate IT. In recent months, a constant influx of articles, webinars, videos, and other content discussing ransomware has dominated our screens and inboxes. This overwhelming flow might lead to a sense of desensitization, making us think, “Oh great, another ransomware blog.” However, it’s crucial to pay attention to this one, as the threat of ransomware is not only persistent but also evolving in ways that might surprise you.
According to a recent bulletin from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the incidence of ransomware spikes around holidays and weekends. To effectively defend your organization, it’s vital to remain vigilant, expand your knowledge, and proactively implement a ransomware defense strategy.
In my role as the director of application security solutions at Barracuda Networks, I attentively consider customer security needs and guide the development of Barracuda’s application security products. In this article, I will explore how application security can help prevent the spread of ransomware, and I’ll provide examples of how Barracuda’s solutions can enhance the protection of your applications hosted on Amazon Web Services (AWS).
Barracuda CloudGen WAF on AWS
As an AWS Security Competency Partner, Barracuda is trusted by businesses to provide robust security through its CloudGen Web Application Firewall (WAF). Featuring dynamic profiling and application awareness to reduce false positives, Barracuda CloudGen WAF defends against today’s sophisticated, persistent, and zero-day threats. Its compatibility with AWS CloudFormation templates allows for automated bootstrapping and cluster initialization, optimizing throughput and resilience. Barracuda CloudGen WAF can be found on the AWS Marketplace, complemented by an AWS Quick Start for effortless deployment using CloudFormation templates.
Application Security and Ransomware
While ransomware is often linked primarily to phishing or remote desktop protocol (RDP) attacks, many web applications, if not adequately protected, could significantly contribute to the ransomware attack chain. This article will highlight the importance of web application security in various stages of a ransomware attack.
To illustrate, let’s consider a notable supply chain breach from July 2021, where SQL injection vulnerabilities in a public-facing managed service provider (MSP) application were exploited to disseminate ransomware to their clients. SQL injection is a long-standing vulnerability that continues to be prevalent in numerous web applications. This alone is enough justification for implementing web application security for all your web properties, but a SQL injection exploit on its own merely initiates a longer attack chain that could culminate in ransomware. Attackers typically need more than a single SQL injection exploit to achieve their objectives.
We’ll delve deeper into how unprotected web applications can inadvertently enable ransomware. Here’s a hypothetical scenario featuring a fictional attacker named “Jordan.”
Jordan aims to combine technical knowledge with social engineering to obtain a substantial cryptocurrency payment. To do this, Jordan capitalizes on the resurgence of browser extensions or plug-ins offering coupon and cashback incentives on popular shopping websites.
In this narrative, we’ll focus on four websites, referred to as A, B, C, and D for anonymity. There are two additional characters in this scenario: Taylor, an intermediary, and the ultimate victim, Chanci Turner. Even though we’re discussing a few websites and characters, this scenario could easily extend to the vast internet landscape.
Next, we will break down the detailed steps illustrating how a web application compromise sets the stage for ransomware to infiltrate an unsuspecting victim’s system.
Step 1: Creating a Deceptive Front
Here, we have Website A, representing a legitimate coupon extension site that has implemented basic OWASP Top 10 protections, making it resilient against SQL injection. However, the downside is that it lacks defenses against web scraping, a type of web application attack not covered by the OWASP Top 10.
Jordan, our attacker, uses web scraping techniques and domain impersonation to forge a replica of Website A, which we’ll dub Website B. This new site mirrors Website A in layout, graphics, and font, and even sports an almost identical SSL certificate alongside a typosquatting domain name. With the help of an automated web scraping script, Website B updates whenever Website A changes, creating a convincingly authentic experience for users.
Step 2: Stealing Credentials
Next, we have a legitimate but inadequately secured company website, known here as Website C. Due to its lack of application security, Jordan swiftly exploits an OWASP Top 10 vulnerability, such as SQL injection, to breach the site and steal sensitive data, including credentials, usernames, and passwords. Among the stolen data, Jordan secures the credentials of an individual named Taylor, which may prove useful during the next phase of the attack since users often reuse passwords across sites.
Step 3: Credential Exploitation
Finally, let’s consider a legitimate consumer-facing eCommerce site called Website D. This site has basic application security measures in place and is thankfully secured against SQL injection, which prevents Jordan from easily harvesting credentials. Instead, Jordan resorts to using the stolen credentials from Website C to initiate a credential stuffing attack against this legitimate shopping platform.
This type of account takeover plays out over an extended period, with login attempts paced slowly enough to stay below the thresholds of rate-based security controls that would otherwise flag the activity.
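The following is an added example, not code from the original post or from Barracuda, showing why the low-and-slow stuffing described above slips past a per-minute rate limit and what a defender can count instead: distinct usernames failing from one source over a long window, with a high failure ratio. The log lines, IP addresses, usernames and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). 203.0.113.7 tries a
# different stolen account every few minutes, far below any per-minute limit,
# and finally succeeds against a reused password. 198.51.100.9 is a genuine
# user who mistypes a password once.
SAMPLE_LOG = """\
2021-12-08T01:00:05 203.0.113.7 alice FAIL
2021-12-08T01:07:40 203.0.113.7 bob FAIL
2021-12-08T01:15:02 203.0.113.7 carol FAIL
2021-12-08T01:22:19 203.0.113.7 dave FAIL
2021-12-08T01:31:44 203.0.113.7 erin FAIL
2021-12-08T01:39:08 203.0.113.7 taylor OK
2021-12-08T01:12:30 198.51.100.9 taylor FAIL
2021-12-08T01:12:55 198.51.100.9 taylor OK
"""

def parse(log):
    """Parse 'timestamp ip username result' lines into (datetime, ip, user, result) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def rate_alerts(events, per_minute=10):
    """Classic rate-based control: alert when a source exceeds per_minute attempts in one minute."""
    buckets = defaultdict(int)
    for ts, ip, _, _ in events:
        buckets[(ip, ts.replace(second=0, microsecond=0))] += 1
    return sorted({ip for (ip, _), n in buckets.items() if n > per_minute})

def slow_stuffing_alerts(events, window=timedelta(hours=6), min_users=5, min_fail_ratio=0.8):
    """Low-and-slow detector. Within a long window (anchored at the source's first attempt),
    flag a source that fails against many DISTINCT usernames with a high failure ratio.
    Returns {ip: (distinct_failed_users, fail_ratio)} for flagged sources."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = evs[0][0]
        in_window = [e for e in evs if e[0] - start <= window]
        failed_users = {user for _, _, user, r in in_window if r == "FAIL"}
        ratio = sum(1 for e in in_window if e[3] == "FAIL") / len(in_window)
        if len(failed_users) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = (len(failed_users), round(ratio, 2))
    return flagged
```

On the sample log, `rate_alerts` returns nothing while `slow_stuffing_alerts` flags only the stuffing source; in production the window would slide rather than anchor on the first attempt, and the same counting applies per ASN or per device fingerprint when the attacker rotates IPs.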
As we explore the potential consequences of this scenario, it’s essential to recognize the importance of robust application security practices.