Evolution of attacks on web resources: what has changed since 2011

How web resources were hacked in previous years

From 2011 to 2018, attackers sold access to hacked web applications on shadow forums. In 90% of cases, content management systems (CMS), CRM systems, as well as online web admin panels of servers and network equipment were targeted.

To find targets, the attacker used a list of registered domain names for the past year. It is quite simple to prepare such a list from open data, and then using crawler utilities like CMS-Finder, one can discover the URIs of web admin panels, the templating engines used, the versions of web interpreters, and so on.

As a result, the attacker obtained a list of target vulnerable web resources. At the next stage, this list was processed using harvester utilities, which automatically selected logins and passwords for admin panels and uploaded web shells (often WSO) to the servers of web applications. If versions of applications or web interpreters with known vulnerabilities were detected, basic exploits could also be applied.

Attackers also used fuzzer utilities: WebCruiser, SQLmap, XSSer, RouterSploit, and so on. They allowed sending hundreds of payloads with different web attacks to application servers — hoping that something would work.

As a result, the attacker gained persistent remote access to the compromised resource. The method is quite fast, allowing the attacker to run utilities in multiple threads, from different devices, and from different networks. Thus, in one day, it was possible to create 30-200 web shells on hacked sites and servers.

How attackers used the obtained access

To list all the ways of unauthorized use of such access, several separate articles would be needed. Let's focus on the most popular scenarios from 2011 to 2018:

1. Getting into the infrastructure, the attacker first tried to understand where he was: looked at configuration files, available rights, system and network interaction data. Corporate networks were mostly flat, without segmentation, servers were located in the local infrastructure. Therefore, the hacker could scan the infrastructure from the local network, apply some popular exploit to carry out an attack via SMB or RDP. As a result, he essentially created a map by which he moved further. If the hacked server was located in the company's local network, the attacker tried to scan network segments to escalate the attack to other devices and applications or try to escape from the container/virtual machine. If successful, he could develop a presence in the infrastructure, gain a foothold in it and, for example, create accounts with administrator rights.

2. One of the most common cases is database theft. Fuzzer utilities are able to find SQL injection opportunities on authentication pages, in search forms, etc.: union-based, boolean-based, time-based or even stacked queries. An attacker, even without much knowledge of SQL syntax, could find a vulnerability and automatically unload information for subsequent sale. At that time, many companies stored passwords in plain text directly in databases, as a result, attackers could get the entire array of credentials, emails, nicknames, which could then be used for credential stuffing or brute force attacks.

3. When a stored XSS vulnerability was discovered, it became possible to carry out attacks on users. For example, attackers actively used the BeEF framework - a legitimate pentesting tool that in the wrong hands allowed a malicious JavaScript library to be embedded in a compromised page. After that, visitors to the site opened access to their data to the attackers. However, this technique only worked fully against vulnerable versions of the browser, and the connection was interrupted when the tab with the hacked site was closed.

   This is exactly how the SPRUT group operated in 2015. The attackers wrote their own crawler with a fuzzer that searched for and tested web applications for stored XSS vulnerabilities or the possibility of RCE at the file editing level of the site. BeEF was used to generate a payload in the form of a JavaScript file, which SPRUT embedded in the pages of the web application.
   
   To prevent the attack from being interrupted when the victim closed the page, the attackers wrote a malicious plugin for different browsers that showed a notification offering the user to install the addon. If users did not understand the logic of the attack and simply clicked the classic "OK", the malicious JS library remained in the browser's memory, allowing the attackers to maintain the connection.
   
   Thus, SPRUT was able to infect more than 100,000 devices and combine them into a web botnet to steal and sell user data.

4. Another option for spreading malware is to replace objects of compromised web applications so that when accessing them, the victim receives a malicious file on their device. This is exactly how the well-known Zeus botnet and the Carberp banking trojan with a bootkit on board worked.

5. An attacker could use ransomware to encrypt important web application data and demand a ransom from the owner. In addition, he could not deliver the ransomware himself, but again put access to the vulnerable infrastructure up for sale.

6. Access to the server allowed embedding a script miner into web pages so that visitors would mine cryptocurrency for the attacker. In some cases, the miner could be launched on the main server of the web application.

7. If a cybercriminal managed to create several web shells, they could be combined into a botnet - utilities like Web Shell Manager were used for this. Subsequently, such botnets were used to provide DDoS services or sold on shadow resources, where they were acquired, for example, by owners of larger botnets who needed replenishment.

8. Hacktivists, who did not care about money, often used the access they obtained to deface the hacked resource (replace the original content with an announcement, message, picture, or something similar). Such attackers were more likely chasing reputation and trying to imitate movie hackers.

What has changed in recent years

In 2024, more and more organizations and private website owners are hosting web applications with hosting providers. Even if an attacker breaches the web application, they will not be able to transfer the attack to the internal infrastructure.

In addition, the architecture of web applications has changed significantly. Firstly, it has transformed from monolithic to microservice, and the compromise of one module does not always lead to the hacking of the entire system. Secondly, request routing, which used to be based on files, is now organized by frameworks. Finally, thirdly, companies that do not need complex web resources now use SPA business cards (single page application). Such sites do not even have a backend — there is nothing for attackers to break.

Now attackers are less likely to find a vulnerable server with an outdated CMS or an open port. Scanning attempts encounter WAF and isolated segments, making it incomparably more difficult to penetrate the internal infrastructure than before. As a result, the previously existing model — hack the host, gain a foothold, and sell access — has lost its relevance.

What are the current goals of attackers

In contrast to the attackers of past years, today's cybercriminals strive to leave the compromised server as quickly as possible. Their behavior model is "hacked - downloaded data - left". In rare cases, groups try to break through from the application further into the infrastructure and gain a foothold. As mentioned above, most of today's web systems are located in isolated segments and on external hosting, so no one knows if there is any practical sense in trying to get out of these segments.

That is why hackers try to quickly download data and disappear, not risking being detected and losing access prematurely. The stolen data is then put up for sale or made publicly available if it is a matter of hacktivism or politics. For example, databases with password hashes are sold on shadow forums - passwords can be brute-forced and subsequently used for credential stuffing. This is a very popular attack technique, as users often use the same passwords on different resources. If one site "leaks", the accounts of other platforms are at risk.

In addition to data theft, a hacked website can be used as hosting. Malicious software is placed on compromised resources to be used later, for example, in phishing campaigns. Such activity is easier to hide from cybersecurity systems: it is one thing when a user downloads an unknown file from a known domain, and quite another when they access some random host.

What methods are used in modern attacks

As a result, as we can see from the statistics of cyberattacks on BI.ZONE WAF clients, more than half of the cases of malicious actions against web resources are related to attempts to exploit remote code/command execution (RCE) vulnerabilities. The reason for this popularity is that RCE allows you to quickly gain remote access to the server and establish full control over it with the possibility of almost any attacks.

According to our own honeypots, attackers are now using such web attack techniques as command injection, server-side template injection (SSTI), stacked queries SQL injections, remote file inclusion (RFI), local file inclusion (LFI), shell file uploading, code injection, XML external entity (XXE), insecure deserialization, cross-site scripting (XSS). All of them, except the last one, can create an RCE threat. Finally, attempts to exploit widely known CVEs remain relevant.

The popularity of these methods is directly related to the fact that many powerful EASM tools (external attack surface management) have appeared in public free access. They are designed for continuous penetration testing and essentially perform the tasks of a junior pentester, allowing you to fuzz and scan web applications and network ports, identify vulnerabilities and exploit them. The most popular utilities are Acunetix, NetSparker, Nessus, Nuclei, NMAP (with NSE scripts), Metasploit Pro, Exploit Pack Premium, Burp Suite Enterprise.

Now, for the successful implementation of attacks, it is enough for the attacker to "feed" the tool a list of targeted hosts and calmly go have tea while the utility itself determines and applies vulnerabilities. Many major cyberattacks of recent times — let's not specify which ones exactly — started precisely with banal credential stuffing or brute force.

Conclusion

In 2024, 87% of cyberattack cases are related not to ensuring unauthorized access, but to information: databases, confidential files, authorization data (email addresses, logins, passwords, full names), materials from corporate and government systems.

Even if some web application attack techniques remain relevant, the goals of attackers have fundamentally changed. Our research on activity in shadow forums shows that only 2 out of 10 offers are related to selling access via web shells. The rest are trying to make money on data that can later be used for phishing, credential stuffing, brute force, and similar attacks. And the sale of remote access for long-term retention on the web application server has lost its meaning.