
Basic Web Application Attacks

Basic Web Application Attacks in 2023

Basic Web Application Attacks (BWAA) primarily target an organization's most vulnerable infrastructure, such as Web servers. These incidents use one of two entry points: stolen credentials or the exploitation of a vulnerability. Attacks in this category have two parts. The first is the method of accessing the server, such as using stolen credentials, exploiting vulnerabilities, or brute-forcing passwords. The second is the specific payload, such as a backdoor, used to maintain persistence or monetize access.

More than 80% of breaches in this category are due to stolen credentials. Figure 55 highlights the broader trends between utilizing stolen credentials and exploiting vulnerabilities. Since 2017, there has been an increase of nearly 30% in stolen credentials, establishing it as one of the most reliable methods for accessing an organization over the past four years.

The majority of Web application incidents involve the use of stolen credentials. There are also other methods, such as Backdoors (useful once a foothold is established), Remote injection (used to introduce malware after a vulnerability is exploited), and Desktop sharing software.

Web application server attacks are highly prevalent, as are attacks on Mail servers, which accounted for less than 20% of total breaches in this category. Among these Mail servers, 80% were breached using stolen credentials, and 30% were compromised through some form of exploit. Although 30% might not appear to be a very high figure, the use of exploits to target mail servers has surged significantly since last year, when it made up just 3% of the breaches.

It would be understandable to think that such attacks are primarily carried out by opportunistic criminals scanning the internet for vulnerable credentials. However, it appears that nation-state actors are also exploiting this cost-effective, high-reward strategy, with over 20% of our BWAA breaches linked to espionage. When the front door has a weak lock, there's no need to create a complex polymorphic backdoor with a rapidly changing network of C2 servers.
