Hackers Exploit Vulnerabilities and Blackmail Companies


Belgian credit provider Elantis is facing a blackmail situation from hackers who threaten to publish confidential customer data online if the company does not pay $197,000 before Friday, May 4.[1] The hackers are calling this threat an "idiot tax" because Elantis left confidential customer data unprotected on a Web server.

This threat reinforces the Websense warning that I mentioned last week (see Preparing for Multi-Staged Attacks). Current server attacks are dynamic: they search out server vulnerabilities and then seek to exploit them. Elantis has been exposed with a gaping vulnerability, and even if the situation is resolved, the company’s reputation has still been damaged.

Companies face the daily challenge of targeted attacks that seek to exploit specific vulnerabilities within the network. CSO Online offers 10 web application logic flaws that hackers love to exploit. As you consider your company’s network security and potential vulnerabilities, it is worth reviewing these commonly exploited weaknesses.

Prior to a system’s release, engineers need to analyze and test the system, seeking to detect weak authentication or access-policy failures. Systems should routinely be tested for authentication bypass and privilege escalation vulnerabilities. At the same time, businesses need to use dynamic and evolving testing models that can adapt to the ongoing evolution of application attacks.

1. Authentication flags and privilege escalation
Hackers like to exploit authorization vulnerabilities within applications.

2. Critical parameter manipulation and access to unauthorized information/content
A direct attack on authentication or authorization systems may involve manipulation of values within Web forms or in the parameters posted to the server. Tests involve identifying easy-to-guess values and checking whether changing parameter values lets users gain unauthorized access. Another key point is not to expose authentication state in URLs or client-side scripts.

3. Developer’s cookie tampering and business process/logic bypass
Hackers may attempt to reverse engineer cookies and impersonate a valid user. All session and cookie data should be sent over an encrypted channel.
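Items 2 and 3 above both come down to the same defensive rule: never let a client-supplied parameter or an editable cookie decide authorization. The following example is added here and is not code from the original post or from CSO Online; it shows an HMAC-signed session cookie whose role field cannot be altered without the server key, and an account lookup that checks ownership server-side instead of trusting the requested account id. The secret key, account records and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side secret; in practice this comes from a secret store.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def issue_session(user_id: str, role: str) -> str:
    """Create an HMAC-signed session value. The payload is readable but not
    forgeable: altering 'role' or 'uid' invalidates the signature."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"uid": user_id, "role": role}).encode()).decode()
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def read_session(cookie: str) -> Optional[dict]:
    """Return the session payload only if the signature verifies."""
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed data store: which user owns each account.
ACCOUNTS = {"1001": {"owner": "alice", "balance": 120.0},
            "1002": {"owner": "bob", "balance": 75.5}}


def get_account(cookie: str, account_id: str) -> Optional[dict]:
    """Authorization is decided from the verified session, never from a
    client-supplied 'role' or 'user' parameter; a guessed account_id that the
    caller does not own is refused."""
    session = read_session(cookie)
    acct = ACCOUNTS.get(account_id)
    if session is None or acct is None:
        return None
    if session["role"] != "admin" and acct["owner"] != session["uid"]:
        return None
    return acct


def tampered_cookie(cookie: str, new_role: str) -> str:
    """Test helper: edit the readable payload without the key, as a client
    could, to confirm the server rejects it."""
    payload, sig = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload))
    data["role"] = new_role
    forged = base64.urlsafe_b64encode(json.dumps(data).encode()).decode()
    return f"{forged}.{sig}"
```

Sending the cookie only over TLS with the Secure and HttpOnly flags set completes the picture; the signature protects integrity, not confidentiality.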

4. LDAP parameter identification and critical infrastructure access
An attacker may alter the LDAP statement, causing a process to run with the same permissions as the component that executes the command. If the application fails to properly validate input, this LDAP injection lets the attacker issue arbitrary commands, such as granting permissions. This attack succeeds when the logic fails to properly sanitize user input on the server side.
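The server-side sanitization this item calls for has a well-defined form for LDAP search filters: RFC 4515 escaping of the characters that carry filter syntax. The example below is added here and is not code from the original post; it places the raw-concatenation pattern beside a builder that first restricts the username to an expected alphabet and then escapes whatever remains, so untrusted text can only ever be a literal value. The filter shape and function names are assumptions for illustration.

```python
import re

# RFC 4515 escape sequences for characters that have meaning in a filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00",
}

# Allow-list for usernames; anything else is rejected before escaping.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_ldap_filter_value(value: str) -> str:
    """Escape an untrusted string so it can only be a literal assertion value."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_login_filter(username: str) -> str:
    """The flawed pattern: user input concatenated straight into the filter,
    so filter characters in the input change the query's structure."""
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter(username: str, enforce_allow_list: bool = True) -> str:
    """Two layers: reject input outside the expected alphabet, then escape.
    The allow-list can be switched off to show that escaping alone still
    keeps the filter structure fixed."""
    if enforce_allow_list and not _USERNAME_RE.match(username):
        raise ValueError("username contains characters outside the allowed set")
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def structural_paren_count(filter_text: str) -> int:
    """Count parentheses that are part of the filter grammar, i.e. not
    produced by escaping. A fixed template always yields the same number."""
    return filter_text.count("(") + filter_text.count(")")
```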

5. Business constraint exploitation
If the business logic of an application is poorly designed, an attacker may be able to crawl through its rules and constraints. Hidden parameters and values must be tested by checking business-specific calls that can become a target and be manipulated.

6. Business flow bypass
An attacker may bypass application flow, seeking to identify critical backend data.

7. Exploiting client-side business routines embedded in JavaScript, Flash or Silverlight
Attackers may seek to reverse engineer the logic in these client-side business applications, looking for the logic behind cryptographic algorithms, credential storage, privilege management and other security functions.

8. Identity or profile extraction
Attackers may seek to identify token parameters in poorly designed and developed applications, opening up the potential for abuse and system-wide exploitation.

9. File or unauthorized URL access and business information extraction
If a business application that supports file export functionality is poorly designed, it may allow unauthorized access to exported data, which attackers may seek to exploit.

10. Denial of service (DoS) with business logic
Exploiting denial-of-service vulnerabilities within business applications is a common and serious attack that can stop an application by abusing loopholes in its logic.

[1] Loek Essers. “Hackers blackmail Belgian bank with threats to publish customer data.” CSO Online, May 3, 2012. http://www.csoonline.com/article/705601/hackers-blackmail-belgian-bank-with-threats-to-publish-customer-data?source=rss_data_protection


Source: https://integracon.wordpress.com/2012/05/03/hackers-exploit-vulnerabilities-and-blackmail-companies/
