Alibaba Cloud Security releases situation awareness report warning for database hit attacks in 2015

This report focuses on the security problems faced by cloud computing users in the data center, including advanced continuous threats, targeted Web application attacks, system-oriented brute force cracking, and host malicious files.

At the same time, I shared my research and findings on internet Web security in 2015, focused on the analysis of the new threat-"credential stuffing" attack, and issued a credential stuffing attack warning.

 

New Web website intrusion means-"credential stuffing" favored by attackers

 

Overall, the internet Web security situation in 2015 is not optimistic. According to the report, Web application attacks are on the rise, with the number of attacks exceeding 8 billion in the year. Statistics by quarter, from less than 0.6 billion times/month in the first quarter to more than 0.8 billion times/month in the fourth quarter. On the Double 11, Web application attacks reached the peak of 80 million times/day in the year.

Figure 1 Web application attack trend

 

Specifically, the Alibaba Cloud Security team analyzed a large amount of attack data and cases and found that a new Web website intrusion method, "credential stuffing", was gradually favored by attackers, it deserves the attention and prevention of cloud computing users.

Library hit attacks are commonly called "social engineering database" (containing hundreds of millions of user names and logon passwords) on the internet. Hackers constantly attempt to log on to the logon interface of website users, once the matching is successful, you can access the user system. Although it looks like a lottery ticket on the surface, the success rate is substantially higher than that of traditional brute-force cracking attacks with the continuous improvement of the scale and precision of the social engineering database.

Currently, the number of database hit events monitored by Alibaba Cloud security system reaches thousands per day. On average, each attack event includes thousands of database hit login requests. In these events, there are still several 100,000 pairs after account and password combinations are de-duplicated, which shows that attackers already have a complete and huge social engineering database.

 

The financial and gaming industries are the hardest hit by hacker attacks

In the past year, the top three industries that frequently experience credential stuffing attacks are finance (19.68%), community forums (16.03%), and games (13.87% ), almost half of all attacks were followed by audio and video entertainment, education, news, advertising, tourism and other industries.

Figure 2 Distribution of credential stuffing websites

 

Alibaba Cloud security experts predict that with the booming Internet finance in 2016, financial websites may still be the primary target of hackers. As a result, credential stuffing attacks on financial websites will increase and the risk situation will increase.

 

Ignore situation awareness alerts when a customer suffers a database hit attack

At the end of 2015, the Alibaba Cloud Security team received help from users. A large number of user accounts on its website were maliciously logged in, and some of the user account vouchers and balances were consumed by hackers.

Security experts immediately cooperated with the customer for security response. In the Alibaba Cloud Security Situation Awareness system, they found that they had detected a database hit attack from hackers, with millions of requests. The customer believes that the login page has added a verification code challenge to defend against automatic script login by hackers, ignoring the possibility of database hit attacks, this allows you to ignore alerts from situation awareness.

After further in-depth investigation, hackers hold millions of user accounts and plaintext and password databases, which are related to data leakage of a previous Portal.

At the same time, hackers purchased a large number of proxy servers, bypassing the website's restrictions on the number of logins and risk control policies. As a result, in the view of website administrators, it is difficult to detect exceptions when different users log on. The most critical point is that hackers use the CAPTCHA human bypass platform, which provides artificial or intelligent verification code recognition technology. Hackers only need to pay a certain fee to crack the verification code efficiently.

 

 

Figure 3 Database hit attack process sorted out by security experts

 

Ye Min's explanation: how to better defend against hacker credential stuffing attacks

Ye Min, leader of Alibaba Cloud Security's defense team, believes that "Database hit attacks are simple on the surface, but hackers rely on high-efficiency scanning software (software for automated login attempts ), you can use dozens of account and password combinations every second to try to log on. You can try nearly 0.1 million account and password combinations within one hour. The potential risk is still quite high"

Compared with traditional brute-force cracking attacks, the username and password used for credential stuffing are a combination that has been used by others and is highly likely to be used again. Compared with another brute-force cracking attack that uses similar attack methods, the account and password combination of the database hit attack is more accurate than the brute-force cracking dictionary, therefore, attacks are much more efficient and effective than brute-force cracking."

In fact, the "credential stuffing" attack is only one of the representatives of many new security threats in the context of the ever-changing Internet and cloud computing security development. For the defense of such attacks, the attacking party has made great strides in terms of both the richness of the means, the openness of the attack source, and the improvement (automation) of the attack efficiency, traditional feature-based blocking and defense strategies are no longer suitable, and data-driven security has become a consensus, threats can be viewed and handled only when large-scale security data is effectively mined, associated, and analyzed.

From the user's standpoint, whether it is machine learning to automatically detect abnormal behaviors, or big data technology to improve scalability, flexibility, and processing performance, these "advanced" means aim to reduce the cost of processing complicated data sources, rules, and events and benefit the IT operation department.