Monday, May 18, 2009

How to compromise a secure website. (Gumblar)

After watching the recent trend of Gumblar and its method of exploitation, you really have to ask yourself "How the hell do you protect your customers from this?" Yes, their server is compromised, but did it occur through a web application vulnerability? Chances are the answer is "No". The majority of cases that I have seen from this recent trend were all exploited by obtaining the FTP user credentials from a webmaster through their compromised workstation loaded with malware.

Now, sitting back and thinking about this method of attack, you can identify a lot of benefits (from the attacker's point of view) to this type of exploitation.

1. You could technically compromise a completely secure web application and server. (Yeah, I know, I am being loose with the words "secure web application" here.)
2. For the most part, even if you remove the malicious links, you still need to track down the compromised workstation; otherwise there is a high probability of future compromise.
3. Once the infected workstation is detected, can you really do anything to secure it from this type of attack occurring again?
4. How long are these malicious URLs up on the website before a trend is found and flagged by a service such as Google Safe Browsing?

Sitting back and thinking about this, it is now a little easier for me to understand why an attacker with full FTP credentials to a website would only go as far as placing a small malicious link on their victim's pages. There is no full defacement and no attempt to discover sensitive information on the web server. From this you can easily see the motivation for this type of attack: MONEY!
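As an added example (not code from the original post), here is a small defender-side check for the injection pattern described above: it hashes each page against a known-clean baseline and, for pages that have changed, lists any `<script>` or `<iframe>` src pointing at a host outside an allowlist. The allowlist, file names, placeholder attacker domain and sample pages are all constructed for this example.

```python
import hashlib
import re

# Hosts the site legitimately loads scripts from (assumed allowlist, constructed).
ALLOWED_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# src= on <script> and <iframe> tags, case-insensitive, with or without quotes.
_REF_RE = re.compile(r'<(script|iframe)[^>]*?\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
_HOST_RE = re.compile(r'^(?:https?:)?//([^/:?#]+)', re.I)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def foreign_refs(html: str) -> list[str]:
    """Return external script/iframe URLs whose host is not on the allowlist."""
    found = []
    for _tag, url in _REF_RE.findall(html):
        m = _HOST_RE.match(url)
        if m and m.group(1).lower() not in ALLOWED_HOSTS:
            found.append(url)
    return found


def audit(pages: dict[str, bytes], baseline: dict[str, str]) -> dict[str, dict]:
    """Compare current page bytes with baseline hashes taken when the site was
    known-clean; report new or modified pages and any foreign references in them."""
    report = {}
    for path, body in pages.items():
        if baseline.get(path) == sha256(body):
            continue  # unchanged since baseline, nothing to inspect
        status = "modified" if path in baseline else "new"
        refs = foreign_refs(body.decode("utf-8", "replace"))
        report[path] = {"status": status, "foreign_refs": refs}
    return report


# Constructed sample: a clean baseline, then index.html gains one injected
# script tag pointing at an unknown host (placeholder domain, not a real IoC).
CLEAN_INDEX = (b"<html><head><script src='//cdn.example-site.test/app.js'></script>"
               b"</head><body>Hello</body></html>")
INJECTED_INDEX = CLEAN_INDEX.replace(
    b"</body>", b'<script src="http://attacker-placeholder.invalid/x.php"></script></body>')
BASELINE = {"index.html": sha256(CLEAN_INDEX), "about.html": sha256(b"<html>about</html>")}
CURRENT_PAGES = {"index.html": INJECTED_INDEX, "about.html": b"<html>about</html>"}

if __name__ == "__main__":
    for path, info in audit(CURRENT_PAGES, BASELINE).items():
        print(path, info["status"], info["foreign_refs"])
```

Run it against the real web root by loading each file's bytes into the `pages` dict and keeping the baseline hashes somewhere the FTP account cannot write to.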

I will just link to my last post, which contains best practices to assist with prevention and increase security: Here
