2 posts from December 2013
December 18, 2013
 Website Traffic is Tipping in Favor of Automated Clients

Incapsula, Imperva’s subsidiary focused on cloud-based application security, just released its annual Bot Traffic Report for 2013. The report analyzed 1.45 billion visits over a 90-day period and concluded that automated web traffic is on the rise: traffic from bots now makes up as much as 61.5% of all website traffic, an increase of 21% over last year’s report. This automated traffic includes good bots such as search engines as well as malicious traffic like site scrapers, hacking tools, comment spammers and other homegrown bots.

One potential contributing factor is the continued proliferation of web services. New online services are being created at a record pace, bringing with them new bots scouring the internet for information. As these bots crawl the internet, they bring with them bandwidth consumption and service degradation.


Another possible explanation is that botnet creators are developing new tools and recruiting new bots through increasingly ingenious social engineering tactics. Brian Krebs of Krebs on Security released a blog post this morning dissecting a new malicious Firefox plugin that infects PCs, automatically probes any website visited with the infected browser for SQL injection vulnerabilities, and then reports the results back to the botnet’s control center. As of the time of writing, this botnet had already infected more than 12,500 systems, illustrating how easy it is for today’s botnet farmers to assemble powerful networks of infected computers.

With web services increasingly woven into the fabric of our online lives, and botnets growing in size and sophistication, this trend toward automated web traffic is unlikely to abate in the near future.
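The two observations above, that most traffic is now automated and that infected browsers probe every site they visit for SQL injection, both show up in a plain web access log. The script below is an added example written for this post, not code from Incapsula, Imperva or the Bot Traffic Report; it parses a few constructed Combined Log Format lines, splits them into self-declared search-engine crawlers, requests carrying SQL-injection probe patterns, other automated clients and likely human visitors, and reports the automated share and the client addresses that were probing. The crawler tokens and probe patterns are deliberately small illustrative lists, and a user-agent claim alone is never proof: the comment at the classification step marks where a reverse-DNS check would belong.

```python
"""Classify web access-log lines into human, crawler, probe and other-bot traffic."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Combined Log Format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Publicly documented, self-identifying crawler tokens (illustrative subset).
KNOWN_BOT_TOKENS = ("Googlebot", "bingbot", "Baiduspider", "YandexBot", "DuckDuckBot")

# Query-string fragments typical of automated SQL-injection probing (after URL decoding).
SQLI_PROBE_RE = re.compile(r"'\s*(or|and)\s+|union\s+select|sleep\s*\(|--\s*$|/\*", re.I)

# Generic HTTP libraries and tools that rarely belong to a human browsing session.
GENERIC_TOOL_RE = re.compile(r"\b(bot|spider|crawler|python-requests|curl|wget)\b", re.I)


def classify(entry):
    """Return one of: known_bot, probe, other_bot, human."""
    ua = entry["ua"]
    if any(tok in ua for tok in KNOWN_BOT_TOKENS):
        # Self-declared crawler. Before trusting the claim, verify the source IP with a
        # reverse-DNS/forward-DNS round trip (omitted here: it needs network access).
        return "known_bot"
    if SQLI_PROBE_RE.search(unquote(entry["path"])):
        return "probe"
    if not ua or ua == "-" or GENERIC_TOOL_RE.search(ua):
        return "other_bot"
    return "human"


def summarize(log_text):
    """Count each category, compute the automated share and list probing client IPs."""
    counts = Counter()
    probing_ips = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        entry = m.groupdict()
        category = classify(entry)
        counts[category] += 1
        if category == "probe":
            probing_ips[entry["ip"]] += 1
    total = sum(counts.values())
    automated = counts["known_bot"] + counts["other_bot"] + counts["probe"]
    return {
        "counts": dict(counts),
        "automated_share": automated / total if total else 0.0,
        "probing_ips": dict(probing_ips),
    }


# Constructed sample log (documentation address ranges, fictitious paths and agents).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Dec/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"
203.0.113.10 - - [18/Dec/2013:10:00:03 +0000] "GET /products HTTP/1.1" 200 8120 "http://shop.example/" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"
203.0.113.20 - - [18/Dec/2013:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.20 - - [18/Dec/2013:10:00:06 +0000] "GET /products HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [18/Dec/2013:10:00:09 +0000] "GET /item?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 500 230 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"
198.51.100.7 - - [18/Dec/2013:10:00:10 +0000] "GET /item?id=1%20UNION%20SELECT%201 HTTP/1.1" 500 230 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"
192.0.2.44 - - [18/Dec/2013:10:00:12 +0000] "GET /products HTTP/1.1" 200 8120 "-" "python-requests/2.0"
192.0.2.44 - - [18/Dec/2013:10:00:13 +0000] "GET /products?page=2 HTTP/1.1" 200 8120 "-" "python-requests/2.0"
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["counts"])
    print(f"automated share: {report['automated_share']:.0%}")
    print("probing clients:", report["probing_ips"])
```

On the constructed sample the automated share comes out at 75%, higher than the report's 61.5%, which is simply a property of the eight invented lines. The useful output for a defender is the `probing_ips` map: a single client sending several SQL-shaped query strings in a few seconds is the footprint of an infected browser like the one Krebs describes, and is a better trigger for a block or a WAF rule than any user-agent string.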


December 11, 2013
 HII: Assessing the threat landscape of DBaaS

Over the past few years we’ve seen an ever-growing tide of data breaches, with reports of new breaches coming out almost every day. Having said that, there are still very few published details on how actual data exfiltration happens. This is mainly due to the fact that organizations that have been breached are hesitant to share information beyond what they are obligated to share by law.

As a result, while there is quite a lot of information on how endpoints become infected and on what the Command and Control (C&C) communication looks like (IP reputation, etc.), there is almost none on what the threat looks like from the enterprise data center’s point of view. There are lots of discussions about the need to share information, and for good reason. Unfortunately, these discussions have not necessarily translated into actual sharing.

This lack of insight greatly hampers the ability to develop effective security measures. Statistics are always open to interpretation, and because the security industry is left to rely on statistical analysis, security strategies are often left with a gaping hole.

To fill that void, we constantly conduct research to understand the properties of potential threats to data centers. Our Hacker Intelligence Initiative report, “Assessing the Threat Landscape of DBaaS”, is the latest result of this research initiative.

What does DBaaS have to do with it?

Data centers are no longer confined to the enterprise perimeter. More and more enterprises take their data to the cloud, but forget to adjust their risk management practices when doing so. The recent MongoHQ breach is just one example of this type of oversight.

While we didn’t find malware that directly attacked a database, our research did find and analyze malware with a module able to connect to Microsoft SQL Server (MSSQL). Moreover, the research found that this malware used that module to connect automatically to a hosted MSSQL cloud service for both C&C and data exfiltration purposes.

As an interesting side note, we also stumbled upon a cool sample after the writing of this report: malware that brought its own MySQL client DLL to the infected machine. This supports our assessment of growing trends in data center security threats.

What’s in the Report?

The report shows how attackers took advantage of hosted database services in order to set up their own C&C and drop servers. These servers led us to some interesting insights about the advantages of using “malicious” hosted data stores, and about the risks they present to legitimate users. For example, enterprises need to re-assess the severity of database vulnerabilities in a hosted environment.

Analyzing the attackers’ data store also revealed interesting points, for example the targeting of business platforms. In conclusion, we predicted what we believe are growing trends in the data-store threat landscape.
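The malware described above did not attack a database; it used a hosted one as its C&C channel and drop server, so from the data center the only visible sign is an endpoint opening database connections to an address outside the enterprise. The script below is an added example written for this post, not code from the HII report or from Imperva; it reads a few constructed flow records of the form `timestamp src_ip dst_ip dst_port bytes_out`, keeps only flows from internal (RFC 1918, an assumption) addresses to external hosts on well-known database ports, drops destinations on a constructed allow-list of sanctioned DBaaS endpoints, and aggregates the rest per source/destination pair so that repeated small connections (a C&C pattern) and large uploads (an exfiltration pattern) can both be seen.

```python
"""Flag outbound connections from internal endpoints to Internet-hosted database services."""
import ipaddress
from collections import defaultdict

# Default listening ports of common database engines.
DB_PORTS = {1433: "mssql", 3306: "mysql", 5432: "postgresql", 27017: "mongodb"}

# Internal address space. Assumed RFC 1918 here; adjust to the real environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hosted database endpoints the business has actually sanctioned (constructed placeholder).
SANCTIONED_DB_HOSTS = {"203.0.113.50"}

# A single pair uploading this much to an unsanctioned external database is rated high.
BULK_UPLOAD_BYTES = 1024 * 1024


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src_ip> <dst_ip> <dst_port> <bytes_out>'."""
    ts, src, dst, dport, bytes_out = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes_out": int(bytes_out)}


def find_suspicious_db_flows(flow_text):
    """Return per (src, dst, port) alerts for internal -> external database traffic."""
    pairs = defaultdict(lambda: {"flows": 0, "bytes_out": 0})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        service = DB_PORTS.get(flow["dport"])
        if service is None:                     # not a database port
            continue
        if not is_internal(flow["src"]):        # only endpoints we are responsible for
            continue
        if is_internal(flow["dst"]):            # on-premises database, expected traffic
            continue
        if flow["dst"] in SANCTIONED_DB_HOSTS:  # approved DBaaS provider
            continue
        key = (flow["src"], flow["dst"], flow["dport"])
        pairs[key]["flows"] += 1
        pairs[key]["bytes_out"] += flow["bytes_out"]

    alerts = []
    for (src, dst, dport), agg in pairs.items():
        alerts.append({
            "src": src,
            "dst": dst,
            "service": DB_PORTS[dport],
            "flows": agg["flows"],
            "bytes_out": agg["bytes_out"],
            # Bulk upload suggests exfiltration; many small flows suggest a C&C channel.
            "severity": "high" if agg["bytes_out"] >= BULK_UPLOAD_BYTES else "medium",
        })
    alerts.sort(key=lambda a: a["bytes_out"], reverse=True)
    return alerts


# Constructed sample flows (documentation address ranges). In order: a sanctioned DBaaS
# endpoint, two flows to an unknown external MSSQL host (the second a large upload),
# ordinary HTTPS, an internal MySQL server, and an unknown external MongoDB host.
SAMPLE_FLOWS = """\
2013-12-11T09:00:00Z 10.1.2.15 203.0.113.50 1433 4096
2013-12-11T09:05:10Z 10.1.2.15 198.51.100.23 1433 512
2013-12-11T09:10:11Z 10.1.2.15 198.51.100.23 1433 1048576
2013-12-11T09:12:00Z 10.1.2.15 203.0.113.80 443 20480
2013-12-11T09:15:00Z 10.1.3.7 192.168.5.20 3306 2048
2013-12-11T09:20:00Z 10.1.3.7 198.51.100.99 27017 8192
"""

if __name__ == "__main__":
    for alert in find_suspicious_db_flows(SAMPLE_FLOWS):
        print(alert)
```

The allow-list is the part that needs real work in an actual deployment: the point of the report is that hosted database services are legitimate infrastructure, so the rule cannot simply block database ports at the egress. It has to know which providers the business uses, and anything else talking MSSQL or MongoDB to the Internet from a workstation subnet deserves a look.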

Where can I learn more?

  1. Our Hacker Intelligence Initiative (HII) report can be found here
  2. The blog post on the MongoHQ breach, here
  3. A Forbes article looking into the DBaaS trend, here
  4. An Oracle user group research report covering what users are really doing about audit and security problems, here


