Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers
Vulnerability Overview On August 25, 2021 a security advisory was released for a vulnerability identified in Confluence Server titled “CVE-2021-26084: Atlassian Confluence OGNL Injection”. The vulnerability allows an unauthenticated attacker to perform remote command execution by taking advantage...
CVE-2017-9791: Analysis of RCE in the Struts Showcase App in Struts 1 Plugin
On July 7th, a new security vulnerability was published in Apache Struts 2: CVE-2017-9791 (S2-048). Struts 2.3.x users with the Struts 1 plugin, which includes the Showcase app, are vulnerable. Once again, this vulnerability enables Remote Code Execution (RCE), which is the most commonly exploited Apac...
Deserialization Attacks Surge Motivated by Illegal Crypto-mining
Imperva’s research group is constantly monitoring new web application vulnerabilities. In doing so, we’ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year. Our analysis shows that, in the past three months, the number of deserialization...
Microsoft Exchange Server Vulnerabilities CVE-2022-41040 and CVE-2022-41082
On September 29, Microsoft security researchers announced two new zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, affecting Microsoft Exchange Server. The vulnerabilities allow remote code execution (RCE) when used in tandem. It is important to note that both require authenticated acces...
CVE-2017-9805: Analysis of Apache Struts RCE Vulnerability in REST Plugin
Just two months ago we published an analysis of a critical remote code execution (RCE) security vulnerability in Apache Struts. Now Apache Struts has published a new version fixing yet another critical RCE vulnerability (September 5, 2017). CVE-2017-9805 is a vulnerability in Apache Struts related to...
Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF
On June 18, 2020, the Australian Cyber Security Centre (ACSC) released a disclosure detailing a ‘sophisticated’ and sustained attack against Australian government bodies and companies. The disclosure was covered by several mainstream media outlets, including the BBC and the Guardian. The following...
The State of Web Application Vulnerabilities in 2017
As a web application firewall provider, part of our job at Imperva is constantly monitoring new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrate...
The Resurrection of PHPUnit RCE Vulnerability
Once a software patch is released, we tend to believe it means “problem solved”. Most of the time, however, this is not actually the case. Fully solving the problem requires all developers to grab the latest patch version and deploy it in their environment. Since upgrading isn’t an especially...
Read: Apache Struts Patches ‘Critical Vulnerability’ CVE-2018-11776
On August 22, Apache Struts released a security patch fixing a critical remote code execution vulnerability. This vulnerability has been assigned CVE-2018-11776 (S2-057) and affects Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. The vulnerability was responsibly disclosed by Man Yue Mo fro...
Drupalgeddon 2.0: Are Hackers Slacking Off?
Ever since March 28th, when Drupal published a patch for an RCE named Drupalgeddon 2.0 (SA-CORE-2018-002/CVE-2018-7600), Imperva has been monitoring our cloud looking for hackers’ attempts to exploit the vulnerability, but found nothing. Until today. It somehow seems fitting that nefarious activity...
RedisWannaMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits
Recently, cryptojacking attacks have been spreading like wildfire. At Imperva we have witnessed it firsthand and even concluded that these attacks account for roughly 90% of all remote code execution attacks in web applications. Having said that, all of the attacks we have seen so far were somewhat...
The World’s Most Popular Coding Language Happens to be Most Hackers’ Weapon of Choice
Python will soon be the world’s most prevalent coding language. That’s quite a statement, but if you look at its simplicity, flexibility and the relative ease with which folks pick it up, it’s not hard to see why The Economist recently touted it as the soon-to-be most used language, globally...
The State of Vulnerabilities in 2019
As a web application firewall provider, part of our job at Imperva is to continually monitor for new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more,...
Imperva’s Top 10 Blogs of 2017
I recently took a step back to review all the content we shared in 2017 on the Imperva blog. We covered a broad range of topics including data security, cloud migration, application and API security, AI and machine learning, cybersecurity research, GDPR, insider threats and more. We were busy!...
Bug hunting for a quick buck using WebLogic vulnerability (CVE-2020-14882)
Introduction Popular within the commercial sphere, Oracle WebLogic Server is a scalable enterprise Java platform application server for Java-based web applications. When a vulnerability is discovered in WebLogic, hackers will try to exploit it ASAP. And it’s not only hackers - bug hunters also wa...
New DDoS Attack Method Demands a Fresh Approach to Amplification Assault Mitigation
Amplification attack vectors are some of the most commonly used tools in the DDoS attacker’s arsenal. In the last quarter of 2017, we saw NTP amplification employed in roughly 33 percent of all DDoS assaults against our customers, while DNS and SSDP amplification vectors played a part in 17 perce...
Keeping Your WAF Relevant: Emergency Feed Pushes New Mitigations in Just Hours
We previously reported that the overall number of new web application vulnerabilities in 2017 showed a 212% increase from 2016’s 6,615 to a whopping 14,082. This spike was due, in part, to high-profile vulnerabilities like Heartbleed, Shellshock, POODLE, Apache Struts 2 and more recently, Meltdow...
Tracking CVE-2019-11043 PHP Vulnerability – An Uncommon Chain of Events
On October 22, security researcher Omar Ganiev published a tweet regarding a remote code execution vulnerability in PHP-FPM (the FastCGI Process Manager) running on the Nginx server. The tweet includes a link to a GitHub repository with an explanation of the vulnerability and a PoC (proof-of-concept) f...
Imperva Mitigates Exploits of Citrix Vulnerability – Right Out of the Box
On December 17, Citrix issued a Security Bulletin on an unauthenticated remote code execution vulnerability (CVE-2019-19781) affecting its Citrix Application Delivery Controller (ADC) - formerly known as NetScaler ADC - and its Citrix Gateway - formerly known as NetScaler Gateway. At the time of the...
Clustering App Attacks with Machine Learning Part 3: Algorithm Results
In the previous blog posts in this series, we discussed the motivation for clustering attacks and the data used and how to calculate the distance between two attacks using different methods on each feature we extracted. In this final blog post, we’ll discuss the clustering algorithm itself – how ...
The State of Web Application Vulnerabilities in 2018
Jan. 12 update: Due to a data transfer error, some of the 2017 figures were incorrectly reported; this version of the blog has been corrected. This error did not affect our 2018 statistics, nor our conclusions. As a web application firewall provider, part of our job at Imperva is to continually...
CVE-2023-26360 – Adobe ColdFusion Arbitrary Code Execution
On March 14, 2023, Adobe released a security advisory affecting Adobe ColdFusion versions 2021 and 2018. The vulnerability was categorized as improper access control, potentially resulting in arbitrary code execution. The exploitation of this issue does not require user interaction. No PoC has be...
Apache Struts, RCE and Managing App Risk
People used to argue about whether cyber security is a business problem or a technical problem. But this frames the issue poorly. “Problem” and “solution” imply that there is a definitive “solve.” Cybercrime isn’t a technical problem that can be definitively solved. It is an inherent business ris...
Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures
Introduction On 2 March 2021, Microsoft and Volexity produced disclosures outlining the discovery of four zero-day vulnerabilities affecting multiple versions of Microsoft Exchange Server. Each of the vulnerabilities has been attributed a severity rating from high to critical; however, the most...
How Imperva’s New Attack Crowdsourcing Secures Your Business’s Applications
Attacks on applications can be divided into two types: targeted attacks and “spray and pray” attacks. Targeted attacks require planning and usually include a reconnaissance phase, where attackers learn all they can about the target organization’s IT stack and application layers. Targeted...
Personalized Customer Support that Garners a Personalized Thank You
In my two-plus years as a Technical Support Engineer at Imperva, I’ve handled a wide variety of customer cases. And I’ve had the satisfaction of helping resolve them quickly and successfully. But never before have I received a handwritten thank you note from an effusive customer. Let me start at...
CrimeOps of the KashmirBlack Botnet – Part II
Introduction The previous blog - “CrimeOps of the KashmirBlack Botnet - Part I” - described the DevOps behind the botnet. It showed how its well-designed infrastructure makes it easy to expand and add new exploits or payloads without much effort, and explained the evolution and version deployment o...
How Reputation Intelligence Improves Application Security
Reputation intelligence is information about cyber entities known for specific activity, whether malicious or benign, which can be fed to and actioned on by a web application firewall (WAF). It provides an additional application security layer by effectively identifying and blocking threats from...
SQL Injection Attacks: So Old, but Still So Relevant. Here’s Why (Charts)
We’re living in the Golden Age of data. Some companies analyze it to better themselves, others trade it for profit, none give it up freely due to its value — for their business, and for criminals, as well. SQL (Structured Query Language) is an extremely popular way to communicate with databases...
Imperva Protects from New Spring Framework Zero-Day Vulnerabilities
New zero-day Remote Code Execution (RCE) vulnerabilities were discovered in Spring Framework, an application development framework and inversion of control container for the Java platform. The vulnerability potentially leaves millions of applications at risk of compromise. In two separate...
Simple Trend and Anomaly Detection with SQL
Introduction Have you ever wondered if you can detect highlights based on your data using only your database engine? Well, the answer is yes. Simple trend detection and anomaly detection can be done with SQL. In fact, in many cases it may be enough for your needs, and save you the trouble of usin...
5 Ways Your Software Supply Chain is Out to Get You, Part 2: Exploit Third Party Applications
In Part 1 of this series, we explained how and why our software supply chain transfers an extraordinary amount of risk downstream to the organizations and users that trust and depend on it. We also presented evidence suggesting that 2021 may well be the year of the Software Supply Chain attack...
Attacks Spike Following The Disclosure Of CVE-2021-22986: F5 Networks BIG-IP iControl Remote Command Execution Vulnerability
On March 10th, F5 published a security advisory containing twenty-one CVEs; the most critical one, CVE-2021-22986, can be exploited for unauthenticated remote code execution attacks. In the past week, several security researchers have reverse engineered the Java software patch published by BIG-IP an...
Python Cryptominer Botnet Quickly Adopts Latest Vulnerabilities
Over the last few days, Imperva researchers have monitored the emergence of a new botnet, one whose primary activity is performing different DDoS attacks and mining cryptocurrency. It also acts as a worm trying to extend its reach by scanning specific subnets and ports and using different remote...
Five Tips for Getting Started with Scuba Database Vulnerability Scanner
Scuba is a free tool that scans leading enterprise databases for security vulnerabilities and configuration flaws, including patch levels, and allows you to uncover potential database security risks. It includes more than 2,300 assessment tests for Oracle, Microsoft SQL Server, SAP Sybase, IBM D...
What to do when your business has been hacked
You might be here because the unthinkable has happened, so let’s get straight into this, step by step: Immediate containment. Inform stakeholders. Inform law enforcement. Implement your disaster recovery plan. Analyze and future-proof. Early warning signs may be unusual user-account behavior, slow...
CVE-2018-6389 WordPress Parameter Resource Consumption Remote DoS
Yesterday (Monday, February 5, 2018), a zero-day vulnerability in WordPress core was disclosed, which allows an attacker to perform a denial of service (DoS) attack against a vulnerable application. The vulnerability exists in the modules used to load JS and CSS files. These modules were designed to...
Logging: A Deep Dive
Our RASP product At Imperva our team builds a product called RASP, which stands for Runtime Application Self Protection. As indicated by the name, it is a security product which plugs directly into the runtime of an application in order to provide a similar and complementary set of capabilities as...
Bad bot activity on sports betting websites rises during Euro 2020
Across Europe, the EURO 2020 tournament captivated fans over the past month, with Italy ultimately defeating England to take home the cup on July 11. As fans eagerly watched the matches, Imperva Research Labs was busy monitoring activity that wasn’t happening on the playing field -- but across a...
5 Ways Your Software Supply Chain is Out to Get You, Part 4: Dependency Confusion
Previously, we discussed how three kinds of supply chain attack methods, Vendor Compromise, Exploit Third Party Applications, and Exploit Open Source Libraries are threatening software supply chains, passing risk downstream to the organizations and users that trust and depend on them. In this...
Five Common Myths about Ransom DoS Attacks
Did you know that 86% of organizations surveyed in CyberEdge’s Cyberthreat Defense Report this year were compromised by cyberattacks? Since the first known incident in 1989, ransom DoS attacks have become increasingly sophisticated over time. If you are not well versed on the potential threats th...
Data Privacy – Now’s the Time for the US to Catch Up
The recent Netflix documentary, The Social Dilemma, may have highlighted to many Americans just what happens to the wealth of personal information they regularly - and willingly - share online. It may be especially concerning, then, to know that companies in the United States aren’t required by...
Two New Account Frauds You Should Be Investigating
Account Takeover is a type of identity theft where a bad actor gains unauthorized access to an account belonging to someone else. It is also known as brute force login, dictionary attack, credential stuffing, or credential cracking. If successful, the aftermath entails many unpleasant implications for...
Know your enemy! The four types of cyber attackers trying to breach your security today
As business needs compel organizations to manage an ever-increasing number of database types, both on-premise and in the cloud, the threat surface has also become larger and far more difficult to manage effectively. The bad actors out there know this, too. They are constantly probing, testing, an...
2021 in Review, Part 2: 5 Top Cybersecurity Stories
Ransomware may have dominated headlines in 2021, but it’s only one of many threats security teams must protect against. We’re taking a look back at 5 top cybersecurity stories of 2021 that practitioners wanted to learn more about. 5. The State of Security in eCommerce Why you should learn more...
The 3 Biggest DDoS Attacks Imperva Has Mitigated
Imperva has just released the DDoS Threat Landscape Report Q1 2022. Download it now to familiarize yourself with new threats and get detailed information about current DDoS attack patterns and their potential impact on your business. So far, 2022 has been a brutal year for DDoS attacks and we see...
Why adopt a data-centric solution for data privacy?
Enterprises understand the importance of having access to their consumers’ personal information. This data enables them to more easily build personal relationships with their audiences, using what they know about that audience to provide tailored experiences and recommendations. The internet has...
5 Ways Your Software Supply Chain is Out to Get You, Part 5: Hostile Takeover
We have come to the fifth and last part of this blog series on software supply chain attacks. Previously, we discussed four notorious supply chain attack methods, Vendor Compromise, Exploit Third Party Applications, Exploit Open Source Libraries, and Dependency Confusion and provided insight into...
Log4Shell log4j Remote Code Execution – The COVID of the Internet
The Log4Shell zero-day vulnerability is truly one of the most significant security threats of the past decade, and its effects will be felt far into 2022 and beyond. Imperva has observed over 102M exploitation attempts across thousands of sites protected by Imperva Cloud Web Application Firewall...
Security for Amazon Redshift
We’ll show you how to set up basic monitoring of AWS Redshift using its native security features, including how to set up a Redshift instance, create S3 buckets, and ship the audit logs to CloudWatch. Basic security for Amazon Redshift can be accomplished through standard AWS security...