
Barracuda Warns of Exploitation of Web Application Vulnerabilities and Misconfigurations

A new Threat Spotlight report from Barracuda, a trusted partner and leading provider of cloud-first security solutions, highlights how attackers are exploiting web application vulnerabilities and misconfigurations to extract valuable data.

Barracuda mitigated more than 18 billion attacks against applications during 2023, including 1.716 billion in December alone. The new report provides a deep dive into the web application incidents detected and mitigated by Barracuda Application Security during December 2023, focusing on attacks identified by the Open Worldwide Application Security Project (OWASP).

Web applications are computer programs accessed via web browsers, and include productivity tools like Microsoft 365 or Google Docs / Gmail. They are a prime target for cyberattack, according to Verizon’s Data Breach Investigation Report (DBIR), which found that web apps were used in 80% of security incidents and 60% of breaches in 2023.

Barracuda’s recent Threat Spotlight shows that most attacks on web applications targeted security misconfigurations, such as coding and implementation errors (30%), while 21% involved code injection, where an attacker injects code that is then interpreted or executed by the application. According to Barracuda, these include not just SQL injections, which are designed to steal, destroy or manipulate data, but also Log4Shell and LDAP injections. LDAP is used in privilege management, such as supporting Single Sign-On (SSO) for applications.

Barracuda also highlights that bot attacks on web apps were popular during 2023, with a majority (53%) being used for volumetric Distributed Denial of Service (DDoS) attacks. According to the report, these attacks use IoT devices and are based on brute force techniques that flood the target with data packets to use up bandwidth and resources. Such attacks can be used as a cover for a more serious and targeted attack against the network.

Commenting, Tushar Richabadas, Principal Product Manager, Application Security, Barracuda, said: “Web applications and APIs are lucrative attack vectors for cybercriminals – and they are coming under increasing attack.

“Defenders are hard pressed to keep up with the growing number of vulnerabilities. They have to contend with both zero-days and older vulnerabilities. The software supply chain for critical apps may also have vulnerabilities – as demonstrated by the Log4Shell vulnerability.

“It must be remembered that attackers will often target old vulnerabilities that security teams have forgotten about to try and breach an overlooked, unpatched application and then spread into the network,” he said.

CSA Editorial

Launched in Jan 2018 in partnership with Cyber Security Malaysia (an agency under MOSTI), CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.
