Vulnerability scanning is the automated process of identifying security weaknesses in network devices or applications. While most companies run vulnerability scans on their own assets for security purposes, cybercriminals can also run vulnerability scans on your websites, mobile apps and APIs looking for weaknesses they can exploit.

Learn how bot-driven vulnerability scanning attacks are used against e-commerce businesses, who is behind such attacks and why, how vulnerability scanning attacks unfold, the most common defense tactics against vulnerability scanning, and in what ways DataDome can protect you against malicious vulnerability scanning and all other automated OWASP threats.

Summary

  1. About Malicious Vulnerability Scanning
  2. Who uses malicious vulnerability scanning, and why?
  3. The Anatomy of a Vulnerability Scanning Attack
  4. Common Defense Strategies
  5. How DataDome Protects Against Malicious Vulnerability Scanning

About Malicious Vulnerability Scanning (OAT-014)

Definition

Vulnerability scanning (OWASP automated bot threat OAT-014) is an e-commerce threat that uses bots or web crawlers to identify security weaknesses in your website and underlying architecture. These weaknesses can then be targeted by bot operators.

Evolution

Starting in July of 2001, Code Red was the first widespread malicious vulnerability scanning program, which scanned the Internet to find and infect vulnerable systems. According to Kaspersky, 55% of all malware in 2001 consisted of malicious programs that took advantage of system vulnerabilities. The increase in vulnerability scanning attacks was due to a shift away from classic procedures where the user had to trigger the infection process. Code Red II, Nimda, and Klez were malicious vulnerability detection and exploitation tools that evolved from the creation of the original Code Red program. Since then, vulnerability scanning has become a ubiquitous attack technique.

Statistics

Vulnerability scanning and later exploitation is the cause of one in three data breaches. Around 60% of organizations suffered a data breach because of unpatched vulnerabilities.

Famous Breaches

In 2017, Equifax experienced a data breach when a cybercriminal located and exploited a vulnerability in the Apache Struts web application framework, resulting in the exposure of personally identifiable information (PII) of more than 150 million U.S. consumers.

More recently, in February 2020, Australian market analysis company Tetrad also suffered a data breach. A misconfigured Amazon S3 bucket enabled a hacker to gain access to information on about 120 million households and businesses. The information included names, addresses, spending habits, and more—and even though the vulnerability was patched in a week, the damage had already been done.

Who uses malicious vulnerability scanning, and why?

Malicious actors use vulnerability scanning tools to find exploitable security weaknesses in your website stack. Once hackers locate possible vulnerabilities, they then execute attacks to gain control of both your system and customer accounts—as well as access sensitive data, such as skimming customers’ payment card information to commit acts of fraud.

The Anatomy of a Vulnerability Scanning Attack

Malicious vulnerability scanning attacks involve three main phases:

  • Target URL addresses, parameter values, and payloads: Attackers identify target websites and configure parameters and payloads for vulnerability reconnaissance.
  • Run vulnerability scanning processes: Bots investigate both known and unknown content locations, paths, and filenames for security weaknesses (e.g. vulnerable content management systems (CMS) and components).
  • Identify and exploit security vulnerabilities: Once the attackers identify security vulnerabilities, they can attack however they want. Common attacks include malicious payload installation, account takeover, sensitive information theft and exploitation, and more.
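
The second phase leaves a recognizable trace in web server access logs: one client requesting many different paths that do not exist. The following is an added example, not part of the original page and not DataDome's detection logic; it flags that pattern in constructed Combined Log Format lines, and the name `find_scanners` and both thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: client IP, request line, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def _line(ip, path, status):
    # Builds one constructed log line (sample data, not from a real site).
    return f'{ip} - - [10/Mar/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'

PROBED = ("/admin.php", "/backup.zip", "/old/", "/test/config.bak", "/cms/login", "/db.sql")
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", p, 404) for p in PROBED]            # many distinct misses
    + [_line("203.0.113.7", "/", 200)]
    + [_line("198.51.100.20", p, 200) for p in ("/", "/products", "/cart")]
    + [_line("198.51.100.20", "/favicon.ico", 404)]           # ordinary visitor
    + [_line("198.51.100.33", "/promo/spring", 404)] * 6      # one stale link, retried
)

def find_scanners(log_text, min_missing=5, min_ratio=0.8):
    """Flag clients that mostly request many *different* nonexistent paths."""
    total = defaultdict(int)
    errors = defaultdict(int)
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing fields
        ip, _method, target, status = m.groups()
        total[ip] += 1
        if status in ("403", "404"):
            errors[ip] += 1
            missing[ip].add(target.split("?", 1)[0])  # ignore query strings
    flagged = {}
    for ip, paths in missing.items():
        # Both conditions are assumed thresholds; tune them to your own traffic.
        if len(paths) >= min_missing and errors[ip] / total[ip] >= min_ratio:
            flagged[ip] = {"requests": total[ip], "errors": errors[ip],
                           "distinct_missing": len(paths)}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_scanners(SAMPLE_LOG).items():
        print(ip, stats)
```

Counting distinct missing paths rather than raw 404s keeps a visitor who retries one stale link from being flagged alongside a client that sweeps many locations.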

Common Defenses Against Vulnerability Scanning Attacks

Common defense methods against malicious vulnerability scanning can involve:

  • Hardening the security of your website infrastructure and network devices.
  • Disabling technology and features that you no longer use or that are insecure.
  • Enabling IPS/IDS on your network to detect scanning technology signatures.
  • Patching systems and components as soon as the manufacturer releases an update.
  • Performing vulnerability scanning and penetration testing to identify security holes.

While these security measures can help reduce the problem, they are almost powerless against the most recent generations of sophisticated bots. Real-time detection and attack response is fundamental to mitigate automated vulnerability scanning attacks.

How DataDome Protects Against Malicious Vulnerability Scanning

Robust bot detection software will be able to rapidly identify visitor behavior on your website that shows signs of malicious vulnerability scanning and automatically block the source before attacks unfold, without negatively impacting customer experience.

To protect against malicious vulnerability scanning, DataDome employs a sophisticated bot detection engine, based on artificial intelligence and machine learning. Our algorithm analyzes billions of daily events, and continuously updates itself to pinpoint both known and zero-day threats.

As soon as we had activated the protection, our traffic became more stable, less turbulent. And I’m reassured about the use of our infrastructure. It’s important for us to have control over the traffic to our sites, and to be certain this traffic is healthy. Our bandwidth and our server resources should serve our audience, not bots.

CIO, Groupe Profession Santé

DataDome is the only bot protection solution delivered as-a-service. It deploys in minutes on any web architecture and runs on autopilot. You will receive real-time notifications whenever your site is under attack, but no intervention is required. Once you have created an allow list of trusted partner bots, DataDome takes care of all unwanted traffic.

Are you ready to protect your websites, mobile apps and APIs from malicious vulnerability scanning? Start your free trial or contact us to request a demo.