While Log4j remains the top attack vector for threat actors in 2023, a new vulnerability, HTTP/2 Rapid Reset, has emerged as a significant threat to organizations, according to Cloudflare’s annual year-in-review report. The report is based on data from Cloudflare’s network, which spans 310 cities in over 120 countries.
Globally, the volume of attacks targeting Log4j has been consistently lower than that of other vulnerabilities, with spikes in the last week of October and from mid to late November, according to the Cloudflare report. “Threat actors are still actively targeting Log4j, as successful exploitation can cause significant damage,” said David Belson, Head of Data Insights at Cloudflare. “If the attackers hadn’t been so successful, they would have moved on by now.”
1 in 3 applications are still running a vulnerable version of Log4j
Chris Eng, chief research officer at Veracode, a cloud-based application intelligence and security validation service, says that despite large-scale efforts to patch the Log4Shell vulnerability, more than one in three applications are still running a vulnerable version of Log4j. “Many teams reacted quickly to patch the initial Log4Shell vulnerability, but they have reverted to their previous behavior of not patching, even after the release of 2.17.1,” he says.
Eng points out that Veracode found that 32% of applications were using a version of Log4j whose support ended in August 2015. He adds that 79% of the time, once developers incorporate a third-party library into their code base, they never update it. “This explains why so many applications are running end-of-life versions of Log4j,” he says.
Jeff Williams, CTO and co-founder of Contrast Security, a maker of self-protection software solutions, adds, “I don’t think organizations have yet embraced updating open source software libraries as part of their culture. Even in emergencies like Log4Shell, many organizations don’t take on the relatively simple task of updating.”
HTTP/2 Rapid Reset attacks are easy to perform and highly rewarding
The report predicts that attackers will continue to target the HTTP/2 Rapid Reset vulnerability over the next year, potentially causing resource exhaustion on targeted web and proxy servers. An analysis of Rapid Reset attacks from August to October found that the average attack rate was 30 million requests per second (rps), with 90 of the attacks exceeding 100 million rps at their peak. These numbers are alarming because a relatively small botnet of 20,000 compromised machines can generate large-scale distributed denial of service (DDoS) attacks against hundreds of thousands or millions of hosts.
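The resource exhaustion described above comes from a client opening a stream and cancelling it immediately, so the server does the work while the stream never counts against its concurrency limit. The usual defence is to meter client-initiated resets per connection, which is what the following added example (not code from the report or from Cloudflare) sketches; the limit, window and the frame log are constructed assumptions for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them to observed legitimate traffic.
RESET_LIMIT = 20       # RST_STREAM frames tolerated per connection per window
WINDOW_SECONDS = 1.0


class ResetRateTracker:
    """Sliding-window count of client RST_STREAM frames, per connection.

    A Rapid Reset client pairs every HEADERS with an immediate RST_STREAM, so
    counting resets (rather than open streams) restores a cost it cannot dodge.
    """

    def __init__(self, limit=RESET_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.resets = defaultdict(deque)   # conn_id -> recent RST_STREAM times
        self.flagged = set()

    def observe(self, ts, conn_id, frame):
        """Feed one frame; return "close" once the connection should be dropped."""
        if conn_id in self.flagged:
            return "close"
        if frame != "RST_STREAM":
            return "ok"
        recent = self.resets[conn_id]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # expire old resets
            recent.popleft()
        if len(recent) > self.limit:
            self.flagged.add(conn_id)   # server would send GOAWAY and close
            return "close"
        return "ok"


def constructed_events():
    """Constructed frame log: one ordinary client (c1) and one Rapid Reset client (c2)."""
    events = [(0.2 * i, "c1", "HEADERS") for i in range(5)]   # five requests
    events.append((0.9, "c1", "RST_STREAM"))                   # one cancelled
    for i in range(200):                                       # 200 open+reset pairs in 0.2 s
        events.append((0.001 * i, "c2", "HEADERS"))
        events.append((0.001 * i, "c2", "RST_STREAM"))
    return sorted(events)


def flagged_connections(events, limit=RESET_LIMIT, window=WINDOW_SECONDS):
    """Run the tracker over a frame log and return the connections it would close."""
    tracker = ResetRateTracker(limit, window)
    for ts, conn_id, frame in events:
        tracker.observe(ts, conn_id, frame)
    return tracker.flagged
```

Production servers and proxies apply the same idea in their HTTP/2 stacks; the log above is only a stand-in for frames seen on a real connection.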
“HTTP/2 improves web performance and user experience, but it also introduces new attack vectors that may be attractive to threat actors,” says Patrick Tiquet, vice president of architecture at Keeper Security, a password management and online storage company. “HTTP/2 Rapid Reset exploits vulnerabilities in the HTTP/2 protocol to launch DDoS attacks on a scale never seen before.”
“Simply put, this attack is easy to perform, highly rewarding for malicious actors, and achieves a DDoS attack that is reported to be more than 300% more effective than traditional DDoS techniques,” added Ken Dunham, director of cyber threats in the Threat Research Unit of Qualys, a provider of cloud-based IT, security and compliance solutions.
Post-quantum cryptography internet traffic increases
The report also revealed that internet traffic using post-quantum cryptography (PQC) reached 1.7% over the year. For now, Google’s Chrome browser leads in PQC support, which is aimed at protecting data from future quantum computers, but the report expects more browsers to follow Google’s lead in the coming year and usage to increase.
“This is a great step toward meeting the urgent need to move network traffic to quantum-secure encryption. However, a PQC adoption rate of just 1.7% is still far too low,” said Craig Debban, CISO of QuSecure, a maker of security solutions. PQC only works with TLS 1.3, so it could be years before PQC becomes widespread. “Enterprises today need to be able to tune encryption, accelerate adoption, and define encryption everywhere without waiting for customers or vendors to upgrade their systems,” he says.
Dennis Mandich, CTO and co-founder of Qrypt, an enterprise data security provider, adds, “When cybersecurity teams are all surprised by new and completely unknown hacking techniques, they receive sympathy from their colleagues. For those who are not ready to switch to quantum-safety tools, there is no greater forgiveness. To avoid being eaten by a panda, all you have to do is run faster than the next person. In the age of quantum and AI, that means quantum solutions.”