by Paul Barker

Organizations with outdated security approaches getting hammered: Cloudflare

News
25 Jun 2024 | 4 mins
APIs, Internet Security, Security Infrastructure

A new report suggests that DDoS attacks continue to increase in number and that web apps and APIs remain vulnerable spots that security teams can’t keep up with.

Security teams are having great difficulty keeping pace with the risks posed by organizations’ dependency on modern applications — the technology that “underpins all of today’s most used sites,” according to a report released Tuesday by connectivity cloud company Cloudflare.

The “State of Application Security 2024” report reveals that the volume of threats stemming from issues in the software supply chain, an increasing number of distributed denial of service (DDoS) attacks such as the recent takedown of French state services by Russia-aligned hackers, and malicious bots often exceed the resources of dedicated application security teams.

Based on what Cloudflare described as “aggregated traffic patterns” observed across its network from Apr. 1, 2023, until March 31, 2024, key findings revealed that:

  • DDoS attacks continue to increase in number and volume: DDoS, it said, remains the most leveraged threat vector to target web applications and APIs, comprising 37.1% of all application traffic mitigated by Cloudflare. The top targeted industries were gaming and gambling, IT and internet, cryptocurrency, computer software, and marketing and advertising.
  • First to patch vs. first to exploit — the race between defenders and attackers accelerates: Cloudflare said it observed faster exploitations than ever of new zero-day vulnerabilities, with one occurring just 22 minutes after its proof-of-concept (PoC) was published.
  • Bad bots left unchecked can cause massive disruption: One-third (31.2%) of all traffic stems from bots, the majority (93%) of which are unverified and potentially malicious. The top targeted industries were manufacturing and consumer goods, cryptocurrency, security and investigations, and the US federal government.
  • Organizations are using outdated approaches to secure APIs: Traditional web application firewall (WAF) rules that use a negative security model, which assumes most web traffic is benign, are most commonly leveraged to protect API traffic.

The attack surface is expanding for web apps and APIs

Cloudflare stated in a release that “today’s digital world runs on web applications and APIs. They allow e-commerce sites to accept payments, healthcare systems to securely share patient data, and power activities we do on our phones. However, the more we rely on these applications, the more the attack surface expands.”

The release added that the problem is “further magnified by the demand for developers to quickly deliver new features. But if unprotected, exploited applications can lead to the disruption of businesses, financial losses, and the collapse of critical infrastructure.”

The authors of the report noted that web applications are central to modern life: “For governments, they are an important channel to communicate information to the public and provide essential services. For businesses, they serve as a source of revenue, efficiency and customer insights.”

During the data collection period, Cloudflare said that it mitigated 6.8% of all web application traffic. It defines mitigated traffic as any “traffic that is blocked or is served a challenge by Cloudflare. The specific threat type and relevant mitigation technique depends on many factors such as the application’s potential security gaps, the nature of the victim’s business and the attacker’s goals.”

Examples of attacks over the study period, it states, included the Anonymous Sudan group launching “politically motivated DDoS attacks against banks, universities, hospitals, airports, social media platforms, government agencies and others worldwide.”

In the release, company co-founder and CEO Matthew Prince said that “web applications are rarely built with security in mind. Yet, we use them daily for all sorts of critical functions, making them a rich target for hackers.”