The Financial Services Industry is Most Targeted by SSRF Attacks

The cyber threat landscape is evolving rapidly, and digital transformation initiatives mean that organizations’ attack surfaces are changing quickly as well. Protecting against the latest cyber threats requires an understanding of which systems and vulnerabilities that cybercriminals are currently targeting in their attacks.

While an organization can (and should) generate threat intelligence internally, based upon attacks that they have experienced and the results of threat hunting and incident response activities, they should look to external sources as well. Organizations with wider visibility of the cyber threat landscape are capable of identifying global trends that can help to inform an organization’s strategic investments in cybersecurity solutions and future threat hunting activities.

An example of a source of valuable threat intelligence is Imperva’s Cyber Threat Index. This resource reports trends that the organization’s threat research lab has detected, such as the fact that financial institutions experience a much higher percentage of server-side request forgery (SSRF) attacks, compared to other industries.

What Are SSRF Vulnerabilities?

Web application vulnerabilities are not exactly rare. A number of different vulnerability classes exist, and organizations like the Open Web Application Security Project (OWASP) regularly release lists of the “most common” or “most dangerous” vulnerabilities currently faced by web applications.

SSRF vulnerabilities don’t make the OWASP Top Ten list. However, they can still pose a significant threat to organizations’ web application security. SSRF vulnerabilities take advantage of web servers that commonly make HTTP requests to other servers. These requests can be used to collect configuration information or other data necessary to the server’s function.

An issue arises if an attacker can gain control over these requests and redirect them. For example, systems may exist within an organization’s network that are inaccessible from outside the network (due to firewall settings) but are accessible from the organization’s web server (which is theoretically trusted). By exploiting an SSRF vulnerability, an attacker could force the web server to make requests on their behalf, allowing them to bypass the protections

SSRF Attacks and the Financial Industry

For many organizations, SSRF vulnerabilities could seem like a low priority since they do not even appear on OWASP’s list of the top threats to web applications. However, different industries experience different mixes of attacks.

According to Imperva’s Cyber Threat Index, the financial industry has an unusually high percentage of SSRF attacks. In fact, this industry experiences twice as many SSRF attacks as any other industry.

Logically, this makes sense. The primary objective of an SSRF attack is to allow the attacker to bypass firewall restrictions and gain access to an organization’s internal systems. In the financial industry, these internal systems have access to extremely valuable and sensitive data, enabling an attacker to make a high profit off of a successful attack.

An example of a recent successful SSRF attack against an organization in the financial industry is the Capital One data breach. The financial institution is known for embracing new technologies and had moved part of its data storage and processing capabilities to Amazon Web Services (AWS).

This move to the cloud was not necessarily a security problem, and the cloud deployment was configured to restrict external access to potentially sensitive data. However, Capital One had also deployed a web application firewall (WAF) to protect their web-based services against attack. Unfortunately, this WAF had a configuration issue that made it vulnerable to SSRF attacks. At the same time, the security settings of the AWS deployment were configured to allow the WAF to have full access to the data stored in the cloud deployment.

These configuration errors were exploited by a cybercriminal. She took advantage of the SSRF vulnerability to exfiltrate sensitive data from Capital One’s cloud-based data store. Soon afterward, the issue was remediated, and the cybercriminal was caught since she bragged about her exploits online, and a security researcher found these records and reported them to the appropriate parties.

The Importance of Good Cyber Threat Intelligence

For many organizations, a focus on SSRF vulnerabilities may be unnecessary. While they can pose a significant threat to an organization’s security, a cybercriminal attacking the organization may not be looking for or attempting to exploit them in an organization’s web applications. With over 22,000 new vulnerabilities discovered in the past year, many organizations cannot patch all vulnerabilities within their networks.

The selection of which vulnerabilities should be prioritized and which can be ignored should be based upon a risk assessment. Performing such an assessment requires an accurate view of the risk associated with a certain vulnerability, which cyber threat reports and similar resources provide. Without the data provided by Imperva, a financial organization may choose to overlook SSRF vulnerabilities in favor of other “big name” web application vulnerabilities.

Implementing the Right Security Solutions

Vulnerability management is a challenge for any organization, and, as demonstrated by the CapitalOne breach, the stakes of overlooking a vulnerability in an organization’s patch management process can be high. Properly prioritizing patches for different vulnerabilities and strategic investments for cybersecurity solutions requires an accurate risk assessment.

This assessment should not be made in a vacuum. Cybersecurity organizations have a much broader view of the cyber threat landscape than the average business. Taking their insights into account can help a business ensure that they don’t overlook a major threat, like SSRF in the financial industry.