Very little in life grabs our attention like a shiny new object. The gleam can be irresistible, the glitter mesmerizing. That’s how it is in cybersecurity, where the landscape is almost always dotted with alluringly novel hazards. Brand new threats, fresh twists on old threats — the shiny malicious objects just keep on coming, year in and year out. 2017 brought us threats such as the EternalBlue exploit, WannaCry and NotPetya, all with very high impact and warranting immediate remediation.

Behind the attention grabbers, however, lurked a less newsworthy but much more widespread and persistent threat, ranking, once again, as the top mechanism of attack targeting many organizations in every sector: injection attacks.

Read the research report: What you need to know about injection attacks

A Top Threat to Organizational Networks

The facts are clear. According to IBM X-Force analysis of IBM Managed Security Services (MSS) data, injection attacks are the most frequently employed mechanism of attack against organizational networks. In fact, for the period assessed (January 2016 through June 2017), injection attacks made up nearly half — 47 percent — of all attacks. The most common types were operating system command injection (OS CMDi) and SQL injection (SQLi).


Figure 1: Injection attacks versus all attacks (Source: IBM Managed Security Services data).

Attackers take advantage of injection vulnerabilities in operating systems and applications to penetrate critical web servers and access back-end databases. From using malicious webshells to planting cryptocurrency mining tools or malicious PHP scripts, there are many ways in which cybercriminals can use injection attacks to reach their end goal.

Fortunately, addressing injection attacks doesn’t necessarily require heavy lifting. Implementing a few basic security measures can help mitigate the threat in your environment.

Most Prominent Injection Attack Types

While several types of injection attack patterns fall under the MITRE Corporation’s Common Attack Pattern Enumeration and Classification (CAPEC) category 152, the following patterns were the most prominent vectors targeting clients monitored by IBM X-Force. Interestingly, some of the most prevalent activity involved the exploitation of vulnerabilities that were two or more years old.


Figure 2: Most prominent injection attacks (Source: IBM Managed Security Services data).

Ejecting Injection Attacks From Your Environment

The root cause of many high-profile breaches often involves the exploitation of weaknesses that could have been remediated or addressed, such as password reuse, server misconfiguration and unpatched vulnerabilities. The same can be said for many successful injection attacks.

For more information about injection attacks and recommendations on how to mitigate them, read the IBM X-Force Research report, “What You Need to Know About Injection Attacks.”

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

How to Report Scam Calls and Phishing Attacks

With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…