Could blow up at any time! The four major "security debts" of 2023

In 2023, among the many "security debts" exposed in the fields of network security, cloud security, application security, and data security, four major debts have not only failed to be fully paid down, but are at risk of "exploding" in the new year. These four debts are: the Log4j vulnerability, the HTTP/2 Rapid Reset attack vulnerability, malicious email, and post-quantum encryption. We introduce each of them below:

1. The Log4j vulnerability is still the number one vulnerability in 2023

The Log4j vulnerability, exposed in November 2021, is one of the most serious vulnerabilities in Internet history, because it is not only ubiquitous and easy to exploit, but also highly damaging. Today, two years later, despite the joint efforts of the global cybersecurity industry and the business community, Log4j vulnerabilities are regrettably still common, easy to exploit, and harmful.

According to a report released by Cloudflare this month, the number of attacks against Log4j globally in 2023 consistently far exceeded the number against other vulnerabilities (above), and new peaks appeared in the last week of October and mid-to-late November (Log4j exploits are most active in France, Germany, India and the United States).

A recent report released by Veracode shows that despite the industry's tremendous efforts to patch Log4j vulnerabilities, more than one-third of applications still run vulnerable Log4j versions in 2023.

Why does the "recovery rate" of Log4j vulnerabilities remain high? Veracode chief research officer Chris Eng noted: "Many security teams reacted quickly and patched the initial Log4j vulnerability, but then reverted to the previous slack state and did not patch even after the release of 2.17.1 and above."

Veracode found that 32% of applications used a version of Log4j that was discontinued in August 2015. 79% of developers never update third-party (open source) libraries after adding them to their code. "This explains why such a high percentage of applications are running discontinued versions of Log4j," Eng said.
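The version drift Veracode describes can be checked directly against build artifacts. The following is an added example, not code from the article or from Veracode: it walks a WAR/JAR recursively, including nested archives where transitive copies hide, and labels each Log4j jar using the two thresholds the article gives (the 1.x line discontinued in August 2015, and 2.17.1 as the patched release). The archive layout and file names are constructed sample data, and matching on file names is an assumption that misses renamed or shaded copies.

```python
import io
import re
import zipfile

# Thresholds taken from the article: the 1.x line was discontinued in
# August 2015, and 2.17.1 is the release teams were expected to reach.
PATCHED = (2, 17, 1)
JAR_RE = re.compile(r"(?:^|/)log4j(?:-core)?-(\d+(?:\.\d+){1,2})\.jar$")

def classify(version):
    """Map a Log4j version string to a triage label."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))
    if parts[0] == 1:
        return "end-of-life"
    return "ok" if parts >= PATCHED else "outdated"

def scan_archive(data, prefix=""):
    """Recursively walk an archive given as bytes; yield (path, version, label)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = prefix + name
            m = JAR_RE.search(name)
            if m:
                yield path, m.group(1), classify(m.group(1))
            elif name.lower().endswith((".jar", ".war", ".ear")):
                try:
                    yield from scan_archive(zf.read(name), path + "!/")
                except zipfile.BadZipFile:
                    continue  # not a real archive: skip it, keep scanning

def _zip(entries):
    """Build a constructed in-memory archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def sample_war():
    """Constructed sample: a WAR with direct and nested Log4j copies."""
    plugin = _zip({"lib/log4j-core-2.14.1.jar": b""})
    return _zip({
        "WEB-INF/lib/log4j-1.2.17.jar": b"",
        "WEB-INF/lib/log4j-core-2.17.1.jar": b"",
        "WEB-INF/lib/plugin.jar": plugin,
        "WEB-INF/lib/broken.jar": b"not a zip",
    })
```
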

2. The most efficient DDoS attack technique: HTTP/2 Rapid Reset

The HTTP/2 Rapid Reset attack vulnerability disclosed in October 2023 (bypassing concurrent stream limits through rapid resets) has become a popular choice for DDoS attacks. This vulnerability can cause target web application servers, load balancers and web proxy servers to quickly exhaust their resources and crash.

Cloudflare's analysis of HTTP/2 Rapid Reset attacks from August to October (above) found that the average attack rate was 30 million requests per second (rps), with 90 attacks peaking over 100 million rps. These numbers are concerning because the HTTP/2 Rapid Reset vulnerability allows attackers to use relatively small botnets (as few as 20,000 infected hosts, compared to hundreds of thousands or millions of hosts) to launch large-scale distributed denial of service (DDoS) attacks.

Patrick Tiquet, vice president of security and architecture at password management and online storage company Keeper Security, said: "While HTTP/2 improves web performance and user experience, it also introduces new attack vectors that are very attractive to attackers. HTTP/2 Rapid Reset vulnerabilities can be exploited to launch DDoS attacks of unprecedented scale."

Ken Dunham, Director of Cyber Threats at Qualys Threat Research, added: “What’s even worse is that this attack is easy to carry out and highly rewarding for the attacker, as HTTP/2 Rapid Reset attacks are said to be more than 300% more efficient than traditional DDoS attack methods.”

Although infrastructure providers such as Microsoft, AWS and F5, as well as web server and load balancing software vendors, have released mitigations or patches for the HTTP/2 Rapid Reset attack vulnerability, security experts believe that HTTP/2 Rapid Reset DDoS attacks will still be popular in 2024.
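On the detection side, the pattern described above shows up per connection as streams that the client opens and then cancels before the server has answered. The following is an added example, not code from the article or from any vendor's patch: it scans a time-ordered frame log and flags connections that exceed a budget of such cancels within a sliding window. The tuple log format, the window and the budget are assumptions; `HEADERS` and `RST_STREAM` are the standard HTTP/2 frame types.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0    # assumed sliding window, in seconds
MAX_RESETS = 20   # assumed per-connection budget of unanswered cancels

def detect_rapid_reset(frames, window=WINDOW_S, max_resets=MAX_RESETS):
    """Return {conn_id: timestamp} for connections whose client cancels more
    than max_resets unanswered streams within `window` seconds.

    frames: time-ordered (ts, conn_id, sender, frame_type, stream_id) tuples.
    """
    unanswered = defaultdict(set)   # conn -> streams opened, no response yet
    recent = defaultdict(deque)     # conn -> timestamps of counted cancels
    flagged = {}
    for ts, conn, sender, ftype, sid in frames:
        if sender == "client" and ftype == "HEADERS":
            unanswered[conn].add(sid)
        elif sender == "server" and ftype == "HEADERS":
            unanswered[conn].discard(sid)   # response started: normal request
        elif (sender == "client" and ftype == "RST_STREAM"
              and sid in unanswered[conn]):
            unanswered[conn].discard(sid)
            q = recent[conn]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()                 # drop cancels outside the window
            if len(q) > max_resets and conn not in flagged:
                flagged[conn] = ts
    return flagged

def sample_frames():
    """Constructed capture: 'A' browses normally, 'B' opens and cancels."""
    frames = []
    for i in range(5):       # A: each request gets a response
        sid, t = 1 + 2 * i, i * 0.2
        frames += [(t, "A", "client", "HEADERS", sid),
                   (t + 0.05, "A", "server", "HEADERS", sid)]
    # A cancels one stream after the response began: not counted
    frames.append((1.0, "A", "client", "RST_STREAM", 9))
    for i in range(100):     # B: HEADERS immediately followed by RST_STREAM
        sid, t = 1 + 2 * i, 0.5 + i * 0.001
        frames += [(t, "B", "client", "HEADERS", sid),
                   (t + 0.0005, "B", "client", "RST_STREAM", sid)]
    return sorted(frames, key=lambda f: f[0])
```
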

3. Malicious email attacks continue to grow

Malicious emails/phishing remain the number one method of cyberattack. It is estimated that 90% of successful cyber attacks begin with email phishing. Business email compromise (BEC), a malware-free attack that tricks recipients into transferring funds, has cost victims more than $50 billion worldwide, according to newly released data from the FBI.

Although email security has always been an important part of corporate network security defense, the email security situation deteriorated further in 2023. According to the Cloudflare Area 1 analysis report, an average of 2.65% of emails were found to be malicious in 2023, with an upward trend. On a weekly basis, the proportion of malicious emails soared to more than 3.5%, 4.5% and 5% in early February, early September and late October respectively (figure below).

Figure: The proportion of malicious emails continued to grow in 2023. Data source: Cloudflare

Malicious links and identity theft were still the most important email threats in 2023. Blackmail content saw a brief peak in October. The changes in each email threat type are as follows:

Figure: Changes in the proportion of malicious email threat types. Data source: Cloudflare

In 2024, as the weaponization of generative artificial intelligence becomes widespread, the content quality, sending scale and targeting of malicious emails will improve across the board. Businesses need a combination of intelligent email security solutions and targeted security awareness training to effectively mitigate malicious email attacks.

4. Post-quantum encrypted traffic accounts for only 1.7% of Internet traffic

Although Google's Chrome browser began to support post-quantum cryptography (PQC) in 2023, the proportion of PQC-encrypted traffic across the Internet is still very low. According to a Cloudflare report, PQC-encrypted traffic accounted for approximately 1.7% of Internet traffic in 2023.

Figure: Changes in the proportion of post-quantum encrypted traffic in 2023. Data source: Cloudflare

“Network traffic has taken a step toward quantum-safe encryption, but PQC adoption is still too low at just 1.7%,” said Craig Debban, chief information security officer at QuSecure, a maker of quantum-safe security solutions. “Because PQC is only applicable to TLS 1.3, it may take several years for PQC to gain widespread attention in the industry.”

Debban noted: “Today’s enterprises need to be able to orchestrate encryption and plan for and accelerate the adoption of PQC encryption without having to wait for customers and suppliers to upgrade their systems.”

Denis Mandich, chief technology officer and co-founder of enterprise data security provider Qrypt, added: “The threats from quantum computing and artificial intelligence are accelerating, and post-quantum encryption technology is nothing new. Enterprise cybersecurity teams cannot be satisfied with being aligned with their peers; only by outperforming your peers can you avoid being attacked by a bear. Those who are not ready to move to quantum security tools and solutions will get no sympathy from anyone.”

Origin blog.csdn.net/pantouyuchiyu/article/details/135112783