5/9/2012 04:21 PM

Mass SQL Injections Spike Again

Experts warn orgs to keep up with patches and sanitize input to mitigate risks

Security researchers have reported spikes in mass SQL injection attacks of late that take advantage of very common vulnerabilities in the way that Web applications interact with back-end databases. Particularly targeting ASP, ASP.Net, and MS-SQL sites, these mass SQL injection campaigns have been linked to black hat efforts to redirect victims to browser exploit kits like Blackhole or Phoenix.

"There's been a growing increase on the mass SQL injections side mainly because there is business to be had and money to be made in that area," says Gunter Ollmann, vice president of research for Damballa. "There are a growing number of professional hackers and crime groups that specialize in quick and rapid identification of websites that are vulnerable to SQL injection, and they monetize that by injecting malicious code normally as part of the pay-per-install or the iFrame injection-type business."

Unlike traditional SQL injections, which are generally manual attacks seeking to extract data from commerce sites, mass SQL injection attacks are automated, quick-and-dirty attacks that drop malicious code onto the website.

"Really what this is is a cross-site scripting attack," says Ryan Barnett, senior security researcher for Trustwave SpiderLabs, "just using SQL injection on the front end to inject in JavaScript code that results in sending regular users to a Web page that's dynamically created based on different database components, pulling in malicious JavaScript into the browser that redirects to a malware site."


The mass SQL injection model has been prevalent since 2008, with a considerable uptick last spring during the LizaMoon attacks. According to the recent Zscaler ThreatLabz Q1 State of the Web Report, researchers with ThreatLabz noted a spike in LizaMoon activity back in March.

"A year later, we are still seeing this campaign under way, with various peaks and valleys as the attack adapts over time. We noticed that activity picked back up again in March 2012," the report says.

According to Barnett, the attacks in recent months have a similar M.O., with a slight tweak in the SQL used to conduct the attack.

"They're not doing exactly the same kind of script that they did before," Barnett says. "They are picking different category names, which is often used for these databases, such as the category title, content title, and home page title. So they're targeting title HTML tags when you're dynamically creating those sites. It is kind of sneaky, but they're prepending a closing title HTML tag, so when it gets into the browser, it will cleanly close the title content that was already there and inject in behind to execute that JavaScript."

In April, researchers with F-Secure and Sucuri Security, among others, brought attention to these attacks, which at that time redirected to the Nikjju.com domain. According to Barnett, malicious activity continues on the back of already injected code, but the domains end users are redirected to remain in flux.

"The infrastructure of what we're highlighting here is in place, the bad guys are using it -- the difference is that all those domains they're sending them to, those are transient and change almost daily," he says. "As we put in IP reputation, domain blacklisting, and all of those things, then people can't get to those sites, so they have to constantly keep moving. But the infrastructure of exploiting the website and injecting this code, they just keep reusing that until people upgrade their systems."

That brings us to the mitigation efforts for these attacks.

"One is, first and foremost, they have to stay on top of patching processes. That means knowing what applications you're running on your servers," Ollmann says. "And secondly, you need to ensure that your custom applications are designed in a way that even if there is a vulnerability in these back-end systems, that the content is still sanitized and is not projected to visitors of the website."
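The two points in play here, the stored `</title>` break-out Barnett describes and Ollmann's advice to bind input and sanitize output, can be shown in a few lines. The following is an added example written for this article, not code from Dark Reading or from either researcher; it uses an in-memory SQLite table as a stand-in for the MS-SQL back end, a constructed sample row whose script host is a placeholder rather than a real indicator, and hypothetical function names.

```python
import html
import re
import sqlite3

# Constructed sample data (not from the article). Row 2 mimics the pattern
# Barnett describes: a closing </title> tag prepended to a stored category
# title so that, if echoed raw, it closes the page's real <title> element and
# the browser then parses the rest as markup. The host is a placeholder.
SAMPLE_ROWS = [
    (1, "Spring Catalog"),
    (2, '</title><script src="http://placeholder.invalid/x.js"></script>'),
]

# Markup fragments the campaign plants in text columns; used for detection.
INJECTED_MARKUP = re.compile(r"</title>|<script\b|<iframe\b", re.IGNORECASE)


def build_db():
    """In-memory stand-in for the site's database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_title(conn, category_id):
    """Parameterized query: the value is bound, never spliced into the SQL
    text, so quotes or SQL keywords in the input are compared as data and
    cannot change the statement."""
    row = conn.execute(
        "SELECT title FROM categories WHERE id = ?", (category_id,)
    ).fetchone()
    return row[0] if row else None


def render_title_unsafe(title):
    """The rendering pattern that turns a tampered row into stored XSS:
    the database value is interpolated into HTML with no encoding."""
    return f"<title>{title}</title>"


def render_title(title):
    """Output encoding: even if the row was altered by an injection, the
    browser receives text, not tags (the 'sanitize before projecting to
    visitors' step Ollmann calls for)."""
    return f"<title>{html.escape(title, quote=True)}</title>"


def find_injected_rows(conn):
    """Defensive sweep of stored content for already-injected markup, which
    the article notes keeps paying off for attackers until it is cleaned up."""
    hits = []
    for row_id, title in conn.execute("SELECT id, title FROM categories"):
        if INJECTED_MARKUP.search(title or ""):
            hits.append(row_id)
    return hits


if __name__ == "__main__":
    db = build_db()
    print(render_title_unsafe(lookup_title(db, 2)))   # tag break-out visible
    print(render_title(lookup_title(db, 2)))          # neutralized as text
    print("rows with injected markup:", find_injected_rows(db))
```

Run stand-alone, the first line shows how the prepended `</title>` closes the genuine title element, the second shows the same row rendered harmlessly once encoded, and the sweep lists the tampered row. Note that encoding on output does not remove the injected row; it only stops it from executing, so the detection sweep and the patching of the injection point are still needed.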
