Attacks/Breaches

9/27/2011
11:54 AM
50%
50%

MySQL Malware Hack Cost Just $3,000

Oracle-owned site was hacked with Java to automatically begin downloading Blackhole malware onto Windows PCs.

A security firm warned Monday that the website for downloading the popular MySQL open source relational database was infecting PCs via drive-by downloads.

Browsers that visited MySQL.com Monday were immediately injected with a JavaScript executable, which generated an iFrame that redirected to a website hosting the Black Hole crimeware exploit kit. "It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge," according to a blog post written by Wayne Huang, CEO of security firm Armorize, which discovered the attack. "The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection," he said.

By later on Monday, Oracle--which owns MySQL--had apparently disabled the attack.

[Are your Web-connected photocopiers, scanners, and VoIP servers compromising your enterprise security? Learn more at Corporate Espionage's New Friend: Embedded Web Servers.]

Black Hole, a copy of which can be rented for about $1,500 per year, is one of the most widely used crimeware toolkits, which are designed to automate the process of exploiting PCs and harvesting financial data. "The blackhole exploit pack supports a wide variety of exploits, so the actual exploit you get served depends on the platform you use for browsing," said Huang. "The [executable] is run by exploiting the browser with javascript / flash actionscript / PDF jscript / java exploit / etc." Furthermore, it can apparently bypass many attack mitigation technologies, including data execution prevention (DEP). "Many exploits have the ability to turn DEP off so they'd still work on Win7," he said.

Black Hole uses the Java Open Business Engine (OBE) toolkit to exploit PCs and load malicious payloads. Unfortunately, these payloads can be difficult to detect. According to security firm Websense, the crimeware's "exploits are encrypted with custom algorithms, which makes this pack difficult to analyze by [antivirus] and generic deobfuscation tools and services."

Indeed, when Armorize issued its warning about the attacks on Monday, only four out of 44 antivirus engines listed on Virus Total were detecting the drive-by attack at MySQL.com. By Tuesday, however, the number of antivirus engines that detected the attack had increased to 17.

Black Hole exploits PCs using known vulnerabilities--providing they haven't been patched--including a flaw in Windows Hardware Counter Profiling, Adobe Reader bugs, as well as numerous Java flaws. That makes the attack against MySQL.com somewhat ironic, given that Oracle owns not only MySQL, but also Java.

Interestingly, beyond Black Hole rental costs, this attack against MySQL.com--visited by an average of 40,000 people per day--may have cost just a few thousand dollars. "Late last week, I was lurking on a fairly exclusive Russian hacker forum and stumbled upon a member selling root access to mysql.com," according to security reporter Brian Krebs. "He offered to sell remote access to the first person who paid him at least USD $3,000, via the site's escrow service, which guarantees that both parties are satisfied with the transaction before releasing the funds."

This is the second time this year that the MySQL.com website has been exploited. In March, the site was compromised via a SQL injection attack, resulting in the compromise of a number of usernames and weak passwords.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12630
PUBLISHED: 2018-06-21
NEWMARK (aka New Mark) NMCMS 2.1 allows SQL Injection via the sect_id parameter to the /catalog URI.
CVE-2018-12631
PUBLISHED: 2018-06-21
Redatam7 (formerly Redatam WebServer) allows remote attackers to read arbitrary files via /redbin/rpwebutilities.exe/text?LFN=../ directory traversal.
CVE-2018-12632
PUBLISHED: 2018-06-21
Redatam7 (formerly Redatam WebServer) allows remote attackers to discover the installation path via an invalid LFN parameter to the /redbin/rpwebutilities.exe/text URI.
CVE-2018-12581
PUBLISHED: 2018-06-21
An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature.
CVE-2018-12613
PUBLISHED: 2018-06-21
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attack...