Hacktivists Continue To Own Systems Through SQL Injection

Twin headlines -- one about a LulzSec hacker indicted last week for charges of running a SQL injection attack against Sony Pictures last year, and the oter about hacktivists with Team GhostShell who used SQL injection attacks to compromise up to 1 million sensitive records -- should be a slap in the face to wake up the business world, experts warn. As this week's double helping of reality makes clear, SQL injection continues to reign as hackers' most consistently productive technique for stealing massive dumps of sensitive information within corporate databases.

In fact, according to analysis done by database security firm Imperva of breach events between 2005 and July of this year, 82 percent of lost data due to hacking was courtesy of SQL injection.

"That's a pretty clear pie chart," says Rob Rachwald, director of security for Imperva.

That activity is largely driven by the transformation of the Web into an on-demand interface vehicle to tap into all nature of databases running within the enterprise.

"When websites are data driven -- which 95 percent of websites are -- if you can trick any part of that website in any way, then you're going to have a huge potential attack surface," says Cameron Camp, security researcher for ESET. "And as companies keep interfacing more and more data with greater intensity and depth, that creates more chinks in the armor."

Over the past years, as more chinks have appeared, that opportunity for data-driven malfeasance has reshaped the way the bad guys approach their craft -- so much so that Tyler Shields of Veracode says we've experienced a paradigm shift.

"It used to be that attackers attacked systems to break in to get root-level or low-level access on the system," says Shields, a senior security researcher with Veracode Research Lab. "But that's not what monetizes their attacks, and that's not what gets them the most fame to motivate them now. What motivates them now is getting at sensitive data. And SQL injection is the quickest and most direct route to that sensitive data."

That was the route the FBI alleges 20-year-old Raynaldo Rivera chose to get at the unencrypted passwords for more than a million Sony Pictures customers in 2011. The vast majority of criminals who commit the SQL injection smash-and-grabs are never caught, but the FBI collared Rivera this week after he was indicted by a federal grand jury for hacking crimes that could get him up to 15 years in jail. The government claims that Rivera used a proxy server to mask his IP address and obtained sensitive information from Sony Pictures' databases using a SQL injection attack against its website.

While it is unclear what tools Rivera may have used to conduct his attack, experts say that hacktivists with groups like Anonymous and LulzSec have quickly adopted SQL injection tools, like Havij and SQLmap, to automate and simplify the work it takes to find and exploit injection vulnerabilities. That's likely the method used by the yet-to-be apprehended members of the hacker collective Team GhostShell used to steal information for what it claims to be 1 million personal records across dozens of sites. The group publicized its raids through Twitter and Pastebin data dumps over the weekend; according to early analysis done by Imperva, all signs point to SQLmap.

"A lot of the breached data was put into a format that is consistent with SQLmap," Rachwald says.

[ Using SQL injection to attack PDFs. See Serving Up Malicious PDFs Through SQL Injection. ]

According to Shields, the flurry of news about Team GhostShell should really bring into focus the fact that these types of attacks are hardly isolated.

"I think that people need to realize that LulzSec was not the only group out there doing this. There's tons of other groups doing this, and it's just a matter of whether they want to make themselves well-known or whether they want to remain hidden and behind the scenes," he says. "Putting the information they take online and making it available is somewhat slapping everyone in the face in an attempt to wake people up. I think that's what GhostShell was attempting to do."

That may be exactly what the doctor ordered because before organizations can start to address the problem from a technological standpoint, they first need to get into the right mindset.

"The first thing that people need to do is admit there's a SQL injection problem," Rachwald says. "Unfortunately a lot of people aren't at that stage yet."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.