Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

7/12/2017
08:57 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New SQL Injection Tool Makes Attacks Possible from a Smartphone

Recorded Future finds new hacking tool that's cheap and convenient to carry out that old standby attack, SQL injection.

Like a lingering cold, SQL injection continues to plague the enterprise with no end in sight. Researchers have found that the latest SQLi hits to some organizations have come by way of a new hacking tool that has made it easier than ever for attackers to wage these exploits: via their smartphones.

Known as "Katyusha Scanner," this previously unknown tool combines the power of the Anarchi Scanner open-source penetration testing tool with the ephemeral and encrypted communication of the cloud-based Telegram messaging service. The resulting black market product makes it possible for the bad guys to carry out wide-ranging scans and attacks against a big volume of websites directly, and conveniently, from their mobile devices, according to Recorded Future, which published details on the tool yesterday. 

The scanner shows all signs of being a royal pain in the rear for enterprises, as criminal clients are catered to with a relatively cheap price point, simple interface, frequent updates, and seemingly good customer support. Its authors display a significant amount of business savvy, offering a Pro version for $500, a light version for $250 and a SaaS model for $200 per month.

Meanwhile, customer testimonials sing the praises of the rogue tool. "One actor enthusiastically boasting about the quality of the product and an immediate success in obtaining access to eight web servers wrote in Russian: 'Excellent support! The seller has configured the software for my server, which was failing before, however, right now it flies divinely! I highly recommend the software, and it has found eight SQL vulnerabilities in half a day, great automation of the routine. Very grateful to the seller,'" writes Andrei Barysevich of Recorded Future.

SQL injection attacks have been well known in the security community for going on 20 years at this point, but the vulnerabilities that allow them to be carried out remain highly prevalent.

"SQL injection remains a critical vulnerability that effects far too many applications," says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center. "SQL injection can be blamed for a great many database breaches that cause millions of users personal records to be leaked. It’s a great favorite of attackers because of the relative ease of exploitation, but more importantly, the data that is gained when executed correctly."

He says that older found SQL injection vulnerabilities are often time-consuming to permanently fix and that untrained developers continue to add new ones to software every day.

Last month, Tripwire's Vulnerability and Exposure Team (VERT) conducted a study that showed how common it is for developers to keep piling on to the problem. It went out into the freelance Web design marketplace and engaged with a couple dozen budget developers to build a simple WordPress site. Every single one of the projects they paid for failed to protect any documents from unauthorized users and several of them made it trivial for attackers to compromise the Web server using authentication bypass server through a basic SQLi attack.

Meanwhile, attackers are well aware of the low-hanging fruit that SQLi vulnerabilities represent. Katyusha Scanner may stand out as a particularly dangerous example of attack tool authors taking their wares to the next level with loads of affordable and convenient featurs. But SQLi tools have been kicking around for a long time now, WhiteHat's O'Leary says.

"sqlmap has been a powerful tool which also happens to be free and has been available for almost 10 years now," he says. "The tools will continue to be made available since the payoff can be so lucrative for a successful exploit. We as an industry need to get better about coding secure applications in the first place. We need to train our developers on how to write secure code, including how to prevent SQL injection for good. This way we are never exposed and SQL injection can be a thing of the past." 

Related Content:

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16649
PUBLISHED: 2019-09-21
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the...
CVE-2019-16650
PUBLISHED: 2019-09-21
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the se...
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.