Application Security

7/12/2017
08:57 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

New SQL Injection Tool Makes Attacks Possible from a Smartphone

Recorded Future finds new hacking tool that's cheap and convenient to carry out that old standby attack, SQL injection.

Like a lingering cold, SQL injection continues to plague the enterprise with no end in sight. Researchers have found that the latest SQLi hits to some organizations have come by way of a new hacking tool that has made it easier than ever for attackers to wage these exploits: via their smartphones.

Known as "Katyusha Scanner," this previously unknown tool combines the power of the Anarchi Scanner open-source penetration testing tool with the ephemeral and encrypted communication of the cloud-based Telegram messaging service. The resulting black market product makes it possible for the bad guys to carry out wide-ranging scans and attacks against a big volume of websites directly, and conveniently, from their mobile devices, according to Recorded Future, which published details on the tool yesterday. 

The scanner shows all signs of being a royal pain in the rear for enterprises, as criminal clients are catered to with a relatively cheap price point, simple interface, frequent updates, and seemingly good customer support. Its authors display a significant amount of business savvy, offering a Pro version for $500, a light version for $250 and a SaaS model for $200 per month.

Meanwhile, customer testimonials sing the praises of the rogue tool. "One actor enthusiastically boasting about the quality of the product and an immediate success in obtaining access to eight web servers wrote in Russian: 'Excellent support! The seller has configured the software for my server, which was failing before, however, right now it flies divinely! I highly recommend the software, and it has found eight SQL vulnerabilities in half a day, great automation of the routine. Very grateful to the seller,'" writes Andrei Barysevich of Recorded Future.

SQL injection attacks have been well known in the security community for going on 20 years at this point, but the vulnerabilities that allow them to be carried out remain highly prevalent.

"SQL injection remains a critical vulnerability that effects far too many applications," says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center. "SQL injection can be blamed for a great many database breaches that cause millions of users personal records to be leaked. It’s a great favorite of attackers because of the relative ease of exploitation, but more importantly, the data that is gained when executed correctly."

He says that older found SQL injection vulnerabilities are often time-consuming to permanently fix and that untrained developers continue to add new ones to software every day.

Last month, Tripwire's Vulnerability and Exposure Team (VERT) conducted a study that showed how common it is for developers to keep piling on to the problem. It went out into the freelance Web design marketplace and engaged with a couple dozen budget developers to build a simple WordPress site. Every single one of the projects they paid for failed to protect any documents from unauthorized users and several of them made it trivial for attackers to compromise the Web server using authentication bypass server through a basic SQLi attack.

Meanwhile, attackers are well aware of the low-hanging fruit that SQLi vulnerabilities represent. Katyusha Scanner may stand out as a particularly dangerous example of attack tool authors taking their wares to the next level with loads of affordable and convenient featurs. But SQLi tools have been kicking around for a long time now, WhiteHat's O'Leary says.

"sqlmap has been a powerful tool which also happens to be free and has been available for almost 10 years now," he says. "The tools will continue to be made available since the payoff can be so lucrative for a successful exploit. We as an industry need to get better about coding secure applications in the first place. We need to train our developers on how to write secure code, including how to prevent SQL injection for good. This way we are never exposed and SQL injection can be a thing of the past." 

Related Content:

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Compliance and Risk Management Officer, AvePoint, Inc,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15601
PUBLISHED: 2018-08-21
apps/filemanager/handlers/upload/drop.php in Elefant CMS 2.0.3 performs a urldecode step too late in the "Cannot upload executable files" protection mechanism.
CVE-2018-15603
PUBLISHED: 2018-08-21
An issue was discovered in Victor CMS through 2018-05-10. There is XSS via the Author field of the "Leave a Comment" screen.
CVE-2018-15598
PUBLISHED: 2018-08-21
Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.
CVE-2018-15599
PUBLISHED: 2018-08-21
The recv_msg_userauth_request function in svr-auth.c in Dropbear through 2018.76 is prone to a user enumeration vulnerability because username validity affects how fields in SSH_MSG_USERAUTH messages are handled, a similar issue to CVE-2018-15473 in an unrelated codebase.
CVE-2018-0501
PUBLISHED: 2018-08-21
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.