Application Security

7/12/2017
08:57 AM
New SQL Injection Tool Makes Attacks Possible from a Smartphone

Recorded Future finds a new hacking tool that makes it cheap and convenient to carry out that old standby attack, SQL injection.

Like a lingering cold, SQL injection continues to plague the enterprise with no end in sight. Researchers have found that the latest SQLi hits to some organizations have come by way of a new hacking tool that has made it easier than ever for attackers to wage these exploits: via their smartphones.

Known as "Katyusha Scanner," this previously unknown tool combines the power of the Arachni Scanner open-source penetration testing tool with the ephemeral and encrypted communication of the cloud-based Telegram messaging service. The resulting black market product makes it possible for the bad guys to carry out wide-ranging scans and attacks against a large volume of websites directly, and conveniently, from their mobile devices, according to Recorded Future, which published details on the tool yesterday.

The scanner shows all signs of being a royal pain in the rear for enterprises, as criminal clients are catered to with a relatively cheap price point, simple interface, frequent updates, and seemingly good customer support. Its authors display a significant amount of business savvy, offering a Pro version for $500, a light version for $250 and a SaaS model for $200 per month.

Meanwhile, customer testimonials sing the praises of the rogue tool. "One actor enthusiastically boasting about the quality of the product and an immediate success in obtaining access to eight web servers wrote in Russian: 'Excellent support! The seller has configured the software for my server, which was failing before, however, right now it flies divinely! I highly recommend the software, and it has found eight SQL vulnerabilities in half a day, great automation of the routine. Very grateful to the seller,'" writes Andrei Barysevich of Recorded Future.

SQL injection attacks have been well known in the security community for going on 20 years at this point, but the vulnerabilities that allow them to be carried out remain highly prevalent.

"SQL injection remains a critical vulnerability that affects far too many applications," says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center. "SQL injection can be blamed for a great many database breaches that cause millions of users' personal records to be leaked. It’s a great favorite of attackers because of the relative ease of exploitation, but more importantly, the data that is gained when executed correctly."

He says that older SQL injection vulnerabilities that have already been found are often time-consuming to fix permanently, and that untrained developers continue to add new ones to software every day.

Last month, Tripwire's Vulnerability and Exposure Team (VERT) conducted a study that showed how common it is for developers to keep piling on to the problem. It went out into the freelance Web design marketplace and engaged with a couple dozen budget developers to build a simple WordPress site. Every single one of the projects they paid for failed to protect any documents from unauthorized users, and several of them made it trivial for attackers to compromise the Web server using authentication bypass through a basic SQLi attack.

Meanwhile, attackers are well aware of the low-hanging fruit that SQLi vulnerabilities represent. Katyusha Scanner may stand out as a particularly dangerous example of attack tool authors taking their wares to the next level with loads of affordable and convenient features. But SQLi tools have been kicking around for a long time now, WhiteHat's O'Leary says.

"sqlmap has been a powerful tool which also happens to be free and has been available for almost 10 years now," he says. "The tools will continue to be made available since the payoff can be so lucrative for a successful exploit. We as an industry need to get better about coding secure applications in the first place. We need to train our developers on how to write secure code, including how to prevent SQL injection for good. This way we are never exposed and SQL injection can be a thing of the past." 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
