Application Security

7/12/2017
08:57 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

New SQL Injection Tool Makes Attacks Possible from a Smartphone

Recorded Future finds new hacking tool that's cheap and convenient to carry out that old standby attack, SQL injection.

Like a lingering cold, SQL injection continues to plague the enterprise with no end in sight. Researchers have found that the latest SQLi hits to some organizations have come by way of a new hacking tool that has made it easier than ever for attackers to wage these exploits: via their smartphones.

Known as "Katyusha Scanner," this previously unknown tool combines the power of the Anarchi Scanner open-source penetration testing tool with the ephemeral and encrypted communication of the cloud-based Telegram messaging service. The resulting black market product makes it possible for the bad guys to carry out wide-ranging scans and attacks against a big volume of websites directly, and conveniently, from their mobile devices, according to Recorded Future, which published details on the tool yesterday. 

The scanner shows all signs of being a royal pain in the rear for enterprises, as criminal clients are catered to with a relatively cheap price point, simple interface, frequent updates, and seemingly good customer support. Its authors display a significant amount of business savvy, offering a Pro version for $500, a light version for $250 and a SaaS model for $200 per month.

Meanwhile, customer testimonials sing the praises of the rogue tool. "One actor enthusiastically boasting about the quality of the product and an immediate success in obtaining access to eight web servers wrote in Russian: 'Excellent support! The seller has configured the software for my server, which was failing before, however, right now it flies divinely! I highly recommend the software, and it has found eight SQL vulnerabilities in half a day, great automation of the routine. Very grateful to the seller,'" writes Andrei Barysevich of Recorded Future.

SQL injection attacks have been well known in the security community for going on 20 years at this point, but the vulnerabilities that allow them to be carried out remain highly prevalent.

"SQL injection remains a critical vulnerability that effects far too many applications," says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center. "SQL injection can be blamed for a great many database breaches that cause millions of users personal records to be leaked. It’s a great favorite of attackers because of the relative ease of exploitation, but more importantly, the data that is gained when executed correctly."

He says that older found SQL injection vulnerabilities are often time-consuming to permanently fix and that untrained developers continue to add new ones to software every day.

Last month, Tripwire's Vulnerability and Exposure Team (VERT) conducted a study that showed how common it is for developers to keep piling on to the problem. It went out into the freelance Web design marketplace and engaged with a couple dozen budget developers to build a simple WordPress site. Every single one of the projects they paid for failed to protect any documents from unauthorized users and several of them made it trivial for attackers to compromise the Web server using authentication bypass server through a basic SQLi attack.

Meanwhile, attackers are well aware of the low-hanging fruit that SQLi vulnerabilities represent. Katyusha Scanner may stand out as a particularly dangerous example of attack tool authors taking their wares to the next level with loads of affordable and convenient featurs. But SQLi tools have been kicking around for a long time now, WhiteHat's O'Leary says.

"sqlmap has been a powerful tool which also happens to be free and has been available for almost 10 years now," he says. "The tools will continue to be made available since the payoff can be so lucrative for a successful exploit. We as an industry need to get better about coding secure applications in the first place. We need to train our developers on how to write secure code, including how to prevent SQL injection for good. This way we are never exposed and SQL injection can be a thing of the past." 

Related Content:

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17182
PUBLISHED: 2018-09-19
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations...
CVE-2018-17144
PUBLISHED: 2018-09-19
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...