Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:35 PM
Connect Directly

SQL Server Database Hack Tricks Forensics

Black Hat researcher will show how the bad guys can use a database's own features against it

A database security researcher will demonstrate at next month's Black Hat DC how an attacker who breaks into a SQL Server database can cover his tracks using antiforensics techniques.

Cesar Cerrudo, lead researcher for Application Security's Team SHATTER, and founder and CEO of Argeniss, says he will show a proof-of-concept that circumvents forensics investigations by abusing some inherent features in the database. "If the attacker has done a good job of removing his tracks, then it becomes pretty difficult to determine what was done, how it was done, why, and by whom," Cerrudo says.

So far, Cerrudo says he hasn't seen any database attacks that have gone to the next level like this yet. "But as criminal hacking is rapidly growing, and databases are where the juicy stuff is saved, in the future we will start to see more and more sophisticated attacks," he says, especially since many big breaches are the result of database hacks.

And in the current economic climate, the risk of an insider attack is even higher. The financial pressures of a possible layoff or otherwise could entice a database operator to go rogue. "The main point of this research is that if you don't properly protect database servers, soon or later you will get hacked and probably lose millions of dollars," he says.

Although Cerrudo's research focuses on SQL Server, any database could be hacked and manipulated with antiforensics, he says. Among the database features that the bad guys can use for nefarious purposes are the ability to load external libraries or binary code, which can manipulate the server itself. Buffer overflow attacks are another way to do so as well, according to Cerrudo.

All it takes is for an attacker to gain database administrative privileges -- which is not difficult if the database isn't locked down properly -- by exploiting a vulnerability in the database or stealing the credentials via a Trojan or brute-force hacking, for instance.

"Once you have enough privileges, you can do anything on any database server. This includes loading code to database server memory, [and] then this code can manipulate all functionality and let the attacker perform any actions" on the database he wants, Cerrudo says.

If the database hack using antiforensics is detected, some of the damage can be discovered by forensics, such as stolen data or changes made to the data stored in the database, for instance. But how it was hacked or who did it would remain a mystery, he says.

An attacker who infiltrates a database can even frame another person for the attack using antiforensics techniques. "One of the scary things about these antiforensics techniques is that the attacker can point investigators in the wrong way by making it look like another person performed the attack," Cerrudo says.

The attacker could leave behind phony tracks that incriminate the victim organization's database administrator so that when the forensics investigators do their work, all evidence leads to the database admin rather than the real culprit. "Without logs or [with] confusing logs, investigation becomes harder, the evidence is not enough, and in order to find the real culprit you must find real evidence that points to him," Cerrudo days.

How can an organization protect itself from such an attack? "Nowadays, using a third-party monitoring mechanism should be a must since built-in security mechanisms can't protect [the database] once the attacker has enough permissions," he says.

Cerrudo also recommends regular database patching, strong passwords, and periodic database vulnerability scans.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-19
The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.
PUBLISHED: 2020-02-19
The STARTTLS implementation in MailMarshal before 7.2 allows plaintext command injection.
PUBLISHED: 2020-02-19
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
PUBLISHED: 2020-02-19
Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value.
PUBLISHED: 2020-02-19
Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).