Hacktivists Continue To Own Systems Through SQL Injection

Published: 22/11/2024   Category: security




LulzSec indictment and GhostShell attacks bring the spotlight back onto black hats' favorite data theft technique



Twin headlines -- one about a LulzSec hacker indicted last week for charges of running a SQL injection attack against Sony Pictures last year, and the other about hacktivists with Team GhostShell who used SQL injection attacks to compromise up to 1 million sensitive records -- should be a slap in the face to wake up the business world, experts warn. As this week's double helping of reality makes clear, SQL injection continues to reign as hackers' most consistently productive technique for stealing massive dumps of sensitive information within corporate databases.
In fact, according to analysis done by database security firm Imperva of breach events between 2005 and July of this year, 82 percent of lost data due to hacking was courtesy of SQL injection.
"That's a pretty clear pie chart," says Rob Rachwald, director of security for Imperva.
That activity is largely driven by the transformation of the Web into an on-demand interface vehicle to tap into all nature of databases running within the enterprise.
"When websites are data driven -- which 95 percent of websites are -- if you can trick any part of that website in any way, then you're going to have a huge potential attack surface," says Cameron Camp, security researcher for ESET. "And as companies keep interfacing more and more data with greater intensity and depth, that creates more chinks in the armor."
Over the past years, as more chinks have appeared, that opportunity for data-driven malfeasance has reshaped the way the bad guys approach their craft -- so much so that Tyler Shields of Veracode says we've experienced a paradigm shift.
"It used to be that attackers attacked systems to break in to get root-level or low-level access on the system," says Shields, a senior security researcher with Veracode Research Lab. "But that's not what monetizes their attacks, and that's not what gets them the most fame to motivate them now. What motivates them now is getting at sensitive data. And SQL injection is the quickest and most direct route to that sensitive data."
That was the route the FBI alleges 20-year-old Raynaldo Rivera chose to get at the unencrypted passwords for more than a million Sony Pictures customers in 2011. The vast majority of criminals who commit the SQL injection smash-and-grabs are never caught, but the FBI collared Rivera this week after he was indicted by a federal grand jury for hacking crimes that could get him up to 15 years in jail. The government claims that Rivera used a proxy server to mask his IP address and obtained sensitive information from Sony Pictures databases using a SQL injection attack against its website.
While it is unclear what tools Rivera may have used to conduct his attack, experts say that hacktivists with groups like Anonymous and LulzSec have quickly adopted SQL injection tools, like Havij and SQLmap, to automate and simplify the work it takes to find and exploit injection vulnerabilities. That's likely the method the yet-to-be-apprehended members of the hacker collective Team GhostShell used to steal information for what it claims to be 1 million personal records across dozens of sites. The group publicized its raids through Twitter and Pastebin data dumps over the weekend; according to early analysis done by Imperva, all signs point to SQLmap.
"A lot of the breached data was put into a format that is consistent with SQLmap," Rachwald says.
According to Shields, the flurry of news about Team GhostShell should really bring into focus the fact that these types of attacks are hardly isolated.
"I think that people need to realize that LulzSec was not the only group out there doing this. There's tons of other groups doing this, and it's just a matter of whether they want to make themselves well-known or whether they want to remain hidden and behind the scenes," he says. "Putting the information they take online and making it available is somewhat slapping everyone in the face in an attempt to wake people up. I think that's what GhostShell was attempting to do."
That may be exactly what the doctor ordered because before organizations can start to address the problem from a technological standpoint, they first need to get into the right mindset.
"The first thing that people need to do is admit there's a SQL injection problem," Rachwald says. "Unfortunately a lot of people aren't at that stage yet."