Mass SQL Injections Spike Again

Published: 22/11/2024   Category: security




Experts warn orgs to keep up with patches and sanitize input to mitigate risks



Security researchers have reported spikes in mass SQL injection attacks of late that take advantage of very common vulnerabilities in the way that Web applications interact with back-end databases. Particularly targeting ASP, ASP.Net, and MS-SQL sites, these mass SQL injection campaigns have been linked to black hat efforts to redirect victims to browser exploit kits like Blackhole or Phoenix.
"There's been a growing increase on the mass SQL injections side mainly because there is business to be had and money to be made in that area," says Gunter Ollmann, vice president of research for Damballa. "There are a growing number of professional hackers and crime groups that specialize in quick and rapid identification of websites that are vulnerable to SQL injection, and they monetize that by injecting malicious code, normally as part of the pay-per-install or the iFrame injection-type business."
Unlike traditional SQL injections, which are generally manual attacks seeking to extract data from commerce sites, mass SQL injection attacks are automated, quick-and-dirty attacks that drop malicious code onto the website.
"Really what this is is a cross-site scripting attack," says Ryan Barnett, senior security researcher for Trustwave SpiderLabs, "just using SQL injection on the front end to inject in JavaScript code that results in sending regular users to a Web page that's dynamically created based on different database components, pulling in malicious JavaScript into the browser that redirects to a malware site."
The mass SQL injection model has been prevalent since 2008, with a considerable uptick last spring during the LizaMoon attacks. According to the recent Zscaler ThreatLabz Q1 State of the Web Report, researchers with ThreatLabz noted a spike in LizaMoon activity back in March.
"A year later, we are still seeing this campaign under way, with various peaks and valleys as the attack adapts over time. We noticed that activity picked back up again in March 2012," the report says.
According to Barnett, the attacks in recent months have a similar M.O., with a slight tweak in the SQL used to conduct the attack.
"They're not doing exactly the same kind of script that they did before," Barnett says. "They are picking different category names, which is often used for these databases, such as the category title, content title, and home page title. So they're targeting title HTML tags when you're dynamically creating those sites. It is kind of sneaky, but they're prepending a closing title HTML tag, so when it gets into the browser, it will cleanly close the title content that was already there and inject in behind to execute that JavaScript."
In April, researchers with F-Secure and Sucuri Security, among others, had brought attention to these attacks, which at that time redirected to the Nikjju.com domain. According to Barnett, malicious activity continues on the back of already injected code, but the domains end users are redirected to remain in flux.
"The infrastructure of what we're highlighting here is in place, the bad guys are using it -- the difference is that all those domains they're sending them to, those are transient and change almost daily," he says. "As we put in IP reputation, domain blacklisting, and all of those things, then people can't get to those sites, so they have to constantly keep moving. But the infrastructure of exploiting the website and injecting this code, they just keep reusing that until people upgrade their systems."
That brings us to the mitigation efforts for these attacks.
"One is, first and foremost, they have to stay on top of patching processes. That means knowing what applications you're running on your servers," Ollmann says. "And secondly, you need to ensure that your custom applications are designed in a way that even if there is a vulnerability in these back-end systems, that the content is still sanitized and is not projected to visitors of the website."
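The two layers Ollmann and Barnett describe, parameterised database access and output encoding of stored title fields, are shown below in an added Python example that is not part of the original article. The table, column names, sample rows and the `malicious.example` domain are constructed for illustration; the second row carries the kind of content the campaign writes into title columns, a closing title tag followed by a script tag.

```python
import html
import re
import sqlite3

# Constructed sample rows modelled on the content/category title columns the
# article says the campaign targets. Row 2 mimics already-injected content.
SAMPLE_ROWS = [
    ("Spring sale", "Home"),
    ('Spring sale</title><script src="http://malicious.example/x.js"></script>', "Home"),
]

# Signature of the pattern described in the article: a closing <title> tag
# followed by a script tag, stored inside a title column.
INJECTED_TAG = re.compile(r"</title\s*>\s*<script", re.IGNORECASE)


def setup_db():
    """In-memory table standing in for a CMS content table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, "
                 "content_title TEXT, category_title TEXT)")
    conn.executemany("INSERT INTO pages (content_title, category_title) VALUES (?, ?)",
                     SAMPLE_ROWS)
    return conn


def lookup_page(conn, page_id):
    """Parameterised read: the caller's value is bound, never spliced into SQL text."""
    row = conn.execute("SELECT content_title FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None


def render_title_unsafe(title):
    """The pattern the article warns about: database content dropped straight into HTML."""
    return f"<title>{title}</title>"


def render_title_safe(title):
    """Output encoding: stored content can no longer close <title> or open <script>."""
    return f"<title>{html.escape(title, quote=True)}</title>"


def find_injected_rows(conn):
    """Defender's check: ids of rows whose title columns already carry the injected tag."""
    hits = []
    for row in conn.execute("SELECT id, content_title, category_title FROM pages"):
        if any(INJECTED_TAG.search(col or "") for col in row[1:]):
            hits.append(row[0])
    return hits
```

Encoding at render time is what keeps a page safe once the database has already been written to; the parameterised query is what stops the write in the first place, and the row scan tells you whether you are already carrying injected content.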
