Vendor Attacks Highlight SQL Injection Run
SQL injection isn't anything new, but it's still a big enough issue that hackers have been using the time-honored technique to assail some fairly high-profile sites of late, and lots of them, including that of AV vendor Kaspersky only just today.
And, according to IBM, SQL injection attacks leapt by an astonishing 30x over the final six months of 2008, resulting in an astonishing 50 percent increase in the overall volume of malware-laden URLs on the Web. A 50 percent jump in malware sites is jaw-dropping enough alone, considering how many there already were, but to think that it was driven by a single form of attack is pretty telling.
What the message seems to be is that sophisticated attackers have moved their assets heavily back into SQL injection, and/or there's likely at least one popular new malware authoring toolkit in circulation that is accelerating the reported proliferation, if not more.
Experts have been predicting for a good few years that shoddy Web application and site development was going to result in an epidemic of these types of attacks, even though they've been publicized for a number of years. Well, it appears that we've arrived.
Another important distinction is that while SQL injection attacks have always been notorious in relation to data theft, many of today's campaigns are also aimed as much at helping attackers find new redirection points for their other enterprises.
Kaspersky claims that it wasn't breached in the most recent attacks, for one. The monster just keeps feeding itself it would seem, though the attacks against security providers do seem pretty pointed, as other vendors reported similar activity.
Paul Henry, a security and forensic analyst for security specialist Lumension, offered up a number of interesting observations about the ongoing SQL injection hacks in a blog posted to the company's site.
"It's important to consider that SQL injection attacks today have evolved to become the preferred method used by hackers to breach popular websites and insert malware or redirect users to malware-laden websites," Henry said.
The expert contends that attackers were also likely hoping to trick end users who would trust downloads from security sites, in addition to trying to embarrass the involved vendors.
However, Henry also noted that breaching a software vendor's network "may very well be the ultimate prize for a mischievous hacker... the possibilities offer a rewarding bounty," including the ability to compromise the involved company's intellectual property.
Among the recommended security measures the analyst said organizations must consider were for them to:
-Limit the ability of unauthenticated/casual users from having any access to backend databases, while separating and fully isolating Web content from product and client data.
-Restrict both the authority the malicious hacker can obtain, and reduce their ability to exculpate privilege by taking advantage of underlying application vulnerabilities.
-Employ application control whitelisting on Internet facing Web servers to prevent a hacker that has gained unauthorized access from downloading and executing any unauthorized applications.
And end users must of course do a far better job of sizing up potential malware sites and managing their browser security settings if the SQL injection malware site epidemic is going to fade anytime soon.
Because right now, SQL = WAR.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.