A Russian cyber-criminal group compromised more than 400,000 servers and Websites using a common class of software flaw, known as a SQL injection vulnerability, to steal more than 1.2 billion usernames and passwords, according to Hold Security, which found the cache of credentials online.
The group, dubbed “CyberVors” by the security firm, initially bought a database of stolen credentials and used that to broadly attack other users via phishing, but had only moderate success. They changed tactics earlier this year, using a rented botnet to search out vulnerable servers and use SQL injection attacks to compromise the systems, Alex Holden, principal consultant with Hold Security, said in a blog post.
“The CyberVors did not differentiate between small or large sites,” Holden said. “They didn’t just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”
The attack underscores that many Web sites and servers continue to have poor security and that passwords reuse continue to be a danger, since a credential stolen from one service can be used at other services and even to access corporate networks, if the employee reuses their password and email address.
“Credentials are highly valuable to hackers since they are the new ‘skeleton keys’ for personal and work accounts,” Eric Chiu, president and co-founder of cloud-security firm HyTrust, said in a statement sent to eWEEK. “Hackers are leveraging social engineering, phishing, and other APTs to steal these credentials which they can use to access bank accounts or steal identities.”
Security researchers scanning cyber-criminal forums and rifling through underground servers have increasingly been a source of breach information. Hold Security worked with journalist and security researcher Brian Krebs to discover a major breach in Adobe Systems that resulted in the leak of source code for at least three products and the credentials of more than 38 million users.
In March, the firm stated that it had found 360 million compromised login credentials. It is unclear whether those credentials are included in the latest count, but an independent researcher confirmed the latest haul, according to a report in The New York Times.
“This is an excellent example of how the hackers worked together, pooled resources, and bought (and) sold information to create a massive repository of data,” Jon Heimerl, senior security strategist for managed-security firm Solutionary, said in a statement sent to eWEEK.
“The data was not all gathered from the same group or via the same methods, but by repeated attempts to infiltrate systems in a systematic manner—scan, check, repeat. The data was ultimately the result of hundreds, and thousands of attacks spread across years,” Heimerl wrote.