A hacker tied to the November 2016 penetration of the US Election Assistance Commission and subsequent database sale has successfully targeted 60+ government agencies and universities by leveraging the same attack method: SQL injection.
According to a report by Recorded Future, whose researchers scour the dark web for threat intelligence, the hacker uses a proprietary SQLi tool to gain access to the targets’ databases and then sells access to them to other cyber crooks.
The firm has dubbed the Russian-speaking hacker “Rasputin”, and has been following his exploits for a while now.
Among his latest targets were:
- Two dozen US universities (including Virginia Tech, Cornell University, the Rochester Institute of Technology, and Purdue University),
- Ten UK universities (Cambridge, Oxford, Edinburgh – among others), and
- A wide variety of US government institutions at the city, state, and federal level (including the Oklahoma State Department of Education, the District of Columbia Office of the Chief Financial Officer, and the US Department of Housing and Urban Development).
“North American and Western European databases contain information on customers or users that are historically valued at a premium in the underground economy. Buyer demand typically centers on access to American, Canadian, or UK database access,” Levi Gundert, the company’s VP of Threat Intelligence, pointed out.
“Financial profits motivate actors like Rasputin, who have technical skills to create their own tools to outperform the competition in both identifying and exploiting vulnerable databases.”
All of the aforementioned institutions have been notified of the situation, and have hopefully moved to block unauthorized access to their assets.
As Gundert noted, both the problem (SQLi vulnerabilities) and the solution (implementing coding best practices, such as parameterized queries) are well understood. But the solution may require expensive projects to improve or replace vulnerable systems, and companies and organizations often don’t have the money, or are loath to spend it, on fixing that particular issue.
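To make the “coding best practice” concrete, here is an added illustration (not code from the article, Recorded Future, or any of the named institutions) of the defect class Rasputin exploits and its fix: the same lookup written with string concatenation and with a parameterized query, run against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed sample data standing in for the kind of user database the
# article describes; names and addresses are invented.
SAMPLE_USERS = [("alice", "alice@example.edu"), ("bob", "bob@example.edu")]


def _connect():
    """Build a throwaway in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(name):
    """Query built by concatenation: user input is parsed as SQL syntax."""
    conn = _connect()
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    rows = conn.execute(sql).fetchall()
    conn.close()
    return rows


def lookup_safe(name):
    """Parameterized query: the driver binds the value, so it is never
    interpreted as SQL no matter what characters it contains."""
    conn = _connect()
    rows = conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    # Constructed probe input that closes the quoted literal in the vulnerable query.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(probe))  # returns every row
    print("safe:      ", lookup_safe(probe))        # returns no rows
```

Auditing for the vulnerable pattern (query strings assembled with `+` or formatting from request data) is the check Gundert is calling for; the parameterized form is the fix.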
“Until organizations have an incentive (carrots or sticks) to properly audit internal and vendor code before production use, this problem will continue into the foreseeable future,” he says.
“Raising awareness among developers is worthwhile and OWASP continues to perform a valuable community service through education, but eradicating SQLi vulnerabilities will likely require stiff penalties for inaction.”
His idea of a carrot is “an opt-in program for partial corporate tax abatement” for those companies that employ regular code audits and other best practices. And for those who respond more to the stick, fines and/or loss from lawsuits might do the trick.