February 15, 2017 • Levi Gundert
Update: February 16, 2017 at 8:33 PM
Recorded Future is committed to responsible disclosure and transparency between security researchers and affected organizations.
In December 2016, Recorded Future researchers first discovered the criminal activity targeting government organizations. On December 22, 2016, Recorded Future began notifying state agencies that could have been impacted. On December 28, 2016, Recorded Future engaged with the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), and on January 5, 2017 with the Multi-State Information Sharing and Analysis Center (MS-ISAC) to facilitate the notification of all affected government targets.
When subsequent university targets were discovered, due to the volume of organizations affected, Recorded Future notified the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) on February 7, 2017 to coordinate notifications.
As a private vendor, Recorded Future relies on law enforcement and information sharing organizations to disseminate threat intelligence and to engage with targeted organizations.
Recorded Future was recently informed that unfortunately not all organizations may have received their respective notifications prior to the publication of this blog post. If you are one of the named organizations requesting additional information around your specific SQL injection (SQLi) details, please email media [at] recordedfuture [dot] com. Details for each case are provided to individual targets upon request; however, these details are not included in Recorded Future’s public report to safeguard the security of each organization.
It is important to note that this research was focused on the sale of unauthorized access and not actual exfiltration or publication of any private data. To eliminate confusion around the impact, the title of this blog post has been changed from “Russian-Speaking Hacker Breaches Over 60 Universities and Government Agencies” to “Russian-Speaking Hacker Sells SQLi for Unauthorized Access to Over 60 Universities and Government Agencies.”
In December 2016, Recorded Future collaborated with law enforcement on the U.S. Election Assistance Commission (EAC) hack and subsequent database sale — committed by an actor Recorded Future named Rasputin.
The EAC database breach was the result of SQL Injection (SQLi), an attack that is technically easy, but expensive to defend. Recorded Future continues to monitor Rasputin’s campaigns, which are now sequentially targeting specific industry verticals. These are intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).
Rasputin’s latest victims include the following U.S. government and international universities. Recorded Future notified all of the below organizations with relevant breach details.
Victim lists (tables in the original post): U.S. University Victims; UK University Victims; U.S. Government Victims (Cities); U.S. Government Victims (States).
SQL injection has been around since databases first appeared on the internet. When a user is allowed to interact directly with a database, through an application in a web browser, without checking or sanitizing the input before the database executes the instruction(s), a SQL injection vulnerability exists.
Opportunistic threat actors don’t need any specific technical knowledge or skill to find vulnerable websites. Free tools — like Havij, Ashiyane SQL Scanner, SQL Exploiter Pro, SQLI Hunter, SQL Inject Me, SQLmap, SQLSentinel, SQLninja, etc. — automate the identification and exploitation of vulnerable websites and associated databases through “point and click” menus.
These SQLi scanners help security teams find SQL flaws, but they also help adversaries find the same flaws.
Rasputin is an outlier in that he’s allegedly using a proprietary SQLi tool that he developed himself. Financial profits motivate actors like Rasputin, who have the technical skills to create their own tools and outperform the competition in both identifying and exploiting vulnerable databases. North American and Western European databases contain information on customers or users that has historically been valued at a premium in the underground economy. Buyer demand typically centers on access to American, Canadian, or UK databases.
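The scanner traffic described above leaves traces in ordinary web-server logs. As an added example (not code from the original post or from Recorded Future), the following flags access-log lines whose decoded query string carries SQL metacharacters or whose User-Agent identifies a known scanner; the log lines, hosts and paths are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Feb/2017:10:01:02 +0000] "GET /students.php?id=42 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Feb/2017:10:01:03 +0000] "GET /students.php?id=42%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Feb/2017:10:01:04 +0000] "GET /students.php?id=42%20AND%201%3D1 HTTP/1.1" 200 812 "-" "sqlmap/1.0 (http://sqlmap.org)"
198.51.100.9 - - [15/Feb/2017:10:02:00 +0000] "GET /news.php?page=2 HTTP/1.1" 200 4033 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Patterns in a decoded query string that rarely occur in legitimate parameter values.
PAYLOAD_RE = re.compile(
    r"('|\"|--|/\*|\bunion\b.*\bselect\b|\b(and|or)\b\s+[\w']+\s*=\s*[\w']+)", re.I
)
# sqlmap's default User-Agent starts with "sqlmap/"; the constructed line imitates that.
SCANNER_UA_RE = re.compile(r"sqlmap", re.I)


def flag_line(line):
    """Return (ip, path, reasons) for a suspicious line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    reasons = []
    query = m.group("path").partition("?")[2]
    if query and PAYLOAD_RE.search(unquote_plus(query)):
        reasons.append("sql-metachar-in-query")
    if SCANNER_UA_RE.search(m.group("ua")):
        reasons.append("scanner-user-agent")
    # A 500 right after a quote probe often means the query broke: the classic SQLi tell.
    if m.group("status") == "500" and reasons:
        reasons.append("server-error-after-probe")
    return (m.group("ip"), m.group("path"), reasons) if reasons else None


def scan_log(text):
    return [hit for hit in (flag_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A bare apostrophe also matches legitimate values such as O'Brien, so treat a single hit as triage material and correlate hits by source address and time before escalating.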
A recent example of a SQLi scanner’s results appeared at pastebin.com/Qzjs8iKt (recently deleted, but always available in Recorded Future). Here’s a sample of the file (select details redacted to protect potentially uninformed victims):
Amazingly, SQLi vulnerabilities are simple to prevent through coding best practices. Over 15 years of high-profile data breaches have done little to prevent poorly programmed web applications and/or third-party software from being used by government, enterprises, and academia. Some of the most publicized data breaches were the result of SQLi, including those at large corporations like Heartland Payment Systems, HBGary Federal, Yahoo!, LinkedIn, etc.
The evidence suggests economics play a causal role in this troubling trend. The problem and solution are well understood, but solutions may require expensive projects to improve or replace vulnerable systems. These projects are often postponed until time and/or budget is available, by which point it’s too late to prevent SQLi victimization.
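The vulnerability defined earlier and the coding practice that prevents it, side by side, as an added example (not code from the original post or from Recorded Future): the injectable pattern pastes user input into the SQL text, while the hardened version binds the value as a parameter and allowlists the one thing parameters cannot cover, an identifier used in ORDER BY. The SQLite table and its rows are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a user directory; not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.edu"),
        (2, "bob", "bob@example.edu"),
        (3, "carol", "carol@example.edu"),
    ])
    return conn


def lookup_vulnerable(conn, username):
    # The injectable pattern: input is concatenated into the statement, so the
    # database cannot tell where the data ends and the instructions begin.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


ALLOWED_SORT = {"id", "username"}


def lookup_hardened(conn, username, sort_by="id"):
    # Bound parameter: the driver passes the value separately from the SQL text,
    # so whatever the string contains is matched as a username, never executed.
    # Identifiers cannot be bound, so the sort column is checked against an allowlist.
    if sort_by not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    sql = f"SELECT id, username FROM users WHERE username = ? ORDER BY {sort_by}"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    probe = "nobody' OR '1'='1"   # the textbook test value a scanner would try
    print(lookup_vulnerable(conn, probe))  # every row: the quote closed the literal early
    print(lookup_hardened(conn, probe))    # []: no user is literally named that
```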
Until organizations have an incentive (carrots or sticks) to properly audit internal and vendor code before production use, this problem will continue into the foreseeable future.
Raising awareness among developers is worthwhile and OWASP continues to perform a valuable community service through education, but eradicating SQLi vulnerabilities will likely require stiff penalties for inaction. An opt-in program for partial corporate tax abatement could be a starting point. Program participation should require quarterly code audits by an approved vendor. Robust governance, risk, and compliance (GRC) programs (e.g., financial services companies) already mandate periodic code reviews, but all verticals need some type of incentive regardless of specific industry regulations. Unfortunately, government fines and/or loss from lawsuits may be the only incentives to prioritize code audits.
Cyber criminals continue to find, exploit, and sell access to vulnerable databases, targeting web applications by industry vertical, as demonstrated by Rasputin’s latest victims. Even the most prestigious universities and U.S. government agencies are not immune to SQLi vulnerabilities.
This well-established problem, easy though often costly to remediate, continues to vex public and private sector organizations. Economics must be addressed to fully eradicate this issue. Despite the government’s penchant for employing sticks to modify behavior, perhaps it’s time to offer financial carrots as well.