Russian-Speaking Hacker Sells SQLi for Unauthorized Access to Over 60 Universities and Government Agencies
February 15, 2017 • Levi Gundert
Update: February 16, 2017 at 8:33 PM
Recorded Future is committed to responsible disclosure and transparency between security researchers and affected organizations.
In December 2016, Recorded Future researchers first discovered the criminal activity targeting government organizations. On December 22, 2016, Recorded Future began notifying state agencies that could have been impacted. On December 28, 2016, Recorded Future engaged with the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), and on January 5, 2017 with the Multi-State Information Sharing and Analysis Center (MS-ISAC) to facilitate the notification of all affected government targets.
When subsequent university targets were discovered, due to the volume of organizations affected, Recorded Future notified the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) on February 7, 2017 to coordinate notifications.
As a private vendor, Recorded Future relies on law enforcement and information sharing organizations to disseminate threat intelligence and to engage with targeted organizations.
Recorded Future was recently informed that unfortunately not all organizations may have received their respective notifications prior to the publication of this blog post. If you are one of the named organizations requesting additional information around your specific SQL injection (SQLi) details, please email media [at] recordedfuture [dot] com. Details for each case are provided to individual targets upon request, however these details are not included in Recorded Future’s public report to safeguard the security of each organization.
It is important to note that this research was focused on the sale of unauthorized access and not actual exfiltration or publication of any private data. To eliminate confusion around the impact, the title of this blog post has been changed from “Russian-Speaking Hacker Breaches Over 60 Universities and Government Agencies” to “Russian-Speaking Hacker Sells SQLi for Unauthorized Access to Over 60 Universities and Government Agencies.”
- Rasputin’s latest victims include over 60 (combined total) prominent universities and federal, state, and local U.S. government agencies.
- Rasputin, a Russian-speaking and notorious financially-motivated cyber criminal, continues to locate and exploit vulnerable web applications via a proprietary SQL injection (SQLi) tool.
- In November 2016, Rasputin penetrated the U.S. Election Assistance Commission (EAC) via SQLi.
- 15 plus years of SQLi attacks, and going strong; this prolific vulnerability remains one of the most popular exploits for opportunistic actors due to its ongoing success rate.
- Economic incentives are required to change the behavior that facilitates SQLi vulnerabilities either through penalties established by government regulations (sticks) or tax abatement incentives (carrots) for compliance.
In December 2016, Recorded Future collaborated with law enforcement on the U.S. Election Assistance Commission (EAC) hack and subsequent database sale — committed by an actor Recorded Future named Rasputin.
The EAC database breach was the result of SQL Injection (SQLi), an attack that is technically easy, but expensive to defend. Recorded Future continues to monitor Rasputin’s campaigns, which are now sequentially targeting specific industry verticals. These are intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).
Rasputin’s latest victims include the following U.S. government and international universities. Recorded Future notified all of the below organizations with relevant breach details.
U.S. University Victims
- Cornell University
- University of Maryland, Baltimore County
- University of Pittsburgh
- New York University
- Rice University
- University of California, Los Angeles
- Eden Theological Seminary
- Arizona State University
- NC State University
- Purdue University
- Atlantic Cape Community College
- University of the Cumberlands
- Oregon College of Oriental Medicine
- University of Delhi
- Humboldt State University
- The University of North Carolina at Greensboro
- University of Mount Olive
- Michigan State University
- Rochester Institute of Technology
- University of Tennessee
- St. Cloud State University
- University of Arizona
- University at Buffalo
- University of Washington
UK University Victims
- University of Cambridge
- University of Oxford
- Architectural Association School of Architecture
- University of Chester
- University of Leeds
- Coleg Gwent
- University of Glasgow
- University of the Highlands and Islands
- University of the West of England
- The University of Edinburgh
U.S. Government Victims (Cities)
- City of Springfield, Massachusetts
- City of Pittsburgh, Pennsylvania
- Town of Newtown, Connecticut
- City of Alexandria, Virginia
- City of Camden, Arkansas
- City of Sturgis, Michigan
U.S. Government Victims (States)
- Texas Board of Veterinary Medical Examiners
- Oklahoma State Department of Education
- The South Carolina Public Employee Benefit Authority
- Rhode Island Department of Education
- District Columbia Office of Contracting and Procurement
- District Columbia Office of the Chief Financial Officer
- Alaska Department of Natural Resources
- County of Santa Rosa, Florida
- York County, Pennsylvania
- Virginia Department of Environmental Quality
- State of Oklahoma
- Alaska Division of Retirement and Benefits
- Louisiana Department of Education
- Madison County, Alabama
- Washington State Arts Commission
- West Virginia Department of Environmental Protection
- Postal Regulatory Commission
- U.S. Department of Housing and Urban Development
- Health Resources and Services Administration
- National Oceanic and Atmospheric Administration
- Fermi National Accelerator Laboratory
- Child Welfare Information Gateway
What’s the Deal With SQLi?
SQL injection has been around since databases first appeared on the internet. When a user is allowed to interact directly with a database, through an application in a web browser, without checking or sanitizing the input before the database executes the instruction(s), a SQL injection vulnerability exists.
Opportunistic threat actors don’t need any specific technical knowledge or skill to find vulnerable websites. Free tools — like Havij, Ashiyane SQL Scanner, SQL Exploiter Pro, SQLI Hunter, SQL Inject Me, SQLmap, SQLSentinel, SQLninja, etc. — automate the identification and exploitation of vulnerable websites and associated databases through “point and click” menus.
These SQLi scanners help security teams find SQL flaws, but they also help adversaries find the the same flaws.
Rasputin is an outlier in that he’s allegedly using a proprietary SQLi tool that he developed himself. Financial profits motivate actors like Rasputin, who have technical skills to create their own tools to outperform the competition in both identifying and exploiting vulnerable databases. North American and Western European databases contain information on customers or users that are historically valued at a premium in the underground economy. Buyer demand typically centers on access to American, Canadian, or UK database access.
A recent example of a SQLi scanner’s results appeared at pastebin.com/Qzjs8iKt (recently deleted, but always available in Recorded Future). Here’s a sample of the file (select details redacted to protect potentially uninformed victims):
Amazingly, SQLi vulnerabilities are simple to prevent through coding best practices. Over 15 years of high-profile data breaches have done little to prevent poorly programmed web applications and/or third-party software from being used by government, enterprises, and academia. Some of the most publicized data breaches were the result of SQLi including large corporations like Heartland Payment Systems, HBGary Federal, Yahoo!, Linkedin, etc.
The evidence suggests economics play a role in causation for this troubling trend. The problem and solution are well understood, but solutions may require expensive projects to improve or replace vulnerable systems. These projects are often postponed until time and/or budget is available, until it’s too late to prevent SQLi victimization.
Where Do We Go From Here?
Until organizations have an incentive (carrots or sticks) to properly audit internal and vendor code before production use, this problem will continue into the foreseeable future.
Raising awareness among developers is worthwhile and OWASP continues to perform a valuable community service through education, but eradicating SQLi vulnerabilities will likely require stiff penalties for inaction. An opt-in program for partial corporate tax abatement could be a starting point. Program participation should require quarterly code audits by an approved vendor. Robust governance, risk, and compliance (GRC) programs (e.g., financial services companies) already mandate periodic code reviews, but all verticals need some type of incentive regardless of specific industry regulations. Unfortunately, government fines and/or loss from lawsuits may be the only incentives to prioritize code audits.
Cyber criminals continue to find, exploit, and sell access to vulnerable databases, targeting web applications by industry vertical, as demonstrated by Rasputin’s latest victims. Even the most prestigious universities and U.S. government agencies are not immune to SQLi vulnerabilities.
This well established, but easy-to-remediate problem (though often costly), continues to vex public and private sector organizations. Economics must be addressed to fully eradicate this issue. Despite the government’s penchant for employing sticks to modify behavior, perhaps it’s time to offer financial carrots to address and fully eradicate this issue.