A prolific Russian-speaking hacker has been systematically locating and exploiting SQL injection (SQLi) vulnerabilities in the websites of prominent universities and US government agencies in order to sell unauthorized access to the highest bidder, researchers have warned.
Following an attack on the US Election Assistance Commission in the same month, ‘Rasputin’ went on to target more than 60 universities and federal, state and local US government agencies.
The targets appear to have been chosen because they are thought to have fewer effective defensive measures in place and to hold high-value data, including personally identifiable information (PII).
Victims include the universities of Oxford and Cambridge as well as the US Postal Regulatory Commission and the National Oceanic and Atmospheric Administration.
Rasputin is said to be using a homegrown SQLi scanner to find vulnerable sites, exploiting the flaws and then selling the resulting access.
“SQL injection has been around since databases first appeared on the internet. When a user is allowed to interact directly with a database, through an application in a web browser, without checking or sanitizing the input before the database executes the instruction(s), a SQL injection vulnerability exists,” explained Recorded Future’s Levi Gundert, whose team tracked the campaign.
“Financial profits motivate actors like Rasputin, who have the technical skills to create their own tools to outperform the competition in both identifying and exploiting vulnerable databases. North American and Western European databases contain information on customers or users that is historically valued at a premium in the underground economy. Buyer demand typically centers on American, Canadian, or UK database access.”
SQLi flaws are well understood and straightforward to prevent: parameterized queries (prepared statements), input validation, and code review and testing before code reaches production remove the class of bug entirely. Yet many organizations are still failing to get these basics right, as Rasputin’s success shows.
Gundert suggested that stiff government penalties for failing to fix known flaws could focus minds on the problem.
He urged any of the named organizations to get in touch if they want further details of the SQLi flaws affecting them.
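To make the remediation concrete, the following is an added example (not code from the article or from Recorded Future) showing the vulnerable login pattern Gundert describes beside its parameterized fix, plus the two probes an automated SQLi scanner typically sends. It runs against a constructed in-memory SQLite database; the `users` table, the account names and the `login_*` function names are assumptions made for the illustration.

```python
import sqlite3

# Added example, not code from the article. The in-memory database and its
# 'users' table are constructed here to stand in for the database behind a
# university or agency web application. Passwords are stored in the clear only
# to keep the demonstration short; real applications must hash them.


def build_db():
    """Create a small constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, email, role) VALUES (?, ?, ?, ?)",
        [
            ("alice", "correct-horse", "alice@example.edu", "admin"),
            ("bob", "hunter2", "bob@example.edu", "staff"),
        ],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so user input becomes SQL syntax."""
    query = (
        "SELECT username, email, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Uses placeholders: the values are bound separately and never parsed as SQL."""
    query = (
        "SELECT username, email, role FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(query, (username, password)).fetchall()


# Payloads of the kind an automated SQLi scanner sends once a form is found.
TAUTOLOGY = "' OR 1=1--"  # closes the string, makes the WHERE always true,
                          # and comments out the password check
UNION_DUMP = "' UNION SELECT username, password, email FROM users--"  # pulls
                          # every credential row back through the login result


def probe_error_based(login_fn, conn):
    """Error-based probe: a lone quote breaks a concatenated query but not a
    parameterized one. Returns True when the endpoint looks injectable."""
    try:
        login_fn(conn, "'", "x")
    except sqlite3.DatabaseError:
        return True
    return False


def probe_tautology(login_fn, conn):
    """Boolean probe: an always-true condition returns rows without credentials."""
    return len(login_fn(conn, TAUTOLOGY, "x")) > 0


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("vulnerable", login_vulnerable), ("parameterized", login_parameterized)):
        print(name, "error probe:", probe_error_based(fn, db),
              "tautology probe:", probe_tautology(fn, db))
    print("dumped via UNION:", login_vulnerable(db, UNION_DUMP, "x"))
```

The two functions issue the same logical query; only the way the username and password reach the database differs, which is exactly the distinction between "checking or sanitizing the input" and letting it execute as instructions. The parameterized version treats `' OR 1=1--` as a literal username that matches nothing.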