Russian-Speaking Hacker Sells SQLi for Unauthorized Access to Over 60 Universities and Government Agencies

Update: February 16, 2017 at 8:33 PM

Recorded Future is committed to responsible disclosure and transparency between security researchers and affected organizations. In December 2016, Recorded Future researchers first discovered the criminal activity targeting government organizations. On December 22, 2016, Recorded Future began notifying state agencies that could have been impacted. On December 28, 2016, Recorded Future engaged with the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), and on January 5, 2017 with the Multi-State Information Sharing and Analysis Center (MS-ISAC) to facilitate the notification of all affected government targets. When subsequent university targets were discovered, due to the volume of organizations affected, Recorded Future notified the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) on February 7, 2017 to coordinate notifications. As a private vendor, Recorded Future relies on law enforcement and information sharing organizations to disseminate threat intelligence and to engage with targeted organizations. Recorded Future was recently informed that, unfortunately, not all organizations may have received their respective notifications prior to the publication of this blog post. If you are one of the named organizations and are requesting additional information around your specific SQL injection (SQLi) details, please email media [at] recordedfuture [dot] com. Details for each case are provided to individual targets upon request; however, these details are not included in Recorded Future’s public report to safeguard the security of each organization. It is important to note that this research was focused on the sale of unauthorized access and not actual exfiltration or publication of any private data.
To eliminate confusion around the impact, the title of this blog post has been changed from “Russian-Speaking Hacker Breaches Over 60 Universities and Government Agencies” to “Russian-Speaking Hacker Sells SQLi for Unauthorized Access to Over 60 Universities and Government Agencies.”

Key Takeaways

Rasputin’s latest victims include over 60 (combined total) prominent universities and federal, state, and local U.S. government agencies.

Rasputin, a Russian-speaking and notorious financially-motivated cyber criminal, continues to locate and exploit vulnerable web applications via a proprietary SQL injection (SQLi) tool.

In November 2016, Rasputin penetrated the U.S. Election Assistance Commission (EAC) via SQLi.

15-plus years of SQLi attacks, and still going strong: this prolific vulnerability class remains one of the most popular exploits for opportunistic actors due to its ongoing success rate.

Economic incentives are required to change the behavior that facilitates SQLi vulnerabilities either through penalties established by government regulations (sticks) or tax abatement incentives (carrots) for compliance.

In December 2016, Recorded Future collaborated with law enforcement on the U.S. Election Assistance Commission (EAC) hack and subsequent database sale — committed by an actor Recorded Future named Rasputin.

The EAC database breach was the result of SQL Injection (SQLi), an attack that is technically easy, but expensive to defend. Recorded Future continues to monitor Rasputin’s campaigns, which are now sequentially targeting specific industry verticals. These are intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).

Rasputin’s latest victims include the following U.S. government and international universities. Recorded Future notified all of the below organizations with relevant breach details.

U.S. University Victims

Cornell University

VirginiaTech

University of Maryland, Baltimore County

University of Pittsburgh

New York University

Rice University

University of California, Los Angeles

Eden Theological Seminary

Arizona State University

NC State University

Purdue University

Atlantic Cape Community College

University of the Cumberlands

Oregon College of Oriental Medicine

University of Delhi

Humboldt State University

The University of North Carolina at Greensboro

University of Mount Olive

Michigan State University

Rochester Institute of Technology

University of Tennessee

St. Cloud State University

University of Arizona

University at Buffalo

University of Washington

UK University Victims

University of Cambridge

University of Oxford

Architectural Association School of Architecture

University of Chester

University of Leeds

Coleg Gwent

University of Glasgow

University of the Highlands and Islands

University of the West of England

The University of Edinburgh

U.S. Government Victims (Cities)

City of Springfield, Massachusetts

City of Pittsburgh, Pennsylvania

Town of Newtown, Connecticut

City of Alexandria, Virginia

City of Camden, Arkansas

City of Sturgis, Michigan

U.S. Government Victims (States)

Texas Board of Veterinary Medical Examiners

Oklahoma State Department of Education

The South Carolina Public Employee Benefit Authority

Rhode Island Department of Education

District Columbia Office of Contracting and Procurement

District Columbia Office of the Chief Financial Officer

Alaska Department of Natural Resources

County of Santa Rosa, Florida

York County, Pennsylvania

Virginia Department of Environmental Quality

State of Oklahoma

Alaska Division of Retirement and Benefits

Louisiana Department of Education

Madison County, Alabama

Washington State Arts Commission

West Virginia Department of Environmental Protection

Federal Agencies

Postal Regulatory Commission

U.S. Department of Housing and Urban Development

Health Resources and Services Administration

National Oceanic and Atmospheric Administration

Other

Fermi National Accelerator Laboratory

Child Welfare Information Gateway

What’s the Deal With SQLi?

SQL injection has been around since databases first appeared on the internet. When a user is allowed to interact directly with a database, through an application in a web browser, without checking or sanitizing the input before the database executes the instruction(s), a SQL injection vulnerability exists.

Opportunistic threat actors don’t need any specific technical knowledge or skill to find vulnerable websites. Free tools — like Havij, Ashiyane SQL Scanner, SQL Exploiter Pro, SQLI Hunter, SQL Inject Me, SQLmap, SQLSentinel, SQLninja, etc. — automate the identification and exploitation of vulnerable websites and associated databases through “point and click” menus.

These SQLi scanners help security teams find SQL flaws, but they also help adversaries find the same flaws.

Rasputin is an outlier in that he’s allegedly using a proprietary SQLi tool that he developed himself. Financial profits motivate actors like Rasputin, who have the technical skills to create their own tools to outperform the competition in both identifying and exploiting vulnerable databases. North American and Western European databases contain information on customers or users that has historically been valued at a premium in the underground economy. Buyer demand typically centers on access to American, Canadian, or UK databases.

A recent example of a SQLi scanner’s results appeared at pastebin.com/Qzjs8iKt (recently deleted, but always available in Recorded Future). Here’s a sample of the file (select details redacted to protect potentially uninformed victims):

Amazingly, SQLi vulnerabilities are simple to prevent through coding best practices. Over 15 years of high-profile data breaches have done little to prevent poorly programmed web applications and/or third-party software from being used by government, enterprises, and academia. Some of the most publicized data breaches were the result of SQLi, including those at large corporations like Heartland Payment Systems, HBGary Federal, Yahoo!, LinkedIn, etc.
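The mechanism described in “What’s the Deal With SQLi?” and the coding best practice referred to above, side by side. This is an added example and not code from Recorded Future or from any of the named organizations; the users table, its rows, and the sample inputs are constructed here for illustration, using SQLite in place of a real application database.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample standing in for an application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.edu"), ("bob", "bob@example.edu"), ("carol", "carol@example.edu")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Unchecked input is spliced into the statement text, so the database
    # cannot distinguish user data from SQL code: this is the SQLi condition.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The statement shape is fixed at authoring time; the driver binds the
    # value as data only, whatever characters it contains.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def vulnerable_raises_on_quote(conn, username):
    # A legitimate value containing an apostrophe breaks the concatenated
    # query; such errors are also how scanners notice unchecked input.
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed tautology input of the kind automated scanners submit
    # to test whether input reaches the query unchecked.
    tautology = "nobody' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),        # one row
        "vuln_tautology": lookup_vulnerable(conn, tautology),  # every row leaks
        "safe_normal": lookup_parameterized(conn, normal),     # one row
        "safe_tautology": lookup_parameterized(conn, tautology),  # no match
    }
```

The same contrast holds for any driver that supports bound parameters; the fix is the query shape, not filtering of quote characters.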

The evidence suggests that economics play a role in causing this troubling trend. The problem and its solution are well understood, but fixes may require expensive projects to improve or replace vulnerable systems. These projects are often postponed until time and/or budget is available, which is frequently too late to prevent SQLi victimization.

Where Do We Go From Here?

Until organizations have an incentive (carrots or sticks) to properly audit internal and vendor code before production use, this problem will continue into the foreseeable future.

Raising awareness among developers is worthwhile and OWASP continues to perform a valuable community service through education, but eradicating SQLi vulnerabilities will likely require stiff penalties for inaction. An opt-in program for partial corporate tax abatement could be a starting point. Program participation should require quarterly code audits by an approved vendor. Robust governance, risk, and compliance (GRC) programs (e.g., financial services companies) already mandate periodic code reviews, but all verticals need some type of incentive regardless of specific industry regulations. Unfortunately, government fines and/or loss from lawsuits may be the only incentives to prioritize code audits.

Conclusion

Cyber criminals continue to find, exploit, and sell access to vulnerable databases, targeting web applications by industry vertical, as demonstrated by Rasputin’s latest victims. Even the most prestigious universities and U.S. government agencies are not immune to SQLi vulnerabilities.

This well-established problem, easy to remediate in principle though often costly in practice, continues to vex public and private sector organizations. Economics must be addressed to fully eradicate this issue. Despite the government’s penchant for employing sticks to modify behavior, perhaps it’s time to offer financial carrots to address and fully eradicate this issue.