Rasputin whips out large intimidating tool, penetrates uni, city, govt databases – new claim
Ra, Ra Rasputin. SQL injection is his thing
A Russian-speaking miscreant dubbed "Rasputin," who potentially hacked into the US Election Assistance Commission and sold access to its systems, has struck again, it is claimed.
Rasputin has allegedly infiltrated database servers within 60 organizations, US government agencies, and international universities. These victims include top universities NYU and Cornell in the US, and Oxford and Cambridge in the UK; the US city governments of Springfield, MA, Pittsburgh, PA, and Alexandria, VA; US state government of Oklahoma; the Fermi National Accelerator Laboratory; and the US Department of Housing and Urban Development.
The cyber-fiend has also been selling access to these vulnerable systems since December, claims Recorded Future, a computer security threat intelligence biz. The company, based in Massachusetts, says it has alerted the aforementioned victims after monitoring Rasputin's little crime spree.
Apparently, Rasputin – named after the legendarily well-endowed mad monk – used a "proprietary SQL injection (SQLi) tool" to penetrate the databases. These data stores likely contain significant numbers of users and their personal information, which can be sold on to criminals for profit.
SQL injection has been around since databases first appeared on the internet. When a web app allows anyone to pass data straight into database queries without that input being rendered safe through sanitization and filtering, that's a SQLi vulnerability right there. This kind of bug can be exploited to command the database to do things – such as cough up all of its contents – that the web application should prevent from happening.
El Reg has sometimes likened this process to playing a Jedi mind trick on computers, instructing them to do something they're not supposed to do.
SQLi flaws are too easy to exploit: you usually just need to twiddle the parameters in a URL to find a chink in the app's armor, and then exploit this to get into backend databases. Free tools – such as Havij, Ashiyane SQL Scanner, SQL Exploiter Pro, SQLI Hunter, SQL Inject Me, SQLmap, SQLSentinel, SQLninja, and so on – automate the identification and exploitation of vulnerable websites, turning hacking into a "point and click" process that's not reliant on any coding skills.
Rasputin is apparently using a custom tool he or she may have developed himself, marking the miscreant out as potentially more skilled than your average script kiddie. The villain could have bought the software off a real hacker, of course.
"Cyber criminals continue to find, exploit, and sell access to vulnerable databases, targeting web applications by industry vertical, as demonstrated by Rasputin's latest victims," concludes Recorded Future in a statement. "Even the most prestigious universities and US government agencies are not immune to SQLi vulnerabilities.
"This well-established but easy-to-remediate problem (though often costly), continues to vex public and private sector organizations. Economics must be addressed to fully eradicate this issue. Despite the government's penchant for employing sticks to modify behavior, perhaps it's time to offer financial carrots to address and fully eradicate this issue."
The Register is also in the process of contacting the dozens of attacked organizations named by Recorded Future. Finally, please, do us all a favor, and audit your code for exploitable SQLi bugs. ®