Thought leadership. threat analysis, news and alerts.
Threat Actors Continue to Target Websites
The European Central Bank (ECB) shut down one of its websites following the discovery that malicious actors accessed the site without authority and infected it with malicious software (malware). This incident shows that threat actors continue to target websites.
ECB, in a statement, said that unauthorized parties had breached the Bank’s Integrated Reporting Dictionary (BIRD) website, a site purposely built to provide the banking industry with details on how to produce statistical and supervisory reports. The Bank said that contact data, including email addresses, names and position titles of 481 subscribers to the BIRD newsletter may have been stolen by the attackers.
ECB, in a statement, said that the attack on BIRD website was discovered as a result of a “regular maintenance work”. An ECB spokesman told Reutersthat the earliest evidence found of the website attack dated back to December 2018, which means that the attack had gone unnoticed for months before being discovered during maintenance work.
This isn’t the first time that ECB reported an attack on its IT infrastructure. In 2014, ECBdisclosed that an unknown attacker or attackers had breached another of the Bank’s website used for registrations for events of the Bank such as conferences and visits.
The 2014 website attack, the Bank said, led to the theft of email addresses and other contact data left by individuals registering for events at the ECB. This 2014 attack in one of the Bank’s website was only known after an anonymous email was sent to the Bank asking for financial compensation in exchange for the data stolen.
In the latest attack on one of its websites, ECB said the attackers “succeeded in injecting malware onto the external server to aid phishing activities”. In the 2014 attack, ECB said the malicious actor or actors attacked a “database serving its public website”. Beyond those phrases, not much is known in the “injection” and “database” attacks.
The Open Web Application Security Project (OWASP)lists injection attacks as the number one threat to web security. Injection attacks refer to a broad attack paths that allow attackers to gain access to the database records of vulnerable websites. In certain cases, this type of attack allows attackers to gain administrative rights to a database.
One example of an injection attack is the SQL injection, also known as SQLI, attack. SQL, which stands for Structured Query Language, is a programming language understood by databases. By inserting malicious commands from this programming language into input fields on websites such as input forms, attackers can gain access to the database records of vulnerable websites, resulting in the unauthorized access of any data available in the database.
In late 2007 and early 2008, thousands of websites were defaced as a result of SQL injection attacks. According to researchers at Microsoft, These particular SQL injection attacks didn’t exploit vulnerabilities in Windows, IIS, SQL Server, or other infrastructure code; rather, it exploited vulnerabilities in custom web applications running on this infrastructure. Thousands of websites were affected due to 2 factors: first, there was an automated tool to launch this attack, and second, this SQL attack tool spread through the use of a botnet.
SANSreported that thousands of websites were compromised in late 2007 and early 2008 as the attacker or attackers used an automated tool in search engines to find vulnerable web applications and exploiting them. “The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site,” SANS reported. SecureWorks, meanwhile, reported that the automated SQL attack tool, spread to thousands of websites as the attackers relied on a botnet – a group of computers or devices infected by the same malware and controlled by an attacker for malicious purposes such as in this case the spread of SQL attack tool.
Other than using SQL injection to attack indiscriminate websites using an automated tool and a botnet, SQL injection has also been used by attackers in targeted attacks. According to the U.S. Federal Bureau of Investigation (FBI), a malicious group obtained confidential information from Sony Pictures’ computer systems on May 27, 2011 to June 2, 2011 using an SQL injection attack against Sony Pictures’ website.
According to the UK's Information Commissioner's Office, SQL injection was also used in the TalkTalk cyber attack on the company’s website. As a result of the SQL injection attack on TalkTalk’s website, personal details of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses were stolen. The attacker also stole the bank account number and sort code of 15,656 TalkTalk’s customers.
As shown in above-mentioned examples, injection attacks on websites are highly detrimental to the affected organizations. Loss of customer trust is one potential cost of an SQL injection attack should personally identifiable information such as full names, addresses and credit card details be stolen.
One of the cyber security measures, in order to prevent injection attacks such as SQL injection attacks, is through the use of a web application firewall (WAF). A WAF is often used to filter out injection attacks such as SQL injection attacks. In filtering out SQL injection attacks, a WAF uses a list that contains signatures to address specific attack vectors. This WAF is regularly updated to provide new filtering rules for newly discovered security vulnerabilities.
At The Driz Group, we specialize in protecting your websites and web applications with instant attack mitigation and a guaranteed DDoS protection. We support all deployment types including Cloud and on-premise. Setup take several minutes and there is nothing to buy, support, or maintain.
Connect with ustoday for a free consultation and protect your websites, web applications, online reputation and mission critical data.
Steve E. Driz, I.S.P., ITCP