Hackers disclose SQL injection of Barracuda website

Chalk up Barracuda Networks as the latest information security firm to fall victim to a cyberattack.

Hackers, apparently from Malaysia, revealed Monday that they exploited an SQL injection vulnerability on Barracuda's website to raid various databases and hijack the names and contact information of partners, customers and Barracuda employees.

In the post on HMSec Full Disclosure, the hackers published the details of some of the victims. They included partners such as Boston Computers & Peripherals, end-users such as Allied Fire & Safety and Barracuda employees who have access to the email and web security firm's content management system.

Also posted were the passwords of some Barracuda employees and partners, which, according to security experts, appeared to be hashed with the oft-criticized MD5 algorithm. It is not clear if the passwords were "salted," which makes them more difficult to crack.

Barracuda joins RSA, Comodo and HBGary as the fourth high-profile security firm that hackers successfully infiltrated this year. The HBGary compromise also was the result of an SQL injection hole.

"It looks like they [Barracuda] were targeted," Jeremiah Grossman, founder and CTO of WhiteHat Security, a website risk management vendor, said Monday. "You don't by accident extract this kind of data and post it to a blog."

Grossman said SQL injection flaws, a known issue within the industry for nearly 15 years, are "for all intents and purposes, a solved problem."

But sometimes discovering the vulnerabilities can be complex given the scale of a web presence.
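What "solved problem" means in practice is parameterized queries, as this added example shows; it is not code from the article or from Barracuda, and the in-memory SQLite table and partner rows are constructed for the demonstration. The vulnerable lookup splices user input into the SQL text, so a crafted name changes the query's logic and returns every row; the parameterized lookup sends the same input as data, and the database treats it as a literal string that matches nothing.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data standing in for a partner contact table.
SAMPLE_PARTNERS = [
    ("Acme Partner", "ops@acme.example"),
    ("Beta Reseller", "sales@beta.example"),
    ("Gamma Integrator", "info@gamma.example"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE partners (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO partners (name, email) VALUES (?, ?)", SAMPLE_PARTNERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Builds SQL by string formatting: the input becomes part of the query grammar."""
    sql = f"SELECT name, email FROM partners WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Binds the input as a parameter: the driver sends it as data, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM partners WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"  # classic tautology that changes the WHERE clause
    print("vulnerable :", len(lookup_vulnerable(db, crafted)), "rows")
    print("parameterized:", len(lookup_parameterized(db, crafted)), "rows")
```

The fix costs nothing at runtime and needs no input filtering; the only hard part, as the article notes, is finding every concatenated query across a large web estate, which is a code review and scanning job rather than a cryptographic one.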

"Maybe they just slipped up," Grossman said. "It happens. It's happened to us. We'll see how they respond. That should be really telling."

He added that the hackers may have used their initial foothold to gain access to other, more sensitive parts of the Barracuda network, similar to the tactic the Heartland Payment Systems attackers used to reach credit card data.

A Barracuda spokeswoman declined comment on Monday afternoon as the company investigates.

UPDATE 10:14 P.M. EST: Barracuda has released a blog post detailing the attack.
