Rasputin, a Russian hacker who in December 2016 penetrated the network of the U.S. Electoral Assistance Commission and then put its database up for sale on the underground market, has been detected continuing his nefarious activities.
New research has just been released from Recorded Future that confirms the hacker hit 60 organizations, including a number of universities (NYU, Cornell, Oxford, Cambridge), city governments (Springfield, Mass.; Pittsburgh, Pa., Alexandria, Va.), state governments (Oklahoma), and federal agencies (U.S. Department of Housing and Urban Development). He has been selling access to all of these systems since December 2016, the report found.
The Russian hacker, dubbed Rasputin by Recorded Future, is already notorious for his incursion into the EAC. He used similar strategies in his latest hacks, namely locating and exploiting vulnerable web applications via a proprietary SQL injection (SQLi) tool.
This strategy, the report explained, has been used for 15 years as the flaw is technically easy and provides a high success rate for attackers. Once it uncovered Rasputin's incursion into the EAC, Recorded Future continued monitoring his campaigns which it saw were targeting a number of specific industry verticals. It determined that the miscreant was targeting those verticals based on "the organization's perceived investment in security controls and the respective compromised data value." As well, the databases of these entities are likely targets owing to the quantity of personally identifiable information (PII) they each contain, the study said.
The latest targets included dozens of prominent universities in the U.S. and U.K., as well as a number of state and federal agencies. All have been notified by Recorded Future that they were targeted.
"SQL injection has been around since databases first appeared on the internet," the report explained. "When a user is allowed to interact directly with a database, through an application in a web browser, without checking or sanitizing the input before the database executes the instruction(s), a SQL injection vulnerability exists."
A number of free tools are readily available to lure amateur hackers. A few clicks through "point and click" menus and the newbie attacker can have their search for vulnerable websites automated and their exploitation begun. While white hat hackers make use of many of these tools to locate SQL flaws in order to issue alerts, at the same time the tools can be put to use by those out to exploit the flaws.
Rasputin, the report stated, developed his own propriertary SQLi tool, a clear sign of his technical sophistication. Unfortunately, cloaked in semi-anonymity, he can use his skills to hit databases whose worth on the black market is highly valued. The irony is, the report stated, these SQLi flaws are easily remedied with coding best practices.
The solution, the report said, "may require expensive projects to improve or replace vulnerable systems." Unfortunately, it added, many of these initiatives are put off owing to budget restrictions, allowing the vulnerabilities to remain exposed.
The challenge is to impress upon organizations the need for proper audits of internal and vendor code before it goes into production, perhaps with financial incentives, the Recorded Future report stated.
"Raising awareness among developers is worthwhile and OWASP continues to perform a valuable community service through education, but eradicating SQLi vulnerabilities will likely require stiff penalties for inaction," the report concluded.