Studies have shown that millions of internet-connected machines are vulnerable to cyberattack based on a variety of configuration and other issues. One vulnerability that cybercriminals can use to relatively easily attack systems is called “SQL injection,” meaning that a database server that doesn’t carefully check the data submitted on web forms, for example, can be compromised.
One SQL injection, or SQLi, threat is known as “Rasputin,” referring to a Russian-speaking cybercriminal who has been linked to a number of attacks against various government and private agencies. A recent attack by Rasputin targeted over 60 government and educational institutions, and the solution to such attacks is to change the penalties and incentives related to resolving SQLi issues, according to a recent Recorded Future analysis.
Recorded Future is a threat intelligence company that uses machine learning to reduce online security risks. The company worked with law enforcement in December 2016 to assess the database attack on the United States Election Assistance Commission (EAC) and the eventual sale of information. It’s Recorded Future who gave the actor the name Rasputin, and according to its analysis, Rasputin used SQLi technology to hack into the EAC’s database.
SQLi attacks nothing new, having been around for more than 15 years. Malicious agents don’t need special skills or knowledge to conduct SQLi attacks, given that a number of tools are freely available that automate finding and attacking vulnerable database servers. The tools literally make conducting SQLi attacks a “point and click” affair.
Rasputin is a bit more sophisticated, as Recorded Future reports, having created his own proprietary SQLi tool. The reason for investing the time in creating such a tool and carrying out such attacks is purely financial — there’s a significant market for information that can generate real money for cybercriminals.
Recorded Future concludes that a number of steps need to be taking to respond to SQLi attacks and reduce their prevalence and impact. First is to raise awareness among developers, but that’s not enough. Rather, penalties and incentives need to be created to make it worthwhile to maintain database and web form security. Until the issues are addressed, however, agents like Rasputin will have their own incentives to hack into our data, often with serious repercussions.