Web security giant Barracuda Networks acknowledged Monday that a hacker used a SQL injection attack to gain access to its corporate website.
The hacker made off with Barracuda's encrypted passwords and the email addresses of channel partners, sales leads and some Barracuda employees, according to Michael Perone, Barracuda's executive vice president and chief marketing officer. Most of the data consisted of names and email addresses, Perone wrote in the Barracuda Labs blog.
“Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords. However, all active passwords for applications in use remain secure.”
Perone acknowledged that the attacker bypassed the Barracuda Web application firewall that was in place to protect the website. The firewall was placed into monitoring mode for maintenance on April 8. A day later, an automated script began crawling the website looking for vulnerabilities.
“After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market,” Perone said.
The customer case study database shared the SQL database used for marketing programs, which contained the names and email addresses. “The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later,” Perone wrote.
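The flaw described above, a lookup script that builds its query from a request parameter, is the textbook SQL injection pattern. The following is an added illustration, not Barracuda's PHP script or schema: a constructed in-memory SQLite table of case studies keyed by vertical market, the vulnerable string-concatenated lookup beside a parameterised one, plus an allow-list check on the parameter as defence in depth. The table name, column names and sample rows are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for a "case studies by vertical market"
# table. Names and layout are assumptions for this example only.
ALLOWED_VERTICALS = {"education", "healthcare", "finance"}


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE case_studies (id INTEGER PRIMARY KEY, vertical TEXT, customer TEXT)"
    )
    conn.executemany(
        "INSERT INTO case_studies (vertical, customer) VALUES (?, ?)",
        [
            ("education", "Example University"),
            ("healthcare", "Example Hospital"),
            ("finance", "Example Bank"),
        ],
    )
    return conn


def lookup_vulnerable(conn, vertical):
    # The request parameter is pasted into the SQL text, so quote characters
    # in it change the structure of the statement rather than just its value.
    sql = "SELECT customer FROM case_studies WHERE vertical = '" + vertical + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, vertical):
    # Allow-list first: the parameter is a selector from a known, small set.
    if vertical not in ALLOWED_VERTICALS:
        return []
    # Bound parameter: the driver sends the value separately from the SQL,
    # so it is never parsed as part of the statement.
    sql = "SELECT customer FROM case_studies WHERE vertical = ?"
    return [row[0] for row in conn.execute(sql, (vertical,))]


if __name__ == "__main__":
    db = build_db()
    # A value that is not a real vertical and carries a quote character.
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))  # every row leaks
    print("safe:      ", lookup_safe(db, crafted))        # []
```

The difference is visible on the crafted input: the concatenated query's WHERE clause becomes `vertical = 'x' OR '1'='1'` and returns the whole table, while the bound parameter matches nothing (and the allow-list rejects it before the query runs at all).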
Most of the exposed data were email addresses associated with sales leads for Barracuda channel partners. Some of the contents included email addresses and hashed passwords of Barracuda employees authorized to manage the website. Perone said the passwords were also “salted,” preventing an attacker from using a tool to crack the hashing algorithm.
The website breach was reported Monday by The Register. The hacker, who called himself Fdf, claimed responsibility for the Barracuda attack, posting the stolen information on his website Monday.
Hackers have taken a keen interest in targeting security firms in 2011. A similar website breach at security giant McAfee was blamed on cross-site scripting errors. More serious breaches occurred at other security vendors. Last month, RSA, the security division of EMC Corp., announced a breach of its systems resulting in the compromise of its SecurID two-factor authentication products. In February hackers infiltrated HBGary Federal, bilking the firm of thousands of email messages.
Security experts from across the spectrum say that the breaches are an indication that no one is immune to an attack and that no single security technology is a silver bullet.
Writing in the SANS Institute’s Internet Storm Center Diary, Zdrnja highlights some common security mistakes made by HBGary Federal that his team frequently comes across during penetration tests. These are mistakes that security experts cite again and again, that appear repeatedly in reports from nearly every security media outlet, and that security education firms highlight.
SQL injection vulnerabilities:
“HBGary unfortunately had a vulnerable Web application which allowed attackers to retrieve information directly from the back-end database – this information included MD5 hashes of passwords of users that had access to the administration web interface.”
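The contrast between the two breaches comes down to how the password hashes were stored: Barracuda's were salted one-way hashes, HBGary's were plain MD5. The following added example (not code from either company) shows why that matters from the defender's side. It stores a password as PBKDF2-HMAC-SHA256 over a per-user random salt, verifies a candidate in constant time, and compares the stored records with unsalted MD5: with MD5, two users who share a password are visible as such from the leaked table alone, and one precomputed table answers every user; with a per-user salt, identical passwords produce unrelated records. The algorithm choice and iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os


def md5_unsalted(password: str) -> str:
    # Legacy scheme: the same password gives the same digest for every user.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> dict:
    # Per-user random salt stored beside the hash; PBKDF2-HMAC-SHA256 and the
    # iteration count are assumed choices for this example.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    # Recompute with the stored salt and parameters, compare in constant time.
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def hashes_reveal_reuse(stored_hashes) -> bool:
    # True if the stored values alone show that two accounts share a password.
    # Unsalted digests collide for equal passwords; salted ones do not.
    return len(set(stored_hashes)) < len(list(stored_hashes))


if __name__ == "__main__":
    shared = "correct horse battery staple"  # constructed sample password
    alice, bob = make_record(shared), make_record(shared)
    print("salted records differ:", alice["hash"] != bob["hash"])
    print("verify ok:", verify(alice, shared), "verify wrong:", verify(alice, "nope"))
    print("md5 reveals reuse:", hashes_reveal_reuse([md5_unsalted(shared), md5_unsalted(shared)]))
    print("salted reveals reuse:", hashes_reveal_reuse([alice["hash"], bob["hash"]]))
```

The salt does not need to be secret; it only needs to be unique per record so that a table precomputed for one hash cannot be reused against the rest of the database.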
SearchSecurity has a SQL injection protection Learning Guide on how to protect your website from SQL injection errors.
Manual inspection has given way to some pretty popular automated tools that can detect these common errors (Web application scanners). In addition, automated toolkits have made it easy for cybercriminals to find and exploit SQL injection errors. There are security technologies that can defend against these automated attacks – a properly deployed and tuned Web application firewall (WAF) would do the trick. I say properly deployed, because I hear about many companies installing a WAF for PCI compliance, but failing to really use it for its intended purpose.
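A WAF switched to monitoring mode, as Barracuda's was, still records what it would have blocked; the gap is that nobody acts on the records. The following added example (not any vendor's product or Barracuda's logs) is the kind of check a defender can run over ordinary web server access logs to surface what the article describes: one source probing a single script with SQL metacharacters for hours on end. It parses constructed Combined Log Format lines, decodes each query string, matches a deliberately coarse set of injection indicators, and reports sources that trip the indicators more than a threshold number of times, with the time span of their activity. The IP addresses, paths and timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Fields of the Combined Log Format that the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Coarse indicators in a decoded query string: a quote character, a SQL
# comment marker, or a numeric tautology. Kept simple on purpose; the point
# is the per-source count over time, not a perfect signature.
SQLI_RE = re.compile(r"""['"]|--|\bOR\s+\d+\s*=\s*\d+""", re.IGNORECASE)

# Constructed sample log: one benign visitor (192.0.2.10, including a search
# for "O'Brien") and one source probing the case-study script (198.51.100.7).
SAMPLE_LOG = """\
198.51.100.7 - - [09/Apr/2011:02:14:03 +0000] "GET /case_studies.php?vertical=education HTTP/1.1" 200 5120
192.0.2.10 - - [09/Apr/2011:02:14:10 +0000] "GET /index.php HTTP/1.1" 200 8231
198.51.100.7 - - [09/Apr/2011:02:14:11 +0000] "GET /case_studies.php?vertical=education%27 HTTP/1.1" 500 312
198.51.100.7 - - [09/Apr/2011:02:14:12 +0000] "GET /case_studies.php?vertical=education%27%20OR%201%3D1-- HTTP/1.1" 200 9120
192.0.2.10 - - [09/Apr/2011:02:15:01 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 2210
198.51.100.7 - - [09/Apr/2011:02:15:30 +0000] "GET /case_studies.php?vertical=healthcare%27%20OR%201%3D1 HTTP/1.1" 200 9120
198.51.100.7 - - [09/Apr/2011:03:40:00 +0000] "GET /case_studies.php?vertical=finance%22 HTTP/1.1" 500 312
198.51.100.7 - - [09/Apr/2011:04:10:45 +0000] "GET /case_studies.php?vertical=finance%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 5120
"""


def parse_line(line):
    """Return (ip, timestamp, decoded query string) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    query = unquote(m.group("target")).partition("?")[2]
    return m.group("ip"), ts, query


def suspicious_sources(log_text, threshold=3):
    """Sources whose decoded query strings matched SQLI_RE at least `threshold` times."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, query = parsed
        if query and SQLI_RE.search(query):
            hits[ip].append(ts)
    report = {}
    for ip, stamps in hits.items():
        if len(stamps) < threshold:
            continue  # a lone apostrophe in a search term is not a probe
        stamps.sort()
        span_min = (stamps[-1] - stamps[0]).total_seconds() / 60
        report[ip] = {
            "count": len(stamps),
            "first": stamps[0].isoformat(),
            "last": stamps[-1].isoformat(),
            "span_minutes": round(span_min, 1),
        }
    return report


if __name__ == "__main__":
    for ip, info in suspicious_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The threshold is what keeps a single legitimate apostrophe from raising an alert; what distinguishes the probe in the sample is five indicator hits against the same script spread over almost two hours, which is exactly the pattern a WAF in blocking mode would have stopped at the first attempt.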
Poor authentication processes:
HBGary Federal used the same passwords to access different systems. This made it easier for members of the “Anonymous” group to access connected systems and ultimately steal email messages and other files. In addition, the passwords were used for other – outside – social networks, such as Twitter and LinkedIn.
There are a plethora of two-factor authentication options, one time password tokens and other methods that can be used by firms to keep systems locked down and make it more difficult for fraudsters to access systems.
While it’s understandable that some firms don’t need the added secure password measures and wouldn’t want to disrupt business processes with them, it’s painfully troubling that firms that work with government agencies or deal with other sensitive data clearly aren’t deploying these authentication measures. Safeguarding intellectual property – the lifeblood of every company – begins with the most basic security steps. Requiring some kind of hardened password protection to gain access to critical systems should be part of the foundation of any security program.
“The attackers used social engineering to attack a system administrator of another system (rootkit dot com) – an obvious weak spot since he/she holds “all the keys to the kingdom” … The attackers sent a carefully crafted e-mail, asking the administrator to open SSH on a weird port and set the root password to something he knows…”
That kind of change management, according to Zdrnja, is a big NO NO, but is probably all too common at enterprises.
When the administrator opened SSH and changed the password, it was game over.
More than 132,000 websites, many of them small and void of any Web administrators, are being plucked off one by one by an automated SQL injection attack that is detecting website errors and then injecting malicious scripts to turn the sites into an attack platform.
The attacks, first detected in November by researchers at Web security vendor ScanSafe, are injecting malicious iFrames that install a backdoor Trojan. The Trojan uses a malicious domain, 318x, to install malware including the Buzuz backdoor Trojan, said Mary Landesman, senior researcher at ScanSafe. The Trojans, typically IRC-based, have been used much more in website attacks, security experts say. The use of IRC channels, the traditional method of channeling attacks, is shrinking as attackers turn to automated tools that offer more efficient ways to carry out attacks.
Over a dozen other script files are called through a convoluted chain of iframes and src references largely dependent on the browser type, version of Flash, and related criteria. The attack appears to be a work-in-progress; as we’ve been monitoring the malware scripts used in the final stage attacks, some scripts are being changed, some removed, and new ones are being introduced.
Once the websites are compromised and the drive-by attacks are in place, visitors will typically have their machines scanned for any Web-based software that isn’t fully patched, such as the Adobe Flash Player or Microsoft Internet Explorer browser components, Landesman said. As with many of these attacks, Landesman said they are used to steal credit card data or lift victim bank login credentials.
A later search found that nearly 300,000 websites may have been hit by the attack. It’s important to note that the attacks target any flawed website. Administrators overseeing larger websites should pay close attention to anomalies and scan for any errors that may be used for site compromises.
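One concrete form of the scanning the article recommends is checking your own pages for the artefacts this campaign leaves behind: iframes and scripts that pull content from hosts you do not control, especially when the iframe is sized or styled to be invisible. The following is an added example, not ScanSafe's tooling or any real detection signature. It walks a constructed HTML page with the standard library parser, flags `iframe` and `script` elements whose `src` points off an allow-list of the site's own hosts, and separately flags iframes hidden via zero dimensions or CSS. The host names and the injected URL are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalRefScanner(HTMLParser):
    """Collect iframe/script elements that load from non-allow-listed hosts or are hidden."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline scripts are out of scope for this check
        # urlparse resolves protocol-relative "//host/path" to a host as well;
        # relative paths have no host and are treated as same-origin.
        host = urlparse(src).hostname
        reasons = []
        if host and host.lower() not in self.own_hosts:
            reasons.append("external host " + host)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden iframe")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})


def scan_html(html, own_hosts):
    parser = ExternalRefScanner(own_hosts)
    parser.feed(html)
    return parser.findings


# Constructed sample page: a same-origin script, a script from the site's own
# host, a third-party script, and an injected invisible iframe.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://www.example.com/js/analytics.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body><h1>Customer case studies</h1>
<iframe src="http://injected.example/in.cgi?3" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, own_hosts={"www.example.com"}):
        print(finding)
```

Run over a crawl of your own site on a schedule and diff the findings against the previous run: a legitimately used CDN will show up every time and can be added to the allow-list, while a new external or hidden iframe appearing between runs is the anomaly worth investigating.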