Inside Cyber Warfare - Jeffrey Carr [84]
StopGeorgia.ru Malware Discussions
A significant portion of the discussion on the StopGeorgia.ru forum was dedicated to traditional distributed denial of service (DDoS) tactics and tools, but the more interesting tactics discussed there focused on abusing application-level vulnerabilities in order to take advantage of CPU-intensive stored SQL procedures.
By abusing CPU-intensive application-level vulnerabilities (such as SQL injection), Georgian information systems can be rendered inoperative using a small number of attacking machines. Whereas a traditional DDoS attack against a robust website can require thousands of bots simultaneously attacking the victim server, exploitation of SQL injection vulnerabilities requires only a handful of attacking machines to achieve the same effect.
The discovery and exploitation of these application-level vulnerabilities shows moderate technical sophistication, but more importantly, it shows planning, organization, targeted reconnaissance, and evolution of attacks.
The introduction of SQL injection attacks in conjunction with DoS attacks is alarming for many reasons:
SQL injection attacks could indicate that all data stored in the backend databases could have been pilfered or altered. This information could be used as a foundation for further attacks and intelligence gathering against related web applications.
Attackers who have pilfered the backend databases via SQL injection could have access to legitimate username and password combinations, allowing them to masquerade as legitimate users, providing a sustained source for intelligence gathering. This is especially alarming for .gov.ge systems, where password reuse or other vulnerabilities could lead to the compromise of other sensitive systems or loss of sensitive information.
In some cases, SQL injection attacks can be used to compromise not only information stored in backend databases but the machine hosting the database. This represents a compromise of an organization’s internal infrastructure.
Once the underlying system is compromised, it can be used as a stepping stone for further attacks against an organization’s internal network. Considering the poor state of internal network security for most organizations, a moderately sophisticated attacker could use a compromised database server to gain access to a considerable amount of internal information. Once again, this is especially alarming for .gov.ge systems or applications that could have access to other sensitive systems.
Finally, a targeted SQL injection attack designed to pilfer data or compromise the underlying system would be extremely difficult to detect while a rigorous, traditional DDoS attack was under way, especially if the traffic also included SQL injection attacks designed to cause a DoS condition.
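The signature the passage describes is a handful of source addresses whose requests carry time- or CPU-burning database functions and take seconds rather than milliseconds to answer. The following added example (not from the book, and not tooling from the forum it describes) scans web server access log lines for that pattern and counts suspect requests per source address. The log lines are constructed for the example, in Apache combined format with the response time in microseconds appended; the field layout, the two-second threshold and the function list are assumptions that would be tuned to a real site.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (not real traffic): Apache "combined" format with
# the response time in microseconds (%D) appended as the final field.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2008:14:02:11 +0400] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 18342
203.0.113.7 - - [10/Aug/2008:14:02:12 +0400] "GET /news.php?id=12%20AND%20BENCHMARK(5000000%2CMD5(1)) HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 4917233
203.0.113.7 - - [10/Aug/2008:14:02:18 +0400] "GET /news.php?id=12%20AND%20BENCHMARK(5000000%2CMD5(1)) HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5102877
198.51.100.4 - - [10/Aug/2008:14:02:19 +0400] "GET /news.php?id=13 HTTP/1.1" 200 4870 "-" "Mozilla/5.0" 20110
198.51.100.4 - - [10/Aug/2008:14:02:25 +0400] "GET /search.php?q=sleep%2810%29 HTTP/1.1" 200 2210 "-" "Mozilla/5.0" 10003412
"""

# Assumed log layout: combined format followed by one integer (microseconds).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "[^"]*" (?P<micros>\d+)$'
)

# Database functions whose only purpose inside a web parameter is to burn
# CPU or wall-clock time on the database server (MySQL, PostgreSQL, MSSQL).
HEAVY_SQL_RE = re.compile(
    r'\b(benchmark|sleep|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.IGNORECASE
)

SLOW_THRESHOLD_US = 2_000_000  # 2 s; assumed, tune to the site's normal latency


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["micros"] = int(rec["micros"])
    # parse_qsl percent-decodes the values, so "%20", "%28" and "+" cannot
    # hide a keyword from the pattern match below.
    query = urlsplit(rec["uri"]).query
    rec["params"] = parse_qsl(query, keep_blank_values=True)
    return rec


def is_heavy_sql_request(rec):
    """True if any decoded parameter value contains a time-burning SQL function."""
    return any(HEAVY_SQL_RE.search(value) for _, value in rec["params"])


def analyze(log_text):
    """Count, per source IP, the requests that both carry a time-burning SQL
    function and exceeded SLOW_THRESHOLD_US. A short list of addresses with
    high counts is the SQL-injection-as-DoS shape, as opposed to a botnet's
    thousands of addresses with a few fast requests each."""
    suspects = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_heavy_sql_request(rec) and rec["micros"] > SLOW_THRESHOLD_US:
            suspects[rec["ip"]] += 1
    return dict(suspects)


if __name__ == "__main__":
    for ip, count in sorted(analyze(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {count} slow requests carrying time-burning SQL")
```

Matching on the request alone produces false positives on sites where those words legitimately appear in a parameter, which is why the count also requires the slow response; on the database side, a per-statement execution timeout limits how much CPU any single injected query can consume regardless of whether the request is spotted in the logs.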
SQL injection, blind SQL injection, and using BENCHMARK
SQL injection is an attack technique that takes advantage of insecure application coding practices. If an application does not correctly validate user-supplied input parameters, an attacker can embed SQL commands within the parameters passed from the web application to the backend database.
The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server, using the web application as the delivery mechanism. SQL injection is a critical application issue and typically results in the loss of all the data stored within the database and a compromise of the system housing the database. Additional information on generic SQL injection attacks can be found at http://www.owasp.org/index.php/SQL_injection.
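The following added example (written for this page, not code from the book or from any system it discusses) puts the defect beside its fix. Both functions answer the same question, whether a username and password match a row, against a constructed in-memory SQLite table. The first splices the supplied strings into the SQL text, so a quote character in the input changes the query's structure; the second keeps the SQL text fixed and passes the values as bind parameters, so the same input is compared only as data. The table contents and the login functions are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "staff")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Defective: user-controlled strings become part of the SQL syntax."""
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Hardened: the statement text is constant; values travel separately as
    bind parameters and can never be parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A quote in the input rewrites the first query's WHERE clause so that it
    # no longer depends on the password; the second query simply finds no row.
    tautology = "' OR '1'='1"
    print("vulnerable   :", login_vulnerable(db, "alice", tautology))
    print("parameterized:", login_parameterized(db, "alice", tautology))
```

The parameterized form is the complete fix for string-typed values; for numeric parameters such as a record id, additionally converting the input to an integer before it reaches the query rejects anything that is not a number, and a database account granted only the rights the application needs bounds what an injected query can do if a vulnerable code path is missed.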
If a hacker discovers a SQL injection vulnerability on a website, but the SQL injection does not return any readable data, this is known as “blind” SQL injection. The blind SQL injection vulnerability executes an attacker-controlled SQL query on the backend