SQL injection: The bug that seemingly can’t be squashed

If you’re in a hands-on cybersecurity role that requires some familiarity with code, chances are good that you’ve had to think about SQL injection over and over (and over) again. It’s a common vulnerability that – despite being easily remedied – continues to plague our software and, if left undetected before deployment, provides a small window of opportunity to would-be attackers. December 2020 marked SQL injection’s 22nd birthday (of sorts). Despite this vulnerability being old …


Surging CMS attacks keep SQL injections on the radar during the next normal

Every year, millions of websites across the world fall victim to malware attacks that are designed to gain access to the site’s backend without the administrator’s knowledge in order to steal sensitive data or cause damage, usually for financial gain. This year, cyberattacks have been on the rise during the pandemic, leaving businesses to wonder whether or not things will settle down whenever the COVID-19 situation begins to wane, or if this is the next normal for the indefinite future.

Attacks targeting popular content management system (CMS) platforms like WordPress, Joomla, Drupal, and noneCMS have risen in 2020. In fact, according to the 2020 Global Threat Intelligence Report from Dimension Data, these CMS platforms alone were the target of approximately 20% of all observed attacks globally. SQL injection vulnerability in Joomla was found to be the most commonly exploited by attackers.

In this article, we’ll take a look at security vulnerabilities in the context of CMS platforms and the implications of SQL injection attacks on your website.

How CMS vulnerabilities have evolved over the years

CMS vulnerabilities affect both your website’s security and the content management system itself. Common attack classes against CMS platforms include privilege escalation exploits, social engineering, and cross-site scripting.

  • Privilege escalation exploits abuse security flaws, known bugs, or misconfiguration in an application or an operating system to gain access to resources the attacker’s account should not have.
  • Social engineering attacks on CMSs cover a wide range of manipulation techniques used to get around the technical controls that protect the content management process, typically by tricking an administrator or editor.
  • Cross-site scripting (XSS) abuses flaws in the client-side execution environment together with backend weaknesses, such as missing validation of content and parameters, to run attacker-controlled script in other users’ browsers; this can disclose sensitive data and, when the victim is an administrator, lead to a takeover of the site.

Most security flaws linked to CMS platforms aren’t limited to web content management itself; they are also present in the server environment, the web technologies, and the protocols the CMS depends on.

Cross-site scripting

Cross-site scripting targets the client environment and takes advantage of insufficient parameter and content sanitization on the server side. As a result, the attacker can inject malicious script and arbitrary commands into the pages that users view.

This flaw differs from code execution vulnerabilities in that the injected code runs in the victim’s browser, not on the server, so its technical impact is indirect: the script acts with the privileges of whoever is viewing the page. When executed effectively against a logged-in editor or administrator, it can still result in serious data and privacy violations, including changes to database content made through the CMS’s own interface and manipulation of the actual content served.

This class of web application vulnerability commonly targets popular CMS platforms, whose pages are assembled from many user-controlled fields. In principle the threat can be neutralized by disabling client-side script execution in the browser, but that breaks most modern sites; in practice the fix is context-aware output encoding on the server and a restrictive Content Security Policy.

Open-source CMSs such as WordPress and Drupal, which rely heavily on the client-side environment, are more prone to client-side attacks than traditional corporate frameworks, whose weaknesses tend to be server-side remote vulnerabilities. The growth of third-party CMS plugins has also contributed to cross-site scripting becoming a top security vulnerability for CMS platforms.

Arbitrary remote code execution

Sending malicious commands to a web application can result in the disclosure of users’ private data, and in the worst case the attacker gains control of the server or of a user’s computer. Remote code execution is harder to achieve than injecting code into an execution environment the attacker already has local access to, and it requires more specialized tools and skills.

Still, the remote attacker only needs a security flaw that offers a small window to send commands to the remote execution environment; if that input is executed without any evaluation, the malicious code runs.

As a result, attackers can establish a remote entrance into the target environment, and oftentimes the administrator has no knowledge that the system has been compromised.

Most of the time, attackers make use of remote code execution flaws exposed on the web surface or in narrow-use, specific ports and protocols. When a CMS is attacked, the remote code execution flaw often resides in a connected platform, such as the .NET environment, the PHP interpreter, or a file-sharing service or database that has its own remote code execution vulnerabilities.

Instead of targeting the remote infrastructure, sometimes threat actors change their tactics by initiating remote code execution attacks within the client environment. For example, a malicious email may have an attachment containing a specially crafted infected file. The file containing the malicious code is executed on the client’s infrastructure. It can, for example, enable the attacker to install programs or create new accounts with full user rights.

In both types of attacks, the malicious code can be the same. However, the method of delivery is different. This is why it’s vital for CMS admins to secure their platforms and not allow attackers to gain entry to the end-users’ systems. As of 2017, arbitrary remote code execution has emerged as a top CMS security vulnerability. Several security flaws have been detected in Magento’s CMS, including arbitrary code execution.

SQL injection and the CMS

These days, most CMS platforms sit on top of an SQL database backend. The application authenticates to the database with a single application-specific account rather than with the credentials of the individual user making the request, so every query, legitimate or injected, runs with that account’s privileges. As a result, when malicious input reaches the database through the web layer in the form of an SQL injection, the breach affects everything the application’s database account can reach, which in practice is the entire database.

As with other code injection threats, an SQL injection sends arbitrary SQL straight to the database layer. In most cases the root cause is that untrusted input is concatenated into the query text without parameterization or sanitization, which allows the threat actor to issue direct database commands and modify the database directly.

SQL injections have been around for a long time, and still they remain one of the most common CMS security flaws. Over time, attackers have kept discovering new injection points. Using parameterized queries (prepared statements), so that user input is bound as data rather than spliced into SQL text, is the reliable way to stop SQL injection; validating and sanitizing parameter values before processing them is a useful second layer.

Some of the most popular CMS platforms that are known to have SQL injection vulnerabilities include WordPress, Joomla and Drupal. According to Sucuri’s 2019 Website Threat Research Report, over 2 million SQL injection attack attempts were blocked by the Sucuri Firewall, accounting for 1.55% of all blocked attack attempts.

Consequences of SQL injections on CMS platforms

The whole point of a CMS platform is to connect with a database that stores content, including both structured information as well as data relating to registered users with different roles.

According to SonicWall, web app attacks, which are commonly executed via SQL injection, are down from last year overall but have been trending dangerously upward since February, rising steadily from 2.1 million attacks to 4.9 million attacks in June.


In an SQL injection attack, the attacker submits SQL through an input field so that the database executes it, or uses it to gain access to a web application without the owner’s permission or knowledge. This allows the malicious user to view, insert, modify, or delete data stored in the web application’s database tables. Most attackers use SQL injection to exploit known vulnerabilities in plugins and in PHP applications.

Here’s an example of how an SQL injection works. Suppose a web application asks the user to enter their user id in a text field, and the server builds its query by concatenating that input:

"SELECT * FROM Users WHERE UserId = " + txtUserId

The user enters “202 or 1=1”, where 202 is any (possibly non-existent) user id. The query the server sends to the database becomes:

SELECT * FROM Users WHERE UserId = 202 or 1=1

Since the condition 1=1 always holds true, every row in the Users table is returned by this statement. If your code simply takes the first row returned as the authenticated user, the attacker is logged in as whichever user sorts first, often an administrator; and because the same injection point accepts arbitrary SQL (a UNION clause, for instance), it can potentially expose data stored in other database tables as well.

Let’s take a look at some of the consequences of SQL injection attacks in CMS platforms:

  • Authentication bypass: The threat actor is never asked for valid credentials before logging into your site, giving open access to the site’s resources.
  • Setting up redirects: The attacker plants malicious redirecting links or scripts in your site’s pages, sending your visitors to websites where they get scammed or their system gets infected with malware.
  • Spamming: Attackers inject spam content and links promoting fraudulent products into the pages and data your site serves, so that your own site communicates with its users on the attacker’s behalf.
  • Denial of service: An injected query that is resource-intensive, or that deletes or corrupts tables, can disrupt your website temporarily or indefinitely, resulting in serious financial damage.

There are various ways you can prevent injection attacks. The most common measures include:

  • Deploy web application security: A web application firewall (WAF) is a valuable layer for any live website or application today. A WAF filters requests that match known attack patterns before they reach your CMS; it reduces exposure but does not replace fixing the vulnerable code, since WAF rules can be bypassed.
  • Use input validation and parameterized queries: Most popular CMS platforms already check the data submitted through fields and forms. If you add custom fields or plugins, make sure your code validates everything users send and binds user input to queries as parameters rather than concatenating it into SQL; in WordPress that means building every query with $wpdb->prepare().
  • Secure access to your database: Create a unique SQL user with a strong password for each of your CMS installations. Never give the application root-level access; limit the user’s privileges. WordPress, for example, can work with just SELECT, INSERT, UPDATE, CREATE, DELETE, DROP, and ALTER, and day-to-day operation needs only SELECT, INSERT, UPDATE, and DELETE; CREATE, DROP, and ALTER are needed only when an update changes the schema.
  • Keep everything updated: CMS platform and plugin developers maintain their code bases for security, and many releases exist specifically to address bugs and vulnerabilities. When your CMS notifies you of an update, check whether it includes bug and security fixes, and update accordingly.
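The injection walked through above and the prevention measures in this list are easiest to see side by side in running code. The following is an added example, not code from the original article or from any CMS: Python with the standard-library sqlite3 module stands in for the CMS’s PHP and MySQL stack, and the Users and Settings tables, their rows, and the secret value are constructed for illustration. It runs the article’s “202 or 1=1” input through a concatenated query, a parameterized query, and a type-validated query, and goes one step beyond the article by adding a UNION payload that pulls rows from a second table through the same injection point.

```python
import sqlite3

# Constructed sample data standing in for a CMS database: a Users table (the
# article's example) plus a second table the attacker has no business reading.
SAMPLE_USERS = [
    (1, "admin", "administrator"),
    (17, "editor", "editor"),
    (202, "guest", "subscriber"),
]
SAMPLE_SETTINGS = [
    (1, "backup_api_key", "constructed-secret-value"),
]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT, Role TEXT)")
    conn.execute("CREATE TABLE Settings (Id INTEGER PRIMARY KEY, Name TEXT, Value TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO Settings VALUES (?, ?, ?)", SAMPLE_SETTINGS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, txt_user_id):
    """The article's pattern: the user's text is concatenated into the SQL.

    Whatever the user typed becomes part of the statement, so '202 or 1=1'
    widens the WHERE clause and a UNION clause reads other tables entirely.
    """
    sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, txt_user_id):
    """Hardened: the input is bound as a value, never parsed as SQL text.

    '202 or 1=1' is compared, as a string, against the integer UserId column
    and matches nothing; the statement itself cannot be altered.
    """
    return conn.execute(
        "SELECT * FROM Users WHERE UserId = ?", (txt_user_id,)
    ).fetchall()


def lookup_validated(conn, txt_user_id):
    """Defence in depth: validate the type first, then bind the parameter.

    A user id is an integer; anything else is rejected before it gets near
    the database, which also gives the application a clean error to log.
    """
    try:
        user_id = int(txt_user_id)
    except (TypeError, ValueError):
        raise ValueError("UserId must be an integer")
    return conn.execute(
        "SELECT * FROM Users WHERE UserId = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "202 or 1=1"
    union_payload = "0 UNION SELECT Id, Name, Value FROM Settings"
    print("vulnerable, tautology :", lookup_vulnerable(db, payload))
    print("vulnerable, UNION     :", lookup_vulnerable(db, union_payload))
    print("parameterized         :", lookup_parameterized(db, payload))
    print("validated, good input :", lookup_validated(db, "202"))
    try:
        lookup_validated(db, payload)
    except ValueError as exc:
        print("validated, bad input  : rejected ->", exc)
```

Run it directly to see the four outcomes printed. Parameterization alone already defeats both payloads; the integer check is there so that bad input is rejected with a loggable error rather than silently returning no rows. The least-privilege advice in the list is the third layer: even a successful UNION only reaches tables the application’s database account is allowed to read.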

Conclusion

Millions of websites fall victim to malware attacks each year and result in huge financial losses. However, website owners can successfully prevent or minimize the impact of such attacks by proactively fixing vulnerabilities (such as SQL injection vulnerabilities) in their CMS.

There are several measures you can take to prevent SQL injection attacks, but they should be implemented as part of a cohesive strategy. By deploying the right security tools, continuously testing your website, and fixing the flaws you find, you can stay ahead of attackers who try to exploit CMS vulnerabilities.

Evasive malware increasing, evading signature-based antivirus solutions

Evasive malware has grown to record high levels, with over two-thirds of malware detected by WatchGuard in Q4 2019 evading signature-based antivirus solutions.


This is a dramatic increase from the year-long average of 35% for 2019 and points to the fact that obfuscated or evasive malware is becoming the rule, not the exception. Companies of all sizes need to deploy advanced anti-malware solutions that can detect and block these attacks.

In addition, widespread phishing campaigns exploiting a Microsoft Excel vulnerability from 2017 have been detected. This ‘dropper’ exploit was number seven on WatchGuard’s top ten malware list and heavily targeted the UK, Germany and New Zealand. It downloads several other types of malware onto victims’ systems, including a keylogger named Agent Tesla that was used in phishing attacks in February 2020 that preyed on early fears of the coronavirus outbreak.

Businesses of all sizes need to invest in multiple layers of security

“Our findings from Q4 2019 show that threat actors are always evolving their attack methods,” said Corey Nachreiner, CTO at WatchGuard.

“With over two-thirds of malware in the wild obfuscated to sneak past signature-based defenses, and innovations like Mac adware on the rise, businesses of all sizes need to invest in multiple layers of security. Advanced AI or behavioural-based anti-malware technology and robust phishing protection like DNS filtering will be especially crucial.”

Other key findings from the Q4 2019 report include:

  • Mac adware jumps in popularity in Q4 – One of the top compromised websites detected in Q4 2019 hosts a macOS adware called Bundlore that masquerades as an Adobe Flash update. This lines up with a MalwareBytes report from February 2020 that showed a rise in Mac malware, particularly adware.
  • SQL injection attacks became the top network attack in 2019 – SQL injection attacks rose an enormous 8000% in total between 2018 and 2019, becoming the most common network attack of the year by a significant margin.
  • Hackers increasingly using automated malware distribution – Many attacks hit 70 to 80 percent of all Fireboxes in a single country, suggesting attackers are automating their attacks more frequently.

WordPress and Apache Struts weaponized vulnerabilities on the rise

Vulnerabilities in leading web and application frameworks, if exploited, can have devastating effects like the Equifax breach which affected 147 million people, according to RiskSense.


Among the report’s key findings: total framework vulnerabilities in 2019 went down but the weaponization rate went up; WordPress and Apache Struts had the most weaponized vulnerabilities; and input validation surpassed cross-site scripting (XSS) as the most weaponized weakness in the frameworks examined.

“Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance, or inherent security of applications,” said Srinivas Mukkamala, CEO of RiskSense.

“As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”

Most weaponized vulnerabilities

WordPress and Apache Struts alone accounted for 57% of the weaponized vulnerabilities (those for which exploit code exists to take advantage of the weakness) found in the past 10 years.

WordPress faced a wide variety of issues, but XSS was the most common problem, while input validation was the biggest risk for the Apache Struts framework. Their respective underlying languages, PHP for WordPress and Java for Struts, were also the most weaponized languages in the study.

2019 vulnerabilities are down, but weaponization is up

While the overall number of framework vulnerabilities was down in 2019 compared to previous years, the weaponization rate jumped to 8.6% which is more than double the National Vulnerability Database (NVD) average of 3.9% for the same period. This uptick was primarily due to increased weaponization in Ruby on Rails, WordPress and Java.

Input validation replaces XSS as top weakness

While XSS issues were the most common vulnerability over the 10-year study period, it dropped to 5th when analyzed over the last 5 years. This is a sign that frameworks are making progress in this important area.

Meanwhile, input validation has emerged as the top security risk for frameworks, accounting for 24% of all weaponized vulnerabilities over the past 5 years mostly affecting Apache Struts, WordPress, and Drupal.

Injection weaknesses are highly weaponized

Vulnerabilities tied to SQL injection, code injections, and various command injections remained fairly rare, but had some of the highest weaponization rates, often over 50%. In fact, the top 3 weaknesses by weaponization rate were command injection (60% weaponized), OS command injection (50% weaponized), and code injection (39% weaponized). This often makes them some of the most sought after weaknesses by attackers.

Shedding light on hidden threats

An organization’s web-facing applications represent fundamental digital assets that are essential to serving internal and external users. Their exposure to the outside world also means they are susceptible to constant attack.

Most credential abuse attacks against the financial sector targeted APIs

Beginning in May 2019 and continuing until the end of the year, there was a dramatic shift by criminals, who started targeting APIs directly in an effort to bypass security controls. According to data from Akamai, up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly.


According to the report’s findings, from December 2017 through November 2019, 85,422,079,109 credential abuse attacks were observed. Nearly 20 percent, or 16,557,875,875, were against hostnames that were clearly identified as API endpoints. Of these, 473,518,955 attacked organizations in the financial services industry.

A mix of API targeting, and other methodologies

But not all attacks were exclusively API focused. On August 7, 2019, the single largest credential stuffing attack against a financial services firm was recorded, consisting of 55,141,782 malicious login attempts.

This attack was a mix of API targeting, and other methodologies. On August 25, in a separate incident, the criminals targeted APIs directly, in a run that consisted of more than 19 million credential abuse attacks.

“Criminals are getting more creative and hyper-focused on how they go about obtaining access to the things they need to conduct their crimes,” said Steve Ragan, Akamai security researcher and principal author of the State of the Internet / Security report.

“Criminals targeting the financial services industry pay close attention to the defenses used by these organizations, and adjust their attack patterns accordingly.”

Criminals exposing data through different methods

Indicative of this fluid attack dynamic, the report shows that criminals continue to seek to expose data through a number of methods, in order to gain a stronger foothold on the server and ultimately achieve success in their attempts.

SQL Injection (SQLi) accounted for more than 72% of all attacks when looking at all verticals during the 24-month period observed by the report. That rate is halved to 36% when looking at financial services attacks alone. The top attack type against the financial services sector was Local File Inclusion (LFI), with 47% of observed traffic.

LFI attacks exploit scripts running on the server to read files the attacker should not be able to reach, and as a consequence these attacks can be used to force sensitive information disclosure. LFI attacks can also be leveraged for client-side command execution (for example through a vulnerable JavaScript file), which could lead to cross-site scripting (XSS) and DoS attacks.

XSS was the third-most common type of attack against financial services, with a recorded 50.7 million attacks, or 7.7% of the observed attack traffic.

Criminals still leveraging DDoS attacks

The report also shows that criminals continue to leverage DDoS attacks as a core component of their attack arsenal, particularly as it relates to targeting financial services organizations.

Observations from November 2017 until October 2019 show the financial services industry ranking third in attack volume, with gaming and high tech being the most common targets. However, more than forty percent of the unique DDoS targets were in the financial services industry, which makes this sector the top target when counting unique victims.

“Security teams need to constantly consider policies, procedures, workflows, and business needs – all while fighting off attackers that are often well organized and well-funded,” Ragan concluded. “Our data shows that financial services organizations are constantly improving by adopting fluid security postures, forcing criminals to change their tactics.”

Cyber risk increases at all layers of the corporate network

Organizations will face a growing risk from their cloud and the supply chain, according to Trend Micro. The growing popularity of cloud and DevOps environments will continue to drive business agility while exposing organizations, from enterprises to manufacturers, to third-party risk. “As we enter a new decade, organizations of all industries and sizes will increasingly rely on third party software, open-source, and modern working practices to drive the digital …
