When we last looked at zero-day exploits, we focused on memory control flaws and flaws found in ICS/SCADA systems. In part three we look at two more commonly exploited types of zero-day flaw: SQL injection and command injection. The latter is also called operating system (OS) command injection or shell injection; the terms are used interchangeably.
In broad terms, a SQL injection attack involves a threat actor abusing the queries an application makes to a structured query language (SQL) database. Databases are an integral part of the modern world and serve purposes ranging from the mundane, such as storing your email address for notifications from your favorite company, to the critical, such as storing login credentials for financial services.
The threat actor hopes to find a flaw in the code that controls how information is sent to and retrieved from the database. Through that flaw, the attacker can inject malicious SQL that lets them modify database information, access sensitive data, execute administrative tasks on the database, and recover files from the system. In some cases, code injected through the database has even been used to issue commands to the underlying OS. SQL injection attacks have also been used to move laterally across an infrastructure: the attacker gains privileged access and uses it to reach other systems on the network.
Successful exploitation of a SQL injection flaw can have major repercussions for the victim, as the threat actor gains access to any and all information stored in the database. In the past we have seen the following types of information compromised during an attack:
- Credentials: attackers can obtain credentials via SQLi and then impersonate users and use their privileges.
- Databases: attackers can gain access to sensitive data in database servers.
- Data: attackers can alter or add new data to the accessed database. Alternatively, the attacker can simply delete the data or the entire database if they so wish.
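The flaw described above, where user input becomes part of the query text, is easiest to see with the two versions of a login check side by side. The following is an added example and not code from the original article: it runs against an in-memory SQLite database, and the users table, its columns and the two sample accounts are constructed for illustration (a real application would store password hashes, not plaintext).

```python
"""Added example (not from the article): the same login check written with string
concatenation and with a parameterized query. Runs against an in-memory SQLite
database; the users table, its columns and the two sample accounts are constructed
for illustration. Real applications store password hashes, not plaintext."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding two constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Flawed version: the input is pasted into the SQL text, so a quote in the
    username closes the string literal and the rest of the input is parsed as SQL."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized version: the SQL text is fixed and the driver binds the values
    separately, so the input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Run both versions against a crafted username (constructed input) and a
    legitimate login, returning the rows each query produced."""
    conn = build_db()
    # In the flawed query the quote ends the literal and '--' comments out the
    # password check; in the safe query the whole string is just a username.
    crafted = "alice' --"
    return {
        "vulnerable_crafted": login_vulnerable(conn, crafted, "wrong password"),
        "safe_crafted": login_safe(conn, crafted, "wrong password"),
        "safe_legitimate": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The parameterized version is the fix to reach for: the database driver never sees the input as SQL grammar, so no amount of quoting or escaping in the input changes the statement. Running `demo()` shows the flawed query returning the admin row for a wrong password while the parameterized query returns nothing for the same input.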
SQL injection has been a favored tactic of several advanced persistent threat (APT) groups over the years. As we saw in part one, the threat actor first leverages a flaw discovered in the software, in this case the software governing the SQL database and its management. In 2014, Tesla Motors suffered a blind SQL injection attack. In a blind SQL injection, the attacker receives no direct output from the injected query and instead infers the database contents from how the application responds to crafted queries. Security researchers discovered that they could gain administrative privileges and steal user data using a few plugins, standard queries, and cross-site scripting to compromise the database.
In 2018, Cisco was made aware of a flaw in its Cisco Prime License Manager that opened the possibility of a SQL injection attack. The vulnerability allowed attackers to gain shell access to systems on which the license manager was deployed. Cisco responded by patching the flaw. Even the gaming industry has been struck by this type of attack. Fortnite, the massively popular online game, experienced a SQL injection attack in 2019 that allowed attackers to take control of players’ accounts. At the time Fortnite had 350 million players worldwide, so such an attack could present an existential crisis to the game’s developers.
As for the use by APT groups mentioned above, some prominent attacks include:
- The GhostShell attack: hackers from the APT group Team GhostShell targeted 53 universities using SQL injection. The fallout included the theft and publication of 36,000 personal records belonging to students, faculty, and staff.
- Turkish Government Website Breach: the APT group RedHack used SQL injection to breach the Turkish government website and erase debt owed to government agencies.
- The 7-Eleven Breach: hackers used SQL injection to penetrate corporate systems at several companies, primarily the 7-Eleven retail chain, stealing 130 million credit card numbers.
I have already given two alternative terms for an OS command injection flaw; now for the next curveball. OS command injection is also referred to as Remote Code Execution (RCE), and modern conversations about this flaw tend to use the term RCE. Any flaw classed as RCE can be considered serious, as it effectively allows the attacker to take over the victim’s system. Such a takeover can be achieved in several ways, but two of the most prominent are deserialization attacks and out-of-bounds write attacks.
Check Point’s definitions of these attacks can be treated as the gold standard. They are as follows:
- Deserialization Attacks: Applications commonly use serialization to combine several pieces of data into a single string to make it easier to transmit or communicate. Specially formatted user input within the serialized data may be interpreted by the deserialization program as executable code.
- Out-of-Bounds Write: Applications regularly allocate fixed-size chunks of memory for storing data, including user-provided data. If this memory allocation is performed incorrectly, an attacker may be able to design an input that writes outside of the allocated buffer. Since executable code is also stored in memory, user-provided data written in the right place may be executed by the application.
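OS command injection itself, the flaw the section above introduced, comes down to user input being handed to a shell as part of a command line. The following is an added example, not code from the original article or from Check Point: a host-lookup helper written three ways, flawed, shell-free, and shell-free with allow-list validation. `echo` stands in for a real lookup tool such as nslookup so the example runs offline (an assumption), and the hostname pattern and function names are likewise assumptions.

```python
"""Added example (not from the article): a host-lookup helper written three ways.
`echo` stands in for a real lookup tool such as nslookup so the example runs offline
(an assumption); the hostname pattern and function names are likewise assumptions."""
import re
import subprocess

# Allow-list for hostnames: letters, digits, dots and hyphens only. Shell
# metacharacters such as ';', '|', '&', '$' and backticks can never match.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_valid_hostname(host: str) -> bool:
    """True only for input made of the allow-listed hostname characters."""
    return HOSTNAME_RE.fullmatch(host) is not None


def lookup_vulnerable(host: str) -> str:
    """Flawed version: the input is concatenated into a command line that is
    handed to /bin/sh, so shell metacharacters in `host` are interpreted and
    can append a second command to the one the developer intended."""
    cmd = "echo Resolving " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_no_shell(host: str) -> str:
    """Improved: an argument vector run without a shell. Whatever the input
    contains, it reaches the program as a single argument and is never parsed
    by a shell. Validation is still missing, so malformed hostnames get through."""
    return subprocess.run(["echo", "Resolving", host], capture_output=True, text=True).stdout


def lookup_safe(host: str) -> str:
    """Hardened: allow-list validation plus no shell, so a malformed or
    metacharacter-laden hostname is rejected before any process is spawned."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_no_shell(host)


if __name__ == "__main__":
    crafted = "example.com; echo INJECTED"  # constructed input
    print(repr(lookup_vulnerable(crafted)))  # the appended command runs
    print(repr(lookup_no_shell(crafted)))    # printed literally, nothing extra runs
    try:
        lookup_safe(crafted)
    except ValueError as exc:
        print("safe:", exc)
```

The middle version shows that avoiding the shell on its own removes the injection: the crafted string arrives at the program as one literal argument. The allow-list in the hardened version is defense in depth, rejecting input that is not a hostname at all rather than relying on the downstream tool to cope with it.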
Threat Actor Exploitation
The start of 2022 in InfoSec circles will be remembered for the Log4j vulnerability. The flaw was found in the popular library used to log activity on websites and web apps. The library, developed by Apache, is estimated to be used by at least 400,000 different web apps and by some of the world’s largest companies. In December 2021, multiple RCE vulnerabilities were discovered in Log4j that allowed attackers to exploit vulnerable applications, and as soon as the announcement was made, threat actors of all stripes, including nation-state groups and ransomware gangs, began exploiting them.
Coming Up Next
In the next part of this series, we will look at how security analysts and software developers work together to prevent flaws from being exploited.