Security researchers at Imperva are warning that cyber-criminals are taking advantage of hosted database services to set up command-and-control and drop servers for data exfiltration.
In a research paper published this week(PDF), Imperva said cloud servers — called Database as a Service (DBaaS) — are offering a rich environment for malicious hackers to anonymously set up command-and-control servers and store stolen corporate data.
“When an organization’s internal data is stored in the cloud, an attacker no longer needs to gain access to the organization’s network, before compromising its database. This is compounded when a hacker opens his own account with the same cloud service. By doing that, the attacker can gain privileges or use a vulnerability to compromise all of the hosted data,” according to the report.
Imperva said it found evidence of this new trend in a botnet that uses a banker Trojan to hijack sensitive financial data from users in South America. The Trojan uses a popular MSSQL hosting service for its CC functionality as well as its storage (“drop”) server.
After analyzing the botnet, Imperva researchers discovered five different CC databases and two storage databases hosted with the same service provider.
Although the researchers did not find evidence of a database hack, Imperva believes it’s only a matter of time before criminal hackers start using “off-the-shelf malware” for genericdatabase access inside the enterprise. “Once their motivation and business model becomes clear, whatever they lack in termsof technology they are certain to achieve. At that point, internal data stores of many more organizations are going to be part of the attack surface,” the company warned.
“These include organizations of all sizes and verticals – not only large defense contractors. Based on our observations and analysis, we expect the first generation of such tools to use standard SQL access to servers relying on default or stolen credentials for initial access. We expect this first generation of tools to target standard database structures of well-known applications (e.g. SAP, PeopleSoft),” it added.
In the past, attacks against databases require admin rights or privilege escalation. However, with this discovery, Imperva is calling attentionn to the fact that malware with database capabilities can wreak havoc and pilfer corporate data.
The company believes that “infection is inevitable” andcompromise of a portion of workstations within a network should be considered “an inherent condition.”
Imperva called on organizations to improve controls around data stores as a mitigation strategy, focusing on technologies like database audit and DAM (database activity monitoring).
In the report, the company said organizations that host their data in a cloud service are exposing it to higher risks than originally perceived.
“Due to the exposure of the database to technically savvy attackers and to the ease of obtaining a legitimatefoothold on such a server, risk factors are increased. This can quickly be turned into a privilege escalation attack. This change in how we perceive the risk should be taken into consideration by organizations when they decide which data they want to store externally It should also serve as a wake-up call for service providers to look for deploying virtual patching solutions,” according to the report.
Ryan is the host of the podcast series “Security Conversations – a podcast with Ryan Naraine”. He is the head of Kaspersky Lab’s Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.Previous Columns by Ryan Naraine:Database Cloud Services a Malware Risk to Enterprises: ImpervaBug Bounty Flaws Remain Unpatched for 151 Days: StudyGoogle Blocks Fraudulent Certificates Used by French GovernmentTechnology Controls Against APTs Not Working: StudyPodcast: Qualys CTO Wolfgang Kandek on Vulnerabilities in the Browser
Tags: Network Security