A Russian-speaking black hat hacker has breached the systems of more than 60 universities and U.S. government agencies, according to threat intelligence firm Recorded Future.
The hacker, tracked by the company as “Rasputin,” typically exploits SQL injection vulnerabilities to gain access to sensitive information that he can sell on cybercrime marketplaces.
Rasputin is the hacker who last year breached the systems of the U.S. Election Assistance Commission (EAC) and attempted to sell more than 100 access credentials, including ones providing administrator privileges. Researchers found evidence that he had been negotiating with a potential buyer representing a Middle Eastern government.
Recorded Future has been monitoring the hacker’s activities and identified many of his victims, including over two dozen universities in the United States, ten universities in the United Kingdom, and many U.S. government agencies.
The list of targeted government agencies includes local, state and federal organizations. The targeted federal agencies are the Postal Regulatory Commission, the Department of Housing and Urban Development, the Health Resources and Services Administration, and the National Oceanic and Atmospheric Administration.
There are plenty of free tools that can be used to find and exploit SQL injection vulnerabilities, including Havij, Ashiyane SQL Scanner, SQL Exploiter Pro, SQLI Hunter, SQL Inject Me, SQLmap and SQLSentinel. However, Rasputin has been using a SQL injection tool that he developed himself.
“Financial profits motivate actors like Rasputin, who have technical skills to create their own tools to outperform the competition in both identifying and exploiting vulnerable databases,” said Levi Gundert, VP of intelligence and strategy at Recorded Future.
Experts believe Rasputin picks his targets based on their perceived investment in security controls and the potential value of the stolen data. The personal information stored in the targeted organizations’ databases can be highly valuable, particularly if the data is associated with users in North America and Western Europe.
Recorded Future pointed out that while SQL injection vulnerabilities have been around for a long time and can be easily prevented through basic secure coding practices, addressing these types of flaws can often be costly.
“The problem and solution are well understood, but solutions may require expensive projects to improve or replace vulnerable systems. These projects are often postponed until time and/or budget is available, until it’s too late to prevent SQLi victimization,” said Gundert.
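The "basic secure coding practice" that prevents this class of flaw is parameterized queries. The following Python snippet is an added illustration, not code from the article or from Recorded Future: it runs the same lookup once with string concatenation and once with a bound parameter against a constructed in-memory SQLite table (sample rows are made up), and shows that only the concatenated form lets the input alter the query, while also breaking on a legitimate name that contains an apostrophe.

```python
import sqlite3


def build_db():
    """Constructed sample table for the demonstration; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.edu"), (2, "bob", "bob@example.edu")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Concatenation: the caller's string becomes part of the SQL grammar,
    # so quote characters in it change what the statement means.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # Placeholder binding: the statement text is fixed and the value is passed
    # separately, so the input is only ever compared as data.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Return (rows from the concatenated query, rows from the bound query)."""
    conn = build_db()
    return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)


def concat_breaks_on_quote(username):
    """True if the concatenated form raises a SQL syntax error on this input,
    which it does for ordinary names such as o'brien; the bound form does not."""
    conn = build_db()
    lookup_parameterized(conn, username)  # always safe to call
    try:
        lookup_vulnerable(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print(compare("alice"))
    print(compare("' OR 1=1 --"))   # textbook tautology: only the first list leaks every row
    print(concat_breaks_on_quote("o'brien"))
```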