Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Database Cloud Services a Malware Risk to Enterprises: Imperva

Security researchers at Imperva are warning that cyber-criminals are taking advantage of hosted database services to set up command-and-control and drop servers for data exfiltration.

Security researchers at Imperva are warning that cyber-criminals are taking advantage of hosted database services to set up command-and-control and drop servers for data exfiltration.

In a research paper published this week (PDF), Imperva said cloud servers — called Database as a Service (DBaaS) — are offering a rich environment for malicious hackers to anonymously set up command-and-control servers and store stolen corporate data.

“When an organization’s internal data is stored in the cloud, an attacker no longer needs to gain access to the organization’s network, before compromising its database. This is compounded when a hacker opens his own account with the same cloud service. By doing that, the attacker can gain privileges or use a vulnerability to compromise all of the hosted data,” according to the report.

Database Cloud ServiceImperva said it found evidence of this new trend in a botnet that uses a banker Trojan to hijack sensitive financial data from users in South America.  The Trojan uses a popular MSSQL hosting service for its C&C functionality as well as its storage (“drop”) server.

After analyzing the botnet, Imperva researchers discovered five different C&C databases and two storage databases hosted with the same service provider. 

Although the researchers did not find evidence of a database hack, Imperva believes it’s only a matter of time before criminal hackers start using “off-the-shelf malware” for generic database access inside the enterprise. “Once their motivation and business model becomes clear, whatever they lack in terms of technology they are certain to achieve. At that point, internal data stores of many more organizations are going to be part of the attack surface,” the company warned.

“These include organizations of all sizes and verticals – not only large defense contractors. Based on our observations and analysis, we expect the first generation of such tools to use standard SQL access to servers relying on default or stolen credentials for initial access. We expect this first generation of tools to target standard database structures of well-known applications (e.g. SAP, PeopleSoft),” it added.

In the past, attacks against databases require admin rights or privilege escalation. However, with this discovery, Imperva is calling attentionn to the fact that malware with database capabilities can wreak havoc and pilfer corporate data. 

The company believes that “infection is inevitable” and compromise of a portion of workstations within a network should be considered “an inherent condition.” 

Imperva called on organizations to improve controls around data stores as a mitigation strategy, focusing on technologies like database audit and DAM (database activity monitoring).

In the report, the company said organizations that host their data in a cloud service are exposing it to higher risks than originally perceived. 

“Due to the exposure of the database to technically savvy attackers and to the ease of obtaining a legitimate foothold on such a server, risk factors are increased. This can quickly be turned into a privilege escalation attack. This change in how we perceive the risk should be taken into consideration by organizations when they decide which data they want to store externally It should also serve as a wake-up call for service providers to look for deploying virtual patching solutions,” according to the report. 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...