Security researchers at Imperva are warning that cyber-criminals are taking advantage of hosted database services to set up command-and-control and drop servers for data exfiltration.
In a research paper published this week (PDF), Imperva said cloud servers — called Database as a Service (DBaaS) — are offering a rich environment for malicious hackers to anonymously set up command-and-control servers and store stolen corporate data.
“When an organization’s internal data is stored in the cloud, an attacker no longer needs to gain access to the organization’s network, before compromising its database. This is compounded when a hacker opens his own account with the same cloud service. By doing that, the attacker can gain privileges or use a vulnerability to compromise all of the hosted data,” according to the report.
Imperva said it found evidence of this new trend in a botnet that uses a banker Trojan to hijack sensitive financial data from users in South America. The Trojan uses a popular MSSQL hosting service for its C&C functionality as well as its storage (“drop”) server.
After analyzing the botnet, Imperva researchers discovered five different C&C databases and two storage databases hosted with the same service provider.
Although the researchers did not find evidence of a database hack, Imperva believes it’s only a matter of time before criminal hackers start using “off-the-shelf malware” for generic database access inside the enterprise. “Once their motivation and business model becomes clear, whatever they lack in terms of technology they are certain to achieve. At that point, internal data stores of many more organizations are going to be part of the attack surface,” the company warned.
“These include organizations of all sizes and verticals – not only large defense contractors. Based on our observations and analysis, we expect the first generation of such tools to use standard SQL access to servers relying on default or stolen credentials for initial access. We expect this first generation of tools to target standard database structures of well-known applications (e.g. SAP, PeopleSoft),” it added.
In the past, attacks against databases require admin rights or privilege escalation. However, with this discovery, Imperva is calling attentionn to the fact that malware with database capabilities can wreak havoc and pilfer corporate data.
The company believes that “infection is inevitable” and compromise of a portion of workstations within a network should be considered “an inherent condition.”
Imperva called on organizations to improve controls around data stores as a mitigation strategy, focusing on technologies like database audit and DAM (database activity monitoring).
In the report, the company said organizations that host their data in a cloud service are exposing it to higher risks than originally perceived.
“Due to the exposure of the database to technically savvy attackers and to the ease of obtaining a legitimate foothold on such a server, risk factors are increased. This can quickly be turned into a privilege escalation attack. This change in how we perceive the risk should be taken into consideration by organizations when they decide which data they want to store externally It should also serve as a wake-up call for service providers to look for deploying virtual patching solutions,” according to the report.
