Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Database Cloud Services a Malware Risk to Enterprises: Imperva

Security researchers at Imperva are warning that cyber-criminals are taking advantage of hosted database services to set up command-and-control and drop servers for data exfiltration.

Security researchers at Imperva are warning that cyber-criminals are taking advantage of hosted database services to set up command-and-control and drop servers for data exfiltration.

In a research paper published this week (PDF), Imperva said cloud servers — called Database as a Service (DBaaS) — are offering a rich environment for malicious hackers to anonymously set up command-and-control servers and store stolen corporate data.

“When an organization’s internal data is stored in the cloud, an attacker no longer needs to gain access to the organization’s network, before compromising its database. This is compounded when a hacker opens his own account with the same cloud service. By doing that, the attacker can gain privileges or use a vulnerability to compromise all of the hosted data,” according to the report.

Database Cloud ServiceImperva said it found evidence of this new trend in a botnet that uses a banker Trojan to hijack sensitive financial data from users in South America.  The Trojan uses a popular MSSQL hosting service for its C&C functionality as well as its storage (“drop”) server.

After analyzing the botnet, Imperva researchers discovered five different C&C databases and two storage databases hosted with the same service provider. 

Although the researchers did not find evidence of a database hack, Imperva believes it’s only a matter of time before criminal hackers start using “off-the-shelf malware” for generic database access inside the enterprise. “Once their motivation and business model becomes clear, whatever they lack in terms of technology they are certain to achieve. At that point, internal data stores of many more organizations are going to be part of the attack surface,” the company warned.

“These include organizations of all sizes and verticals – not only large defense contractors. Based on our observations and analysis, we expect the first generation of such tools to use standard SQL access to servers relying on default or stolen credentials for initial access. We expect this first generation of tools to target standard database structures of well-known applications (e.g. SAP, PeopleSoft),” it added.

In the past, attacks against databases require admin rights or privilege escalation. However, with this discovery, Imperva is calling attentionn to the fact that malware with database capabilities can wreak havoc and pilfer corporate data. 

The company believes that “infection is inevitable” and compromise of a portion of workstations within a network should be considered “an inherent condition.” 

Advertisement. Scroll to continue reading.

Imperva called on organizations to improve controls around data stores as a mitigation strategy, focusing on technologies like database audit and DAM (database activity monitoring).

In the report, the company said organizations that host their data in a cloud service are exposing it to higher risks than originally perceived. 

“Due to the exposure of the database to technically savvy attackers and to the ease of obtaining a legitimate foothold on such a server, risk factors are increased. This can quickly be turned into a privilege escalation attack. This change in how we perceive the risk should be taken into consideration by organizations when they decide which data they want to store externally It should also serve as a wake-up call for service providers to look for deploying virtual patching solutions,” according to the report. 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jared Bartel has been named CISO at Idaho State University.

Automated phishing protection and scam prevention company Bolster has appointed Rod Schultz as CEO.

Bugcrowd has appointed Trey Ford as CISO for the Americas.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.