Cybersecurity Threat Advisory: SQL Injection Attack
Posted on March 24, 2026 by Jason Franks
This week, a new critical alert demands the immediate attention and action of the public-sector community.
Advisory Summary
As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks.
This week, a new critical alert demands the immediate attention and action of the mission-critical community, underlining the crucial role that public-safety leaders play in maintaining the security of their operations.
Advisory Overview
The Pennsylvania Cybersecurity Threat and Intelligence Communications Unit (PA CyberCom) reported that it received an alert from a “highly reliable” federal source that a municipality in the eastern part of the state recently suffered a Structured Query Language (SQL) injection attack. SQL is a standard programming language used to communicate with, manage, and manipulate relational databases.
What Happened?
According to PA CyberCom, the municipality confirmed that cyberattackers compromised a MariaDB instance. MariaDB is an open-source relational database management system that is used as a replacement for the MySQL relational database management system. The municipality confirmed that its MariaDB did not contain personal or critical business information.
PA CyberCom believes that the cyberattackers likely gained initial access to MariaDB by exploiting PHP vulnerabilities in the municipality’s Hyper-V instance used to host its old website. PHP (Hypertext Preprocessor) is an open-source scripting language used to develop websites. A Hyper-V instance is a virtual machine that uses Microsoft’s hypervisor software.
FaD TeaM reportedly has taken credit for the attack. It is a group associated with Iraq’s Resistance Hub; the group conducts distributed denial-of-service attacks, website defacements, and other malicious actions. PA CyberCom reported that its investigation revealed the following actions were taken:
- The cyberattackers first scanned for the existence of wlmanifest.xml, which is a legacy file tied to older Microsoft web application integrations.
- They then requested robots.txt, a text file that tells web crawlers which paths to skip and, as a result, can reveal a site’s hidden, private, or administrative areas.
- Next they scanned for xmlrpc.php, which is a file that enables the XML-RPC protocol to work in WordPress systems.
- Finally, they probed index.php to confirm whether the site is running PHP and how it handles direct requests to its main entry point.
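Defenders can search web server access logs for the four-request probe order listed above. The following Python sketch is an added example, not code from PA CyberCom or MCP. It assumes Common/Combined Log Format; the 10-minute window, the function names, and the sample log lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Probe order reported in the advisory.
PROBE_ORDER = ["wlmanifest.xml", "robots.txt", "xmlrpc.php", "index.php"]
WINDOW = timedelta(minutes=10)  # assumption: tune to your own traffic
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)')

# Constructed sample access-log lines (not taken from the incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:04:12:01 +0000] "GET /wlmanifest.xml HTTP/1.1" 404 153',
    '203.0.113.7 - - [10/Mar/2026:04:12:02 +0000] "GET /robots.txt HTTP/1.1" 200 68',
    '198.51.100.20 - - [10/Mar/2026:04:12:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2026:04:12:03 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42',
    '203.0.113.7 - - [10/Mar/2026:04:12:05 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120',
    '198.51.100.20 - - [10/Mar/2026:04:12:09 +0000] "GET /robots.txt HTTP/1.1" 200 68',
]

def parse(line):
    """Return (client_ip, timestamp, requested file name) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, raw_ts, path = m.groups()
    ts = datetime.strptime(raw_ts, "%d/%b/%Y:%H:%M:%S %z")
    name = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1].lower()
    return ip, ts, name

def find_probe_sequences(lines):
    """Map each client that requested PROBE_ORDER in order within WINDOW to (first, last) timestamps."""
    state = defaultdict(lambda: (0, None))  # ip -> (next expected index, sequence start)
    hits = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, name = rec
        idx, start = state[ip]
        if start is not None and ts - start > WINDOW:
            idx, start = 0, None  # stale partial sequence: start over
        if name == PROBE_ORDER[idx]:
            start = start or ts
            idx += 1
            if idx == len(PROBE_ORDER):
                hits[ip] = (start, ts)
                idx, start = 0, None
        state[ip] = (idx, start)
    return hits
```

A match is a lead for triage rather than proof of compromise, since each of these files is also requested by ordinary crawlers and scanners.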
What is the Risk?
SQL injection attacks enable cyberattackers to view, modify, delete, or steal sensitive data. They also can enable cyberattackers to bypass authentication and then gain full administrative control over the server and potentially the entire system.
What Are the Recommendations?
PA CyberCom’s investigation is ongoing, but the following are the agency’s initial recommendations:
- Conduct an asset inventory and remove any public-facing machines or software that are not in use or have not been updated.
- Prioritize monitoring and patching high-impact environments and public-facing applications, including all web application software components, e.g., libraries, plug-ins, frameworks, web server software, and database server software.
- Implement rate limiting and traffic filtering on public-facing applications.
- Install a web application firewall to control incoming traffic.
- Back up critical data regularly.
- Maintain a heightened cybersecurity threat posture.
How MCP Can Help
MCP offers a comprehensive cybersecurity solutions suite designed specifically for public-safety and justice entities and other critical-infrastructure organizations to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact JasonFranks@MissionCriticalPartners.com today to learn more.