SQL Injection Blamed for 7-11, Hannaford and Heartland Breaches

The details of 3 major identity theft breaches came to light today with the release of the federal indictment of Albert Gonzalez.

It turns out that the main entry point was a SQL Injection vulnerability. The indictment states that a SQL Injection vulnerability was exploited and used to install malware on the target network.

The indictment doesn’t give any details of the technique that was used to leverage the SQL Injection vulnerability to install the malware. I have my theories. Here are some potential ideas:

  • xp_cmdshell was enabled and allowed the attackers to execute the commands of their choice on the server
  • web content was served from the database and it was changed to allow executable file uploads to the web server and then execution on the web server
  • there was sensitive data stored in tables in the database that allowed the attackers access to machines they could execute code on.
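All three theories start from the same root cause: untrusted input spliced into the text of a SQL statement. The example below is added here and is not code from the original post or from Veracode; it puts the injectable pattern beside its parameterized replacement using Python's built-in sqlite3 module. The two-row users table, the function names and the sample inputs are constructed for the demonstration and are not taken from the indictment or the breaches discussed.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory demo table (not real breach data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The injectable pattern: the caller's string becomes part of the SQL text.

    Anything the user types is parsed by the database as SQL, so a quote in the
    input can terminate the literal and append its own conditions.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: a placeholder in the statement, the value bound separately.

    The driver hands the value to the engine as data, so it can never alter the
    structure of the statement no matter what characters it contains.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups with a benign and a hostile constructed input."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed tautology input for the demonstration
    return {
        # Concatenation: the hostile input widens the WHERE clause to every row.
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        # Parameter binding: the same input is just a name nobody has.
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Run it and the concatenated query returns both rows for the hostile input while the parameterized query returns none. The same binding discipline applies whatever the database or language; the accompanying mitigation for the theories above is to run the application's database account with the least privilege it needs, so that even a successful injection cannot reach administrative extensions or alter content the web tier later executes.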

I would be interested in other ways people know of to leverage a SQL injection vulnerability to execute code.

Once an attacker has the tiniest foothold through a perimeter, it can often be leveraged to compromise an entire organization. That is why public-facing web applications are critical to secure. They are on the front-line perimeter of your organization and demand the same care you would put into locking down your firewall, mail server, or VPN. Thinking that attackers who find a web vulnerability will only be able to manipulate web transactions deprioritizes the risk inappropriately. Sometimes a web vulnerability gives them the whole enchilada.

MikeA | August 17, 2009 10:32 pm

How about SQL injection to leave XSS in the database that an internal user would access. The XSS then goes out and pulls code/applets or other browser exploits. Because it’s an internal site, users may not be as wary about warning signs and have lower security settings.

Once the attacker has a single foothold on an internal machine, more so if it’s some form of privileged user, it’s just a matter of exploration and time.

That’s perhaps another way of leveraging an SQL vuln, although I would bet it’s probably one of the easier methods.

SQL Injection continues to trouble firms, lead to breaches | Cyber World Network | August 19, 2009 5:19 am

[...] Missing from the federal indictment handed down Monday is the technique used by Albert Gonzalez, the alleged mastermind behind the Heartland and Hannaford attacks. Gonzalez is also charged with two others for his role behind the successful attacks against the TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. In a blog entry, Chris Wysopal, co-founder and chief technology officer of secure application testing vendor, Veracode, has written several theories as to how the Hannaford and Heartland attackers gained entry. [...]
