Over the last year, hacktivists driven by ideological differences have targeted government data around the world at a persistent rate. The lines are blurred with most of these attacks as there are multiple motives behind them. However, one common theme to these attacks is the simplicity with which they are carried out. Hacktivists use an attack method known as an SQL injection to extract information from SQL databases that are vulnerable and exposed online.
OWASP lists SQL injection as the number one web vulnerability. SQL injection is an attack that targets web applications by taking advantage of poor application coding in which inputs are not sanitized, exposing application vulnerabilities. SQL injection is the most famous type of injection attack, a category that also includes LDAP and XML injections. The idea behind an SQL injection is to modify an application's SQL query in order to access or modify unauthorized data or run malicious programs. Most web applications rely on databases where the application data is stored and accessed through SQL queries, and modification of these queries can result in taking control of the application. For example, an attacker would be able to access the application’s backend database with administrator access, run remote commands on the server, drop or create objects in the database, and more.
For instance, the SQL query below, which is meant to authenticate users, is common in web applications:
myQuery = "SELECT * FROM userstable WHERE username = 'userinput1' and password = 'userinput2';"
Replacing userinput1 with 'OR 1=1'); -- would grant the attacker access to the database without knowing the real username and password, because the assertion "1=1" is always true and the rest of the query is ignored after the comment characters.
Replacing userinput1 with ' OR 1=1"); drop table users;-- would additionally drop the application's users table.
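The login query above, as an added example that is not from the original article: Python's built-in sqlite3 module runs the string-built query next to a parameterized version of it. The table contents, function names and sample inputs are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory database holding one constructed account (sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userstable (username TEXT, password TEXT)")
    # Plaintext password only to mirror the article's query; store hashes in practice.
    db.execute("INSERT INTO userstable VALUES ('alice', 'correct-horse')")
    return db


def login_concatenated(db, username, password):
    """Vulnerable form: user input becomes part of the SQL text itself."""
    query = ("SELECT * FROM userstable WHERE username = '" + username +
             "' AND password = '" + password + "';")
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    """Hardened form: placeholders keep input as data, never as SQL syntax."""
    query = "SELECT * FROM userstable WHERE username = ? AND password = ?;"
    return db.execute(query, (username, password)).fetchone() is not None


# Constructed tautology input of the kind the article describes.
TAUTOLOGY = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    attempts = [("alice", "correct-horse"), ("alice", "wrong"), (TAUTOLOGY, "x")]
    for name, pw in attempts:
        print(repr(name),
              "concatenated:", login_concatenated(db, name, pw),
              "parameterized:", login_parameterized(db, name, pw))
```

With the concatenated query the tautology input logs in without a valid password; with placeholders the same input is compared as a literal username and is rejected.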
Recent Government hacks:
COMELEC – The database of the Philippine Commission on Elections was breached via an SQL injection that resulted in exposing 55 million voters.
Country Liberal Party – An 18-year-old launched an SQL injection attack against the Country Liberal Party in Australia that resulted in 117 members' personal information being exposed.
UN Climate Change Summit – Members of Anonymous allegedly used an SQL injection to target the UN Climate Change Summit website. This attack resulted in the hackers gaining access and leaking data containing usernames, passwords, email, titles and more.
European Space Agency – Anonymous targeted the European Space Agency with a reported blind SQL vulnerability that granted them access to the ESA’s database and resulted in leaked information of over 8000 names, emails and passwords.
Hacktivists are the digital activists of our era, and are not going away any time soon. They can now take a stand on social and political issues on a global scale—without digital boundaries. Arguably, the most dangerous aspect of hacktivism is the intent. While many fight for political and social change, others will use these operations for personal and financial gain. Importantly, hacktivist groups are not as “leaderless” as they might have everyone believe. Motivation of a group’s leaders can be difficult to discern. Leaders could be propagandists, or foreign powers attempting to subvert a group into carrying out an attack for them. However, what all operations share is the exploitation of a “gang” mentality to build momentum and scale—tapping into the social fad and feeding some people’s desire to feel important. Given the amount of media attention data leaks attract, they serve as motivation for attackers to leak more data. Protests are now taken to the digital world via attacks that include denial of service and SQL injections.
Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network and application based vulnerabilities. Daniel’s research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigate attacks proactively for its customers.