A hacker has compromised at least 60 universities and US government organizations, utilzing SQL injections as his weapon of choice.
Rasputin, believed to be a Russian hacker, is most well-known for the December 2016 attack against the US Electoral Assistance Commission through an unpatched SQL injection (SQLi) vulnerability.
At the time, the hacker offered to sell access to the system to a Middle Eastern broker, and according to researchers, the hacker is also attempting to sell access to systems he has compromised in his latest round of attacks.
Rasputin’s latest victims, revealed by cybersecurity firm Recorded Future, span across both the United Kingdom and the United States.
Universities are a top target, with Cornell University, the New York University (NYU), Purdue University, Michigan State University, the Rochester Institute of Technology and the University of Washington among those affected in the US.
Over in the UK, Rasputin has also targeted academic institutions including the University of Cambridge, University of Oxford, the University of Edinburgh and the Architectural Association School of Architecture.
Rasputin has also struck the US Postal Regulatory Commission, the US Department of Housing and Urban Development, Health Resources and Services Administration and National Oceanic and Atmospheric Administration.
In addition, a number of institutions in US states have also become the victims of SQLi exploit. These include the Oklahoma State Department of Education, the Rhode Island Department of Education, Madison County, Alabama, the West Virginia Department of Environmental Protection and the Washington State Arts Commission.
Recorded Future says that SQL injection attacks are to blame. While they have been around for over a decade, “poorly programmed web applications and/or third-party software from being used by government, enterprises, and academia” are allowing cyberattackers like Rasputin to take advantage and steal valuable data or flog access credentials — especially as free tools such as Havij, Ashiyane SQL Scanner, SQL Exploiter Pro and SQLSentinel can be used to automate the identification of security vulnerabilities in these systems.
While intended for white-hat purposes, this does not stop cyberattackers exploiting every tool in their arsenal.
Rasputin was able to access the US and UK establishments by taking advantage of systems weak to SQL injection attacks. While it is not known exactly which systems have been compromised, in theory, the hacker — or those he sells access rights to — could steal private information about staff and students, intellectual property and potentially sensitive government data.
Recorded Future notified Rasputin’s targets prior to making the vulnerabilities public.
“Cyber criminals continue to find, exploit, and sell access to vulnerable databases, targeting web applications by industry vertical, as demonstrated by Rasputin’s latest victims,” Recorded Future says. “Even the most prestigious universities and US government agencies are not immune to SQLi vulnerabilities.”
“This well established, but easy-to-remediate problem (though often costly), continues to vex public and private sector organizations. Economics must be addressed to fully eradicate this issue. Despite the government’s penchant for employing sticks to modify behavior, perhaps it’s time to offer financial carrots to address and fully eradicate this issue,” the security firm added.