Massive SQL Injection Attack Hits A Million Pages
LizaMoon attacks may have waned but code injection is still rife with a million pages infected in a new wave
A massive blitz of SQL injection attacks has been unleashed against Websites based on Microsoft ASP.Net. It is reported that up to a million Web pages have been infected so far.
The attack, discovered by online security firm Armorize, seems to be related to the LizaMoon attacks last April. The certificates used are registered under the same name as those used in the previous attack. There was also an apparently unrelated attack that infected six million sites in early August.
JavaScript-based attacks
The exploit springs from malicious JavaScript planted on ASP.Net sites that causes a visitor’s browser to load an iframe. These in-line frames allow separate HTML files from one of two remote sites to be loaded into an existing Webpage. According to Armorize, these are www3.strongdefenseiz.in and www2.safetosecurity.rr.nu. The code in the iframe uses various drive-by exploits to try to place malware on the visitor’s PC.
The exploits, which act just by being displayed, are all previously known so the exploit will only be successful if the browser is an older version which has not been patched. It will also use weaknesses in older versions of Adobe Flash and Reader or in Java.
The primary sites targeted seem to be mainly restaurants, hospitals, and other small businesses. Initially, Armorize said that 180,000 sites had been hit but CEO Wayne Huang told the Dark Reading Website that it has detected around a million infections since the original report was issued.
It appears that not all virus detection systems will recognise the malware, but most of the biggest name products do. However, the success of the attacks once again underline the importance of regular patching to protect against these avoidable infections.
The aim of attacks of this nature is not just to cause inconvenience but to cast a wide net and identify infected sites that may have valuable data, using a search engine. These can then be given closer attention by the hackers who will use the vulnerabilities for further exploits.
