Unknown attackers compromised the main website of open-source database MySQL and served malware to unsuspecting visitors for a short period of time on 26 September.
“The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection,” Huang wrote.
Eight out of 44 major security vendors currently detect the malware, according to malware tracker VirusTotal.
Root access sold
Trend Micro researchers found evidence that attackers were selling root access to some of the cluster servers of mysql.com and its subdomains on underground criminal forums. The seller was offering a shell console window with root access to these servers for $3,000 (£1,900), Maxim Goncharov, a senior threat researcher at Trend Micro, wrote on the Malware blog.
Cyber-criminals are “brazen” enough to sell administrative access to specific systems, Goncharov wrote.
MySQL is an open-source database that was originally owned by an independent entity, but was purchased by Sun Microsystems in 2008. It later became part of Oracle when that company bought Sun in 2009. Trend Micro’s Goncharov said the team contacted MySQL last week but hadn’t received a response. The site appeared to be serving up malware for about a three-hour window in the middle of the day.
With root access available for sale, it is possible that the malicious perpetrator who originally compromised mysql.com is not the one responsible for the BlackHole attack that served up malware on the site.