Full Report
aka.. Someone put the hurtski on Kaspersky.. The Twitters (via XSSniper and others) and the Interwebs were ablaze with news on a SQL Injection vulnerability that was exploited on AV vendor Kaspersky’s site. Detail of the attack can be found here. It’s interesting that SQL Injection (though as old as the proverbial hills) is still such a major issue. In fact, I have it on good authority that the bulk of PCI-related compromises are still as a result of SQL Injection…
Analysis Summary
# Incident Report: Exploitation of Kaspersky Website via SQL Injection
## Executive Summary
This incident involved the successful exploitation of a SQL Injection vulnerability present on Kaspersky's public website. The attack vector was classic SQL Injection, leading to unauthorized access to the underlying database. While the full scope of the compromise is inferred from the reporting, the critical lesson learned emphasizes the enduring threat of poorly validated user input, even against established security vendors.
## Incident Details
- **Discovery Date:** Not explicitly stated, but reported publicly around February 7-8, 2009.
- **Incident Date:** On or shortly before February 7, 2009.
- **Affected Organization:** Kaspersky (AV vendor).
- **Sector:** Security Software/Technology.
- **Geography:** Not explicitly stated, but the general web presence of Kaspersky.
## Timeline of Events
### Initial Access
- **Date/Time:** On or before February 7, 2009.
- **Vector:** SQL Injection vulnerability.
- **Details:** An attacker leveraged a known vulnerability in the application code processing user input, allowing the execution of arbitrary SQL commands against the back-end database (identified as MySQL).
### Lateral Movement
- Not detailed in the provided text, but SQL Injection often leads directly to data access/dumping rather than extensive lateral movement if the initial target is the primary database server.
### Data Exfiltration/Impact
- **Data Exfiltration/Impact:** The attack resulted in the full database being accessed/compromised ("full database access"). Specific data types are not detailed in this summary source.
### Detection & Response
- **Detection:** The breach was publicized widely on "The Twitters" and the "Interwebs." (Implies public disclosure preceded organizational confirmation).
- **Response Actions:** Not detailed in the provided text, beyond the immediate publication of the news.
## Attack Methodology
- **Initial Access:** SQL Injection.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed (The SQLi likely provided sufficient privileges to query the database).
- **Defense Evasion:** Not detailed.
- **Credential Access:** Assumed to be possible if credentials were stored in the exploited database.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Database contents were gathered based on the successful injection.
- **Exfiltration:** Data was successfully extracted from the database via the SQL injection mechanism.
- **Impact:** Complete database access achieved.
## Impact Assessment
- **Financial:** Not available.
- **Data Breach:** Full access to the site's MySQL database achieved. Data types are unspecified in this summary context.
- **Operational:** Potential disruption due to the necessary remediation of the web application.
- **Reputational:** Negative publicity resulting from a major AV vendor being compromised via a classic vulnerability.
## Indicators of Compromise
- (No specific network artifacts, IPs, or file hashes were provided in the source text to defang.)
## Response Actions
- **Containment measures:** Not detailed, but likely involved isolating or patching the vulnerable endpoint immediately following confirmation.
- **Eradication steps:** Not detailed (Presumably involved fixing the SQL vulnerability).
- **Recovery actions:** Not detailed.
## Lessons Learned
- SQL Injection, a decades-old vulnerability, remains a critically high risk, even for major security organizations.
- The specific database type (MySQL) does not inherently protect against injection flaws; validation is paramount.
- Failure to *effectively* validate user input leads directly to exploitation.
## Recommendations
- Implement standardized, context-aware input sanitization or utilize parameterized queries (prepared statements) for all database interactions across all web applications.
- Conduct comprehensive penetration testing focused specifically on input validation flaws across all public-facing assets immediately.