Monday, July 15, 2024

CISA & FBI Warns that Hackers Use SQL Injection Vulnerabilities to hack Servers

Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned technology manufacturers and their customers about the persistent threat posed by SQL injection vulnerabilities.

Despite being a well-documented issue for over two decades, SQL injection—or SQLi—vulnerabilities continue to be a prevalent defect in commercial software products, leaving thousands of organizations at risk.

Persistent Threat of SQL Injection

SQL injection vulnerabilities allow malicious cyber actors to compromise a database’s confidentiality, integrity, and availability by executing arbitrary queries.


Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

This class of vulnerability stems from the software developers’ failure to adhere to security best practices, particularly the separation of database queries from user-supplied data.

The recent campaign exploiting SQLi defects in a managed file transfer application, impacting thousands, has prompted CISA and the FBI to urge a formal review of code by technology manufacturers to eliminate this threat.

Secure by Design: A Proactive Approach

The “Secure by Design” concept emphasizes the importance of incorporating security measures from the outset of product development.

This approach reduces the cybersecurity burden on customers and minimizes public risk.

Despite being labeled as “unforgivable” since 2007, SQL vulnerabilities continue to rank high on the list of most dangerous and stubborn software weaknesses in 2023, according to MITRE’s CWE Top 25.

DeepBlue Security & Intelligence recently tweeted that the Cybersecurity and Infrastructure Security Agency (CISA) has recommended developers eliminate SQL injection vulnerabilities in their software.

Preventing SQL Injections

To combat SQLi vulnerabilities, software developers are encouraged to use parameterized queries with prepared statements, which effectively separates SQL code from user-supplied data.

This method ensures that user input is treated as data rather than executable code, mitigating the risk of SQL injection attacks.

However, CISA and the FBI caution against solely relying on input sanitization techniques, which can be bypassed and are difficult to enforce at scale.

Principles for Secure by Design Software

CISA and the FBI have outlined three key principles for achieving Secure by Design software:

  1. Take Ownership of Customer Security Outcomes:
    • Manufacturers must prioritize security by adopting prepared statements with parameterized queries and conducting formal code reviews to identify vulnerabilities.
  2. Embrace Radical Transparency and Accountability:
    • Transparency in disclosing product vulnerabilities and tracking software defects is crucial.
    • Manufacturers should participate in the CVE program, which aims to eliminate entire classes of vulnerabilities.
  3. Build Organizational Structure and Leadership to Achieve These Goals:
    • Security should be a core business goal, with investments and incentives aligned to promote secure coding practices and proactive vulnerability detection.

The alert serves as a call to action for software manufacturers to adopt a comprehensive set of Secure by Design practices beyond just mitigating SQL injections.

Manufacturers are urged to publish their Secure by Design roadmap, demonstrating a strategic commitment to customer safety.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles