After previously compromising websites belonging or related to Kaspersky and Bitdefender, the Romanian hackers from the HackersBlog crew launched a new successful SQL injection attack against the website of an antivirus vendor. This time around, it was F-Secure, however, the security breach did not have the potential of disclosing sensitive information.
In a new post published on the HackersBlog, one of the website's admins, Tocsixu, discloses a SQL injection attack against the statistics section of the website belonging to Finnish security company F-Secure. In addition to being vulnerable to SQL injection, the http://stats.f-secure.com website also allowed for code injection through cross-site scripting (XSS).
Successful poisoning of SQL SELECT statements through URL manipulation exposed the tables of what it looked like a Microsoft SQL Server 2000 database running on a Windows Server 2003 with Service Pack 2.
The compromised tables were: MailboxInfo, VirusUpdated, dtproperties, Country, sysconstraints, VirusTrends, Virus_Top50_24h, Virus_Top50_30days, Virus_Top50_7days, Virus_Top50_90days, Virus_Top50_Month, Virus_Top50_Week, VirusDateTotal, VirusDate, VirusMonthTotal, VirusReports, VirusReportsTemp, VirusTrends.
F-Secure confirmed the security breach, but pointed out that the compromised database contained information about malware statistics that had been made publicly available anyway. "The malware statistics is something we publish anyway at F-Secure Worldmap and, because of our IT security strategy, the impact was minimal," Patrik Runald, senior security specialist at F-Secure, writes on the company's weblog. This is also mentioned by Tocsixu, who points out that "Fortunately, F-Secure doesn’t leak sensitive data, just some statistics regarding past virus activity."
The F-Secure analyst explains that the attack was possible because a page on their statistics website didn't properly sanitize the input. He also maintains that no information altering SQL commands was executed against the database, and that other details on the server could not be reached by the hackers, because the SQL username used by that section of the F-Secure website only had access to the statistics database. "While the attack is something we have to learn from and look at things we need to improve, it's not the end of the world," Patrik Runald concludes.
This is the third strike in less than a week when the HackersBlog team launched a successful SQL infection attack against the website of a security vendor. The first was the U.S. support website of Kaspersky Labs, developer of Kaspersky Antivirus. This was followed by a similar breach on the website of a Bitdefender Antivirus partner in Portugal, http://www.bitdefender.pt.
Even though slow to respond at first, Kaspersky eventually assumed responsibility for the security incident and revealed extensive details about the attack. In addition, the company hired a renowned database security expert to perform a security audit on its websites. Bitdefender, however, only kept it short by saying that the website belonged to a reseller and was not controlled by it. Even so, the site was using the Bitdefender name, logo, a very similar website layout and was selling Bitdefender products. It's unlikely that the Bitdefender users who have had their personal information put at risk care too much about who's website that is.