A Russian hacker going by the pseudonym “Rasputin” has compromised over 60 global organizations, including US and UK universities and government organizations.
Security researchers believe that the hacking primarily utilized an SQL injection (SQLi) tool as the means of locating vulnerabilities and exploiting the organizations.
SQL injections exploit a vulnerability that enables unauthorized parties to gain direct access to a database through a web application.
Databases that are vulnerable to SQL injection hacking don’t completely sanitize the input of a user before they run an application command.
This SQL vulnerability allows for a hacker to view, download, and modify the contents of the database quite easily.
It is therefore no surprise the use of SQL injections is to blame for some notorious hacking incidents like those that affected LinkedIn and Yahoo.
Cybersecurity firm Recorded Future, which has been keeping tabs on Rasputin, says that he was the mastermind behind the last year’s hacking on the US Electoral Assistance Commission, where he once again exploited an unpatched SQLi vulnerability.
The US Electoral Assistance Commission hacking happened in late November of last year, and during that time, he approached a Middle Eastern broker whom he offered to sell access to the system.
According to Recorded Future, the Rasputin’s latest hacking efforts are also aimed at selling access to the systems he compromised to brokers in the dark web.
Rasputin’s latest round of hacking, revealed by the cybersecurity firm, span across both the US and the UK.
Universities are some of his top targets, with New York University (NYU), Cornell University, Michigan State University, Purdue University, University of Washington, and the Rochester Institute of Technology among those affected in the United States.
Over in the United Kingdom, Rasputin’s hacking targeted academic institutes including the University of Oxford, University of Cambridge, the Architectural Association School of Architecture, and the University of Edinburgh.
Rasputin also made succeeded in hacking the US Department of Housing and Urban Development, the US Postal Regulatory Commission, the National Oceanic and Atmospheric Administration, and the Health Resources and Services Administration.
In addition, several institutions in US states are also victims of Rasputin’s latest hacking spree.
These include the Rhode Island Department of Education, the Oklahoma State Department of Education, the Washington State Arts Commission, and the West Virginia Department of Environmental Protection.
Cybersecurity experts say that SQLi attacks are to blame.
Even though they have been around for more than 10 years, poorly programmed web applications and third-party software being used by enterprises, academia, and government are allowing cyber attackers like Rasputin to exploit and flog access credentials or gain access to valuable data — especially as free tools like Ashiyane SQL Scanner, Havij, SQLSentinel and SQL Exploiter Pro can be used to automate identification of security weaknesses in these systems.
While meant for white-hat purposes, this doesn’t stop cyber attackers utilizing every tool they have for their hacking attempts.
Rasputin’s successful hacking into the UK and US institutions was aided by their systems’ vulnerability to SQLi attacks.
While it is yet to be known which exact systems have been compromised, in theory, the hackers or brokers he sells access rights to could steal potentially sensitive government data, private information about students and staff, and intellectual property data.
Rasputin’s targets had been warned by Recorded Future prior to making their report public.
The cybersecurity firm says that hackers continue to find and exploit vulnerable databases, especially web applications of large organizations, as demonstrated by these latest hacking victims.
It goes to show that even the most highly protected government agencies and prestigious universities are not immune to hacking by SQL injection vulnerabilities.