Telstra, Australia’s largest telecommunications company, revealed yesterday that its internal corporate network, Pacnet, had been compromised via an SQL Injection attack.
It is not yet known exactly what was taken from the network, but it is clear that the perpetrators had complete access to the corporate network, including email and admin systems. One of the customers affected by the hack was the Australian Federal Police.
SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps the most common application layer attack technique in use today: the attacker takes advantage of improper coding in a web application and injects SQL commands into, for example, a login form, gaining access to the data held in the database.
Even though no technical details of the attack have been revealed, what is interesting and alarming is the escalation of the attack, from a seemingly run-of-the-mill SQLi attack to the compromise of an entire network.
Regular scanning is essential to ensure that there are no SQLi vulnerabilities present in web applications and that the DBMS server is securely set up, in order to prevent this sort of escalation. It is possible the attackers were able to read files, write files, run commands, etc. on the database server and then escalate their attack from there. sqlmap lead developer Bernardo Damele Assumpção Guimarães discusses at length how this can be done in his paper, Advanced SQL injection to operating system full control.
Telstra officials claim the breach occurred before Telstra took ownership of Pacnet in December 2014. Telstra is advising customers of the breach; however, there is no evidence of malicious activity on Telstra’s networks, since the Pacnet network was not connected to Telstra’s. The company has not released any information on the number of customers affected. So far, there is no information on the motive, and no contact from the perpetrator has been received.
Lessons learned from the Pacnet hack
SQL Injection is not only used to steal data from, and alter data in, databases; under the right conditions it can be used to escalate attacks big-time, turning a simple SQLi vulnerability (which with today’s frameworks is usually a relatively easy fix) into a gateway to a corporate network.
A recent legal publication issued by the Australian Signals Directorate (ASD), entitled Strategies to Mitigate Targeted Cyber Intrusions, makes reference to a number of controls that can prevent such a security breach.