Earlier this year, Russian cybercriminals started hawking around a new $500 (£385) tool called “Katyusha Scanner” that automates searching for and exploiting SQL injection (SQLi) vulnerabilities on websites.
Sad to report, it’s proved popular in the underground, say the researchers who discovered it for sale, requiring paying customers to do little more than configure a server running the open-source Arachni web application scanner, normally a tool for pen-testing good guys.
So far, none of this is terribly newsworthy. Using vulnerability application scanners in this way has been around for years, while SQL injection has been at the top of the OWASP Top 10 worry list since its earliest days.
But Katyusha (the name comes from a second world war rocket launcher beloved of Russian nationalists) does have several telling innovations that make it worth paying attention to, the first of which is that the entire process is controlled and monitored using the Telegram encrypted messaging platform.
Customers can upload targets sites for it to scan and be told about any vulnerabilities found in a neatly packaged, easily understood report. Katyusha also helps with the exfiltration of compromised data, helpfully supports lots of database types and can even be wielded to brute-force login credentials. It does a bit of everything.
It’s akin to PlayStation hacking – except this isn’t a game and non-technical cybercriminals can do all of this from a smartphone app as well as a browser. This is quite an advanced way to re-purpose Telegram even if the KillDisk and TeslaCrypt ransomware pioneered command and control using its API.
Why Telegram? It might be easier to ask why not. Granted, it provides privacy but that’s not usually a problem with command and control. More likely, it’s just a platform with powerful features that cybercriminals already use.
Another theme is throughput. The tool has been purchased only 10 or 15 times but given that customers can start by scanning 500 websites using it, the damage level could rise alarmingly over the next few weeks.
At this point, Naked Security should really issue a stern warning about avoiding SQLi attacks in the first place, which involves being careful with dynamic database queries from the user side.
There is a bundle of advice out there, most of it years old and, in too many cases, completely ignored. As Recorded Future notes:
Common defenses against SQL injection attacks include using parameterized statements as opposed to concatenating strings in code, using object relational mapping frameworks to generate SQL statements, proper escaping of special string characters in input parameters, and sanitizing inputs that appear suspicious.
Plug this sort of yawning gap and the criminals behind Katyusha would have to earn their living some other way.