Post by Yakov Goldberg, TrapX Labs Manager
The open-source MySQL database is one of the most widely deployed products of its kind in the world. That popularity has drawn the attention of attackers and other malicious parties seeking to compromise MySQL servers and steal the data they hold. Over the past few years, attackers have become more experienced and sophisticated in exploiting MySQL databases, resulting in the theft and loss of proprietary data, disruption of business operations, and more.
In early September 2016, TrapX Labs began analyzing multiple malicious attacks on MySQL infrastructure captured by DeceptionGrid™. DeceptionGrid Traps detected and captured several attackers attempting a variety of MySQL injection techniques, and also captured the additional binary files that the attackers delivered into the Traps once the injection had executed. These activities were recorded by the Traps and reported to the TrapX Security Operations Center (TSOC), which provided detailed information about each attacker action and a visual timeline of each MySQL injection.
The story told by the data is remarkable. Analysis of the payloads shows that the attackers attempted to inject at least three different payloads into the Traps, using a different script and a different injection method each time. The attacks recurred multiple times, each from a different source IP address. TrapX Labs' analysis of the MySQL injections suggests that the goal of each injection was to download additional malware components from a compromised website, to serve as a backdoor (or botnet client) for a second-stage attack. TrapX Labs captured and analyzed all of the scripts and binary files involved in these second-stage attacks. For greater forensic detail, TrapX Labs infected a Windows system with each backdoor, and the TrapX Advanced Incident Response (AIR) server collected artifacts from the infected system for further analysis.
This report presents the analysis performed with TrapX AIR, including the key technical details of each MySQL injection attack, together with a walkthrough of each injection as seen in the TSOC incident-timeline window. Appendix A lists all of the network-based and static (file-based) indicators of compromise (IOCs) gathered during the analysis. These indicators help identify malware communication channels elsewhere on the network and detect other systems potentially affected by the same MySQL injections. Appendix B provides additional information about the attacker platform.
The report also provides a current view of technologies that can mitigate MySQL attacks and of the best practices that support them. To that end, it shows how to use deception technology such as DeceptionGrid™ and AIR to detect, analyze, and mitigate threats of this nature, and it documents the efficacy of DeceptionGrid™ and the AIR module against real-world attacks. Each event is analyzed in technical detail, and all static and network IOCs are reviewed so that readers can search for similar attack activity within their own environments.
In the cases documented here, deception technology proved effective in detecting MySQL attacks: it captured detailed forensic data, contained the attacks, and allowed normal operations to resume. DeceptionGrid, first deployed in early 2014, uses deception to identify malicious insiders and sophisticated attackers who have already penetrated the internal network. It automates the deployment of Traps (decoys) and Tokens (lures), mixing them among existing IT resources so that attackers who move through the network in search of MySQL resources encounter decoys before real assets. This full, defense-in-depth deception architecture is designed to lure, trap, and engage attackers who target MySQL.
Read the full TrapX Labs Research Report: MySQL Attack Mitigation Using Deception Technology