Unknown attackers compromised the main website of open-source database MySQL and served malware to unsuspecting visitors for a short period of time on 26 September.
Attackers injected JavaScript code on MySQL.com, owned by Oracle, to divert visitors to malicious websites hosting the BlackHole exploit kit, which automatically downloaded malware to the victimised computers, according to Wayne Huange, founder, president and chief executive of Armorize Technologies. The company said the attack has been disabled and the site is no longer serving up malware.
The main page of MySQL.com was compromised to force visitors to load a JavaScript file, Huang wrote on the Armorize blog. The file created an IFRAME that redirected the victim unknowingly to a page hosted at falosfax.in, hosted in Florida and again to a .cx.cc domain hosted in Sweden.
“The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection,” Huang wrote.
BlackHole is a widely used kit that contains pre-loaded exploits for vulnerabilities in web browsers and in other web components and plug-ins, such as Flash Player, Adobe Reader and Java. It takes advantage of unpatched software to compromise the machine. The drive-by-download attack is a common technique and often relies on JavaScript to silently redirect users to malicious sites without their knowing.
Eight out of 44 major security vendors currently detect the malware, according to malware tracker VirusTotal.
Trend Micro researchers found evidence that attackers were selling root access to some of the cluster servers of mysql.com and its subdomains on underground criminal forums. The seller was offering a shell console window with root access to these servers for $3,000 (£1,900), Maxim Goncharov, a senior threat researcher at Trend Micro wrote on the Malware blog.
Cyber-criminals are “brazen” enough to sell administrative access to specific systems, Goncharov wrote.
It appears that the site was initially compromised by a JavaScript malware which is often related to stolen FTP passwords, according to researchers at Sucuri Security. The malware likely compromised a computer belonging to a member of the MySQL.com team and stole the password from the FTP client, Sucuri researchers wrote on the blog.
MySQL is an open-source database that originally was owned by an independent entity, but was purchased by Sun Microsystems in 2008. It later became part of Oracle when that company bought Sun in 2009. Trend Micro’s Goncharov said the team contacted MySQL last week but hadn’t received a response. The site appeared to be serving up malware for about a three-hour window in the middle of the day.
With root access available for sale, it is possible that the malicious perpetrator who originally compromised mysql.com is not the one responsible for the BlackHole attack that served up malware on the site.
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…