TECHNICAL INTELLIGENCE REPORT
Actor Type: II
Serial: TIR-18-043-001
Countries: All, KP, KR
Industries: Financial, Sports
Report Date: 20180212
SQLi Dumper Targets 2018 PyeongChang Olympics Domain
Summary
In February 2018, Wapack Labs identified configuration files for a Structured Query Language (SQL) injection tool showing attempted exploitation of the site for the 2018 Winter Olympic Games in PyeongChang, South Korea. A Wapack Labs analyst identified the tool as SQLi Dumper. Its developer, “c4rl0s” (for Carlos), states that the SQL injection tool supports blind SQL injection, schema dumping, file dumping, MySQL brute forcing, site scanning, and online hash cracking. The attempted injection was performed against the legitimate 2018 Olympic Games domain, pyeongchang2018.com.
Background
SQL Injection (SQLi) refers to an injection attack in which an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server. Because an SQL injection vulnerability can affect any website that builds database queries from user input, it is one of the oldest, most prevalent, and most dangerous web application vulnerabilities. An attacker can use it to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database: customer data, Personally Identifiable Information (PII), trade secrets, intellectual property, and other sensitive information.[1]
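To make the mechanism concrete, the following added example (not from the Wapack Labs report and not related to SQLi Dumper) shows the same user lookup written two ways: with the untrusted value concatenated into the SQL text, which lets quote characters alter the statement, and with the value bound as a parameter, which cannot. It uses an in-memory SQLite database, and the table rows and the textbook tautology input are constructed for the demonstration.

```python
"""Added illustration: an injectable query beside its parameterized form.
Runs offline against an in-memory SQLite database; all data is constructed."""
import sqlite3

# Constructed sample rows; the hash values are placeholders, not real hashes.
SAMPLE_USERS = [
    ("alice", "<placeholder-hash>"),
    ("bob", "<placeholder-hash>"),
]


def build_db() -> sqlite3.Connection:
    """Create the demo table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the untrusted value is pasted into the SQL text,
    so a quote character in it changes the structure of the statement."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the value is bound as a parameter. The database
    driver never parses it as SQL, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


# The classic textbook tautology input (constructed), used only to contrast
# the behaviour of the two functions above.
TAUTOLOGY = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a normal value and with the tautology input."""
    conn = build_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_tautology": lookup_unsafe(conn, TAUTOLOGY),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The unsafe form returns every row for the tautology input because the WHERE clause collapses to a condition that is always true; the parameterized form returns nothing, since no user is literally named `x' OR '1'='1`. Parameter binding, rather than input filtering, is the fix the report's background section implies.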
Wapack Labs identified the SQL injection tool, SQLi Dumper, while performing a retro hunt search for Olympic domains on VirusTotal. The domain pyeongchang2018.com (see Figure 1) was discovered in the “URL_Trash.txt” file belonging to the injection tool, meaning injection attempts were made against the domain but were unsuccessful.
Figure 1. Olympic Domains - SQL Injection Performed Against
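Unsuccessful injection attempts of the kind recorded in the tool's URL_Trash.txt still leave traces in the target's web-server access logs. The following added example (not from the report, and not tied to any SQLi Dumper signature) flags requests whose decoded query strings carry generic SQL-injection probe patterns, distinguishes them from legitimate apostrophes in input, and summarises hits per source address so that automated scanning stands out. The log lines are constructed in Combined Log Format.

```python
"""Added illustration: flag SQL-injection probes in web access logs.
The log lines and the probe signatures are constructed for the demo."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Combined Log Format, RFC 5737 addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2018:09:12:01 +0900] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2018:09:12:02 +0900] "GET /news.php?id=12%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2018:09:12:03 +0900] "GET /news.php?id=12+AND+1%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2018:09:12:04 +0900] "GET /news.php?id=-12+UNION+SELECT+1,2,3-- HTTP/1.1" 200 4880 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Feb/2018:09:13:10 +0900] "GET /schedule.php?day=3 HTTP/1.1" 200 7730 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Feb/2018:09:13:11 +0900] "GET /search.php?q=O%27Neil HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Parse only the fields the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic probe signatures, applied to the URL-decoded query string.
PROBE_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
    ("boolean-tautology", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("quote-then-logic", re.compile(r"'\s*(and|or)\b", re.I)),
    ("schema-enumeration", re.compile(r"information_schema", re.I)),
    ("time-delay", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("trailing-comment", re.compile(r"(--|/\*)\s*$")),
]


def decode_query(path: str) -> str:
    """Return the URL-decoded query string of a request path ('' if none)."""
    return unquote_plus(path.partition("?")[2])


def probe_reasons(decoded_query: str, status: int = 200) -> list:
    """Names of the signatures that match. A lone quote is only flagged when
    the server answered with a 5xx error, so O'Neil in a search box is not."""
    reasons = [name for name, rx in PROBE_PATTERNS if rx.search(decoded_query)]
    if "'" in decoded_query and status >= 500:
        reasons.append("quote-with-server-error")
    return reasons


def scan_log(text: str) -> list:
    """Return one record per request that matched at least one signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        status = int(m["status"])
        reasons = probe_reasons(decode_query(m["path"]), status)
        if reasons:
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": status, "reasons": reasons})
    return hits


def suspicious_sources(hits: list, threshold: int = 2) -> dict:
    """Source addresses with at least `threshold` flagged requests."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], h["path"], h["reasons"])
    print("repeat offenders:", suspicious_sources(found))
```

In the constructed sample, the three probes from 203.0.113.7 are flagged (an error-triggering quote, a boolean tautology, and a UNION query with a trailing comment) while both requests from 198.51.100.20, including the apostrophe in a surname, pass. Pairing the pattern match with the response status cuts false positives on legitimate quote characters, and the per-source count is what turns individual hits into a scanner alert.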
Analysis
The developer, Carlos Ferreira[2] (aka: c4rl0s), maintains the following usernames and accounts:
- c4rl0s@jabber.ru
- c4rl0s@jabber.org
- c4rl0s.pt@gmail.com
- DF
- carlosferreiracarlos@hotmail.com
- fLaSh
- fLaSh_CF
- fLaSh_PT
- fLaSh1337
- in
- mysqldumper@gmail.com
It is interesting to note that the address c4rl0s.pt@gmail.com may indicate a connection to the name Carlos (a common Hispanic and Portuguese name) and to the use of C2 infrastructure involving Portugal. The usage of a Russian jabber C2 is a red herring, as the jabber.ru domain is used by a huge percentage of individuals communicating over the jabber protocol. Additionally, the threat actor's usage of the Portuguese Sapo search engine probably indicates a link to Portugal and familiarity with the Portuguese language.
Figure 2. c4rl0s Forum Post With Multiple Identities[3]
c4rl0s was formerly a member of the Darkode hacker forum and was very well known there for SQL injection.
Figure 3. c4rl0s: Twitter Account[4] And Developer Page Signature Block
In the past, c4rl0s sold the SQLi Dumper binary (exe) for $150 USD and the source code for $2,000 USD (with free updates). c4rl0s accepted payments via Bitcoin (BTC) or Perfect Money and offered free technical support. c4rl0s possesses a GitHub account, but at this time all repositories have been taken down; the repository names remain, but the links are broken.
Figure 4. c4rl0s Post – Prices and Payment Methods[5]
Technical Details
SQLi Dumper is a robust tool that can load all forms of data: databases, tables, columns, and rows. In addition to the attributes listed above, the injection tool also contains an online site scanner with multiple search engines (Google/Yahoo/Bing/Sapo/Altavista/Terravista) that can scan for vulnerabilities in real time and produce results abnormally fast, using search engine artifacts so as not to trip virus/malware scanning sensors. SQLi Dumper can perform brute force injections. Dumper has a full schema dump for MySQL v.5.x.x, can display dumped data in grids, can export as .txt or .xml, supports custom queries, allows MySQL brute forcing for SQLi v.4.x.x, supports HTTP proxies, and contains a GeoIP database, plus more.
The RAR file (MD5: b5592004eb8913b5844aa0316ec45d31) is a compressed archive containing 17 files. Among them were configuration files listing targeted websites and vulnerable/exploitable websites (see Figure 5 below):
- xml
- xml
- xml
- txt
Figure 5. Additional Contents of SQLi Dumper File
Analyzing additional archives uploaded to VirusTotal shows:
- Total targeted domains = 639,174
- Total injectable/exploitable domains = 12,053
- Unique URL XML files = 108
SQLi Dumper contained lists of successfully injected websites, displaying the schemas of the vulnerable databases that it dumped while looking for keywords (e.g., password) (see Figure 6 below).
Figure 6. SQLi Dumper Schema Targeting EIRCICAI – Eastern India Regional Council of The Institute of Chartered Accountants of India
Conclusion
Carlos Ferreira (aka: c4rl0s) continues to provide updates to his SQLi Dumper tool. One year ago, on androidmafia.ru, c4rl0s (aka: Carlos Carlos) posted an update that version 9.6 was available. While the 2018 Winter Olympic Games were not the intended target, this does provide evidence of SQL injection capabilities that could disrupt the nations, athletes, sponsors, and vendors involved with the Olympic Games.
Additional Reporting
https://redskyalliance.slack.com/files/U73N65QP5/F8U2FDYH5/tr_2018winter_olympics.pdf
https://redskyalliance.slack.com/files/U73LECHRD/F94LKQDE3/tr_2018_winter_olympics_azorult.pdf
Prepared: Chris Hall, Brent Davis
Approved: Jeff Stutzman
[1] https://www.acunetix.com/websitesecurity/sql-injection/
[2] https://webcache.googleusercontent.com/search?q=cache:b9K6L2lPD9AJ:https://wiki.portugal-a-programar.pt/dev_net:vb.net:multi-threading+&cd=13&hl=en&ct=clnk&gl=us
[3] https://webcache.googleusercontent.com/search?q=cache:rwS8Ng2q_LsJ:https://forum.zwame.pt/threads/vb9-painel-ext-com-xp-border-style-e-gradient-color-repositorio-codigo.351566/+&cd=1&hl=en&ct=clnk&gl=us
[4] https://twitter.com/flash_1337
[5] http://evidencebasedsecurity.org/forums/data/darkode/raw/0-initiator11142.txt.tok