Researchers at Palo Alto Networks discovered an automated scanning tool called Swiss Army Suite (S.A.S) during regular monitoring of telemetry data. Our structured query language (SQL) injection detection model detected triggers containing unusual patterns that did not correlate to any known open-source or commercial automated vulnerability scanning tool. After some manual analysis, our researchers could not fully determine whether this traffic corresponded to a known vulnerability scanning tool or not. Unlike most common vulnerability scanning software, this tool is not commercially available to the public through regular software acquisition methods. Our research indicates that attackers used this tool to perform vulnerability scans not only on our customers' web services but also on various online websites. The tool information is valuable from a defense standpoint, regardless of whether the detection strategy provided by the network security administrator is signature-based or machine learning-based.
Machine learning model for SQL injection cloud detection triggers
After we made several searches online through search engines and code repositories, trying to map out the payload content and its related tool, our search came up empty. After investigating the pattern across the internet, we discovered cached Google results showing attempted SQL injections with the same string patterns reported by several individuals in their online security device log files. These similarities occurred among several payloads marked malicious by the cloud-based machine learning model designed to detect SQL injection. Figure 3 shows the Google search results that proved to be interesting. Figure 3 shows an example of the link that points to the actual webpage search engine and the string used for the search that includes the attack SQL injection pattern. Each Google result appears to include the results of a website's search query, which also includes the SQL injection query string. Once our research team knew the tool's name, we performed a more comprehensive check looking for potential tool versions available on threat intel sample sources by trying a string-based search. Figure 5 shows a list of the additional samples we found during research, which contained the same SQL injection attack string pattern.
Figure 6 shows the different options provided by the tool. The tool provides different features, including the execution of an SQL injection scan. Figure 7 shows the configuration file and its current values that the tool uses by default. For instance, in the tool's default configuration, it uses the inurl: dork to look for a particular pattern in the URL of the results and the site: dork to narrow the results focused on a specific domain. The final selection of information consists of an input file containing the IP address and port of the target application, which should contain the full URL including the parameters that set the SQL injection points. Once the tool completes the vulnerability scan, the results window displays the results of all affected relational database management systems. Figure 10 shows that the scan found a SQL injection vulnerability in an application using MySQL as a relational database management system (RDBMS). As seen in Figure 10 above, this tool supports up to 27 relational databases and one web application firewall (WAF). The scan results use the current date as the folder name, and the tool also generates a new filename based on the RDBMS found in the scan. In this case, the file name is mysql.txt. This file contains the URL that the tool found vulnerable to SQL injection. The full URL pops out by hovering the mouse over each link, including the target web resource, the parameters and the injection points used by the tool.
Figure 8 shows a screen capture of an HTTP request targeting a running instance of the DVWA suite that has the SQL injection vulnerability module enabled. The second screen capture shows the HTTP response confirming the SQL injection exception thrown by the MariaDB (a fork of MySQL) database server after the vulnerability scan has been finished. We have tested all malicious payloads generated by the S.A.S tool against our Next-Generation Firewall equipped with the ATP machine learning model for detecting SQL injection to confirm the attack detection and blocking of the traffic. A tool generating this sort of traffic could have additional payloads that could potentially bypass web application firewalls (WAFs) or any other traffic filtering device that bases detection on known patterns of vulnerability scanning tools. A machine learning model should be able to identify such activities whether the tool is commercial or not. Prisma Cloud web application and API security (WAAS) monitoring detects SQL injection attacks targeting cloud-based web applications and API applications.
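The article contrasts filtering devices that match known scanner patterns with detection that generalizes to unseen tools, and it illustrates a scan with a DVWA request and a MariaDB error in the response. The following Python script is an added example written for this page; it is not code from Unit 42, from the S.A.S tool, or from any Palo Alto Networks product. It runs a small signature-based detector over constructed HTTP request/response log lines (the one-line log format, the source addresses and the DVWA path are assumptions for the example) and shows the two signals a defender can correlate: injection syntax in a request parameter and a database error string leaking in the response. The response-side check is what still fires when a request-side pattern set has never seen a given tool's payload, which is the gap the article describes.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (not from the article). Assumed format, one event per line:
# <src_ip> <method> <url> <status> <response_snippet>
SAMPLE_LOG = """\
203.0.113.7 GET /vulnerabilities/sqli/?id=1&Submit=Submit 200 First name: admin
203.0.113.7 GET /vulnerabilities/sqli/?id=1%27&Submit=Submit 200 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version
203.0.113.7 GET /vulnerabilities/sqli/?id=1%27%20OR%20%271%27%3D%271&Submit=Submit 200 First name: admin First name: gordonb
198.51.100.9 GET /search?q=blue+widgets 200 3 results
198.51.100.9 GET /search?q=widgets%27+UNION+SELECT+user%2Cpassword+FROM+users--+ 500 Internal Server Error
"""

# Request-side signatures: well-known SQL injection syntax inside a decoded parameter value.
# A scanner with payloads outside this set is invisible to these checks alone.
REQUEST_SIGNATURES = {
    "tautology": re.compile(r"""['"]\s*(?:or|and)\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I),
    "union_select": re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I),
    "sql_comment": re.compile(r"--\s|--$|/\*"),
    "stacked_query": re.compile(r";\s*(?:drop|insert|update|delete|exec)\b", re.I),
}

# Response-side signatures: error text that database engines emit when a query breaks.
# These fire on error-based probing regardless of which tool sent the request.
RESPONSE_SIGNATURES = {
    "mysql_error": re.compile(r"You have an error in your SQL syntax|MariaDB server version|mysql_fetch", re.I),
    "mssql_error": re.compile(r"Unclosed quotation mark|Microsoft OLE DB Provider for SQL Server", re.I),
    "pgsql_error": re.compile(r"PostgreSQL.*ERROR|unterminated quoted string", re.I),
    "oracle_error": re.compile(r"\bORA-\d{5}\b"),
}


def quote_probe(value: str) -> bool:
    """Weak indicator: an unbalanced quote is the classic first probe of an injection point."""
    return value.count("'") % 2 == 1 or value.count('"') % 2 == 1


def request_indicators(url: str) -> list:
    """Return '<param>:<signature>' hits for every query parameter of a request URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for sig, rx in REQUEST_SIGNATURES.items():
            if rx.search(value):
                hits.append(f"{name}:{sig}")
        if quote_probe(value):
            hits.append(f"{name}:quote_probe")
    return hits


def response_indicators(snippet: str) -> list:
    """Return the names of database error signatures present in a response snippet."""
    return [sig for sig, rx in RESPONSE_SIGNATURES.items() if rx.search(snippet)]


def analyze_log(text: str) -> list:
    """Classify each log line by correlating request-side and response-side indicators."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        src, method, url, status, snippet = raw.split(" ", 4)
        req = request_indicators(url)
        resp = response_indicators(snippet)
        if req and resp:
            verdict = "sqli-confirmed"   # attack syntax sent and the database complained about it
        elif resp:
            verdict = "db-error-leak"    # error leaked without a known request pattern: unseen payload?
        elif req:
            verdict = "sqli-attempt"
        else:
            verdict = "benign"
        events.append({
            "src": src, "method": method, "path": urlsplit(url).path,
            "status": int(status), "request": req, "response": resp, "verdict": verdict,
        })
    return events


def verdict_counts(events: list) -> dict:
    """Aggregate verdicts for a quick triage summary."""
    counts = {}
    for e in events:
        counts[e["verdict"]] = counts.get(e["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for e in found:
        print(f'{e["src"]:14} {e["path"]:25} {e["verdict"]:15} req={e["request"]} resp={e["response"]}')
    print(verdict_counts(found))
```

The `db-error-leak` verdict is the interesting one operationally: a request whose payload matches nothing in `REQUEST_SIGNATURES` but still produces a database error is exactly the kind of unknown-tool traffic the article says a pattern-based filter misses, and it is worth routing to the same alert queue as confirmed attempts rather than discarding as noise.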
This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Tue, 01 Oct 2024 10:13:06 +0000