We confirm that the vulnerability existed in the new version of usa.kaspersky.com/support. We analyzed the log files and found requests with SQL injection. There were several attackers with IP addresses from Romanian ISPs. The requests were initially made with an automated tool – the screenshots showed that the hackers used a free edition of an Acunetix tool.
Once the initial probes told the attackers that this section was vulnerable they attempted to manually exploit the vulnerability to get data about the structure of the database. They used an Information_Schema database to query existing table names and table columns. After collecting field names the attackers made a few attempts to extract the data from tables. Those queries failed because the attackers specified the wrong database. The attackers stopped after they got only the column and table names from the database and decided to go for glory. No data modification queries (UPDATE, INSERT, DELETE…) were logged.
As I suspected (obvious from at least one screenshot on the hackers' blog), the Romanian hackers used the free Acunetix tool to find the vulnerabilities (I thought the free version was limited in scope, but apparently not).
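The log review described in the statement above, as an added example that is not part of the original post or of Kaspersky's statement: a small Python detector that URL-decodes each request target in web-server access-log lines and tags the phases the statement describes (boolean probe, UNION SELECT, information_schema enumeration, and the data-modification statements that were absent in this case). The log lines, IP addresses and signature names are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format); not real Kaspersky logs.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Feb/2009:10:01:02 +0000] "GET /support/index.php?id=42 HTTP/1.1" 200 5120
203.0.113.10 - - [07/Feb/2009:10:01:09 +0000] "GET /support/index.php?id=42%27%20AND%201%3D1-- HTTP/1.1" 200 5120
203.0.113.10 - - [07/Feb/2009:10:02:31 +0000] "GET /support/index.php?id=-1%20UNION%20SELECT%20table_name%2Cnull%20FROM%20information_schema.tables-- HTTP/1.1" 200 7340
203.0.113.10 - - [07/Feb/2009:10:03:05 +0000] "GET /support/index.php?id=-1%20UNION%20SELECT%20column_name%2Cnull%20FROM%20information_schema.columns%20WHERE%20table_name%3D%27users%27-- HTTP/1.1" 200 7400
198.51.100.7 - - [07/Feb/2009:10:04:00 +0000] "GET /support/search.php?q=information HTTP/1.1" 200 3000
"""

# Signature names are assumed labels for the phases described in the write-up.
SIGNATURES = [
    ("boolean_probe",      re.compile(r"'\s*(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("union_select",       re.compile(r"\bunion\b[\s\S]*?\bselect\b", re.I)),
    ("schema_enumeration", re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I)),
    ("data_modification",  re.compile(r"\b(?:update|insert|delete)\b\s+(?:\w+\s+)?(?:set|into|from)\b", re.I)),
]

# Client IP, then the request line in quotes; the target has no spaces when URL-encoded.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def classify_request(target):
    """Return the signature names matching a request target after URL-decoding.
    Decoding twice also catches double-encoded payloads and is harmless otherwise."""
    decoded = unquote_plus(unquote_plus(target))
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def analyze_log(text):
    """Aggregate per source IP: request count and the set of attack phases observed."""
    report = defaultdict(lambda: {"requests": 0, "phases": set()})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        entry = report[m["ip"]]
        entry["requests"] += 1
        entry["phases"].update(classify_request(m["target"]))
    return dict(report)


if __name__ == "__main__":
    for ip, entry in analyze_log(SAMPLE_LOG).items():
        print(ip, entry["requests"], sorted(entry["phases"]))
```

A plain word such as "information" in a search parameter does not trigger the schema signature; only a reference to information_schema.tables or information_schema.columns does.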
Here is something a little more interesting:
After conducting the attack, the attackers decided to show off their ‘great code of ethics’ by sending Kaspersky an email on a Saturday to several public email boxes. They gave us exactly 1 hour to respond, and posted on their blog without having received a response.
Incidentally, it has also been written that Bitdefender was hacked. Actually, it was their Portuguese reseller, a company called Uptrends Software, that was responsible for that site.