A Trojan named Chikdos has begun infecting MySQL servers by taking advantage of a SQL injection exploit, with the potential to launch a widespread epidemic of DDoS attacks.
As the second most popular database management system in the world, such a straightforward intrusion into MySQL could wreak havoc at many of the firms that use it.
Chikdos itself is actually two years old, first documented in 2013 by the Polish Emergency Response Team at CERT.PL.
Symantec, which discovered the new activity, has concluded that the new versions of Chikdos being used in the attacks are not far removed from the 2013 original in complexity or capacity for harm; it is their direct injection into MySQL servers that poses the major risk.
The attack starts with a malicious user-defined function (UDF) being downloaded onto the server, which then installs Chikdos. The Trojan then lets the attacker use the server's bandwidth for DDoS.
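A defender's check for the UDF step described above, added here as an example and not part of the original article: it audits the server's registered UDFs (rows of `mysql.func`) against an allowlist and the contents of `plugin_dir`, and flags `secure_file_priv` settings that would let a SQL-injected file write land a library where the server loads UDFs from. The allowlist entry and the sample rows are constructed assumptions.

```python
import os
import re

# Assumption: libraries the defender deliberately deployed on this host.
KNOWN_GOOD_LIBS = {"lib_mysqludf_sys.so"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed sample of `SELECT name, ret, dl FROM mysql.func` (not real data).
SAMPLE_ROWS = [
    {"name": "sys_eval", "ret": 0, "dl": "lib_mysqludf_sys.so"},
    {"name": "runit", "ret": 2, "dl": "../tmp/x.so"},
    {"name": "xyz", "ret": 0, "dl": "udf_random.so"},
]


def list_plugin_dir(plugin_dir):
    """Names of files present in @@plugin_dir, the only place mysqld loads UDF
    libraries from; pass the result as installed_libs to audit_udfs()."""
    return set(os.listdir(plugin_dir))


def audit_udfs(rows, installed_libs, allowlist=KNOWN_GOOD_LIBS):
    """Return (name, dl, reason) for each mysql.func row that looks suspicious."""
    findings = []
    for row in rows:
        name, dl = row["name"], row["dl"]
        if os.path.basename(dl) != dl:
            findings.append((name, dl, "library name contains a path component"))
        elif dl not in allowlist:
            findings.append((name, dl, "library not in allowlist"))
        elif dl not in installed_libs:
            findings.append((name, dl, "library missing from plugin_dir"))
        if not SAFE_NAME.match(name):
            findings.append((name, dl, "unusual function name"))
    return findings


def hardening_issues(secure_file_priv, plugin_dir):
    """Flag secure_file_priv values that leave the server able to write files
    into plugin_dir, which is what installing a UDF library requires.
    Empty string means unrestricted; "NULL" disables file import/export."""
    issues = []
    plug = os.path.realpath(plugin_dir)
    if secure_file_priv == "":
        issues.append("secure_file_priv is empty: file writes are unrestricted")
    elif secure_file_priv != "NULL":
        sfp = os.path.realpath(secure_file_priv)
        if plug == sfp or plug.startswith(sfp.rstrip(os.sep) + os.sep):
            issues.append("secure_file_priv covers plugin_dir: UDF drop still possible")
    return issues


if __name__ == "__main__":
    for f in audit_udfs(SAMPLE_ROWS, installed_libs={"lib_mysqludf_sys.so"}):
        print("SUSPICIOUS UDF %s (%s): %s" % f)
    for issue in hardening_issues("", "/usr/lib/mysql/plugin"):
        print("HARDENING:", issue)
```

In production, fetch the rows with `SELECT name, ret, dl FROM mysql.func` and the two variables with `SELECT @@secure_file_priv, @@plugin_dir`, then feed them to the functions above.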
MySQL servers have now been discovered to be infected in Brazil, Canada, China, Italy, Malaysia, Mexico, the Netherlands, Nigeria, South Korea, Turkey and the United States.
Bipin Mistry, vice president of product management at Corero Network Security, believes the threat is real, and more complex than just the initial obvious outage: "In addition to the service outage impact of a DDoS attack of this nature, the security repercussions can be quite alarming as well," he said.
"Findings of data exfiltration events have increasingly come on the heels of a DDoS attack, as this DDoS activity can be used to map or profile a network's existing security defences, pinpointing holes in security or vulnerabilities to capitalize on. An onslaught of DDoS attack activity also distracts IT personnel, overwhelms data logging tools and can easily mask additional nefarious attack attempts."
Mistry suggests a more layered approach to security in order to confidently protect MySQL-based systems against Chikdos attacks.
"Organizations can properly protect themselves against this type of reflective attack with a layered security strategy that includes purpose-built, real-time DDoS mitigation technology at the Internet edge to supplement traditional IT and security infrastructure."