A new hacking tool operated via a smartphone to hijack websites is being praised on forums on a shady part of the Internet for its ease of use and ongoing support.
It’s called the “Katyusha Scanner,” after the Russian rocket launcher of the same name used during World War II. The SQL injection tool combines the Arachni Scanner open-source penetration testing tool with the Telegram messaging service to allow a user to insert a list of websites they want tested for error-based, time-based and blind SQL injection flaws.
Capable of running attacks against several targets simultaneously, Katyusha doesn’t rely on a computer to run attacks but is operated via a smartphone, with commands issued and results returned through Telegram. According to Recorded Future, which describes the tool as a “cyber weapon of war that fits in your pocket,” Katyusha was first released in April. Coupled with “outstanding support” and frequent updates, it has gained “accolades from grateful clients” because of “an intuitive and straightforward interface, as well as incredible performance.”
In addition to identifying vulnerabilities, Katyusha also can search for and export email password credentials, brute-force login credentials, automatically dump databases and upload web shells.
The main version of Katyusha Scanner is being offered on forums on the darknet for $500, with a light version with some limitations available for the cheaper price of $250 per license. For those not wanting to host the scanner themselves, a software as a service cloud-based version is available for $200 a month.
Although it sounds somewhat costly, the purchase price includes updates and support. The scanner already has undergone seven major updates since it was launched, presumably with the newer versions providing better SQL injection capabilities.
“The availability of a highly robust and inexpensive tool such as Katyusha Scanner to online criminals with limited technical skills will only intensify the compromised data problem experienced by various businesses, highlighting the importance of regular infrastructure security audits,” Recorded Future researchers concluded.
Once the scan is completed, Katyusha displays an Alexa web rating for each target (giving immediate visibility into the popularity of the resource) along with details of the vulnerability found.
The tool can scan for SQL injection flaws in applications built on a variety of popular relational databases that use SQL as the language for queries and maintenance (e.g. MySQL, MSSQL, DB2, SAP MaxDB, Oracle, MS Access, PostgreSQL, and so on).
The researchers advised administrators to take note and take action to protect assets under their control.
“Common defenses against SQL injection attacks include using parameterized statements as opposed to concatenating strings in code, using object relational mapping frameworks to generate SQL statements, proper escaping of special string characters in input parameters, and sanitizing inputs that appear suspicious,” they added.
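The first defense the researchers list, parameterized statements instead of string concatenation, is the one that removes the flaw class Katyusha hunts for. The example below is added here to make that concrete; it is not code from the article or from Recorded Future. It builds a constructed in-memory SQLite table, runs the same lookup twice (once with the value spliced into the query text, once bound as a parameter), and shows that a tautology in the input returns every row from the concatenated version but nothing from the parameterized one. The table, usernames and function names are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable pattern: the caller-supplied value becomes part of the SQL text.

    Anything the caller puts in `username` is parsed as SQL, so a quote in the
    input changes the structure of the statement instead of being matched as data.
    """
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened pattern: the value is bound by the driver, never parsed as SQL.

    The statement text is fixed at coding time; `?` is a placeholder the driver
    fills with the value as a literal string, so quotes inside it stay data.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and return the row counts side by side."""
    conn = make_db()
    try:
        return {
            "concatenated": len(lookup_concatenated(conn, username)),
            "parameterized": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves identically either way.
    print("alice        ->", compare("alice"))
    # A classic tautology (constructed input) shows the difference: the
    # concatenated query matches every row, the parameterized one matches none,
    # because no username literally equals the injected string.
    print("x' OR '1'='1 ->", compare("x' OR '1'='1"))
```

The point a defender should take from the run is that the parameterized version needs no escaping or suspicious-input filtering to be safe: the same input that rewrites the concatenated query is simply compared as a string. Escaping and input sanitizing, the other measures the researchers mention, are useful as defense in depth but are not a substitute for binding parameters.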