The website of security vendor F-Secure Corp. is the latest victim in a series of SQL injection attacks targeting security firms.
A Romanian hacker has detailed the latest SQL injection attack in a posting on the hackersblog.org forum. The anonymous hacker said he viewed some statistics regarding past virus activity after exploiting coding errors on the Helsinki, Finland-based antivirus vendor's website. The hacker said the website was vulnerable to both SQL injection and cross-site scripting attacks.
The hacker posted screenshots of the SQL Server information and database table names.
David Frazer, director of technology services for F-Secure's North American division confirmed the breach late Wednesday. Frazer said the database server breached was considered extremely low level and contained virus statistical information. Members of the F-Secure IT team have pulled the server down to investigate, he said.
"It was not even part of our critical infrastructure, nonetheless we're considerably embarrassed," he said. "As a security company it's still something that we should make sure is patched and up to date."
Frazer said the IT team is fairly certain that no other systems had been breached.
It is the second time in recent days that an antivirus vendor was the target of an attack. A Romanian hacker detailed a similar successful SQL injection attack against a Kaspersky Lab support website on Saturday, exposing a server containing thousands of customer email addresses and up to 25,000 activation codes.
The attack took place Feb. 7, but the information was exposed 10 days prior to the attack. The Russian-based antivirus company responded by hiring high-profile database security expert David Litchfield to conduct an independent audit of its systems.
The hacker also claimed to have exploited a vulnerability in a partner website associated with BitDefender.
By Robert Westervelt