Mass meshing is a new type of redirection attack that differs from SQL injection in a number of critical ways. The most damaging difference is how users can mitigate the risks of a SQL injection versus the difficulties of defending against a Mass Meshing attack.
The mass mesh approach is in contrast with a traditional SQL injection attack where the site is injected with a malicious script that includes a redirector to a harmful domain. Those harmful domains can then just be blacklisted as a means of defense. With mass meshing, since the meshed sites are legitimate and always changing, it's significantly more difficult to simply block URLs.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iWith SQL injection, an attacker exploits some kind of SQL flaw in order to inject code. With mass meshing, Huang said the attacker is in complete control of a website.
"So we believe this injection is not SQL but rather is done through control of infected sites using an automated FTP program," Huang said.
Huang suspects that the attackers have somehow gained access to site login credentials, which are then used by the FTP program to access the site and inject the mass meshing script.
"Some may have obtained access through shared hosting vulnerabilities, but also through Web admins that have been infected with other malware," Huang said. "There is also malware that sniffs FTP traffic."
If a site admin connects to their server through an unencrypted FTP link, someone else on the wire can "sniff" the password. Huang admitted it's not entirely clear how site access was obtained. He also noted that he hasn't yet been able to examine site logs for infected sites to try and positively identify the source IP or route taken by the mass meshing injection attackers.
From a payload perspective, Huang said that the mass meshing attackers are using multiple types of exploit packs, though the Blackhole exploit pack appears to be the most common. With the exploit packs new exploits are served to the end-ueser based on their environment. The exploits often target browser plug-in vulnerabilities on the end user's system. As such, one way to reduce the risk for end-user is to keep their systems up to date with the latest patches for browsers and plug-ins like Flash.
On the server side, mass meshing mitigation techniques are also different than SQL injection. Huang noted that Armorize has a Web application firewall (WAF) called SmartWAF that can help defend against SQL injection but a WAF isn't going to help against mass meshing. The problem is that the attackers already have full administrative control of the site so a WAF won't matter.
While a site could potentially identify the mass meshing script and simply remove it, Huang notes that's not enough. Since the attackers have admin access they can just come back and inject again. Protecting admin access for site control is the key step that needs to be taken. "First I'd suggest that sites change their FTP password and to make sure they're not using unencrypted FTP," Huang said. "Also, use HTTPS and not HTTP when updating content and check for backdoors or other types of shells."