Databases Hit by a New Attack Dubbed DBREACH, Researchers Say
The DBREACH Attack Method Allows a Threat Actor to Recover Users’ Encrypted Data.
During a Black Hat US 2021 hybrid event that occurred last week, researchers presented details of a new kind of attack targeting databases.
Databases exist to make it easy to store, change, and remove data, along with numerous data-processing actions. Their importance to any type of company is what makes them so appealing to malicious actors.
According to the researchers, the attack dubbed Database Reconnaissance and Exfiltration via Adaptive Compression Heuristics (DBREACH) has the capacity to cause information disclosure or even loss.
Additionally, threat actors are able to surveil database operation patterns (for example, Denial of Service (DoS)) and look for a single user with an unexpectedly high number of updates.
Mathew Hogan, a researcher at Black Hat, claims that many modern databases combine compression and encryption for a simple reason: cost minimization.
Nevertheless, Hogan explained, this can potentially leave the data exposed to a new category of flaws identified as side-channel attacks.
With DBREACH, an attacker is able to recover other users’ encrypted content by utilizing a compression side channel. We believe this is the first compression side-channel attack on a real-world database system.
DBREACH Techniques Similar to CRIME’s
In their presentation, the security researchers described the DBREACH attack's mode of operation in great detail. This type of attack employs some of the methods used by the Compression Ratio Info-leak Made Easy (CRIME) attack.
The CRIME attack, first disclosed in 2013, targets Transport Layer Security (TLS).
During their study, the researchers investigated and tested their hypothesis on the open-source MariaDB database running the InnoDB storage engine. As stated by Hogan, the same techniques will likely work on other databases that use compression and encryption simultaneously.
To succeed with a DBREACH attack, the attacker needs to be able to insert into and update a database table through a web interface, and also to approximate how big a compressed table is.
We believe that this threat model is realistic and achievable. The update capability can be achieved through a front-end web interface that’s backed up by a database table, which is something that’s really common in a lot of databases.
How Can Potential Risks Be Mitigated?
Well, there are a few ways. Firstly, database administrators are advised to stay away from column-level permission features. The researchers also urged companies to monitor database usage patterns to detect abnormal activity.
Hogan added that the only way to avert DBREACH attacks is to “turn off compression.”
We believe that this really drives home the point that compression and encryption should be combined very carefully, lest you or your system fall victim to a compression side-channel attack.
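The size signal behind the threat model above, and the effect of turning compression off, shown as an added example that is not the researchers' code. The row contents, the one-time-pad stand-in for page encryption, and all function names are assumptions made for illustration; zlib stands in for the storage engine's compressor.

```python
import secrets
import zlib

# Constructed sample data: another user's row that shares a page with ours.
SECRET_ROW = b"email=alice@example.com;token=7f3a9c21e8b4d605"
# Two rows of identical length written next to it: one repeats the
# secret's token, the other shares only the "token=" prefix.
MATCHING_ROW = b"token=7f3a9c21e8b4d605"
OTHER_ROW = b"token=QWXZKJPVYGHNUMRT"


def encrypt(data: bytes) -> bytes:
    """Stand-in for page encryption (assumption): a one-time pad.

    Like stream and counter-mode ciphers, it hides content but not length.
    """
    pad = secrets.token_bytes(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


def stored_size(second_row: bytes, compress: bool) -> int:
    """Ciphertext size of a page holding SECRET_ROW plus second_row.

    This length is the only thing an observer of the encrypted page learns.
    """
    page = SECRET_ROW + b"\n" + second_row
    if compress:
        # Compress first, then encrypt: repeated bytes shrink the page.
        page = zlib.compress(page, 9)
    return len(encrypt(page))


def size_gap(compress: bool) -> int:
    """Extra bytes stored for the non-matching row versus the matching one."""
    return stored_size(OTHER_ROW, compress) - stored_size(MATCHING_ROW, compress)


if __name__ == "__main__":
    print("gap with compression:   ", size_gap(compress=True))
    print("gap without compression:", size_gap(compress=False))
```

With compression on, the page is smaller when the second row repeats the secret, so ciphertext length depends on plaintext content; with compression off the gap is zero, which is the property the mitigation relies on.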