3CX warns customers to disable SQL database integrations
VoIP communications company 3CX warned customers today to disable SQL Database integrations because of risks posed by what it describes as a potential vulnerability. [...]
SQL is the language used to query databases, making injection flaws, insecure permissions, and exposed data important security risks.
Search across headline titles and summaries.
Background for this topic.
SQL is the language commonly used to query and modify relational databases, which store structured application data such as accounts, transactions, and records. In information security, SQL matters both as a core data-access technology and through vulnerabilities in the applications, database engines, and administration interfaces that use it.
SQL injection occurs when an application combines untrusted input with SQL commands, allowing an attacker—depending on the flaw and database permissions—to read, alter, or delete data or bypass application controls. Developers should use parameterized queries or prepared statements, avoid building commands through string concatenation, and apply least-privilege database accounts. Security teams should also track database and driver vulnerabilities, restrict administrative access, protect credentials, and monitor query and authentication logs. Input validation can supplement these controls but is not a reliable substitute for separating data from executable SQL.
VoIP communications company 3CX warned customers today to disable SQL Database integrations because of risks posed by what it describes as a potential vulnerability. [...]
The fresh-faced cybercrime group has been using nothing but publicly available penetration testing tools in its campaign so far.
Gambling and Retail Firms Top Targets of 'GambleForce' Group, Researchers WarnA recently spotted hacking group with a penchant for using open source tools has been using a less-than-novel tactic: exploiting SQL injection flaws. So warn researchers who recently detected attacks by the group, codenamed GambleForce, which appears to focus on gambling and retail firms.
Group-IB warns of new threat actor GambleForce, which uses SQL injection attacks to steal data from websites
A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023