Search This Blog

Showing posts with label SQL. Show all posts

5 Methods for Hackers Overcome Cloud Security

Nearly every major company has used cloud computing to varying degrees in its operations. To protect against the biggest threats to cloud security, the organization's cloud security policy must be able to handle the integration of the cloud.

The vulnerability could be exploited against the on-premises version, but the Amazon Web Services (AWS) WAF prohibited all attempts to do so against the cloud version by flagging the SQL injection payload as malicious.

What is cloud security?

Cloud computing environments, cloud-based apps, and cloud-stored data are all protected by a comprehensive set of protocols, technologies, and procedures known as cloud security. Both the consumer and the cloud provider are jointly responsible for cloud security. 

It helps maintain data security and privacy across web-based platforms, apps, and infrastructure. Cloud service providers and users, including individuals, small and medium-sized businesses, and enterprises, must work together to secure these systems. 

How do hackers breach cloud security?

While crypto mining is the primary focus of each hacking operation at present time, some of their methods may be applied to more malicious aims in the future.

1. Cloud Misconfiguration

A major factor in cloud data breaches is incorrectly configured cloud security settings. The tactics used by many enterprises to maintain their cloud security posture are insufficient for safeguarding their cloud-based infrastructure.

Default passwords, lax access controls, improperly managed permissions, inactive data encryption, and various other issues are usual vulnerabilities. Insider threats and inadequate security awareness are the root causes of many of these flaws.

A large data breach could occur, for instance, if the database server was configured incorrectly and data became available through a simple online search.

2. Denonia Cryptominer

Cloud serverless systems using AWS Lambda are the focus of the Denonia malware. The Denonia attackers use a scheme that uses DNS over HTTPS often referred to as DoH, sending DNS requests to resolver servers that are DoH-based over HTTPS. As a result, the attackers can conceal themselves behind encrypted communication, preventing AWS from seeing their fraudulent DNS lookups. As a result, the malware is unable to alert AWS.

The attackers also seem to have thrown in hundreds of lines of user agent HTTPS query strings as additional distractions to divert or perplex security investigators. In order to avoid mitm attacks and endpoint detection & response (EDR) systems, analysts claim that the malware discovered a way to buffer the binary.

3. CoinStomp malware 

Cloud-native malware called CoinStomp targets cloud security providers in Asia with the intention of cryptojacking. In order to integrate into the Unix environments of cloud systems, it also uses a C2 group based on a dev/tcp reverse shell. Then, using root rights, the script installs and runs additional payloads as system-wide system services. 

4.WhatDog Crptojacker

The WatchDog crypto-mining operation has obtained as many as 209 Monero cryptocurrency coins. WatchDog mining malware consists of a multi-part Go Language binary set. One binary emulates the Linux WatchDog daemon mechanism. 

5. Mirai botnet 

In order to build a network of bots that are capable of unleashing destructive cyberattacks, the Mirai botnet searches the internet for unprotected smart devices before taking control of them.

When ARC-based smart devices are infected with the malware known as Mirai, a system of remotely operated bots is created. DDoS attacks are frequently carried out via botnets.
The Mirai malware is intended to attack weaknesses in smart devices and connect them to form an infected device network called a botnet by exploiting the Linux OS, which many Internet of Things (IoT) devices run on.

The WAF did not recognize the new SQL injection payload that Claroty researchers created, yet it was acceptable for the database engine to analyze. They did this by using a JSON syntax. All of the affected vendors responded to the research by including JSON syntax support in their products, but Claroty thinks additional WAFs may also be affected.


Zimbra Memcached Injection Bug Patched

According to SonarSource, an open-source alternative to email servers and collaboration platforms such as Microsoft Exchange. Since May 10, 2022, a patch has been released in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is utilized by organizations, governments, and financial institutions throughout the world. 

Unauthenticated attackers might contaminate an unwary victim's cache, according to Simon Scannell, a vulnerability researcher at Swiss security firm Sonar. The vulnerability has been assigned the number CVE-2022-27924 (CVSS: 7.5), and it has been described as a case of "Memcached poisoning with unauthorized access," which might allow an attacker to inject malicious commands and steal sensitive data. 

Since newline characters (\r\n) in untrusted user input were not escaped, attackers were able to inject arbitrary Memcached instructions into a targeted instance, causing cached entries to be overwritten. Memcached servers keep track of key/value pairs that may be created and retrieved using a simple text-based protocol and analyze data line by line. A malicious actor might alter the IMAP route entries for a known username by sending a specially crafted HTTP request to the susceptible Zimbra server, according to the researchers. When the genuine user logs in, the Nginx Proxy in Zimbra will send all IMAP communication, including the credentials in plain text, to the attacker. 

Knowing the victim's email address, and utilizing an IMAP client makes it easier for the attacker to abuse the vulnerability. A second attack technique allows users to circumvent the aforesaid constraints and steal credentials for any user with no involvement or knowledge of the Zimbra instance. This is accomplished through "Response Smuggling," a different approach that makes use of a web-based Zimbra client. Cross-site scripting (XSS) and SQL injection issues caused by a lack of input escaping "are well known and documented for decades," as per Scannell, but "other injection vulnerabilities can occur that are less well known and can have a catastrophic consequence." 

As a result Scannell, advises programmers to "be cautious of special characters that should be escaped when coping with technology where there is less documentation and research regarding potential vulnerabilities." The bug was discovered four months after Zimbra provided a hotfix for an XSS flaw that was exploited in a series of sophisticated spear-phishing efforts attributed to an undisclosed Chinese threat group.

 New Linux Malware Syslogk has a Clever Approach of Staying Undetected

 

Syslogk, a newfound clever form of Linux malware, installs a backdoor that remains hidden on the target device until its controller sends so-called 'magic packets' from anywhere on the internet. It is mostly based on Adore-Ng, a Chinese open-source kernel rootkit for Linux. 

Adore-Ng which has been around since 2004, is a free open-source rootkit, that gives an attacker complete control over an infected system. Syslogk can force-load its packages into the Linux kernel (versions 3. x are supported), hide folders or spoof files and network traffic, and ultimately load a backdoor named 'Rekoobe.' 

How does the malware work?

Syslogk was originally discovered in early 2022, with the sample constructed for a specific kernel version – meaning it could be loaded without being forced – and the payload named PgSD93ql, which disguised it as a PostgreSQL file. 

"Rekoobe is a piece of code that has been placed in genuine servers," according to Avast security researchers. "In this case, it's embedded in a phony SMTP server that, when given a specially designed command, spawns a shell." 

The rootkit was created to hide harmful files, malicious software, and its malicious payload from showing on the list of operating services, to deliver the malicious payload when it received a specially constructed TCP packet, and to halt the payload if the attacker directed it to. 

Rekoobe appears to be a harmless SMTP server, but it is built on an open-source project called Tiny SHell, so it contains a backdoor command for generating a shell that allows it to run arbitrary instructions for data mining. Despite the restricted support for Linux kernel versions, Avast claims that using Syslogk and Rebooke on a bogus SMTP server gives an attacker a strong toolkit. 

The Syslogk rootkit is yet one piece of highly evasive malware for Linux systems, joining the likes of Symbiote and BPFDoor, which both exploit the BPF system to monitor and dynamically change network traffic. Ransomware campaigns, crypto attacks, and other data theft illicit behavior are increasingly being launched against Linux systems and cloud infrastructure making it a vulnerable target. 
 
As in the case of Syslogk, the initiative is in its early stages of development, so it's unclear whether it'll become a wide-scale threat. However, given its secrecy, it will almost certainly continue to release new and improved versions.

China's Attacks on Telecom Providers Were Exposed by US

 

Since 2020, US cybersecurity and intelligence agencies have cautioned about state-sponsored cyber attackers located in China using network vulnerabilities to target public and private sector enterprises.

Chinese hacking gangs have used publicly known vulnerabilities to infiltrate everything from unpatched small office/home office (SOHO) routers to moderate and even big enterprise networks, according to a joint cybersecurity alert released on Tuesday by the NSA, CISA, and the FBI. 

Several servers are used by China-linked APTs to create new email accounts, host command and control (C&C) domains, and connect with target networks, using hop points as an obfuscation strategy to mask its true location."Once within a telecommunications organization or network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, including systems critical to ensuring the stability of authentication, authorization, and accounting," as per the report. 

These threat actors are continually altering their techniques to avoid detection, according to US authorities, including watching network defenders' actions and adjusting current attacks to remain undiscovered. 

They were also seen changing the infrastructure and tools when the campaigns were made public. After stealing credentials to access underlying SQL databases, the attackers utilized SQL commands to discard user and admin credentials from key Remote Authentication Dial-In User Service (RADIUS) servers. The three US agencies have revealed that Chinese threat actors primarily exploit vulnerabilities in: 
  • Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652)
  • Citrix (CVE-2019-19781) 
  • DrayTek (CVE-2020-8515) 
  • D-Link (CVE-2019-16920) 
  • Fortinet (CVE-2018-13382) 
  • MikroTik (CVE-2018-14847) 
  • Netgear (CVE-2017-6862) 
  • Pulse ( (CVE-2020-29583) 

Open-source tools such as RouterSploit and RouterScan (vulnerability scanning framework) are used by threat actors to scan for vulnerabilities and conduct reconnaissance, allowing them to identify brands, models, and known problems that can be attacked. 

"Once within a network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, particularly systems critical to maintaining the security of authentication, authorization, and accounting," as per the joint advisory.

Lastly, the attackers altered or deleted local log files to eliminate proof of its presence and avoid discovery. Security updates should be applied as quickly as feasible, unneeded ports and protocols should be disabled to reduce the attack surface, and end-of-life network infrastructure which no longer receives security patches should be replaced, according to federal agencies.

Segmenting networks to prevent lateral movement and enabling robust monitoring on internet-exposed services to discover attack attempts as soon as possible are also recommended.

Gh0stCringe Malware Recently Attacked Insecure Microsoft SQL and MySQL Servers

 

Hackers are deploying the Gh0stCringe remote support trojans on vulnerable computers by inadequately targeting secured Microsoft SQL and MySQL database servers. 

Gh0stCringe, also known as CirenegRAT, is a Gh0st RAT malware variant that was most recently used in Chinese cyber-espionage activities in 2020, however, it has been around since 2018. The malware has several instructions and functionalities which can be activated after the malware connects to its command and control server, or through data stored in the virus's settings. 

Attackers can use Gh0stCringe to download payloads like crypto miners from C2 servers, access specified websites via the Internet Explorer web browser, and even wipe the start-up disk's Master Boot Record (MBR). The malware includes a keylogger, which records input data in the Default. key file in the Windows System directory if it is activated. 

Threat actors are infiltrating database servers and writing the malicious'mcsql.exe' executable to disc utilizing the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes. These assaults are comparable to the Microsoft SQL server attempts, which used the Microsoft SQL xp cmdshell command to drop Cobalt Strike beacons. In addition to Gh0stCringe, AhnLab's study notes the presence of numerous malware samples on the investigated servers, implying potentially competing threat actors are infiltrating the same servers to drop payloads with its own operations.

Gh0stCringe RAT is a strong virus that can connect to a C2 server to receive custom commands or exfiltrate stolen data to the enemies. For an endless loop, the keylogging component uses the Windows Polling method (GetAsyncKeyState API) to ask the state of each key. This otherwise dependable recording mechanism carries the risk of very high CPU utilization, however, this is unlikely to cause issues for threat actors on poorly maintained servers. The malware will also record keystrokes for the previous three minutes and send them to the infection's command and control servers along with basic system and network information. 

Threat actors will be able to steal login passwords and other sensitive information that logged-in users entered on the device using these logged keystrokes. CirenegRAT has four operational modes: 0, 1, 2, and a specific Windows 10 mode which the threat actor can choose from during deployment.

Update your server software to install the most recent security upgrades, which can help you avoid a variety of attacks to make use of known flaws. It's also critical to use a secure admin password that can't be brute-forced. The most important step is to put the database server behind a firewall to only allow authorized devices to connect to it.

FBI Issued a Warning to U.S Firms Concerning Iranian Hackers

 

The FBI issues a warning concerning Iranian hackers, posing as radical right organization Proud Boys during the 2020 presidential election, have now broadened operations, launching cyberattacks against a variety of industry divisions and spreading propaganda hostile to Saudi Arabia. 

"Over time, as Iranian operators have evolved both the strategic priorities and tradecraft, the hackers have matured into more proficient malicious attackers being capable of performing a whole spectrum of operations," read a Microsoft report.

Ransomware works by encrypting a device's data and making it inaccessible until the hacker receives a ransom payment. 

In a recent alert, the FBI stated, in addition to its election-related operation, the Emennet malicious attacker has been engaged in "conventional cyber exploitation activity," targeting industries such as news, transportation, tourism, oil and petrochemicals, telecoms, and financial services. It has been using VPNs to launch attacks on websites operated by certain software applications, such as WordPress, which cybercriminals can exploit to launch hacks in countries other than the United States, Europe, and the Middle East. 

The hackers employed multiple free source and commercial tools in activities, including SQLmap, Acunetix, DefenseCode, Wappalyzer, Dnsdumpster, Netsparker, wpscan, and Shodan, to mask location. The threat actor picked possible victims during the discovery phase of the hacking operations by browsing the web for prominent corporations representing various sectors. For initial access, the hackers would try to locate flaws in the program. 

"In certain cases, the goal may have been to target a large assortment of networks/websites inside a specific sector rather than a specific target company. Emennet would also attempt to discover hosting/shared hosting services in other scenarios," according to the FBI. 

Users must keep personal anti-virus and anti-malware products up to date, patch obsolete software, and make use of reliable web hosting companies, according to the authorities. In any case, Iran's state-sponsored hacker organizations aren't the only ones who have exploited the BIG-IP flaw.

SQL Triggers Used by Hackers to Compromise User Database

 

Over the past year, a broader pattern of WordPress malware with SQL triggers has occurred within infected databases to mask intrusive SQL queries. Whenever the trigger condition is fulfilled, these queries insert an admin-level user into a contaminated database. Users can use a MySQL database to store essential data, including CMS settings and a common CMS is used on their website (such as WordPress). Something that might change the MySQL database is whether injecting harmful code or removing the content of your Website, could also do severe harm to the website. 

Potential for protection is one factor why the MySQL database has its own unique username and password, which will deter someone from checking the MySQL database manually without the required login details. Unfortunately, if attackers have unauthenticated access, they can also read a wp-config.php file to understand the website's database authentication credentials — which can then be used to connect to the database using code from the attacker and malicious adjustments. 

An intruder with unwanted access to a website, who would like to create a permanent loophole if the files of the Website are washed, is indeed an example from real life.

An intruder's approach is to set an admin user in the CMS database of the website. Usually, these can be conveniently found in the administrative dashboard or SQL client. The unauthorized admin account is a loophole outside of the website and in the directory of the webserver. This knowledge is critical since owners of a compromised website will also forget the index. However, the exclusion of suspected users from the database of the website does not entail the removal of any potential backdoors. 

A SQL trigger is an automatically stored process that runs when certain database modifications are introduced. While there have been several useful implementations, that bad actors use SQL triggers to retain unwanted access after a compromise. To achieve this, attackers are placing a SQL trigger in a compromised website database and malicious activity is performed if specific conditions have been reached or an incident happens.

If attackers breach a site, they will bet on any database passwords that are stored in wp-config or other CMS configuration files — and once the hacker has obtained the data at any post-infection period, it can be extremely hard to identify if the hacker has harvested any valuable information. Users must change passwords, including the databases if a breach occurs. Failure to pursue this post-hack phase will allow an attacker to enter and change the website even after the user has assumed the infection was removed.