This week, we'll discuss a vulnerability in a WordPress plugin, a novel Linux malware, and an open source tool called Osquery. Let's jump right in!
Hide My WP SQL Injection Vulnerability (CVE-2021-36916)
According to the plugin's web page, Hide My WP is a WordPress plugin that hides your website from attackers, spammers, and theme detectors. As of this writing, it has over 26,000 active users. According to the Patchstack report, versions 6.2.3 and earlier of this plugin are vulnerable to an unauthenticated SQL injection attack. Patchstack advises updating the plugin to version 6.2.4 to mitigate this vulnerability.
CronRAT Linux Malware
Discovered by Sansec, CronRAT is a Linux malware that targets eCommerce servers. Like many RATs (Remote Access Trojans), it gives an attacker remote access to the affected system through a C2 (Command and Control) server and lets the RAT operator run arbitrary code.
According to the article, its main trick is hiding in the Linux calendar subsystem (better known as 'cron') on a nonexistent day. It also uses a custom binary protocol to communicate with the operator's server, to evade common detection mechanisms such as firewalls and intrusion detection systems. You can check the article written by Sansec to gather the IoCs for this malware.
Osquery & FleetDM
Osquery, originally developed by Facebook, is an open source project that exposes an operating system as a high-performance relational database. This lets its users query a wide range of information about the machine it is installed on using SQL (the SQLite dialect). This information can include running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, and more. We actively use Osquery alongside other open source tools to monitor our infrastructure.
Another free and open source tool, FleetDM, lets you deploy Osquery agents to multiple devices and manage them easily. You can schedule queries, write query packs, and perform threat hunting using the web interface that FleetDM provides. Check out this repository, which provides pre-written query packs, so you can hit the ground running if you deploy your own Fleet.
Osquery In Action
To demonstrate the usefulness of Osquery, we are going to look at one of the IoCs of CronRAT. According to the article, one indicator is that the RAT hides itself as a cron job on a nonexistent day, namely February 31st. We can use the following query to look for cron jobs scheduled to run on that date:
SELECT * FROM crontab WHERE month = 2 AND day_of_month = 31;
This query gathers information from the target machine using the crontab table that Osquery maintains. You can check the schema for a detailed view of the tables that can be queried on different operating systems.
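As an added example (not code from the original post, from Sansec, or from the osquery project), the following Python script applies the same check to raw crontab text and generalizes it beyond February 31st to every month/day-of-month combination that does not exist on the calendar, such as the 31st of a 30-day month. The sample crontab lines are constructed for illustration and the function names are our own.

```python
"""Flag crontab entries scheduled on calendar dates that never occur.

Added example, not code from the original post, Sansec, or osquery.
It generalizes the "February 31st" osquery check to every month/day
pair that cannot exist; the sample crontab below is constructed.
"""

# Highest day number each month can have (February: 29, for leap years).
MAX_DAY = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
           7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}

# crontab(5) also accepts three-letter month names in the month field.
MONTH_NAMES = {name: number for number, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}


def _num(token, names):
    """Turn a single cron token into an int, resolving names like 'feb'."""
    return names[token] if names and token in names else int(token)


def expand_field(field, low, high, names=None):
    """Expand one cron field ('*', '31', '1-7', '*/15', '1,31', 'feb')
    into the set of integers it matches within [low, high]."""
    values = set()
    for part in field.lower().split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            first, last = part.split("-", 1)
            start, end = _num(first, names), _num(last, names)
        else:
            start = _num(part, names)
            end = high if step > 1 else start   # '5/2' means 5,7,9,... in Vixie cron
        values.update(range(start, end + 1, step))
    return values


def never_runs(line):
    """True when the month and day-of-month fields name no real date.

    Only the two calendar fields are examined, just like the osquery
    query; the day-of-week field is deliberately ignored."""
    fields = line.split()
    if len(fields) < 6 or fields[0].startswith("@"):
        return False        # variable assignment, short line, or @reboot-style macro
    day_field, month_field = fields[2], fields[3]
    try:
        days = expand_field(day_field, 1, 31)
        months = expand_field(month_field, 1, 12, MONTH_NAMES)
        return not any(day <= MAX_DAY[month] for month in months for day in days)
    except (ValueError, KeyError):
        return False        # not a parsable schedule; leave it for manual review


def find_impossible_entries(crontab_text):
    """Return the crontab lines that can never fire because of their date."""
    return [line for line in crontab_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and never_runs(line)]


# Constructed sample crontab for this example; not a real capture.
SAMPLE_CRONTAB = """\
# constructed sample
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * /usr/bin/php /var/www/html/cron.php
0 0 31 2 * /bin/sh -c "/tmp/.x/run"
0 0 30 feb * /tmp/.y/update
0 12 1,31 4,6 * /usr/bin/monthly-report
0 12 31 3-5 * /usr/bin/other-report
0 4 31 4,6,9,11 * /var/tmp/.z/beacon
"""

if __name__ == "__main__":
    for entry in find_impossible_entries(SAMPLE_CRONTAB):
        print("never fires:", entry)
```

Two caveats worth keeping in mind. First, the osquery crontab table exposes each cron field as the text written in the file, so the query above only matches entries that spell the month and day literally as 2 and 31; a list or range such as 1,31 or a name such as feb would slip past it, which is why this script expands the field syntax before comparing. Second, cron's rule that a restricted day-of-week field matches as an alternative to day-of-month is not modelled here (neither the script nor the query looks at that field), so treat a hit as a lead to inspect the command, not as proof that the job never executes.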
Contributing to open source tools while sharing the community's knowledge helps us all secure our systems. We will be sharing more about the tools we use to secure our infrastructure in upcoming security digests. In the meantime, we'd love to hear about your favorite open source security tools. Feel free to comment down below and stay tuned for more updates from us.