This week, we’ll talk about a vulnerability in a WordPress plugin, a novel Linux malware, and an open source tool called Osquery. Let’s jump right in!
Hide My WP SQL Injection Vulnerability (CVE-2021-36916)
According to the plugin’s webpage, Hide My WP is a WordPress plugin that hides your website from attackers, spammers, and theme detectors. As of this writing, it has over 26,000 active users. According to the patchstack report, this plugin’s versions before 6.2.3 are vulnerable to an unauthenticated SQL injection attack. Patchstack advises updating this plugin to version 6.2.4 to mitigate this vulnerability.
CronRAT Linux Malware
Discovered by Sansec, CronRAT is a Linux malware that targets eCommerce servers. Like many RATs (Remote Access Trojans), it gives an attacker remote access to the affected system through a C2 (Command and Control) server and lets the RAT operator run arbitrary code.
According to the article, its main feat is hiding in the Linux job scheduling subsystem (also known as ‘cron’) by registering a task on a nonexistent day. It also uses a custom binary protocol to communicate with the operator’s server, which helps it evade common detection mechanisms such as firewalls and intrusion detection systems. You can check out the article written by Sansec for the IoCs of this malware.
Osquery & FleetDM
Osquery, originally developed by Facebook, is an open source project that exposes an operating system as a high-performance relational database. This lets its users query a wide range of information about the device it’s installed on using SQL (osquery is built on the SQLite engine). That information includes running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, and more. We actively use Osquery alongside other open source tools to monitor our infrastructure.
Another free and open source tool, FleetDM, allows you to deploy Osquery agents to multiple devices and manage them easily. You can schedule queries, write query packs, and perform threat hunting using the web interface provided by FleetDM. Check out this repository that provides pre-written query packs, so you can hit the ground running if you deploy your own Fleet.
Osquery In Action
To demonstrate the usefulness of Osquery, we’re going to take a look at one of the IoCs of CronRAT. According to the article, one indicator is that this RAT hides itself as a cronjob on a nonexistent day, namely February 31st. We can use the following query to look for cronjobs that are written to run on this specific date:
SELECT * FROM crontab WHERE month = 2 AND day_of_month = 31;
This query will gather information from the target device using the crontab table that Osquery manages. You can check out the schema for a detailed view of the tables that can be queried on different operating systems.
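The query above is one instance of a more general check: any cron entry whose month and day-of-month fields name a date that cannot occur (February 30th or 31st, April 31st, and so on) deserves a look. The example below is added here and is not code from the digest or from the osquery project. It generalizes the digest's February 31st query into a single osquery-compatible SQL statement and, so that it can run offline, replays that statement against a few constructed crontab rows loaded into an in-memory SQLite table with the same column names as osquery's crontab table (event, minute, hour, day_of_month, month, day_of_week, command, path). The file paths and commands in the sample rows are made up for illustration and are not real indicators.

```python
import sqlite3

# Column names of osquery's crontab table; every field is text in osquery.
CRONTAB_COLUMNS = ("event", "minute", "hour", "day_of_month",
                   "month", "day_of_week", "command", "path")

# Generalisation of the digest's "month = 2 AND day_of_month = 31" query:
# flag any entry whose plain numeric month/day pair is an impossible date.
# The statement uses only SQLite syntax, so it can also be pasted into osqueryi.
IMPOSSIBLE_DATE_QUERY = """
SELECT path, command, minute, hour, day_of_month, month
FROM crontab
WHERE month != '' AND month NOT GLOB '*[^0-9]*'
  AND day_of_month != '' AND day_of_month NOT GLOB '*[^0-9]*'
  AND (
        CAST(day_of_month AS INTEGER) > 31
     OR (CAST(month AS INTEGER) IN (4, 6, 9, 11)
         AND CAST(day_of_month AS INTEGER) > 30)
     OR (CAST(month AS INTEGER) = 2
         AND CAST(day_of_month AS INTEGER) > 29)
  );
"""

# Constructed sample rows (hypothetical paths and commands, not real IoCs),
# shaped like rows osquery would return from the crontab table.
SAMPLE_ROWS = [
    ("", "0", "*", "*", "*", "*", "run-parts /etc/cron.hourly", "/etc/crontab"),
    ("", "30", "2", "*", "*", "0", "/usr/local/bin/backup.sh", "/etc/cron.d/backup"),
    # Scheduled for February 31st, the nonexistent date the digest cites.
    ("", "52", "23", "31", "2", "*", "/tmp/.x/placeholder-loader",
     "/var/spool/cron/crontabs/www-data"),
    # April 31st is also impossible but would be missed by the Feb-only query.
    ("", "0", "4", "31", "4", "*", "/tmp/.y/placeholder-loader",
     "/var/spool/cron/crontabs/root"),
    # February 29th exists in leap years, so it must not be flagged.
    ("", "0", "0", "29", "2", "*", "/usr/local/bin/leap-report.sh", "/etc/cron.d/reports"),
    # Lists and ranges are skipped: the query only judges plain numeric fields.
    ("", "0", "0", "31", "1,3", "*", "/usr/local/bin/rotate.sh", "/etc/cron.d/rotate"),
]


def load_crontab(rows):
    """Build an in-memory SQLite table that mirrors osquery's crontab schema."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"{c} TEXT" for c in CRONTAB_COLUMNS)
    conn.execute(f"CREATE TABLE crontab ({cols})")
    placeholders = ", ".join("?" for _ in CRONTAB_COLUMNS)
    conn.executemany(f"INSERT INTO crontab VALUES ({placeholders})", rows)
    return conn


def find_impossible_cron_dates(rows):
    """Return (path, command) for every entry scheduled on a date that cannot occur."""
    conn = load_crontab(rows)
    try:
        return [(path, command)
                for path, command, *_ in conn.execute(IMPOSSIBLE_DATE_QUERY)]
    finally:
        conn.close()


if __name__ == "__main__":
    for path, command in find_impossible_cron_dates(SAMPLE_ROWS):
        print(f"{path}: {command}")
```

To use it against real hosts, run IMPOSSIBLE_DATE_QUERY in osqueryi or schedule it as a Fleet query; the Python wrapper exists only to exercise the statement on sample data. Two caveats: the check deliberately ignores month names and list or range expressions in the month and day fields, so an entry such as `31 feb` or `31 1,2` is not judged, and osquery's crontab table only reports the crontab files it knows how to parse, not every scheduler on the system.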
Contributing to open source tools while sharing the community’s knowledge helps us all secure our systems. We will be sharing more about the tools we use to secure our infrastructure in upcoming security digests. In the meantime, we would love to hear about your favorite open source security tools. Feel free to comment down below and stay tuned for more updates from us.