Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Description:
MS-SQL Server is a database server for the Windows environment and has consistently been a target of attack. Attacks against MS-SQL servers include attacks on environments where known vulnerabilities have not been patched, as well as brute-force and dictionary attacks against poorly managed servers. The attacker usually scans port 1433 to find MS-SQL servers exposed to the public, then performs brute-force or dictionary attacks against the admin account to attempt to log in. According to the ASEC researchers, the attackers download Cobalt Strike onto the compromised MS-SQL server via a command shell process; it is injected into and executed by MSBuild.exe to evade detection. After execution, a beacon is injected into the legitimate Windows wwanmm.dll and waits for the attacker's commands while staying hidden inside a system library file.
Source:
Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike (thehackernews.com)
Impact:
Upon successful login to the admin account through these methods, an attacker can use various techniques, including the xp_cmdshell command, to execute commands on the infected system.
Suggestions and Recommendations:
We strongly suggest using a strong password policy.
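As an added example (not from the ASEC report or the article above), a small Python detector run over constructed SQL Server ERRORLOG lines: it flags a burst of failed logins for one account from one client, a success immediately after that burst, and xp_cmdshell being switched on shortly afterward. The message texts follow the real ERRORLOG formats; the timestamps and addresses are made up, and "Login succeeded" lines only appear when login auditing is configured to record successful logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format (genuine message texts; times and IPs made up).
# "Login succeeded" lines are only written when login auditing records successful logins.
SAMPLE_LOG = """\
2022-02-22 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-22 10:15:01.54 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-22 10:15:01.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-22 10:15:03.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2022-02-22 10:15:09.77 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-02-22 11:00:00.00 Logon       Login failed for user 'report_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) \S+\s+(?P<msg>.*)$")
LOGIN_RE = re.compile(r"Login (?P<kind>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
XP_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def parse(line):
    """(timestamp, kind, user, client) for login and xp_cmdshell lines; None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    if login := LOGIN_RE.search(m["msg"]):
        return ts, login["kind"], login["user"], login["client"]
    return (ts, "xp_cmdshell", None, None) if XP_RE.search(m["msg"]) else None

def detect(log_text, threshold=3, window=timedelta(seconds=60), follow_up=timedelta(minutes=10)):
    """Flag password guessing per (client, user), a success right after it, and xp_cmdshell enablement within follow_up."""
    alerts, fails, guessed = [], defaultdict(deque), {}
    for ev in filter(None, map(parse, log_text.splitlines())):
        ts, kind, user, client = ev
        q = fails[(client, user)]
        if kind == "failed":
            q.append(ts)
            while ts - q[0] > window:          # slide the window; q is non-empty here
                q.popleft()
            if len(q) == threshold:            # fire once, when the window first fills
                alerts.append(f"brute force: {threshold} failed logins for '{user}' from {client}")
        elif kind == "succeeded" and len(q) >= threshold and ts - q[-1] <= window:
            guessed[client] = ts               # remember which client guessed its way in
            alerts.append(f"guessed login: '{user}' from {client} succeeded after {len(q)} failures")
        elif kind == "xp_cmdshell":
            src = [c for c, t in guessed.items() if ts - t <= follow_up]
            alerts.append("xp_cmdshell enabled" + (f" after guessed login from {', '.join(src)}" if src else ""))
    return alerts
```

Running detect(SAMPLE_LOG) yields three alerts for the 203.0.113.5 sequence and none for the single benign failure from 10.0.0.8.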
Critical Stored XSS vulnerability in Horde Webmail Software - Account Takeover via Email
Description:
A code vulnerability in Horde was discovered that allows an attacker to gain full access to a victim's email account when the victim loads the preview of a harmless-looking email attachment. This gives the attacker access to all sensitive and perhaps secret information the victim has stored in their email account and could allow them to gain further access to the internal services of an organization.
An attacker can craft an OpenOffice document that, when transformed to XHTML by Horde for preview, executes a malicious JavaScript payload. The vulnerability triggers when a targeted user views an attached OpenOffice document in the browser. As a result, an attacker can steal all emails the victim has sent and received.
Source:
9-Year-Old Unpatched Email Hacking Bug Uncovered in Horde Webmail Software (thehackernews.com)
Impact:
Successful execution of the attack can lead to account takeover via email.
Suggestions and Recommendations:
Since there is no official patch available yet, we highly recommend that all Horde Webmail users disable the affected feature.
Malicious JS Libraries Distributed via Official NPM Package Repository
Description:
25 malicious JavaScript libraries have been found on the official NPM package registry, built to steal Discord tokens and environment variables from compromised systems. The libraries leveraged typo-squatting and masqueraded as legitimate packages such as colors.js, cryptojs, discord.js, marked, and noblox.js. The detailed disclosure report can be found here. All of the reported malicious packages were quickly removed by the npm maintainers.
In December, 17 more malicious npm packages were uncovered, also designed to steal Discord tokens. These packages were able to hijack account credentials, allowing attackers to take over a Discord server.
Source:
Impact:
If an attacker is able to steal tokens, they can be used to infiltrate a victim's account and hijack Discord servers. They can also be valuable assets suitable for sale in the underground criminal markets.
Suggestions and Recommendations:
Although the npm maintainers have removed the malicious packages, we still recommend changing your Discord password.
Dangerous privilege escalation bugs found in Linux package manager Snap
Description:
A privilege escalation vulnerability has been identified in the Snap software package manager that affects Linux-based operating systems. The issue, tracked as CVE-2021-44731, exists due to a race condition in ‘snap-confine’, a program used internally by snapd to construct the execution environment for snap applications. A local attacker can use this flaw to gain root privileges by bind-mounting their own contents inside the snap’s private mount namespace and causing ‘snap-confine’ to run arbitrary code.
CVE-IDs:
CVE-2021-44731
Source:
New Linux Privilege Escalation Flaw Uncovered in Snap Package Manager (thehackernews.com)
Impact:
Successful exploitation of this issue might allow an attacker to escalate privileges and gain root access to the affected system.
Suggestions and Recommendations:
The patch has been released and we strongly recommend upgrading snap to the latest version.