Cassandra injection vulnerability triggered


Goal

Detect successful exploits of the CQL injection vulnerability.

Strategy

Monitor CQL injection patterns and Cassandra queries executed.
When a match is detected (that is, when the malicious pattern is found in a query as functional tokens: @appsec.security_activity:vulnerability_trigger.cassandra), those specific requests are highlighted.

The signal severity is determined based on whether the application threw an error when processing the CQL queries.

  • CRITICAL A CQL injection vulnerability was exploited and impacts the system. The attackers might have exfiltrated data, tampered with your databases, or taken over the server.
  • HIGH A CQL injection vulnerability has been triggered. However, the application threw a CQL exception during execution, indicating that the attackers might not have succeeded in impacting the system.

Triage and response

  1. Consider blocking the attacking IPs temporarily to slow down further exploitation of your infrastructure.
  2. Leverage traces to determine the vulnerable queries, and fix the code.
  3. Investigate your database servers’ logs to figure out the extent of the exploit.