Researchers at industrial and IoT cybersecurity firm Claroty devised an attack technique for bypassing the web application firewalls (WAF) of several industry-leading vendors.
The technique was discovered while conducting unrelated research on Cambium Networks’ wireless device management platform.
The researchers discovered a Cambium SQL injection vulnerability that they used to exfiltrate users’ sessions, SSH keys, password hashes, tokens, and verification codes.
The experts pointed out that they were able to exploit the SQL injection vulnerability against the on-premises version, while hacking attempts against the cloud version were blocked by the Amazon Web Services (AWS) WAF.
Then the experts started investigating how to bypass the AWS WAF.
The researchers discovered that appending JSON syntax to SQL injection payloads allows bypassing the WAF because it is unable to parse it.
The new findings illustrate the threat actor’s continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin, the latter of which was disclosed by Slovak cybersecurity firm ESET late last month.
Another key tool in its arsenal is RokRat, a Windows-based remote access trojan that comes with a wide range of functions that allow it to capture screenshots, log keystrokes, and even harvest Bluetooth device information.