An ongoing attack campaign is targeting exposed Microsoft SQL (MS SQL) servers with the intent to deploy ransomware together with Cobalt Strike payloads.
Details of the Digital Offensive
The attackers locate exposed MS SQL servers and attempt to gain access by brute-forcing credentials. Once authenticated, they enumerate the database. Where the xp_cmdshell stored procedure is enabled, as it frequently is, it lets them execute shell commands on the underlying host, which they use to launch multiple payloads.
Their subsequent actions include:
- Instituting new user profiles on the compromised system
- Adjusting the registry to guarantee a seamless connection
- Deactivating the system’s protective firewall
- Connecting to an external SMB share from which they install additional tooling, including the Cobalt Strike command and control payload and the AnyDesk remote access tool (RAT)
Furthermore, they download a sophisticated port scanner to identify potential channels for internal network exploration and use Mimikatz to facilitate credential acquisition.
Experts from Securonix noted that the swift sequence of command executions suggested the perpetrators were potentially referencing a predetermined set of instructions or tools. Ultimately, they release the FreeWorld ransomware, a derivative of the Mimic ransomware. Both these strains seem to exploit the legitimate “Everything” application to pinpoint and select files for encryption.
Files subjected to encryption receive the “.FreeWorldEncryption” extension. Post encryption, a ransom directive detailing the payment process for decryption surfaces.
Status of MS SQL Servers
Recently, Trustwave set up decoy servers imitating nine prevalent database systems across pivotal global regions. Their observations revealed that a staggering 93% of assault activities were directed at MS SQL decoys.
The appeal of MS SQL servers for digital criminals stems from their extensive deployment and the potential treasure trove of data they hold. Additionally, these servers can be manipulated for tasks like cryptomining or serving as proxy servers.
For ensuring the security of MS SQL servers, administrators are advised to:
- Restrict the activation of the xp_cmdshell stored procedure
- Permit server access exclusively through VPN
- Keep a vigilant eye on typical malware initiation directories
- Augment logging mechanisms to bolster detection capabilities
Experts concluded that the initial breach was achieved through a brute force attack against an MS SQL server. Whether the password guessing was dictionary-driven or randomized remains unclear. Either way, it underscores the need for strong password policies, particularly on publicly accessible services.
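The following T-SQL is an added example (not code from the article, Securonix or Trustwave) that puts the xp_cmdshell, monitoring and logging recommendations into practice on a single instance: it checks and disables xp_cmdshell, shows where the SQL Server error log records both the brute-force login failures and any later re-enabling of xp_cmdshell, lists recently created server logins, and sets up a server audit for login events. The audit name LoginAudit, its specification name and the audit file path are assumptions to adjust; everything else uses standard SQL Server system procedures and catalog views.

```sql
-- Added example (not from the article or from Securonix/Trustwave): T-SQL an
-- administrator runs on an MS SQL instance to remove the weak configuration
-- the campaign relies on and to review the traces it leaves behind.

-- 1. Check whether xp_cmdshell is currently enabled (value_in_use = 1 means on).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Weak setting the attackers depend on (shown only for contrast, not run):
--      EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
--    Hardened setting: disable xp_cmdshell, then hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Evidence of password guessing: failed logins in the current error log
--    (log 0, type 1 = SQL Server log, filtered on the 'Login failed' text).
--    A long run of failures against one login such as 'sa' from a single
--    client address is the brute-force pattern to look for.
EXEC xp_readerrorlog 0, 1, N'Login failed';

-- 4. The error log also records every sp_configure change, so re-enabling
--    xp_cmdshell after step 2 shows up as a 'Configuration option' entry.
EXEC xp_readerrorlog 0, 1, N'Configuration option';

-- 5. Persistence at the SQL layer: server logins created in the last 24 hours.
--    type 'S' = SQL login, 'U' = Windows login.
SELECT name, type_desc, create_date
FROM sys.server_principals
WHERE type IN ('S', 'U')
  AND create_date > DATEADD(DAY, -1, GETDATE())
ORDER BY create_date DESC;

-- 6. Server-level audit so failed and successful logins are written to disk
--    where a SIEM can collect them. Names and path are placeholders.
CREATE SERVER AUDIT [LoginAudit]
    TO FILE (FILEPATH = N'C:\SQLAudit\');   -- placeholder path, must exist
CREATE SERVER AUDIT SPECIFICATION [LoginAuditSpec]
    FOR SERVER AUDIT [LoginAudit]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT [LoginAudit] WITH (STATE = ON);
```

Disabling xp_cmdshell removes the shell-execution step this campaign depends on, but a login that holds sysadmin can simply turn it back on, which is why step 4 matters: the configuration change is logged regardless, and an alert on that log line catches the re-enablement even when the audit in step 6 has not been deployed.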