A cyberattack campaign has been discovered compromising exposed Microsoft SQL Server (MSSQL) databases, using brute-force attacks to deliver ransomware and Cobalt Strike payloads.
According to an investigation by Securonix, the typical attack sequence observed for this campaign begins with brute forcing access into the exposed MSSQL databases. After initial infiltration, the attackers expand their foothold within the target system and use MSSQL as a beachhead to launch several different payloads, including remote-access Trojans (RATs) and a new Mimic ransomware variant called “FreeWorld,” named for the inclusion of the word “FreeWorld” in the binary file names, a ransom instruction file named FreeWorld-Contact.txt, and the ransomware extension, which is “.FreeWorldEncryption.”
The attackers also establish a remote SMB share to mount a directory housing their tools, which include a Cobalt Strike command-and-control agent (srv.exe) and AnyDesk. They also deploy a network port scanner and Mimikatz, for credential dumping and to move laterally within the network. Finally, the threat actors carried out configuration changes, from user creation and modification to registry changes, to impair defenses.
Securonix calls the campaign “DB#JAMMER,” and the research team said it exhibits a “high level of sophistication” in terms of the attacker’s utilization of tooling infrastructure and payloads, as well as its rapid execution.
“Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads,” Securonix researchers noted in the report.
“This is not something we have been seeing often, and what truly sets this attack sequence apart is the extensive tooling and infrastructure used by the threat actors,” says Oleg Kolesnikov, vice president of threat research and cybersecurity for Securonix.
Kolesnikov points out the campaign is still ongoing, but his assessment is that it is a relatively targeted campaign at its current stage.
“Our current assessment at this stage is the risk level is medium to high because there are some indications the infiltration vectors used by attackers are not limited to MSSQL,” he adds.
The discovery of this latest threat arrives as ransomware is on track to victimize more organizations in 2023, with attackers rapidly escalating attacks to wreak widespread damage before defenders can even detect an infection.
Keeping MSSQL Secure
Kolesnikov advises enterprises to reduce their attack surface associated with MSSQL services by limiting their exposure to the internet, and, if feasible — the victimized MSSQL database servers have had external connections and weak account credentials, researchers warn — and are popular repeat targets. In one instance observed by AhnLab researchers, credentials for a breached MSSQL server were compromised by several threat actors, leaving traces of various ransomware strains, Remcos RAT, and coinminers.
“Additionally, security teams must understand and implement defenses related to the attack progression and the behaviors leveraged by the malicious threat actors,” he says, including restricting the use of xp_cmdshell as part of their standard operating procedure. The report also recommended that organizations monitor common malware staging directories, in particular “C:\Windows\Temp,” and deploy additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage.
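The report's monitoring recommendations above can be expressed as a small triage script over Sysmon process-creation (Event ID 1) records. This is an added example, not code from Securonix or the article: the events are constructed, the rule and function names are hypothetical, and it assumes the records have already been parsed into dictionaries carrying Sysmon's Image and ParentImage fields.

```python
import ntpath

# Shells and script hosts a database engine rarely has reason to launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
STAGING_DIR = r"c:\windows\temp"  # staging directory named in the report
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"

# Constructed sample records (not from the report), already parsed from Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-01-01 10:00:00.000", "ParentImage": SQLSERVR,
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2023-01-01 10:00:05.000", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Temp\example.exe"},
    {"UtcTime": "2023-01-01 10:01:00.000", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": SQLSERVR},
    {"UtcTime": "2023-01-01 10:02:00.000", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\Temp2\setup.exe"},  # look-alike directory, must not match
]


def findings(event):
    """Return the names of the rules (hypothetical names) that one record triggers."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    hits = []
    # xp_cmdshell runs its command through cmd.exe as a child of sqlservr.exe.
    if ntpath.basename(parent) == "sqlservr.exe" and ntpath.basename(image) in SHELLS:
        hits.append("shell_spawned_by_mssql")
    # Binary executing from the staging directory or one of its subdirectories.
    folder = ntpath.normpath(ntpath.dirname(image))
    if folder == STAGING_DIR or folder.startswith(STAGING_DIR + "\\"):
        hits.append("exec_from_staging_dir")
    return hits


def triage(events):
    """Return (UtcTime, Image, rule names) for every record that triggers a rule."""
    flagged = []
    for event in events:
        hits = findings(event)
        if hits:
            flagged.append((event["UtcTime"], event["Image"], hits))
    return flagged


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```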
Malicious activity targeting vulnerable SQL servers has surged 174% compared to 2022, a July report from Palo Alto’s Unit 42 discovered.