Cybercriminals target MS SQL servers to deliver ransomware

A cyberattack campaign is targeting exposed Microsoft SQL (MS SQL) databases, aiming to deliver ransomware and Cobalt Strike payloads.


The attack campaign

The attackers target exposed MS SQL servers by brute-forcing access credentials. After successfully authenticating, they start enumerating the database. The xp_cmdshell stored procedure, too often left enabled, also lets attackers run shell commands on the host and launch several payloads.

Attackers then:

  • Create new users on the victim host
  • Make registry changes to ensure successful connection
  • Disable the system’s firewall

They then connect to a remote SMB share that allows them to install additional tools, including a Cobalt Strike command-and-control payload and the AnyDesk remote access tool (RAT).

They also download an advanced port scanner to help them discover avenues for lateral movement and Mimikatz to enable credential dumping.

“Commands were executed in rapid succession indicating that they were likely copying them from a tool list or document on their end,” the Securonix researchers said.

Finally, they deploy the FreeWorld ransomware, which is a variant of Mimic ransomware. “It follows many similar TTPs in order to carry out its goals. Both variants appear to abuse the legitimate application Everything to query and locate target files to be encrypted,” they added.

The encrypted files get the “.FreeWorldEncryption” extension and, once the ransomware has finished encrypting, the ransom note with instructions on how to pay to get the files decrypted is shown.

MS SQL servers under attack

Trustwave has recently deployed honeypot servers mimicking nine popular database systems – MS SQL Server, MySQL, Redis, MongoDB, PostgreSQL, Oracle DB, IBM DB2, Cassandra, and Couchbase – in key regions of the world, and quickly discovered that attack activity on MS SQL honeypots accounted for 93% of the total.

MS SQL servers are an attractive target for cybercriminals because they are widely used and they often store valuable data.

Attackers also find them useful because they can make them part of a cryptomining botnet or use them as a proxy server.

To keep MS SQL servers safe, admins should:

  • Limit the use of the xp_cmdshell stored procedure
  • Allow access to the server only via VPN
  • Monitor common malware staging directories
  • Extend logging to improve detection coverage
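The first, third and fourth points above, and the xp_cmdshell abuse described earlier, translate directly into a handful of T-SQL checks. The script below is an added example written for this article, not code from Securonix or Trustwave: it shows whether xp_cmdshell is enabled and disables it, lists recently created logins (the campaign's "create new users" step), reads failed-login events out of the SQL Server error log and groups them by client address to surface brute-force or password-spray activity, and switches on a server audit for failed logins and principal changes. The audit name, specification name, file path and the 20-failure threshold are assumptions to adapt to your environment; everything else uses documented SQL Server system procedures and views.

```sql
-- 1. Is xp_cmdshell enabled?  value_in_use = 1 means attackers who obtain a
--    sysadmin login can run OS commands through the database engine.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Disable it (needs ALTER SETTINGS, which sysadmin has). 'show advanced
--    options' must be on before xp_cmdshell can be reconfigured.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;

-- 3. Logins created in the last 7 days: the campaign adds new users after
--    gaining access, so unexpected entries here are worth investigating.
SELECT name, type_desc, create_date
FROM sys.server_principals
WHERE create_date >= DATEADD(day, -7, SYSUTCDATETIME())
  AND type IN ('S', 'U', 'G')          -- SQL logins, Windows logins/groups
ORDER BY create_date DESC;

-- 4. Pull failed-login messages from the current error log
--    (log 0 = current log, type 1 = SQL Server log, filter text 'Login failed').
CREATE TABLE #errlog (
    LogDate     datetime,
    ProcessInfo nvarchar(64),
    LogText     nvarchar(max)
);
INSERT INTO #errlog
EXEC xp_readerrorlog 0, 1, N'Login failed';

-- 5. Group failures by source address.  The standard message ends with
--    "[CLIENT: x.x.x.x]", so the address is cut out between "[CLIENT:" and "]".
--    The threshold of 20 is an assumed tuning value, not a product default.
SELECT
    c.ClientAddr,
    COUNT(*)     AS Failures,
    MIN(LogDate) AS FirstSeen,
    MAX(LogDate) AS LastSeen
FROM #errlog AS e
CROSS APPLY (SELECT CHARINDEX(N'[CLIENT:', e.LogText) AS p) AS s
CROSS APPLY (SELECT LTRIM(SUBSTRING(e.LogText, s.p + 8,
                      CHARINDEX(N']', e.LogText, s.p) - s.p - 8)) AS ClientAddr) AS c
WHERE s.p > 0
GROUP BY c.ClientAddr
HAVING COUNT(*) >= 20
ORDER BY Failures DESC;

DROP TABLE #errlog;

-- 6. Extend logging: a server audit that records failed logins, new or
--    changed server principals, and server-role membership changes.
--    Names and FILEPATH are assumed; the directory must exist and be
--    writable by the SQL Server service account.
CREATE SERVER AUDIT [FailedLoginAudit]
TO FILE (FILEPATH = N'D:\SQLAudit\')
WITH (ON_FAILURE = CONTINUE);

CREATE SERVER AUDIT SPECIFICATION [FailedLoginAuditSpec]
FOR SERVER AUDIT [FailedLoginAudit]
ADD (FAILED_LOGIN_GROUP),
ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);

ALTER SERVER AUDIT [FailedLoginAudit] WITH (STATE = ON);
```

Run the script as a sysadmin from SSMS or sqlcmd. Step 5 only sees what is in the current error log, which rolls over on restart and is limited to the retained log count, so on a server exposed to the Internet the audit in step 6 (or forwarding the audit files to a SIEM) is the more durable record. A client address that accounts for hundreds of failures across many distinct login names is the password-spray pattern the researchers describe; many failures against a single account such as sa looks more like dictionary-based brute force.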

“The attack initially succeeded as a result of a brute force attack against an MS SQL server. It was unclear if the attackers were using dictionary-based or random password spray attempts. However, it’s important to emphasize the importance of strong passwords, especially on publicly exposed services,” the researchers concluded.
