September 26, 2023

Threat actors are using FARGO ransomware targeting Microsoft SQL servers.

Initial threat vector not known, but the attacks targeting database servers include brute force and dictionary attacks aimed at ferreting out the passwords of existing, poorly secured accounts.

Advertisements

After the MS SQL server has been compromised, the attackers make it download a .NET file via Command Prompt and PowerShell which in turn downloads and loads additional malware.

The loaded malware generates and executes a BAT file which shuts down certain processes and services, in the %temp% directory.

The ransomware’s behavior begins by being injected into AppLaunch.exe. It attempts to delete a registry key on a certain path, and executes the recovery deactivation command, and closes certain processes.

Advertisements

The ransomware encrypts some files and avoids others, including files with an extension associated with its own activities (.FARGO, .FARGO2, etc.) and that of GlobeImposter, another ransomware threat targeting vulnerable MS SQL servers.

To prevent falling victim to this and other threats coming via compromised MS SQL servers, admins are advised to regularly patch their installations and to use complex, unique passwords to protect their accounts

Tags:

Leave a Reply

You may have missed

Sony attack – Ransomed.vc claims responsibility

September 26, 2023

Chrome Zeroday – CVE-2023-4863 PoC Exploit Released

September 25, 2023

BlackCat adds Clarion to its Victim list

September 24, 2023

TheCyberThrone Security Week In Review – September 23, 2023

September 24, 2023

MGM Resorts and Ceasars Attacks – Lesson Learnt

September 23, 2023

CISA KEV Update September 2023 – Part II

September 23, 2023
%d bloggers like this: