October 2, 2023

Researchers have spotted an attack campaign that has been compromising exposed Microsoft SQL Server (MSSQL) databases, using brute-force attacks to deliver ransomware and Cobalt Strike payloads.

The campaign begins with brute forcing access into the exposed MSSQL databases. After initial infiltration, the attackers expand their foothold within the target system and use MSSQL as a beachhead to launch several different payloads, including remote-access Trojans and a new Mimic ransomware variant called FreeWorld, named for the inclusion of the word “FreeWorld” in the binary file names, a ransom instruction file named FreeWorld-Contact.txt, and the ransomware extension, which is “.FreeWorldEncryption.”

The attackers establish a remote SMB share to mount a directory housing their tools, which include a Cobalt Strike C2 agent (srv.exe) and AnyDesk, and they deploy a network port scanner and Mimikatz for credential dumping and lateral movement within the network. The threat actors also carried out configuration changes, from user creation and modification to registry changes that impair defenses.


The campaign, called “DB#JAMMER,” exhibits what the research team described as a “high level of sophistication” in the attackers’ use of tooling infrastructure and payloads, as well as in its rapid execution.

The report recommended reducing the attack surface associated with MSSQL services by limiting their exposure to the internet.

The report also recommended that organizations monitor common malware staging directories, in particular “C:\Windows\Temp,” and deploy additional process-level logging such as Sysmon and PowerShell logging for broader detection coverage.
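The two defender-side checks that follow from the article, brute-force detection against the MSSQL logon path and monitoring of the staging directory and tooling named above, are shown below as an added example. This is illustrative code written for this page, not code from Securonix or from the original report. The Sysmon-style records and SQL Server error-log lines are constructed here; the service image name sqlservr.exe, the executable names given to AnyDesk and Mimikatz, the error-log line layout, and the five-failures-per-minute threshold are all assumptions made for the example.

```python
"""Illustrative detections for the DB#JAMMER pattern: brute-force logon
attempts against MSSQL, and process activity tied to the staging
directory and tools named in the report. All sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Staging directory called out in the report.
STAGING_DIRS = (PureWindowsPath(r"C:\Windows\Temp"),)
# Tool names from the report; the page spells the Cobalt Strike agent both
# srv.exe and svr.exe, so both are listed. Extensions for the others assumed.
KNOWN_TOOL_NAMES = {"srv.exe", "svr.exe", "anydesk.exe", "mimikatz.exe"}
# Assumption: sqlservr.exe is the SQL Server service image. A shell spawned
# directly by it is the hallmark of stored-procedure abuse after a database login.
MSSQL_SERVICE_IMAGE = "sqlservr.exe"
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# Constructed Sysmon Event ID 1 (process create) records, trimmed to two fields.
SAMPLE_SYSMON_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"Image": r"C:\Windows\Temp\srv.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Temp\updater.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

# Constructed SQL Server error-log lines (error 18456 "Login failed for user").
# Six failures from one client inside 30 seconds, one from another client.
SAMPLE_ERRORLOG = [
    f"2023-09-01 10:00:{s:02d}.00 Logon       Login failed for user 'sa'. "
    f"Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]"
    for s in (1, 4, 8, 12, 17, 21)
] + [
    "2023-09-01 10:00:30.00 Logon       Login failed for user 'appuser'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    "2023-09-01 10:00:31.00 Logon       Error: 18456, Severity: 14, State: 8.",
]

FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]$"
)


def under_dir(path, directory):
    """True if `path` lies anywhere beneath `directory` (case-insensitive on Windows paths)."""
    d = PureWindowsPath(directory)
    return any(parent == d for parent in PureWindowsPath(path).parents)


def triage_process_event(event):
    """Return the list of reasons a process-creation record looks like DB#JAMMER activity."""
    image = PureWindowsPath(event["Image"])
    parent = PureWindowsPath(event["ParentImage"])
    reasons = []
    if any(under_dir(image, d) for d in STAGING_DIRS):
        reasons.append("executable launched from staging directory")
    if image.name.lower() in KNOWN_TOOL_NAMES:
        reasons.append(f"known tool name {image.name}")
    if parent.name.lower() == MSSQL_SERVICE_IMAGE and image.name.lower() in SHELL_IMAGES:
        reasons.append("shell spawned by SQL Server service")
    return reasons


def brute_force_sources(lines, window=timedelta(minutes=1), threshold=5):
    """Map client IP -> peak number of failed logins within any `window`,
    keeping only clients that reach `threshold` (a sliding-window count)."""
    per_ip = defaultdict(list)
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if m:
            per_ip[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"))
    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    for ev in SAMPLE_SYSMON_EVENTS:
        print(ev["Image"], "->", triage_process_event(ev) or "clean")
    print("brute-force sources:", brute_force_sources(SAMPLE_ERRORLOG))
```

The sliding-window count in `brute_force_sources` is what distinguishes a password-guessing burst from an operator mistyping a password a few times over a day; tune `window` and `threshold` to the environment. The process triage deliberately treats a shell under `sqlservr.exe` as a finding on its own, since a compromised database login needs no executable on disk to reach that step.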

Malicious activity targeting vulnerable SQL servers surged 174% compared to 2022, according to a July report from Palo Alto Networks’ Unit 42.


The discovery of this latest threat arrives as ransomware is on track to victimize more organizations in 2023, with attackers rapidly escalating attacks to wreak widespread damage before defenders can even detect an infection.

This research was documented by researchers from Securonix.

MITRE ATT&CK TTP

Initial Access

T1110: Brute Force

Discovery

T1046: Network Service Discovery

Defense Evasion

T1112: Modify Registry

T1562.001: Impair Defenses: Disable or Modify Tools

Persistence

T1098: Account Manipulation

T1505.001: Server Software Component: SQL Stored Procedures

Credential Access

T1003: OS Credential Dumping

T1110.001: Brute Force: Password Guessing

Lateral Movement

T1021.001: Remote Services: Remote Desktop Protocol

Command and Control

T1105: Ingress Tool Transfer

T1572: Protocol Tunneling

T1573.001: Encrypted Channel: Symmetric Cryptography

T1219: Remote Access Software

Exfiltration

T1567: Exfiltration Over Web Service

Impact

T1486: Data Encrypted for Impact

Indicators of Compromise

  • svr.exe
  • 8937A510446ED36717BB8180E5E4665C0C5D5BC160046A31B28417C86FB1BA0F
  • 9D576CD022301E7B0C07F8640BDEB55E76FA2EB38F23E4B9E49E2CDBA5F8422D
  • 867143A1C945E7006740422972F670055E83CC0A99B3FA71B14DEABABCA927FE
  • 80BF2731A81C113432F061B397D70CAC72D907C39102513ABE0F2BAE079373E4
  • 75975B0C890F804DAB19F68D7072F8C04C5FE5162D2A4199448FC0E1AD03690B
  • C576F7F55C4C0304B290B15E70A638B037DF15C69577CD6263329C73416E490E
  • 4C83E46A29106AFBAF5279029D102B489D958781764289B61AB5B618A4307405
  • 0A2CFFFB353B1F14DD696F8E86EA453C49FA3EB35F16E87FF13ECDF875206897
  • 74CC7B9F881CA76CA5B7F7D1760E069731C0E438837E66E78AEE0812122CB32D
  • 947AFAA9CD9C97CABD531541107D9C16885C18DF1AD56D97612DDBC628113AB5
  • 95A73B9FDA6A1669E6467DCF3E0D92F964EDE58789C65082E0B75ADF8D774D66
  • A3D865789D2BAE26726B6169C4639161137AEF72044A1C01647C521F09DF2E16
  • E93F3C72A0D605EF0D81E2421CCA19534147DBA0DDED2EE29048B7C2EB11B20A
  • CC54096FB8867FF6A4F5A5C7BB8CC795881375031EED2C93E815EC49DB6F4BFF
  • 68ED5F4B4EABD66190AE39B45FFF0856FBA4B3918B44A6D831A5B9120B48A1E9
  • 42396CE27E22BE8C2F0620EE61611D7F86DFE9543D2F2E2AF3EF5E85613CEE32
  • F9F6C453DA12C8FF16415C9B696C2E7DF95A46E9B07455CD129CE586B954870D
  • 569E3B6EAC58C4E694A000EB534B1F33508A8B5DE8A7AD3749C24727CC878F4D
  • 2D27F57B4F193A563443ACC7FE0CBF611F4FF0F1171FCBDF16C3ECEF8F9DBEDB
  • 2B68FE68104359E1BC044DB33B4E88B913E4F5BE69DA9FD6E87EA59A50311E6E
  • 11259F77F4E477CD066008FBFC7C31D5BBDC9EF708C4B255791EE380999A725C
  • BD1C3303D13CADF8BBD6200597E9D365EC3C05F1F48052CD47DCD69E77C94378
  • CD5A2EC1A95D754EE5189BFEE6E1F61C76A0A5EE8173DA273E02F24A62FACCFA
  • BEC3F75F638025A5FE3B8D278856FD273999C49AE7543C109205879B59AFC4C3
  • 2AC044936A922455C80E93F76CC3E2CE539FDAB1AF65C0703B57177FEB5326A6
  • FBC9BA3BA7387C38EB9832213B2D87CF5F9FC2BA557E6FDF23556665CA3EF44A
  • 08F827A63228D7BCD0D02DD131C1AE29BC1D9C3619BE67EA99D8A62440BE57AB
