MSSQL Databases Under Fire From FreeWorld Ransomware

Published: 23/11/2024   Category: security




The sophisticated attacks, tracked as DB#JAMMER, run shell commands to impair defenses and deploy tools to establish persistence on the host.



A cyberattack campaign has been discovered compromising exposed Microsoft SQL Server (MSSQL) databases, using brute-force attacks to deliver ransomware and Cobalt Strike payloads.
According to an investigation by Securonix, the typical attack sequence observed in this campaign begins with brute-forcing access to exposed MSSQL databases. After initial access, the attackers expand their foothold on the target system and use MSSQL as a beachhead to launch several payloads, including remote-access Trojans (RATs) and a new variant of the Mimic ransomware called FreeWorld. The name comes from the word "FreeWorld" in the binary file names, the ransom note FreeWorld-Contact.txt, and the extension appended to encrypted files, .FreeWorldEncryption.
The attackers also mount a remote SMB share holding their tooling, which includes a Cobalt Strike command-and-control agent (srv.exe) and AnyDesk. They deploy a network port scanner and Mimikatz for credential dumping and lateral movement within the network. Finally, the threat actors make configuration changes, from creating and modifying user accounts to editing the registry, to impair defenses.
Securonix calls the campaign DB#JAMMER, and the research team said it exhibits a high level of sophistication in the attackers' use of tooling, infrastructure and payloads, as well as in its rapid execution.
"Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads," Securonix researchers noted in the report.
"This is not something we have been seeing often, and what truly sets this attack sequence apart is the extensive tooling and infrastructure used by the threat actors," says Oleg Kolesnikov, vice president of threat research and cybersecurity for Securonix.
Kolesnikov points out that the campaign is still ongoing, but his assessment is that it is a relatively targeted campaign at its current stage.
"Our current assessment at this stage is the risk level is medium to high because there are some indications the infiltration vectors used by attackers are not limited to MSSQL," he adds.
The discovery of this latest threat arrives as ransomware is on track to victimize more organizations in 2023, with attackers rapidly escalating attacks to wreak widespread damage before defenders can even detect an infection.
Kolesnikov advises enterprises to reduce the attack surface of their MSSQL services by limiting their exposure to the internet where feasible. The victimized MSSQL database servers had external connections and weak account credentials, researchers warn, and such servers are popular repeat targets. In one instance observed by AhnLab researchers, credentials for a breached MSSQL server were compromised by several threat actors, leaving traces of various ransomware strains, Remcos RAT, and coinminers.
Additionally, security teams must understand and implement defenses matched to the attack progression and the behaviors leveraged by the threat actors, he says, including restricting the use of xp_cmdshell as part of their standard operating procedure. The report also recommends that organizations monitor common malware staging directories, in particular C:\Windows\Temp, and deploy additional process-level logging such as Sysmon and PowerShell logging for broader detection coverage.
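The two observable stages of the chain described above, the brute-force logins and the enabling of xp_cmdshell that follows, both land in the SQL Server ERRORLOG by default (error 18456 "Login failed for user" lines with a CLIENT tag, and the "Configuration option 'xp_cmdshell' changed from 0 to 1" line written when sp_configure is run). The script below is an added example for this page, not Securonix's or the campaign's code: it parses an ERRORLOG excerpt, alerts on a burst of failed logins from one client, flags xp_cmdshell being switched on, and correlates the two. The log lines are constructed for the example, and the thresholds (10 failures in 5 minutes, xp_cmdshell enabled within an hour of the burst) are assumptions to tune for your environment.

```python
"""Detect a brute-force burst followed by xp_cmdshell enablement in a
SQL Server ERRORLOG.  Added example for this page; the sample log below
is constructed, not a real capture, and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})"
# Error 18456 as SQL Server writes it to ERRORLOG ("Logon" source, CLIENT tag).
LOGIN_FAILED = re.compile(
    TS + r"\s+Logon\s+Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
# sp_configure changes are logged by the session (spid) that made them.
CONFIG_CHANGED = re.compile(
    TS + r"\s+(?P<spid>spid\d+)\s+Configuration option '(?P<opt>[^']+)' "
    r"changed from (?P<old>\d+) to (?P<new>\d+)")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def _fmt(dt):
    # ERRORLOG timestamps carry two fractional digits.
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-4]


def detect_brute_force(lines, threshold=10, window=timedelta(minutes=5)):
    """Alert once per client IP when `threshold` failed logins fall inside `window`."""
    recent = defaultdict(list)
    alerts = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if not m:
            continue
        ts, ip = _ts(m["ts"]), m["ip"]
        bucket = [t for t in recent[ip] if ts - t <= window] + [ts]  # sliding window
        recent[ip] = bucket
        if len(bucket) == threshold:  # fire exactly when the threshold is crossed
            alerts.append({"ip": ip, "user": m["user"], "first": bucket[0],
                           "last": ts, "count": threshold})
    return alerts


def detect_xp_cmdshell_enabled(lines):
    """Return every event where xp_cmdshell went from disabled (0) to enabled (1)."""
    return [{"ts": _ts(m["ts"]), "spid": m["spid"]}
            for m in map(CONFIG_CHANGED.match, lines)
            if m and m["opt"] == "xp_cmdshell" and m["old"] == "0" and m["new"] == "1"]


def correlate(lines, follow_within=timedelta(hours=1)):
    """Pair each brute-force alert with an xp_cmdshell enablement that follows it."""
    return [{"ip": b["ip"], "brute_force_end": b["last"],
             "xp_cmdshell_enabled": e["ts"], "spid": e["spid"]}
            for b in detect_brute_force(lines)
            for e in detect_xp_cmdshell_enabled(lines)
            if b["last"] <= e["ts"] <= b["last"] + follow_within]


def sample_log():
    """Constructed ERRORLOG excerpt: 12 'sa' failures from one host in about a
    minute, two stray failures from another host, then xp_cmdshell turned on."""
    base = datetime(2023, 8, 31, 12, 0, 0)
    lines = []
    for i in range(12):
        t = _fmt(base + timedelta(seconds=5 * i))
        lines.append(f"{t} Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(f"{t} Logon       Login failed for user 'sa'. Reason: Password did "
                     f"not match that for the login provided. [CLIENT: 203.0.113.5]")
    for i in range(2):
        t = _fmt(base + timedelta(minutes=2, seconds=30 * i))
        lines.append(f"{t} Logon       Login failed for user 'backup'. Reason: Could not "
                     f"find a login matching the name provided. [CLIENT: 198.51.100.7]")
    t = _fmt(base + timedelta(minutes=4))
    lines.append(f"{t} spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. "
                 f"Run the RECONFIGURE statement to install.")
    return lines


if __name__ == "__main__":
    for hit in correlate(sample_log()):
        print(hit)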
Malicious activity targeting vulnerable SQL servers has surged 174% compared to 2022, a July report from Palo Alto Networks' Unit 42 found.
