September 29, 2023

Ransomware campaigns are using internet-exposed Microsoft SQL databases as a beachhead to launch attacks on victim systems, according to researchers.

Cybersecurity firm Securonix said it found examples of hackers exploiting Microsoft SQL (MSSQL), a popular software product that lets users store and retrieve data requested by applications. Microsoft’s version is one of several database managers that use SQL, short for structured query language.

Oleg Kolesnikov, vice president of threat research at Securonix, told Recorded Future News that the typical attack sequence begins with hackers attempting to gain access to exposed Microsoft SQL databases through brute forcing, a hacking method that uses trial and error to crack passwords.

Securonix researchers said it was unclear whether the hackers are “using dictionary-based or random password spray attempts.”

Once a database’s password is cracked, “the attackers expand their foothold within the target system and use MSSQL as a beachhead to launch several different payloads,” including remote access trojan (RAT) malware and ransomware, Kolesnikov said.

“This isn’t something we have been seeing often, and what really sets this attack sequence apart is the extensive tooling and infrastructure used by the threat actors,” he said.

After the hackers break in, they use a variety of tools to map out the network, steal credentials and eventually deploy ransomware.

Securonix did not attribute the attacks to any known group but found that the hackers deployed ransomware called FreeWorld, a new variant of the Mimic ransomware. Mimic was spotlighted earlier this year by researchers at TrendMicro after first being seen in the wild in June 2022.

It targets Russian- and English-speaking users, and TrendMicro said there are indicators tying it to the Conti ransomware builder that was leaked last year.

“Given how quickly the attackers got to work, this attack appears to be quite sophisticated from tooling to infrastructure,” Securonix researchers said.

Using legitimate IT tools

The hackers painstakingly disable the system’s defenses before creating administrator accounts that give them widespread access.

In the case examined by Securonix, the threat actors tried several different methods to exfiltrate data and to import the tools needed to gain further persistence in the victim systems.

Several tools were blocked by the victim’s firewall, but the hackers eventually succeeded with the AnyDesk remote access software, a legitimate IT tool increasingly popular among threat actors. The Cybersecurity and Infrastructure Security Agency (CISA) warned earlier this year that malicious hackers are deploying commercial remote monitoring and management (RMM) software.

“Upon execution, the ransomware began encrypting the victim host and generated encrypted files using the ‘.FreeWorldEncryption’ extension. Once it has run through its course, it will create a text file named ‘FreeWorld-Contact.txt’ with instructions on how to pay the ransom,” the Securonix report said.

The company said organizations using Microsoft SQL databases should not expose them to the internet, advice that CISA has been pushing more fervently in recent months.

The agency said in June that it is now working with federal agencies to remove network management tools from the public-facing internet after researchers discovered hundreds were still publicly exposed.


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.