In a recent attack campaign tracked as DB#JAMMER, attackers brute-forced their way into poorly secured Microsoft SQL (MSSQL) servers and then deployed Cobalt Strike and the FreeWorld variant of the Mimic ransomware. Internet-exposed MSSQL servers with weak credentials have become a common entry point for many groups, including ransomware gangs: the problem is rarely a software vulnerability, but a database listening on the internet with a password that can be guessed.
Securonix, the security firm that documented the campaign, detailed the attackers' tooling in its report: enumeration utilities, RAT payloads, exploitation and credential-stealing tools, and the ransomware payload itself.
The attackers gained initial access by brute-forcing MSSQL credentials. The report does not say whether this was a dictionary attack (many candidate passwords against one login) or password spraying (a few common passwords tried across many logins); neither is the same as credential stuffing, which replays username and password pairs leaked from other breaches.
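Both guessing styles are visible in SQL Server's own ERRORLOG, which records each failed login as an "Error: 18456 ... State: N" line followed by a "Login failed for user ..." line carrying the client address; State 8 means a wrong password for an existing login and State 5 means the login name does not exist. The detection logic below is an added example for this article, not code from the Securonix report. The log lines, timestamps, login names and IP addresses are constructed; a real deployment would read the log with xp_readerrorlog or from the Application event log.

```python
"""Spot MSSQL credential brute-forcing in SQL Server ERRORLOG output.

Added example for this article; it is not code from the Securonix report.
SAMPLE_ERRORLOG is constructed in the two-line format SQL Server writes for a
failed login: an 'Error: 18456 ... State: N' line, then a 'Login failed for
user ...' line carrying the client address. Timestamps, logins and IPs are
made up. State 8 = wrong password for an existing login, State 5 = no such
login.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_ERRORLOG = """\
2023-08-15 10:21:33.45 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-15 10:21:33.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-15 10:21:33.61 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-15 10:21:33.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-15 10:21:33.78 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-15 10:21:33.78 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-15 10:21:33.94 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-15 10:21:33.94 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-15 10:21:34.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-15 10:21:34.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-15 10:21:34.27 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-15 10:21:34.27 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-15 10:21:34.41 Logon       Error: 18456, Severity: 14, State: 5.
2023-08-15 10:21:34.41 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2023-08-15 11:02:10.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-15 11:02:10.10 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
ERROR_RE = re.compile(TS + r"\s+Logon\s+Error: 18456, Severity: \d+, State: (?P<state>\d+)\.")
FAILED_RE = re.compile(TS + r"\s+Logon\s+Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")


def parse_failed_logins(text):
    """Pair each 'Error: 18456 ... State: N' line with the 'Login failed' line after it."""
    events, pending_state = [], None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            pending_state = int(m.group("state"))
            continue
        m = FAILED_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
                "user": m.group("user"),
                "ip": m.group("ip"),
                "state": pending_state,
            })
            pending_state = None
    return events


def find_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Flag client IPs with >= threshold failed logins inside any sliding window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        users = {e["user"] for e in evs}
        states = Counter(e["state"] for e in evs)
        # Many passwords against one or two logins is a dictionary attack; a few
        # attempts each across many login names is spraying. A high share of
        # State 5 means the attacker is guessing login names as well.
        pattern = "dictionary" if len(evs) / len(users) >= 3 else "spray"
        hits[ip] = {"attempts": len(evs), "peak_in_window": peak,
                    "users": users, "states": states, "pattern": pattern}
    return hits


if __name__ == "__main__":
    for ip, h in find_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(ip, h["pattern"], h["attempts"], "attempts", dict(h["states"]))
```

The State value is the useful signal: a burst of State 8 against `sa` is a dictionary run against an account the attacker knows exists, while a spread of State 5 across many names shows the attacker is guessing logins too, which is the spraying case.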
Once in, the attackers investigated the database: they enumerated the logins with access and checked whether the xp_cmdshell extended stored procedure was enabled. xp_cmdshell lets a SQL Server login run Windows commands (with the privileges of the SQL Server service account when the caller is a sysadmin), so it gave the attackers a shell for gathering information about the host and the network with tools such as wmic.exe, net.exe and ipconfig.exe.
The attackers also leaned on xp_cmdshell to modify Windows accounts and the system registry. They created three new local users, windows, adminv$ and mediaadmin$, and added them to the 'Remote Desktop Users' and 'Administrators' groups. Interestingly, they ran several variants of the user-creation and group-membership commands to cover localized group names, so the same steps worked on English, German, Polish, Spanish and Catalan Windows installations.
They then set the new accounts so that their passwords and logon sessions would never expire, and made extensive registry changes: enabling the Remote Desktop Protocol (RDP) service, disabling User Account Control (UAC) restrictions, and hiding the accounts used for remote logons from the local logon screen.
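Every one of these steps runs as a child of sqlservr.exe, because xp_cmdshell executes its command through cmd.exe spawned by the SQL Server process, so process-creation telemetry (Sysmon event 1 or Windows event 4688) carries a clear trail. The detection logic below is an added example for this article, not code from the Securonix report. The sample events, the account password and the exact registry keys are constructed: the report does not name the keys it saw changed, so the standard ones are assumed here (fDenyTSConnections for enabling RDP, SpecialAccounts\UserList for hiding an account from the logon screen, LocalAccountTokenFilterPolicy and EnableLUA for UAC). The German and Spanish group names stand in for the localized variants the paragraph above describes.

```python
r"""Flag the post-access steps DB#JAMMER drives through xp_cmdshell in
process-creation telemetry (Sysmon event 1 / Windows 4688 reduced to image,
parent image and command line).

Added example for this article, not code from the Securonix report. The
events, the account password and the exact registry keys are constructed:
the report does not name the keys, so the standard ones are assumed here
(fDenyTSConnections for RDP, SpecialAccounts\UserList for hiding a logon
account, LocalAccountTokenFilterPolicy/EnableLUA for UAC).
"""
import re

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"


def event(image, parent, command_line):
    return {"image": image, "parent_image": parent, "command_line": command_line}


# Constructed sample feed. The password is a placeholder, not from the report.
SAMPLE_EVENTS = [
    # xp_cmdshell always runs its command via cmd.exe spawned by sqlservr.exe
    event(CMD, SQLSERVR, "cmd.exe /c net user windows Example123! /add"),
    event(r"C:\Windows\System32\net.exe", CMD, "net user windows Example123! /add"),
    event(r"C:\Windows\System32\net.exe", CMD, 'net localgroup "Remote Desktop Users" windows /add'),
    event(r"C:\Windows\System32\net.exe", CMD, "net localgroup Administratoren adminv$ /add"),
    event(r"C:\Windows\System32\net.exe", CMD, 'net localgroup "Usuarios de escritorio remoto" mediaadmin$ /add'),
    event(r"C:\Windows\System32\reg.exe", CMD,
          r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    event(r"C:\Windows\System32\reg.exe", CMD,
          r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v mediaadmin$ /t REG_DWORD /d 0 /f'),
    event(r"C:\Windows\System32\reg.exe", CMD,
          r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"),
    # benign: an administrator running discovery from an interactive shell
    event(r"C:\Windows\System32\ipconfig.exe", CMD, "ipconfig /all"),
]

QUOTED_OR_WORD = r'("[^"]+"|\S+)'
# Match on the verb and /add, never on the group name, so localized names
# (Administratoren, Administradores, Administratorzy, ...) do not matter.
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+" + QUOTED_OR_WORD + r"\s+" + QUOTED_OR_WORD + r"\s+/add\b", re.I)
NET_GROUP_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+" + QUOTED_OR_WORD + r"\s+" + QUOTED_OR_WORD + r"\s+/add\b", re.I)
REGISTRY_TELLS = [
    (re.compile(r"fDenyTSConnections", re.I), "rdp_enabled"),
    (re.compile(r"SpecialAccounts\\UserList", re.I), "account_hidden_from_logon"),
    (re.compile(r"LocalAccountTokenFilterPolicy|EnableLUA", re.I), "uac_restriction_changed"),
]


def detect(events):
    """Return (event index, tag, detail) for every indicator found."""
    findings = []
    for i, ev in enumerate(events):
        cl = ev["command_line"]
        # Anything sqlservr.exe spawns is an xp_cmdshell (or similar) command.
        if ev["parent_image"].lower().endswith("sqlservr.exe"):
            findings.append((i, "xp_cmdshell_child_process", cl))
        m = NET_USER_ADD.search(cl)
        if m:
            findings.append((i, "local_account_created", m.group(1).strip('"')))
        m = NET_GROUP_ADD.search(cl)
        if m:
            group, member = m.group(1).strip('"'), m.group(2).strip('"')
            findings.append((i, "added_to_local_group", member + " -> " + group))
        for pattern, tag in REGISTRY_TELLS:
            if pattern.search(cl):
                findings.append((i, tag, cl))
    return findings


def accounts_by_group(findings):
    """Map each group seen in 'added_to_local_group' findings to its new members."""
    out = {}
    for _, tag, detail in findings:
        if tag == "added_to_local_group":
            member, group = detail.split(" -> ", 1)
            out.setdefault(group, set()).add(member)
    return out


if __name__ == "__main__":
    for idx, tag, detail in detect(SAMPLE_EVENTS):
        print(idx, tag, detail)
```

If the source is the Security event log rather than process telemetry, event 4732 (member added to a local group) records the target group's SID, and S-1-5-32-544 (Administrators) and S-1-5-32-555 (Remote Desktop Users) are identical on every language build of Windows, so a rule keyed on those SIDs survives the localization trick without any name list at all.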
DB#JAMMER is a reminder of how attractive poorly secured MSSQL servers are to attackers: the initial access was nothing more than guessed credentials, and everything that followed, from discovery and account creation through the RDP and UAC changes to Cobalt Strike and finally the FreeWorld ransomware, rode on xp_cmdshell.
Organizations that run MSSQL should keep it off the internet where possible, enforce strong passwords and lockout for SQL logins, leave xp_cmdshell disabled, and monitor for the account and registry changes described above, so that a brute-forced login is caught before it turns into a ransomware incident.

