The STAC6451 threat actor cluster has recently emerged as a significant cyber threat targeting organizations in India, with their attacks primarily focused on exploiting vulnerable Microsoft SQL Server database instances that are directly exposed to the public internet. Since its first observed presence in March 2024, this cluster has gained notoriety for targeting SQL servers that are often configured with default settings and weak credentials, making them susceptible to brute-force attacks.
Once the threat actors gain access to these compromised servers, they leverage a combination of sophisticated tools and techniques to establish persistence within the network, move laterally, and deploy malicious payloads such as the Mimic ransomware. This modus operandi is indicative of a well-organized and determined group that is adept at exploiting weaknesses in SQL server configurations to infiltrate networks and compromise sensitive data.
In their attack chain, STAC6451 initiates the breach by brute-forcing exposed SQL servers to gain unauthorized access. Once inside, they enable the xp_cmdshell extended stored procedure, which runs operating system commands in the context of the SQL Server service and so gives them control over the compromised host. This lets the threat actors carry out reconnaissance, gathering information such as the system version, hostname, and user credentials, in an automated fashion across different victim environments.
Following this initial breach, STAC6451 uses the Bulk Copy Program (BCP) to stage their malicious payloads, including ransomware binaries and privilege escalation tools, inside the compromised SQL database. By misusing this legitimate command-line utility to write those payloads out to disk, the threat actors hide their tooling within what looks like ordinary database activity, circumventing traditional security controls and evading immediate detection.
After deploying their payloads, STAC6451 focuses on lateral movement and persistence within the compromised network. The group creates new user accounts with administrative privileges, such as “ieadm” and “helpdesk,” to retain access even if the initial entry point is detected and remediated. Additionally, they modify the registry to enable the WDigest authentication protocol, which leaves plaintext credentials available in memory and simplifies their retrieval and reuse for further lateral movement within the environment.
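A detection pass over the post-access steps described above, as an added example that is not code from Sophos or the original article: it matches process command lines (as an EDR or Sysmon sensor would record them) against the xp_cmdshell enablement, BCP export, account creation and WDigest registry change, and it generalises slightly by flagging any created account, not only the two names the article lists. The rule names, the sample log lines, the file paths and the "backupsvc" account are constructed for this example.

```python
import re

# Rules for the post-access steps described above, matched against process
# command lines as an EDR or Sysmon sensor records them (rule names assumed).
RULES = {
    "xp_cmdshell_enabled": re.compile(
        r"sp_configure\s+'xp_cmdshell'\s*,\s*'?1'?", re.IGNORECASE),
    "bcp_file_export": re.compile(  # BCP writing a file out of the database
        r"\bbcp(\.exe)?\b.*\s(queryout|out)\s", re.IGNORECASE),
    "local_account_created": re.compile(
        r"\bnet1?(\.exe)?\s+user\s+(?P<user>\S+)(\s+\S+)?\s+/add\b", re.IGNORECASE),
    "added_to_administrators": re.compile(
        r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+(?P<user>\S+)\s+/add\b",
        re.IGNORECASE),
    "wdigest_cleartext_enabled": re.compile(
        r"\breg(\.exe)?\s+add\s+.*WDigest.*UseLogonCredential.*\s/d\s+1\b",
        re.IGNORECASE),
}
# Account names the article attributes to STAC6451; other names are still flagged.
KNOWN_ACCOUNTS = {"ieadm", "helpdesk"}

def find_indicators(lines):
    # Returns (rule, detail, line) for every line matching a rule; detail names
    # the account for account rules, "<other>" if it is not a known STAC6451 name.
    hits = []
    for line in lines:
        for name, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            user = (m.groupdict().get("user") or "").lower()
            detail = "" if not user else (user if user in KNOWN_ACCOUNTS else "<other>")
            hits.append((name, detail, line.strip()))
    return hits

# Constructed sample records (not real telemetry); paths and "backupsvc" are made up.
SAMPLE_LOG = [
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE",   # benign
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "bcp.exe dbo.Orders in C:\\data\\orders.dat -c -T",            # import: benign
    'bcp.exe "select blob from tempdb.dbo.stage" queryout C:\\Windows\\Temp\\svc.exe -T',
    "cmd.exe /c net user ieadm P@ssw0rd123 /add",
    "cmd.exe /c net localgroup administrators ieadm /add",
    "cmd.exe /c net user backupsvc Summer2024! /add",
    "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest"
    " /v UseLogonCredential /t REG_DWORD /d 1 /f",
]
if __name__ == "__main__":
    for rule, detail, line in find_indicators(SAMPLE_LOG):
        print(f"{rule:26} {detail:8} {line}")
```

The benign `show advanced options` and BCP import lines produce no hits, which is the false-positive check a detection engineer would want before shipping these rules.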
Moreover, STAC6451 shows adaptability by using scripts written in several languages, suggesting a global reach and the ability to target organizations across different regions and industries. Their use of automation throughout the attack lifecycle indicates a coordinated effort to compromise many networks simultaneously, underscoring the need for organizations to implement robust security measures.
Although Sophos MDR has thwarted ransomware deployment and other post-compromise activity in certain cases, the continued threat posed by STAC6451 highlights the importance of proactive measures such as proper SQL Server configuration, network segmentation, and vigilant monitoring for suspicious activity. As this threat actor cluster remains active and proficient at exploiting SQL Server weaknesses, organizations must remain vigilant and strengthen their defenses to mitigate the risk of falling victim to such attacks.