A cyberattack campaign has recently been identified, which aims at compromising exposed Microsoft SQL Server (MSSQL) databases. The attackers are employing brute-force attacks to deliver ransomware and Cobalt Strike payloads, as discovered by Securonix, a security investigation company. The attack sequence typically begins with the cybercriminals brute-forcing their way into the vulnerable MSSQL databases. Once they gain initial access, they expand their presence within the target system and leverage MSSQL as a launching point for various types of payloads, including remote-access Trojans (RATs) and a new variant of ransomware named “FreeWorld.”
What sets this campaign apart is the attackers’ high level of sophistication in using tooling infrastructure and different payloads, allowing for rapid execution of the attack. Securonix researchers identified several tools employed by the threat actors, such as enumeration software, RAT payloads, exploitation and credential stealing software, and ransomware payloads. Oleg Kolesnikov, the Vice President of Threat Research and Cybersecurity at Securonix, emphasized the extensive tooling and infrastructure used by the attackers, noting that it is not commonly seen in such attacks.
The campaign, named “DB#JAMMER” by Securonix, is still ongoing. However, Kolesnikov believes it is currently a relatively targeted campaign. The risk level is considered medium to high, as the infiltration vectors used by the attackers may not be limited to MSSQL servers alone. It is important to note that this discovery comes at a time when ransomware attacks are on the rise, with attackers intensifying their efforts to cause widespread damage before detection.
To mitigate the risk associated with MSSQL services, Kolesnikov advises enterprises to reduce their attack surface by limiting exposure to the internet. In addition, MSSQL database servers should not accept connections from the internet or rely on weak account credentials, since exposed servers with weak credentials are popular targets for attackers. In previous instances observed by AhnLab researchers, compromised credentials on breached MSSQL servers have led to infections with various ransomware strains, Remcos RAT, and coinminers.
Furthermore, Kolesnikov recommends that security teams implement defenses that address the attack progression and behaviors leveraged by malicious threat actors. This includes restricting the use of xp_cmdshell and monitoring common malware staging directories, such as “C:\Windows\Temp.” Deploying additional process-level logging tools like Sysmon and PowerShell logging can also enhance log detection coverage.
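The two behaviors named above, xp_cmdshell use and staging of payloads in directories such as C:\Windows\Temp, both leave a footprint in Sysmon telemetry: xp_cmdshell runs its command through a shell whose parent process is sqlservr.exe (Event ID 1, process creation), and a dropped payload shows up as a file-creation event (Event ID 11) in the staging directory. The script below is an added example, not code from Securonix or from the article; it runs two simple detection rules over a handful of constructed Sysmon-style records. The event field names follow Sysmon's schema (Image, ParentImage, TargetFilename), while the sample file paths, the list of staging directories and the payload extensions are assumptions chosen for the example.

```python
import ntpath

# Constructed Sysmon-style events for this example (Event ID 1 = process
# creation, Event ID 11 = file creation). Not telemetry from DB#JAMMER.
SQLSERVR = (r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER"
            r"\MSSQL\Binn\sqlservr.exe")
SAMPLE_EVENTS = [
    # xp_cmdshell footprint: the SQL Server service process spawns cmd.exe
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": SQLSERVR, "CommandLine": 'cmd.exe /c "whoami"',
     "User": r"NT SERVICE\MSSQLSERVER"},
    # an executable written into a common staging directory
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\Temp\update.exe"},
    # benign: interactive user opening an editor
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe",
     "User": r"CORP\alice"},
    # benign: SQL Server writing its own data file
    {"EventID": 11, "Image": SQLSERVR,
     "TargetFilename": (r"C:\Program Files\Microsoft SQL Server"
                        r"\MSSQL15.MSSQLSERVER\MSSQL\DATA\sales.mdf")},
    # benign: a text file in Temp (staging dir, but not a payload extension)
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\report.txt"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed watch list; extend it with whatever staging paths your environment sees.
STAGING_DIRS = [r"C:\Windows\Temp", r"C:\Users\Public", r"C:\ProgramData"]
PAYLOAD_EXTS = {".exe", ".dll", ".ps1", ".bat", ".vbs"}


def _base(path):
    # ntpath handles Windows separators regardless of the host OS
    return ntpath.basename(path).lower()


def is_sql_shell_spawn(event):
    """sqlservr.exe launching a shell is how xp_cmdshell executes commands."""
    return (event.get("EventID") == 1
            and _base(event.get("ParentImage", "")) == "sqlservr.exe"
            and _base(event.get("Image", "")) in SHELLS)


def is_staging_write(event):
    """An executable-looking file created inside a watched staging directory."""
    if event.get("EventID") != 11:
        return False
    target = ntpath.normcase(event.get("TargetFilename", ""))
    in_staging = any(target.startswith(ntpath.normcase(d) + "\\")
                     for d in STAGING_DIRS)
    return in_staging and ntpath.splitext(target)[1] in PAYLOAD_EXTS


RULES = [("mssql_shell_spawn", is_sql_shell_spawn),
         ("staging_dir_drop", is_staging_write)]


def triage(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev))
    return hits


if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"[{name}] {ev}")
```

Against the sample records the script raises exactly two alerts, one per rule, and leaves the three benign events alone. On the server side, the configuration half of the advice is a single T-SQL change: `EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;` turns the procedure off, and the process-creation rule above then serves as a tripwire for anyone re-enabling it.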
According to a report from Palo Alto’s Unit 42, malicious activity targeting vulnerable SQL servers has increased by 174% compared to the previous year. This demonstrates the urgency for organizations to prioritize MSSQL security and take proactive measures to protect their databases from cyber threats.
In conclusion, the discovery of a cyberattack campaign targeting exposed MSSQL databases highlights the need for enhanced security measures. Organizations must limit their attack surface, strengthen their credentials, and implement effective defenses against malicious activities. By staying proactive and vigilant, enterprises can better protect their critical systems and data from cybercriminals seeking to exploit vulnerabilities.
