Sophos MDR has recently uncovered a new threat activity cluster, known as STAC6451, that is targeting organizations in India. This cluster has been exploiting exposed Microsoft SQL Server database servers through port 1433 to compromise multiple organizations with the goal of deploying ransomware. The tactics, techniques, and procedures (TTPs) used by STAC6451 include abusing Microsoft SQL Servers for unauthorized access, utilizing the BCP utility to stage malicious payloads, and creating backdoor accounts for lateral movement and persistence.
The background of this campaign dates back to late March 2024 when Sophos MDR first observed activity related to this threat cluster. It was during a response to the compromise of an organization’s SQL Server that the threat hunters identified additional compromises with overlapping TTPs. This led to the formation of the STAC6451 cluster, characterized by the abuse of SQL databases in combination with the use of the BCP utility to download tools into target environments.
The initial access vector was internet-exposed MSSQL database servers protected only by weak account credentials. By enabling the xp_cmdshell feature, the attackers were able to execute operating system commands through the SQL service, running under the "MSSQLSERVER" service account's session. This allowed them to run reconnaissance commands to gather system details.
During the discovery and staging phase, the threat actors used various tools to stage payloads and executables within the compromised SQL database. They leveraged the bcp utility to export files to user-writable directories and deployed a variety of malicious tools, including webshells, privilege escalation tools, Cobalt Strike Beacons, and Mimic Ransomware binaries.
Lateral movement and persistence were achieved through the creation of multiple user accounts with elevated privileges and the execution of scripts to add these accounts to local administrator and remote desktop groups. The threat actors also attempted to add other malicious tools and conduct privilege escalation using techniques like PrintSpoofer.
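The access, staging and persistence behaviour described above (a SQL Server process spawning a command shell via xp_cmdshell, bcp writing a file into a user-writable directory, and new local accounts being added to the Administrators and Remote Desktop Users groups) lends itself to simple process-creation detection logic. The following is an added example written for this summary, not code from Sophos or the original report. It assumes a hypothetical log export where each line holds `timestamp|parent image|new process image|command line` (the shape of a Windows 4688 process-creation event flattened to one line); the sample events are constructed for illustration and are not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (not real telemetry).
# Field layout assumed for this example: timestamp | parent image | image | command line
SAMPLE_EVENTS = """\
2024-03-28T10:02:11Z|C:\\Program Files\\Microsoft SQL Server\\MSSQL16.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2024-03-28T10:02:15Z|C:\\Program Files\\Microsoft SQL Server\\MSSQL16.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c bcp "select data from tempdb..staging" queryout C:\\Users\\Public\\svc.exe -T -f C:\\Users\\Public\\fmt.txt
2024-03-28T10:03:01Z|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net user backup_admin P@ss123 /add
2024-03-28T10:03:02Z|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net localgroup administrators backup_admin /add
2024-03-28T10:03:03Z|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net localgroup "Remote Desktop Users" backup_admin /add
2024-03-28T11:00:00Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
"""


@dataclass
class Event:
    ts: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    ts: str
    cmdline: str


# Directories an unprivileged or service account can typically write to; bcp
# output landing here is the staging pattern described in the summary.
USER_WRITABLE = re.compile(
    r"(?i)(c:\\users\\public|c:\\programdata|c:\\windows\\temp|\\appdata\\local\\temp)"
)
BCP_QUERYOUT = re.compile(r"(?i)\bbcp(?:\.exe)?\b.*\bqueryout\b")
NET_USER_ADD = re.compile(r"(?i)\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b")
NET_GROUP_ADD = re.compile(
    r'(?i)\bnet1?(?:\.exe)?\s+localgroup\s+(?:"?remote desktop users"?|administrators)\s+\S+\s+/add\b'
)


def parse_events(text: str) -> list[Event]:
    """Parse the assumed four-field line format; the command line may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(Event(ts, parent, image, cmdline))
    return events


# Each rule maps to one behaviour from the summary: xp_cmdshell execution shows up
# as sqlservr.exe spawning a shell; bcp staging; backdoor account creation; group adds.
RULES = [
    ("sqlserver_spawned_shell",
     lambda e: e.parent.lower().endswith("sqlservr.exe")
     and e.image.lower().endswith(("cmd.exe", "powershell.exe"))),
    ("bcp_payload_staging",
     lambda e: bool(BCP_QUERYOUT.search(e.cmdline)) and bool(USER_WRITABLE.search(e.cmdline))),
    ("local_account_created", lambda e: bool(NET_USER_ADD.search(e.cmdline))),
    ("privileged_group_add", lambda e: bool(NET_GROUP_ADD.search(e.cmdline))),
]


def detect(events: list[Event]) -> list[Finding]:
    """Return one Finding per (event, rule) match; an event can trigger several rules."""
    return [Finding(name, e.ts, e.cmdline) for e in events for name, check in RULES if check(e)]


def triage(findings: list[Finding]) -> dict:
    """Count rule hits and flag when the SQL-shell -> staging -> account chain is all present."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    rules = set(counts)
    chain = ({"sqlserver_spawned_shell", "bcp_payload_staging"} <= rules
             and bool({"local_account_created", "privileged_group_add"} & rules))
    return {"counts": counts, "chain_observed": chain}


if __name__ == "__main__":
    hits = detect(parse_events(SAMPLE_EVENTS))
    for f in hits:
        print(f"{f.ts} [{f.rule}] {f.cmdline}")
    print(triage(hits))
```

The single-rule matches are noisy on their own (administrators do legitimately run `bcp` and `net user`), which is why `triage` only raises the chain flag when the SQL-spawned shell, the staging write and an account or group change all appear together; in a real deployment the correlation would additionally be scoped to one host and a short time window.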
The execution phase involved deploying ransomware launchers and initialization scripts to initiate the encryption of victim files. The actors used various tools and executables like Everything.exe, DC.exe, and Xdel.exe to facilitate the encryption process and hinder recovery efforts. Attempts to bypass protection technologies through changes in boot modes were also observed.
The command and control (C2) phase involved the deployment of a unique Cobalt Strike loader with obfuscation techniques to establish communication with a malicious domain. The attackers utilized a compromised webserver to host their payloads and attempted to access LSASS memory credentials using DumpMinitool.
Overall, the impact of this threat activity cluster includes data collection efforts, attempted deployment of Mimic Ransomware binaries, and potential exfiltration of sensitive information. The threat actors have demonstrated moderate sophistication in their tactics but have also shown operational shortcomings, especially in the successful execution of ransomware.
Sophos MDR assesses with moderate to high confidence that this threat cluster is targeting India-based organizations. The actors appear to be automating stages of their attacks to exploit a specific group of victims and conduct further data collection activities. Recommendations to mitigate these threats include avoiding exposure of SQL servers to the internet, disabling xp_cmdshell on SQL instances, and using application control to block potentially unwanted applications.
In conclusion, Sophos MDR continues to monitor and block activity associated with STAC6451 to protect organizations from this ongoing threat cluster. The research conducted aims to provide valuable intelligence on this threat for the cybersecurity community.