Mayakshi
Learning Centre for Cyber Security & Privacy Professionals
Helga Labus, Managing Editor, Help Net Security
6 Sept 2023
Trustwave has recently deployed honeypot servers mimicking nine popular database systems – MS SQL Server, MySQL, Redis, MongoDB, PostgreSQL, Oracle DB, IBM DB2, Cassandra, and Couchbase – in key regions of the world, and quickly discovered that attack activity on MS SQL honeypots accounted for 93% of the total.
MS SQL servers are an attractive target for cybercriminals because they are widely used and they often store valuable data.
Attackers also find them useful because they can make them part of a cryptomining botnet or use them as a proxy server.
The attackers target exposed MS SQL servers by brute-forcing access credentials. After having successfully authenticated, they start enumerating the database. A (too often) enabled xp_cmdshell function also allows attackers to run shell commands on the host and launch several payloads.
Attackers then:
Create new users on the victim host
Make registry changes to ensure successful connection
Disable the system’s firewall
They connect to a remote SMB share that allowed them to install additional tools, including a Cobalt Strike command and control payload and the AnyDesk remote access tool (RAT).
They also download an advanced port scanner to help them discover avenues for lateral movement and Mimikatz to enable credential dumping.
“Commands were executed in rapid succession indicating that they were likely copying them from a tool list or document on their end,” the Securonix researchers said.
Finally, they deploy the FreeWorld ransomware, which is a variant of Mimic ransomware. “It follows many similar TTPs in order to carry out its goals. Both variants appear to abuse the legitimate application Everything to query and locate target files to be encrypted,” they added.
The encrypted files get the “.FreeWorldEncryption” extension and, once the ransomware has finished encrypting, the ransom note with instructions on how to pay to get the files decrypted is shown.
To keep MS SQL servers safe, admins should:
Limit the use of the xp_cmdshell stored procedure
Allow access to the server only via VPN
Monitor common malware staging directories
Extend logging to improve detection coverage