Poorly secured Microsoft SQL (MSSQL) servers have turn out to be a favourite goal for a lot of teams of attackers together with ransomware gangs. In a latest assault marketing campaign dubbed DB#JAMMER hackers used brute-force assaults to compromise MSSQL servers and deploy Cobalt Strike and a variant of the Mimic ransomware known as FreeWorld.
“One of many issues that makes DB#JAMMER standout is how the attacker’s tooling infrastructure and payloads are used,” researchers from safety agency Securonix mentioned in a brand new report. “A few of these instruments embody enumeration software program, RAT payloads, exploitation and credential stealing software program, and eventually ransomware payloads.”
Preliminary entry to MSSQL servers and attaining persistence
The attackers use brute-force strategies to guess credentials for the focused MSSQL servers, but it surely’s not clear if this concerned dictionary-based or password spray makes an attempt. The latter normally includes username and password combos obtained from different database leaks.
Following the preliminary entry, the attackers investigated the database by enumerating all customers with entry to it and checked if a operate known as xp_cmdshell was enabled. This Transact-SQL assertion permits database customers to execute shell instructions in Home windows and return the output as textual content. The attackers leveraged xp_cmdshell extensively, first to assemble details about the system and the community surroundings by invoking Home windows instruments like wmic.exe, web.exe and ipconfig.exe, then to make modifications to Home windows accounts and the system registry.
“Three new customers have been created on the sufferer host which embody home windows, adminv$, and mediaadmin$,” the Securonix researchers mentioned. “Every person was added to the ‘distant desktop customers’ and ‘directors’ [groups]. Apparently sufficient the attackers tried to execute a big one-liner, which might create the customers and modify group membership. Nevertheless, a number of variations of the command have been executed to account for teams in numerous languages: [English, German, Polish, Spanish, and Catalan].”
Additional modifications have been made to the brand new customers so their passwords and logged in classes would by no means expire. The adjustments to the registry have been additionally in depth and included enabling the Distant Desktop Protocol (RDP) service, disabling Consumer Entry Management restrictions, and hiding distant logged in customers from the native login display screen.
/cdn.vox-cdn.com/uploads/chorus_asset/file/24890073/1584249148.jpg "Taylor Swift’s Eras Tour movie broke presale records in less than three hours")
