
Cyber Criminals Exploiting MS-SQL Servers To Deploy Mallox Ransomware

The MS-SQL (Microsoft SQL) honeypot incident that took place recently highlighted the sophisticated strategies used by cybercriminals that rely on the Mallox ransomware (also known as Fargo, TargetCompany, Mawahelper, etc.). 

The honeypot, set up by the Sekoia researchers, was targeted by an intrusion set employing brute-force techniques to deploy the Mallox ransomware via PureCrypter, exploiting multiple MS-SQL vulnerabilities. 

Upon analysing Mallox samples, the researchers detected two different affiliates that had different goals: one was more interested in taking advantage of vulnerabilities in the system, while the other sought larger-scale breaches of information systems. 

The "sa" account (SQL Administrator) was the target of the initial brute-force attack that gained access to the MS-SQL server. The attack was successful within an hour of its deployment. Throughout the monitoring period, the attacker continued to use brute-forcing, displaying an intense effort. 

There were attempts at exploitation, and certain trends were found. The attacker used a number of strategies, including enabling specific server configuration options, building CLR assemblies, and using Ole Automation Procedures and xp_cmdshell to execute commands. The payloads were linked to a .NET loader called PureCrypter, which in turn launched the Mallox ransomware. A threat actor going by the identity PureCoder sells PureCrypter as Malware-as-a-Service. It uses a number of techniques to evade detection and analysis.

Active since at least June 2021, the Mallox group is a Malware-as-a-Service organisation that spreads ransomware bearing the same name. The gang employs a double-extortion tactic: encrypting the victim's data and threatening to publish the material it has stolen. The research also emphasises the role of affiliates in the Mallox network, focusing on users with unique tactics and ransom demands, including Maestro, Vampire, and Hiervos.

Additionally, the research casts suspicion on AS208091, the hosting provider Xhost Internet, which has previously been linked to ransomware activities. 

“While formal links with cybercrime-related activities remain unproven, the involvement of this AS in previous instances of ransomware compromise and the longevity of the IP address monitoring is intriguing,” reads the blog post. “Sekoia.io analysts will continue to monitor activities associated with this AS and to investigate the related operations.”

Threat Actors Exploit SQL Servers to Deploy FreeWorld Ransomware
Threat actors are exploiting vulnerable Microsoft SQL servers, deploying Cobalt Strike and a ransomware strain named FreeWorld. 

According to cybersecurity firm Securonix, the campaign is notable for the way its infrastructure and toolkit are used. The firm has named the campaign DB#JAMMER.

"Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads[…]The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld," says security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov in a technical breakdown of the activity.

The attackers first gain access to the victim host by brute-forcing the MS SQL server, enumerating the database, and exploiting the xp_cmdshell configuration option to execute shell commands and conduct reconnaissance.
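Both campaigns on this page follow the same first steps: brute-force the built-in sa login, then turn on xp_cmdshell (and, in the Mallox case, Ole Automation Procedures and CLR assemblies) to run commands on the host. The following is an added, read-only T-SQL audit, not code from the Sekoia or Securonix reports, that a defender can run on an instance to check exactly those surfaces. It uses only standard SQL Server catalog objects (sys.sql_logins, sys.configurations, sys.assemblies, xp_readerrorlog); the per-hour failed-login threshold of 50 is an assumption to tune per environment.

```sql
-- Added example (not from the reports above): read-only hardening audit for
-- the attack path both posts describe. Assumptions: sysadmin rights to read the
-- error log, and a brute-force threshold of 50 failures/hour.
SET NOCOUNT ON;

-- 1. The built-in administrator login has SID 0x01 even if it was renamed.
--    Both campaigns started by guessing its password, so it should be disabled.
SELECT name AS sa_login_name,
       is_disabled,
       is_policy_checked,
       CASE WHEN is_disabled = 1 THEN 'ok'
            ELSE 'REVIEW: built-in admin login enabled' END AS verdict
FROM sys.sql_logins
WHERE sid = 0x01;

-- 2. Command-execution surfaces the intruders enabled. value_in_use is a
--    sql_variant, hence the CAST. 'clr strict security' is the one option that
--    should be ON: it forces CLR assemblies to be signed or trusted.
WITH expected (name, expected_value) AS (
    SELECT v.name, v.expected_value
    FROM (VALUES ('xp_cmdshell', 0),
                 ('Ole Automation Procedures', 0),
                 ('clr enabled', 0),
                 ('clr strict security', 1)) AS v(name, expected_value)
)
SELECT c.name,
       CAST(c.value_in_use AS int) AS value_in_use,
       e.expected_value,
       CASE WHEN CAST(c.value_in_use AS int) = e.expected_value
            THEN 'ok' ELSE 'REVIEW' END AS verdict
FROM sys.configurations AS c
JOIN expected AS e ON e.name = c.name;

-- 3. User-defined CLR assemblies in every online database (the "building
--    assemblies" step). sys.assemblies is per database, so loop with dynamic SQL.
IF OBJECT_ID('tempdb..#asm') IS NOT NULL DROP TABLE #asm;
CREATE TABLE #asm (db sysname, assembly_name sysname, permission_set nvarchar(60),
                   create_date datetime, modify_date datetime);
DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'SELECT N' + QUOTENAME(@db, '''') + N', name, permission_set_desc, '
             + N'create_date, modify_date FROM ' + QUOTENAME(@db)
             + N'.sys.assemblies WHERE is_user_defined = 1;';
    INSERT INTO #asm EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur; DEALLOCATE db_cur;
SELECT db, assembly_name, permission_set, create_date, modify_date,
       CASE WHEN permission_set = 'UNSAFE_ACCESS'
            THEN 'REVIEW: UNSAFE assembly can run arbitrary native code'
            ELSE 'review: user assembly present' END AS verdict
FROM #asm
ORDER BY modify_date DESC;

-- 4. Brute-force detection: failed logins for the sa login in the current
--    error log (error 18456 lines), bucketed per hour and per client address.
IF OBJECT_ID('tempdb..#log') IS NOT NULL DROP TABLE #log;
CREATE TABLE #log (LogDate datetime, ProcessInfo nvarchar(100), LogText nvarchar(max));
INSERT INTO #log EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', N'sa';
SELECT DATEADD(hour, DATEDIFF(hour, 0, LogDate), 0) AS hour_bucket,
       -- pull "[CLIENT: x.x.x.x]" out of the message text when it is present
       CASE WHEN CHARINDEX('[CLIENT: ', LogText) > 0
            THEN SUBSTRING(LogText, CHARINDEX('[CLIENT: ', LogText) + 9,
                           CHARINDEX(']', LogText, CHARINDEX('[CLIENT: ', LogText))
                           - CHARINDEX('[CLIENT: ', LogText) - 9)
            ELSE 'unknown' END AS client,
       COUNT(*) AS failed_sa_logins,
       CASE WHEN COUNT(*) >= 50 THEN 'REVIEW: likely brute force' ELSE 'ok' END AS verdict
FROM #log
WHERE LogText LIKE '%user ''sa''%'   -- exact login, not every message containing "sa"
GROUP BY DATEADD(hour, DATEDIFF(hour, 0, LogDate), 0),
         CASE WHEN CHARINDEX('[CLIENT: ', LogText) > 0
              THEN SUBSTRING(LogText, CHARINDEX('[CLIENT: ', LogText) + 9,
                             CHARINDEX(']', LogText, CHARINDEX('[CLIENT: ', LogText))
                             - CHARINDEX('[CLIENT: ', LogText) - 9)
              ELSE 'unknown' END
ORDER BY hour_bucket DESC, failed_sa_logins DESC;
```

Run it from SSMS or sqlcmd as a sysadmin. Section 4 reads only the current error log (log number 0); pass 1, 2, ... as the first argument to xp_readerrorlog to walk older logs, and remember that the log is lost on cycling unless failed-login auditing is also shipped to a SIEM.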

Next, they take steps to disable the system firewall in order to establish persistence and install malicious software such as Cobalt Strike, connecting to a remote SMB share to transfer files to and from the targeted system.

This in turn opens the door for the eventual deployment of the FreeWorld ransomware, distributed through the AnyDesk remote-access software, but not before a lateral movement phase. Additionally, the unidentified attackers are said to have tried, unsuccessfully, to use Ngrok to establish RDP persistence.

The researchers concluded, "The attack initially succeeded as a result of a brute force attack against a MS SQL server[…]It's important to emphasize the importance of strong passwords, especially on publicly exposed services."

According to figures released by Coveware in July 2023, the year has seen a record-breaking increase in ransomware attacks following a lull in 2022, even as the proportion of incidents that ended with the victim paying fell to a record low of 34%.

The report also noted that the average ransom payment has reached a whopping $740,144, up 126% from Q1 2023.

Moreover, these shifts in monetization rates have coincided with developments in the extortion tradecraft of ransomware threat actors, who now disclose specifics of their attack methods in order to show that victims are ineligible for a cyber insurance claim.

"Snatch claims they will release details of how attacks against non-paying victims succeeded in the hope that insurers will decide that the incidents should not be covered by insurance ransomware," Emsisoft security researcher Brett Callow said in a post shared on X (formerly Twitter) last month.