
Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

Cybercriminals are taking advantage of vulnerable Microsoft SQL (MS SQL) servers to distribute both Cobalt Strike and a ransomware variant known as FreeWorld. This campaign, named DB#JAMMER by cybersecurity firm Securonix, is notable for its unique use of tools and infrastructure. 

The ransomware is called "FreeWorld" because of several distinctive markers: the names of the files it encrypts include the word "FreeWorld", the ransom note it drops with payment instructions is named FreeWorld-Contact.txt, and encrypted files receive the extension ".FreeWorldEncryption."

Securonix's investigation reveals that the campaign typically starts with attackers brute-forcing access to exposed MSSQL databases. Once inside, they expand their control over the target system, using MSSQL as a launching point for various malicious payloads. These payloads include remote-access Trojans (RATs). 

"Some of these tools include enumeration software, RAT payloads, exploitation and credential-stealing software, and finally ransomware payloads. The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity. 

As a result, they gain control over the infected computer and can access shared files and deploy harmful tools like Cobalt Strike. This sets the stage for installing AnyDesk software, which is used to spread the FreeWorld ransomware. Sometimes, the attackers also try to establish persistence using Ngrok for remote desktop access. 

"The attack initially succeeded as a result of a brute force attack against a MS SQL server. It is important to emphasize the importance of strong passwords, especially on publicly exposed services," the researchers added. Vulnerable SQL servers remain a prime target for attackers. 

As seen in recent reports, Palo Alto Networks' Unit 42 noted a substantial 174% increase in ransomware attacks by the TargetCompany group, with a specific focus on exploiting vulnerable SQL servers worldwide. In a separate incident, actors associated with the Trigona ransomware targeted poorly configured MS SQL servers to execute their ransomware attacks.

CERT-In Warns Against Mallox Ransomware Targeting Unsecured MS SQL Servers

The Indian government's nodal cybersecurity agency, CERT-In, has issued a warning about the Mallox ransomware, which is exploiting MS-SQL servers through dictionary attacks.

Using dictionary attacks, the ransomware operators gain unauthorized access to victims' networks, ultimately compromising the server and breaching its data.

The CERT-In alert states, “It has been observed that Mallox Ransomware is currently targeting unsecured Microsoft SQL Servers, using them as entry points into victim's ICT infrastructures to distribute the ransomware.” It adds, “It has also been observed that the threat actor group has used brute force techniques on publicly exposed MS SQL instances to gain initial access to the victim's network infrastructure.”
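Both posts above describe the same initial access path: password guessing against exposed SQL logins. The T-SQL below is an added example, not part of either advisory or report, that triages this from the defender's side by reading the current SQL Server error log with the built-in procedure xp_readerrorlog and aggregating "Login failed" entries per client address and login name. It assumes a sysadmin connection, the default login-audit setting (failed logins written to the error log), and the standard message format; the sample line in the comment is constructed, and the threshold of 50 failures is an arbitrary starting point.

```sql
-- Added example (not from the CERT-In advisory or the Securonix report):
-- triage of brute-force / dictionary attacks against SQL Server logins by
-- aggregating "Login failed" entries from the current SQL Server error log.
-- Requires a sysadmin connection; run in SSMS or sqlcmd.

IF OBJECT_ID('tempdb..#errlog') IS NOT NULL DROP TABLE #errlog;
CREATE TABLE #errlog (
    LogDate     DATETIME,
    ProcessInfo NVARCHAR(50),
    LogText     NVARCHAR(MAX)
);

-- xp_readerrorlog arguments: log number (0 = current), log type (1 = SQL Server),
-- first search string, second search string
INSERT INTO #errlog (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', NULL;

-- Pull the login name and client IP out of each line. Constructed example line
-- (matches the real format):
--   Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
;WITH parsed AS (
    SELECT
        LogDate,
        -- text between the first pair of single quotes
        LoginName = SUBSTRING(LogText,
                        CHARINDEX('''', LogText) + 1,
                        CHARINDEX('''', LogText, CHARINDEX('''', LogText) + 1)
                            - CHARINDEX('''', LogText) - 1),
        -- text between "[CLIENT: " (9 characters) and the closing bracket
        ClientIP  = SUBSTRING(LogText,
                        CHARINDEX('[CLIENT: ', LogText) + 9,
                        CHARINDEX(']', LogText, CHARINDEX('[CLIENT: ', LogText))
                            - CHARINDEX('[CLIENT: ', LogText) - 9)
    FROM #errlog
    WHERE LogText LIKE 'Login failed for user%'
      AND LogText LIKE '%[[]CLIENT: %'          -- [[] escapes the LIKE wildcard
      AND LogDate >= DATEADD(HOUR, -24, GETDATE())
)
SELECT
    ClientIP,
    LoginName,
    Failures   = COUNT(*),
    FirstSeen  = MIN(LogDate),
    LastSeen   = MAX(LogDate),
    -- a high count from one source, or any sustained guessing against 'sa',
    -- is worth a ticket; tune the 50 to the environment
    Suspicious = CASE WHEN COUNT(*) >= 50 OR LoginName = 'sa' THEN 'YES' ELSE 'no' END
FROM parsed
GROUP BY ClientIP, LoginName
ORDER BY Failures DESC;

DROP TABLE #errlog;
```

The error log rolls over on each service restart (and on sp_cycle_errorlog), so for a longer lookback pass log numbers 1, 2, ... as the first argument or, better, rely on a server audit that ships FAILED_LOGIN_GROUP events to a SIEM where the same grouping can run continuously.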

Mallox ransomware reportedly uses double extortion: it steals sensitive data before encrypting a company's files, and the threat actor then threatens to publish the stolen data on leak sites if the ransom demands are not met. 

Thus, it has become necessary for companies and individuals to take security measures actively in order to safeguard their MS-SQL servers from these attacks and prevent falling prey to the Mallox ransomware.

More About the Mallox Ransomware

A study by Unit 42 researchers claims that Mallox ransomware activity has increased by 174% compared to last year. The rise in attacks calls for strong countermeasures.

The hackers responsible for Mallox have discovered a way to use unprotected MS-SQL servers as a gateway into their victims' networks, expanding their scope and the potential harm they might cause.

The group also uses several tools, among them a network scanner, together with data exfiltration techniques, while covering the traces of its intrusion and evading security controls.

Once the Mallox Ransomware gains access to a target network, it attacks with lethal accuracy. Using the command line and PowerShell, the ransomware payload is downloaded from a remote server, preparing the environment for the malicious encryption procedure. Additionally, it tries to delete volume shadows, which presents a formidable barrier for the affected organization when trying to restore files.

Mallox takes additional deliberate steps to avoid detection and obstruct the forensic investigation. Application, security, setup, and system event logs are cleared by the ransomware, leaving minimal evidence of its operations.

Also, it changes file permissions, blocks users from accessing essential system functions, and shuts down security-related services.

Recommendations by CERT-In 

CERT-In lists the following measures to mitigate the risk of Mallox ransomware and to secure Microsoft SQL Server: 

  • Avoid exposing SQL Server to the Internet on its default port (1433). Use secure connections such as VPNs instead.
  • Disable or strengthen the SA account to minimize the risk of unauthorized access. 
  • Audit SQL CLR assemblies and remove any unwanted ones. 
  • Implement a firewall, allowing incoming traffic only from trusted networks and IP addresses. 
  • Keep SQL Server up to date with the latest patches and updates. 
  • Enforce the use of strong and unique passwords for all SQL logins. 
  • Configure account lockout policies to counter brute force attacks. 
  • Encrypt data in transit using SSL/TLS to protect against eavesdropping. 
  • Monitor SQL Server activity through auditing to detect and respond to threats promptly.
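The server-side items in the list above (SA account, password and lockout policy, CLR assemblies, encryption in transit, auditing) can be applied and verified from T-SQL. The script below is an added example written for this page, not CERT-In's own tooling; it assumes a sysadmin connection, and the login name, audit name and file path marked as constructed are placeholders to replace. The firewall, port exposure and patching items are network and OS tasks and are not covered here.

```sql
-- Added example (not CERT-In's script): apply and check the server-side
-- hardening items from the CERT-In list. Review each statement before running
-- in production; requires sysadmin.

-- 1. SA account: disable it and rename it, so dictionary attacks aimed at 'sa'
--    hit a login that no longer exists. Applications must use their own
--    least-privilege logins rather than sa.
ALTER LOGIN [sa] DISABLE;
ALTER LOGIN [sa] WITH NAME = [svc_disabled_admin_placeholder];   -- constructed name

-- 2. Strong passwords + lockout: CHECK_POLICY makes each SQL login honour the
--    Windows password policy, including the account-lockout threshold that
--    counters brute force. Add CHECK_EXPIRATION = ON where rotation is wanted.
DECLARE @sql NVARCHAR(MAX) = N'';
SELECT @sql += N'ALTER LOGIN ' + QUOTENAME(name) + N' WITH CHECK_POLICY = ON;' + CHAR(10)
FROM sys.sql_logins
WHERE is_policy_checked = 0
  AND name NOT LIKE '##%';        -- skip internal certificate-based logins
EXEC sys.sp_executesql @sql;

-- 3. CLR assemblies: list user-loaded assemblies in every online database so
--    unwanted ones can be reviewed; DROP ASSEMBLY is deliberately left manual.
DECLARE @asm NVARCHAR(MAX) = N'';
SELECT @asm += N'SELECT ' + QUOTENAME(name, '''') + N' AS db, name, permission_set_desc, create_date '
             + N'FROM ' + QUOTENAME(name) + N'.sys.assemblies WHERE is_user_defined = 1;' + CHAR(10)
FROM sys.databases
WHERE state_desc = 'ONLINE';
EXEC sys.sp_executesql @asm;

-- 4. Server options that widen the attack surface: confirm they are off unless
--    a documented need exists (value_in_use = 0 means off).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'xp_cmdshell', 'Ole Automation Procedures', 'remote access');

-- 5. Auditing: record failed and successful logins plus login/principal changes
--    to a file the service account can append to but not delete, then ship it
--    to the SIEM. ON_FAILURE = CONTINUE keeps the server up if the disk fills.
CREATE SERVER AUDIT [LoginAudit]                 -- constructed audit name
TO FILE (FILEPATH = N'D:\SQLAudit\')             -- constructed path
WITH (ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT [LoginAudit] WITH (STATE = ON);

CREATE SERVER AUDIT SPECIFICATION [LoginAuditSpec]
FOR SERVER AUDIT [LoginAudit]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
WITH (STATE = ON);

-- 6. Encryption in transit: any row returned here is an unencrypted session.
--    Enforce encryption in SQL Server Configuration Manager
--    (Protocols for the instance > Flags > Force Encryption) with a trusted
--    certificate, then re-run this check.
SELECT session_id, client_net_address, encrypt_option, auth_scheme
FROM sys.dm_exec_connections
WHERE encrypt_option = 'FALSE';
```

Account lockout via CHECK_POLICY only takes effect on Windows, where the local or domain password policy supplies the threshold; on Linux hosts the lockout part must be handled at the network layer instead. Renaming sa will break any tooling that still connects as sa, so search connection strings before the change.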