In a recent investigation by cybersecurity firm Securonix, a highly sophisticated cyberattack campaign targeting Microsoft SQL Server (MSSQL) databases has been uncovered. The attack campaign, named “DB#JAMMER,” involves a series of steps that ultimately result in the deployment of ransomware and other malicious payloads.
### The Attack Sequence
The typical attack sequence observed in this campaign begins with the attackers brute-forcing their way into exposed MSSQL databases. Once inside, they expand their access within the target system and utilize MSSQL as a launching pad for various payloads. These payloads include remote-access Trojans (RATs) and a new ransomware variant called “FreeWorld.” The ransomware stands out due to the word “FreeWorld” being present in file names, ransom instructions, and the ransomware extension, which is “.FreeWorldEncryption.”
Throughout the attack, the threat actors establish a remote SMB share to store their tools, which range from a Cobalt Strike command-and-control agent (srv.exe) to AnyDesk. They also employ a network port scanner and Mimikatz, a tool used for credential dumping and lateral movement within the network. Additionally, the attackers make configuration changes, such as user creation and modification, as well as registry modifications, to circumvent defenses and maintain their access.
### The Level of Sophistication and Ongoing Threat
Securonix researchers describe the DB#JAMMER campaign as exhibiting a high level of sophistication. The attackers demonstrate a depth of knowledge in terms of tooling infrastructure and the rapid execution of their attacks. The usage of enumeration software, RAT payloads, exploitation software, credential stealing tools, and ransomware payloads sets this attack sequence apart from others.
According to Oleg Kolesnikov, Vice President of Threat Research and Cybersecurity for Securonix, the campaign is still ongoing but appears to be relatively targeted at its current stage. However, there are indications that the infiltration vectors used by the attackers go beyond MSSQL, suggesting a broader threat landscape.
### The Growing Risk of Ransomware Attacks
The discovery of this latest cyberattack campaign is particularly concerning as ransomware attacks continue to rise and threaten organizations worldwide. Attackers are becoming more aggressive, aiming to inflict widespread damage before defenders can detect and respond to infections. It is crucial for organizations to remain vigilant and take proactive steps to secure their MSSQL servers.
### Recommendations for MSSQL Security
To reduce the attack surface associated with MSSQL services, enterprises are advised to limit their exposure to the internet. This can be achieved by restricting external connections to MSSQL database servers whenever possible. Weak account credentials and external connections to MSSQL servers have been recurring vulnerabilities exploited by threat actors.
Another critical step is for security teams to understand and implement defenses specific to the attack progression and behaviors leveraged by malicious threat actors. This includes restricting the use of xp_cmdshell as part of the standard operating procedures. Monitoring common malware staging directories, such as “C:\Windows\Temp,” and deploying additional process-level logging, such as Sysmon and PowerShell logging, are also recommended for enhanced detection coverage.
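One way to act on the detection advice above, as an added example that is not Securonix's or the article's own tooling: a small Python pass over constructed Sysmon-style events that flags the behaviours described in the campaign (sqlservr.exe spawning a shell, which is how xp_cmdshell executes commands; a binary dropped in C:\Windows\Temp; a local account being created). The field subset, the sqlservr.exe path and the sample events are assumptions built for the example.

```python
from collections import Counter
from dataclasses import dataclass

STAGING_DIR = r"c:\windows\temp"          # staging directory named in the article
SHELLS = {"cmd.exe", "powershell.exe"}    # children xp_cmdshell typically spawns
DROPPED_EXT = (".exe", ".dll", ".ps1", ".bat")

@dataclass
class Event:
    """Minimal subset of Sysmon fields: ID 1 = ProcessCreate, ID 11 = FileCreate."""
    event_id: int
    image: str
    parent_image: str = ""
    command_line: str = ""
    target_filename: str = ""

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev: Event) -> list[str]:
    """Return the alert names an event triggers; an empty list means no finding."""
    hits = []
    if ev.event_id == 1:
        # xp_cmdshell runs commands as a child of the SQL Server service process
        if basename(ev.parent_image) == "sqlservr.exe" and basename(ev.image) in SHELLS:
            hits.append("mssql_spawned_shell")
        cl = ev.command_line.lower()
        if basename(ev.image) in {"net.exe", "net1.exe"} and " user " in cl and "/add" in cl:
            hits.append("local_user_created")
    elif ev.event_id == 11:
        name = ev.target_filename.lower()
        if name.startswith(STAGING_DIR + "\\") and name.endswith(DROPPED_EXT):
            hits.append("binary_dropped_in_temp")
    return hits

def scan(events: list[Event]) -> dict[str, int]:
    """Count alerts across an event stream, e.g. one host's Sysmon log."""
    return dict(Counter(h for ev in events for h in classify(ev)))

# Constructed sample stream (hypothetical paths and names, not real telemetry)
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
SAMPLE = [
    Event(1, r"C:\Windows\System32\cmd.exe", SQLSERVR, "cmd.exe /c dir"),
    Event(1, r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe",
          "net user backupsvc <pw> /add"),
    Event(11, SQLSERVR, target_filename=r"C:\Windows\Temp\srv.exe"),
    Event(1, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    Event(11, r"C:\Windows\System32\svchost.exe", target_filename=r"C:\Windows\Temp\cache.tmp"),
]
```

Running `scan(SAMPLE)` yields one hit for each of the three behaviours and none for the benign notepad and .tmp events; in practice the same checks would be applied to parsed Sysmon events from the event log or a SIEM.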
### Alarming Increase in SQL Server Attacks
The discovery of the DB#JAMMER campaign aligns with another alarming trend – the surge in attacks targeting vulnerable SQL servers. According to a report from Palo Alto’s Unit 42, malicious activity against vulnerable SQL servers has increased by a staggering 174% compared to the previous year (2022). This highlights the urgent need for organizations to prioritize the security of their MSSQL databases and fortify their defenses.
The DB#JAMMER campaign serves as a stark reminder of the ever-increasing cybersecurity threats facing businesses today. As attackers become more sophisticated, organizations must remain vigilant, employ robust security measures, and stay up-to-date with the latest best practices to safeguard their critical data and systems. Failure to do so can lead to significant financial losses, operational disruptions, and reputational damage.