URL: https://therecord.media/microsoft-sql-databases-attacked-ransomware-hackers


Jonathan Greig, September 1st, 2023


RANSOMWARE ATTACKERS ARE TARGETING EXPOSED MICROSOFT SQL DATABASES, REPORT SAYS

Ransomware campaigns are using internet-exposed Microsoft SQL databases as a
beachhead to launch attacks on victim systems, according to researchers.

Cybersecurity company Securonix said that it found examples of hackers abusing
internet-facing Microsoft SQL Server (MSSQL) instances. MSSQL is a widely used
database server that stores and retrieves data on behalf of applications;
Microsoft's product is one of several relational database management systems
that use SQL, short for structured query language. Note that the intrusions
described here did not rely on a software vulnerability: the entry point was
weak or guessable credentials on a database that should not have been reachable
from the internet at all.

Oleg Kolesnikov, vice president of threat research at Securonix, told Recorded
Future News that the typical attack sequence begins with hackers trying to gain
access to exposed Microsoft SQL databases through brute forcing — a hacking
method that uses trial and error to crack passwords.

Securonix researchers said it was unclear if the hackers are “using a
dictionary-based, or random password spray attempts.”
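The distinction matters for detection: a dictionary or brute-force attack shows up as many failures against one login from one address, while a password spray shows up as one or two failures against each of many logins. The following added example (it is not from the article or from Securonix) parses failed-login lines in the layout SQL Server writes to its ERRORLOG for error 18456, which the server records as long as login auditing includes failed logins, and labels each client address accordingly. The sample lines, client addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout of a failed-login line in the SQL Server ERRORLOG (error 18456).
# The constructed sample lines below follow it; the run of spaces after
# "Logon" varies between builds, so the regex accepts any whitespace there.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.+?) "
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def classify_failed_logins(lines, brute_min=10, spray_min_users=5, spray_max_per_user=2):
    """Group failed logins by client address and label the pattern.

    brute-force     : >= brute_min attempts spread over at most two logins
    password-spray  : >= spray_min_users distinct logins, none tried more than
                      spray_max_per_user times
    below-threshold : everything else (typos, one stale service password)
    Thresholds are illustrative; tune them to the instance's normal failure rate.
    """
    per_client = defaultdict(lambda: {"attempts": 0, "users": defaultdict(int),
                                      "first": None, "last": None})
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if not m:          # skips "Error: 18456, Severity: 14, State: 8." and other lines
            continue
        rec = per_client[m["client"]]
        rec["attempts"] += 1
        rec["users"][m["user"]] += 1
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]

    report = {}
    for client, rec in per_client.items():
        users = rec["users"]
        if rec["attempts"] >= brute_min and len(users) <= 2:
            label = "brute-force"
        elif len(users) >= spray_min_users and max(users.values()) <= spray_max_per_user:
            label = "password-spray"
        else:
            label = "below-threshold"
        report[client] = {
            "label": label,
            "attempts": rec["attempts"],
            "distinct_users": len(users),
            "top_user": max(users, key=users.get),
            "first": rec["first"],
            "last": rec["last"],
        }
    return report


def _failed(ts, user, client, reason="Password did not match that for the login provided."):
    """Build one constructed ERRORLOG line (not a real capture)."""
    return f"{ts} Logon       Login failed for user '{user}'. Reason: {reason} [CLIENT: {client}]"


# Constructed sample log: one address hammering 'sa', one address trying many
# logins once each, and one legitimate application user who mistyped a password.
SAMPLE_LOG = ["2023-09-01 10:00:00.00 Logon       Error: 18456, Severity: 14, State: 8."]
SAMPLE_LOG += [_failed(f"2023-09-01 10:00:{i:02d}.00", "sa", "203.0.113.5") for i in range(12)]
SAMPLE_LOG += [_failed(f"2023-09-01 10:01:{i:02d}.00", u, "198.51.100.7",
                       "Could not find a login matching the name provided.")
               for i, u in enumerate(["admin", "backup", "sqladmin", "test", "reports", "dba"])]
SAMPLE_LOG.append(_failed("2023-09-01 10:02:00.00", "app_user", "192.0.2.10"))

if __name__ == "__main__":
    for client, info in classify_failed_logins(SAMPLE_LOG).items():
        print(f"{client:15} {info['label']:16} attempts={info['attempts']:<3} "
              f"logins={info['distinct_users']} window={info['first']}..{info['last']}")
```

Run it against `xp_readerrorlog` output or the ERRORLOG file itself, bucketed by hour, to get the same split; a spray that rotates source addresses will land in `below-threshold` per address, so also aggregate by login name when the instance is reachable from many networks.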

Once a database’s password is cracked, “the attackers expand their foothold
within the target system and use MSSQL as a beachhead to launch a number of
different payloads,” including remote access trojan (RAT) malware and
ransomware, Kolesnikov said.

“This is not something we have been seeing often, and what truly sets this
attack sequence apart is the extensive tooling and infrastructure used by the
threat actors,” he said.

After the hackers break in, they use a variety of tools to map out the network,
steal credentials and eventually deploy ransomware.

Securonix did not attribute the attacks to any known group but found that the
hackers deployed ransomware called FreeWorld, a new variant of the Mimic
ransomware. Mimic was spotlighted earlier this year by researchers at Trend
Micro after first being seen in the wild in June 2022.

It targets Russian- and English-speaking users, and Trend Micro said there are
indicators tying it to the Conti ransomware builder that was leaked last year.

“Given how quickly the attackers got to work, this attack appears to be quite
sophisticated from tooling to infrastructure,” Securonix researchers said.


USING LEGITIMATE IT TOOLS

The hackers painstakingly disable the system’s defenses before creating
administrator accounts that provide them with widespread access.

In the case examined by Securonix, the threat actors tried a number of different
methods in order to exfiltrate data and import the tools needed to gain further
persistence in the victim systems.

Several tools were blocked by the victim’s firewall, but the hackers eventually
succeeded with the AnyDesk remote access software — a legitimate IT tool
increasingly popular among threat actors. The Cybersecurity and Infrastructure
Security Agency (CISA) warned earlier this year that malicious hackers are
deploying commercial remote monitoring and management (RMM) software.

“Upon execution, the ransomware began encrypting the victim host and generated
encrypted files using the ‘.FreeWorldEncryption’ extension. Once it has run
through its course, it will create a text file named ‘FreeWorld-Contact.txt’
with instructions as to how to pay the ransom,” the Securonix report said.

The company said organizations using Microsoft SQL databases should not expose
them to the internet — advice that CISA has been pushing more fervently in
recent months.
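The simplest way to verify that advice from the outside is to ask whether anything on a host's TCP port 1433 speaks TDS, the wire protocol SQL Server uses. The following added example (not from the article, Securonix or Microsoft) sends a minimal TDS PRELOGIN message and parses the VERSION and ENCRYPTION options of the reply, which the server returns before any authentication takes place; the placeholder hostname, the timeout and the sample reply bytes are constructed for illustration.

```python
import socket
import struct

TDS_PRELOGIN = 0x12        # client PRELOGIN message type
TDS_RESPONSE = 0x04        # server reply ("tabular result") message type
OPT_VERSION, OPT_ENCRYPTION, OPT_TERMINATOR = 0x00, 0x01, 0xFF
ENCRYPTION_NAMES = {0: "OFF", 1: "ON", 2: "NOT_SUP", 3: "REQ"}


def build_prelogin() -> bytes:
    """Minimal PRELOGIN carrying VERSION (all zeros) and ENCRYPTION (NOT_SUP)."""
    opts = [(OPT_VERSION, bytes(6)), (OPT_ENCRYPTION, b"\x02")]
    table, data = b"", b""
    offset = 5 * len(opts) + 1          # option table (5 bytes each) + terminator
    for token, blob in opts:
        table += struct.pack(">BHH", token, offset, len(blob))
        data += blob
        offset += len(blob)
    payload = table + bytes([OPT_TERMINATOR]) + data
    # header: type, status (0x01 = end of message), total length, SPID, packet id, window
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload


def parse_prelogin_response(pkt: bytes) -> dict:
    """Return {'version': 'major.minor.build', 'encryption': name} from a PRELOGIN reply."""
    if len(pkt) < 8 or pkt[0] != TDS_RESPONSE:
        raise ValueError("not a TDS PRELOGIN response")
    payload = pkt[8:]
    result, i = {}, 0
    while i + 5 <= len(payload) and payload[i] != OPT_TERMINATOR:
        token, off, ln = struct.unpack_from(">BHH", payload, i)
        blob = payload[off:off + ln]
        if token == OPT_VERSION and len(blob) >= 6:
            # UL_VERSION = major, minor, build (big-endian 16-bit), then US_SUBBUILD
            result["version"] = f"{blob[0]}.{blob[1]}.{(blob[2] << 8) | blob[3]}"
        elif token == OPT_ENCRYPTION and len(blob) == 1:
            result["encryption"] = ENCRYPTION_NAMES.get(blob[0], f"0x{blob[0]:02x}")
        i += 5
    return result


def probe_mssql(host: str, port: int = 1433, timeout: float = 3.0):
    """Connect, send PRELOGIN and return the parsed reply, or None if nothing speaks TDS."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_prelogin())
            reply = s.recv(4096)
        return parse_prelogin_response(reply) if reply else None
    except (OSError, ValueError):
        return None


# Constructed reply, not a capture: header plus VERSION 15.0.2000 and ENCRYPTION REQ.
SAMPLE_RESPONSE = bytes.fromhex(
    "0401001a00000100"      # type 0x04, EOM, length 26, spid 0, packet 1, window 0
    "00000b0006"            # VERSION    at offset 11, 6 bytes
    "0100110001"            # ENCRYPTION at offset 17, 1 byte
    "ff"                    # terminator
    "0f0007d00000"          # major 15, minor 0, build 0x07d0 = 2000, subbuild 0
    "03"                    # ENCRYPT_REQ
)

if __name__ == "__main__":
    print(parse_prelogin_response(SAMPLE_RESPONSE))
    # Live check against an instance you are authorised to test (placeholder host):
    # print(probe_mssql("db.example.internal"))
```

Run `probe_mssql` from outside the perimeter against your own public ranges: any non-`None` result is a database that the article's advice says should not be there. Named instances listening on other ports are not found by a 1433-only probe, and a reply with `encryption` other than `REQ` additionally means the server accepts unencrypted logins.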

The agency said in June that it is now working with federal agencies to remove
network management tools from the public-facing internet after researchers
discovered hundreds were still publicly exposed.



JONATHAN GREIG



Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has
worked across the globe as a journalist since 2014. Before moving back to New
York City, he worked for news outlets in South Africa, Jordan and Cambodia. He
previously covered cybersecurity at ZDNet and TechRepublic.

© Copyright 2023 | The Record from Recorded Future News