Poorly secured Microsoft SQL (MSSQL) servers have become a favorite target for many groups of attackers, including ransomware gangs. In a recent attack campaign dubbed DB#JAMMER, attackers used brute-force attacks to compromise MSSQL servers and deploy Cobalt Strike and a variant of the Mimic ransomware called FreeWorld.
“One of the things that makes DB#JAMMER stand out is how the attacker’s tooling infrastructure and payloads are used,” researchers from security firm Securonix said in a new report. “Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads.”
Initial access to MSSQL servers and achieving persistence
The attackers used brute-force techniques to guess credentials for the targeted MSSQL servers, but it’s not clear whether this involved dictionary attacks, password spraying (a few common passwords tried against many accounts), or credential stuffing with username and password combinations obtained from other database leaks.
Following the initial access, the attackers investigated the database by enumerating all users with access to it and checked whether the extended stored procedure xp_cmdshell was enabled. xp_cmdshell lets a sufficiently privileged database login run a Windows command shell from Transact-SQL and returns the command output as rows of text; it is disabled by default and can only be enabled by a login with sysadmin rights. The attackers leveraged xp_cmdshell extensively, first to gather information about the system and the network environment by invoking Windows tools like wmic.exe, net.exe and ipconfig.exe, then to make modifications to Windows accounts and the system registry.
“Three new users were created on the victim host which include windows, adminv$, and mediaadmin$,” the Securonix researchers said. “Each user was added to the ‘remote desktop users’ and ‘administrators’ [groups]. Interestingly enough, the attackers attempted to execute a large one-liner, which would create the users and modify group membership. However, several variations of the command were executed to account for groups in different languages: [English, German, Polish, Spanish, and Catalan].”
Further modifications were made to the new users so that their passwords and logged-in sessions would never expire. The changes to the registry were also extensive and included enabling the Remote Desktop Protocol (RDP) service, disabling User Account Control (UAC) restrictions, and hiding the newly created users from the local login screen.
The goal of all this was to give the attackers a way to remotely control the system that is more reliable and harder to detect than issuing xp_cmdshell commands through the database. However, one problem they encountered was that incoming RDP connections were blocked by the network firewall, so they attempted to deploy ngrok, a tunneling service that exposes a local port (here RDP) through an outbound connection to ngrok’s infrastructure, sidestepping inbound firewall rules.
Malicious payloads include Cobalt Strike command-and-control agent
The attackers also mounted an SMB share hosted on a server under their control, giving them local access to a directory that contained many of their tools and payloads. This included a Cobalt Strike command-and-control agent saved as srv.exe and a copy of the remote desktop software AnyDesk.
A network port scanner and the Mimikatz credential-dumping tool were also deployed to attempt lateral movement to other systems on the network. Finally, when the attackers considered the system fully under their control, they deployed a file called 5000.exe, a dropper for a ransomware program the attackers call FreeWorld, which is actually a newer variant of the known Mimic ransomware.
Both Mimic and FreeWorld ship with Everything.exe, a legitimate Windows file-search utility that the ransomware abuses to locate files to encrypt. Encrypted files are given a .FreeWorldEncryption extension, and the ransomware drops a file with instructions on how to pay the ransom called FreeWorld-Contact.txt.
Defenses for MSSQL-based attacks
According to a report in July by security firm Trustwave, MSSQL is by far the most targeted relational database management system, and most of the attacks employ brute-force password guessing. This means that having unique and complex passwords for MSSQL logins on internet-exposed databases is critical. As this attack also highlights, the xp_cmdshell procedure poses a serious risk and should remain disabled (its default state) wherever it is not strictly required. Because any login in the sysadmin role can re-enable it through sp_configure, membership in that role should be kept to a minimum and changes to the setting should be audited. Without xp_cmdshell, the attackers would have had a much harder time turning database access into remote code execution on the host.
The Securonix researchers also advise using VPN tunnels when possible to access MSSQL servers instead of exposing them directly to the internet, monitoring common malware staging directories like “C:\Windows\Temp”, and deploying process-level logging such as Sysmon and PowerShell logging.
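To make the process-logging advice concrete, the following script is an added example (not code from the Securonix report or from this article) that runs a few detection rules over Sysmon-style process-creation records modelled on the behaviour described above: child processes of sqlservr.exe (what xp_cmdshell produces), net user and net localgroup additions including a non-English group name, the registry values that enable RDP, disable UAC and hide an account from the logon screen, and an ngrok launch. The event records, file paths, account names and command lines are constructed for illustration; the registry value names are the standard Windows ones, and the list of localized group names covers only the English and German forms, which you would extend for your own estate.

```python
"""Toy detection rules for the MSSQL/xp_cmdshell post-exploitation chain.

Constructed Sysmon Event ID 1 style records stand in for real logs; this is an
illustrative example, not tooling from the report or the article.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Groups the attackers added their accounts to. English and German forms only;
# extend with the other localized names (Polish, Spanish, Catalan, ...) you see.
PRIVILEGED_GROUPS = {
    "administrators", "administratoren",
    "remote desktop users", "remotedesktopbenutzer",
}

# Standard Windows registry values behind the changes the article describes.
REGISTRY_RULES = [
    ("rdp_enabled", re.compile(r"fDenyTSConnections.*?/d\s+0\b", re.I)),
    ("uac_disabled", re.compile(r"EnableLUA.*?/d\s+0\b", re.I)),
    ("user_hidden_from_logon", re.compile(r"SpecialAccounts\\UserList", re.I)),
]

NET_USER_ADD = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+(?:\S+\s+)?/add\b", re.I)
NET_GROUP_ADD = re.compile(
    r'\bnet1?(?:\.exe)?\s+localgroup\s+(?:"([^"]+)"|(\S+))\s+(\S+)\s+/add\b', re.I)


def analyze(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (event index, finding) pairs; one event may yield several."""
    findings = []
    for i, ev in enumerate(events):
        # Anything spawned directly by the SQL Server process is xp_cmdshell
        # (or an equally unusual mechanism) and is worth an alert on its own.
        if _basename(ev.parent_image) == "sqlservr.exe":
            findings.append((i, "xp_cmdshell_child_process"))
        for m in NET_USER_ADD.finditer(ev.command_line):
            findings.append((i, f"local_user_created:{m.group(1)}"))
        for m in NET_GROUP_ADD.finditer(ev.command_line):
            group = (m.group(1) or m.group(2)).lower()
            tag = "privileged" if group in PRIVILEGED_GROUPS else "unlisted"
            findings.append((i, f"group_member_added:{tag}:{group}:{m.group(3)}"))
        if _basename(ev.image) == "reg.exe":
            for name, rx in REGISTRY_RULES:
                if rx.search(ev.command_line):
                    findings.append((i, f"registry_tamper:{name}"))
        if _basename(ev.image) == "ngrok.exe" or re.search(r"\bngrok\b", ev.command_line, re.I):
            findings.append((i, "tunnel_tool:ngrok"))
    return findings


def triage(events: list[ProcEvent]) -> dict:
    """Escalate when SQL Server spawned a shell AND two other stages are present."""
    findings = analyze(events)
    categories = sorted({f.split(":")[0] for _, f in findings})
    return {
        "findings": findings,
        "categories": categories,
        "escalate": "xp_cmdshell_child_process" in categories and len(categories) >= 3,
    }


# Constructed sample events (not real log data).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
REG = r"C:\Windows\System32\reg.exe"
SAMPLE_EVENTS = [
    ProcEvent(SQLSERVR, CMD, "cmd.exe /c wmic computersystem get domain & ipconfig /all"),
    ProcEvent(SQLSERVR, CMD,
              "cmd.exe /c net user adminv$ P@ssw0rd1 /add & "
              "net localgroup Administratoren adminv$ /add & "
              'net localgroup "Remote Desktop Users" adminv$ /add'),
    ProcEvent(CMD, REG, r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                        r"/v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ProcEvent(CMD, REG, r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                        r"/v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(CMD, REG, r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
                        r'\SpecialAccounts\UserList" /v adminv$ /t REG_DWORD /d 0 /f'),
    ProcEvent(CMD, r"C:\Windows\Temp\ngrok.exe", "ngrok.exe tcp 3389"),
    # Benign control: an interactive admin running ipconfig from Explorer.
    ProcEvent(r"C:\Windows\explorer.exe", CMD, "cmd.exe /c ipconfig /all"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for idx, finding in result["findings"]:
        print(f"event {idx}: {finding}")
    print("escalate:", result["escalate"])
```

The rule on the parent process is the one that generalizes: on a database server there is no legitimate reason for sqlservr.exe to spawn cmd.exe or powershell.exe, so that single condition catches the whole xp_cmdshell chain regardless of which localized group names or tunneling tool the attacker uses; the remaining rules add context for triage.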