Hackers are scanning for MySQL servers to deploy GandCrab ransomware

cyber

At least one Chinese hacking crew is currently scanning the internet for Windows servers that are running MySQL databases so they can infect these systems with the GandCrab ransomware.

These attacks are somewhat unique, as cyber-security firms have not seen any threat actor until now that has attacked MySQL servers running on Windows systems to infect them with ransomware.

Andrew Brandt, Principal Researcher at Sophos, and the one who spotted these new attacks in a honeypot’s logs described them as “a serendipitous discovery” in an email to ZDNet.

The researcher published today a blog post on the Sophos website detailing this new scanning activity and its payload.

ATTACKERS TARGET RARE, BUT JUICY, EXPOSED MYSQL DBS

Brandt said hackers would scan for internet-accessible MySQL databases that would accept SQL commands, check if the underlying server would run on Windows, and then use malicious SQL commands to plant a file on the exposed servers, which they’d later execute, infecting the host with the GandCrab ransomware.

While most system administrators typically protect their MySQL servers with passwords, the purpose of these scans appeared to be the opportunistic exploitation of misconfigured or passwordless databases.

According to Brandt, the hackers appeared to have been quite prodigious, while not entirely clear if they were successful.

The Sophos researcher tracked these attacks back to a remote server, which had an open directory running server software called HFS, which exposed download stats for the attacker’s malicious payloads.

GandCrab MySQL campaign
Image: Sophos Labs

“The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file,” Brandt said.

“Counted together, there has been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory.

Source: https://www.zdnet.com/article/hackers-are-scanning-for-mysql-servers-to-deploy-gandcrab-ransomware/

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Next Post

Hackers Stole Customers' Credit Cards from 103 Checkers and Rally's Restaurants

If you have swiped your payment card at the popular Checkers and Rally’s drive-through restaurant chains in past 2-3 years, you should immediately request your bank to block your card and notify it if you notice any suspicious transaction. Checkers, one of the largest drive-through restaurant chains in the United […]