Tech Support
Documentation
Login
Contact Us
MSSQL Database Exploitation: Hackers Distribute FreeWorld
Wajahat Raja
September 18, 2023 - TuxCare expert team
In the ever-changing spectrum of cyber threats, poorly secured Microsoft SQL (MSSQL) servers have emerged as key targets for hackers, notably ransomware groups. In a recent wave of MSSQL database exploitation attacks known as DB#JAMMER, fraudsters used brute-force techniques to enter MSSQL servers before putting out a combination of Cobalt Strike and a new form of the Mimic ransomware known as FreeWorld ransomware attack.
The Intricate Attack Strategy – Access and Persistence
The attackers initiated their scheme, ransomware, targeting MSSQL by using brute-force approaches to guess MSSQL server credentials. It’s unclear whether they used dictionary-based approaches or password spraying, which entails utilizing login and password combinations gathered from earlier database hacks.
When it comes to MSSQL database exploitation, it has been revealed that hackers exploit databases by following a pipeline. The hackers meticulously examined the database after gaining first access, enumerating all users with access privileges. They also looked for the presence of a function known as xp_cmdshell. This Transact-SQL statement allows database administrators to run shell commands in the Windows environment and obtain the results as text. The attackers made considerable use of xp_cmdshell. They began by launching Windows applications such as wmic.exe, net.exe, and ipconfig.exe to acquire system and network information. They then used it to alter Windows accounts and the system registry.
Surprisingly, the attackers added three new users to the victim’s host: ‘Windows,’ ‘adminv$,’ and ‘mediaadmin$.’ Each of these users was added to the ‘administrators’ and ‘remote desktop users’ groups. Intriguingly, the attackers created these accounts and modified group memberships using a massive one-liner command that was tailored to several languages, including English, German, Polish, Spanish, and Catalan.
Further changes were made to ensure that the passwords and logged-in sessions of the new users would never expire. The registry was extensively modified, including enabling the Remote Desktop Protocol (RDP) service, disabling User Access Control limitations, and hiding remote logged-in users from the local login screen. These database security breach procedures were designed to provide the attackers with remote control over the system in a more subtle and difficult-to-detect manner than using database xp_cmdshell commands.
However, the hackers encountered a stumbling block: the network firewall banned incoming RDP connections. To get around this, they attempted to implement Ngrok, a reverse proxy and tunneling solution.
Malicious Payloads
The attackers created a remote SMB share to a server they controlled, allowing them to mount a directory containing their tools and payloads locally. This repository contained a Cobalt Strike command-and-control agent saved as ‘srv.exe’ as well as a version of AnyDesk remote desktop software.
They also used a network port scanner and the Mimikatz credential dumping tools to try to navigate the network. When the attackers determined that the machine was totally penetrated, they dropped a file called ‘5000.exe,’ which was a dropper for a ransomware program called FreeWorld. In actuality, FreeWorld is an updated version of the well-known Mimic ransomware.
Mimic and FreeWorld both use a companion application called ‘Everything.exe’ to locate files for encryption. The encrypted files have a ‘.FreeWorldEncryption’ extension, and the ransomware includes a ‘FreeWorld-Contact.txt’ file with instructions on how to pay the ransom.
Defensive Measures Against MSSQL Database Exploitation
According to a Trustwave investigation, MSSQL is the most targeted relational database management system. The majority of attacks use brute-force password-guessing techniques, emphasizing the significance of using unique and complicated passwords for MSSQL databases that are accessible via the internet.
MSSQL Security Best Practices
For preventing MSSQL vulnerabilities, it is also critical to limit the use of the xp_cmdshell method on systems. Without it, attackers would have a far more difficult time getting remote code execution on target systems.
Consider using VPN tunnels for protecting MSSQL servers rather than exposing them directly to the internet to increase security. It is recommended that common malware staging directories such as ‘C:WindowsTemp’ be monitored on a regular basis. Process-level monitoring, like Sysmon and PowerShell logging, can also help to strengthen your defenses against these ransomware distribution methods.
Conclusion
As cyber threats grow, it is critical for organizations to be aware of and implement strong security measures for MSSQL database security. You can strengthen your defenses against attackers looking to exploit flaws in your database architecture by using secure passwords, minimizing dangerous procedures, and adopting effective monitoring. This will reduce downtime and guarantee compliance. On top of that, you should also learn how to recover from ransomware, as it can help ensure business continuity in the face of growing threats such as FreeWorld ransomware.
The sources for this piece include articles in Cybersecurity News and CSO.
