Ransomware Operators Automate Exploitation of Insecure MS- SQL Servers


May 1, 2023

World map

Researchers have identified ransomware campaigns leveraging automated scans to identify inadequately secured MS-SQL servers that are in-turn abused to deliver Trigona ransomware.

“Researchers... observed the threat actors scanning for internet-exposed Microsoft SQL servers and then trying to access them either via brute-force or dictionary attacks. These attacks work if the servers have simple, easy-to-guess passwords, and by automating the login process, the hackers can breach numerous servers with ease,” Tech Radar reports.

“Once they gain access to the endpoint, the attackers will first install a piece of malware the researchers named CLR Shell. This malware picks up system information, changes the compromised account’s configuration, and escalates privileges to LocalSystem through a vulnerability in the Windows Secondary Logon Service.”

Takeaway: March of 2023 was the most prolific month so far for the sheer volume of ransomware attacks observed, with research indicating there were 459 successful attacks, up 91% from February volume and up 62% year-over-year.

One of the reasons for this spike in ransomware attacks is the fact that threat actors are getting better at taking advantage of unpatched vulnerabilities and misconfigurations by automating aspects of their attack progressions.  

Automation means ransomware operators hit more victims faster, which translates to more ransoms collected and more fiscal pain for the victim organizations, which is the name of the game for these threat actors.

For example, hundreds of organizations have been hit in the last few weeks by the Cl0p ransomware gang as they continue to exploit a known vulnerability in the GoAnywhere software. We are also seeing signs of automation is attacks exploiting a similar vulnerability in IBM Aspera Faspex. ‍

Then just last week, researchers published analysis of a new semi-autonomous ransomware strain dubbed Rorschach that was noted for its automation, encryption speed, stealthy DLL side-loading, and advanced security evasion.

Then again just this week, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang also developed two new custom data exfiltration tools.

These are multi-staged attacks, where the threat actors are designed to infiltrate as much of the victim network as possible to exfiltrate sensitive data for extortion. This ingress and lateral movement on the targeted network takes time, so automating aspects of the attack sequence allows threat actors to compromise targets faster.

Some of these automated techniques and attack tooling are extremely difficult to detect, but many of these techniques can only be leveraged if the target has left themselves open to the attack. Simple things like not using weak or default passwords, which helps prevent brute-force or dictionary attacks.

Timely patching of vulnerabilities – both old and new - is another big one all organizations should prioritize to prevent exploitation. These attackers are out there somewhere scanning for any opening into the target network they can find.  

If it’s so easy for attackers to automate discovery of these vulnerable systems, there is really no excuse for an organization to be caught off guard and victimized.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.