Targeted Attacks on Microsoft SQL Deliver Ransomware

Date: September 6, 2023


Ransomware operators are again targeting exposed Microsoft SQL Server (MSSQL) databases with brute-force credential attacks that seek to deliver Cobalt Strike and ransomware payloads.

"The typical attack sequence observed for this campaign begins with brute forcing access into the exposed MSSQL databases. After initial infiltration, the attackers expand their foothold within the target system and use MSSQL as a beachhead to launch several different payloads, including remote-access Trojans (RATs) and a new Mimic ransomware variant called FreeWorld," DarkReading reports.

“The attackers also establish a remote SMB share to mount a directory housing their tools, which include a Cobalt Strike command-and-control agent (srv.exe) and AnyDesk; and they deploy a network port scanner and Mimikatz, for credential dumping and to move laterally within the network.”

Researchers noted that the techniques are more advanced than typically seen in ransomware operations, saying that "what truly sets this attack sequence apart is the extensive tooling and infrastructure used by the threat actors."
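For defenders, the brute-force stage at the start of this sequence is visible in the SQL Server error log. The following is an added example, not code from the original report or from Halcyon: it flags clients with a burst of failed logins and records whether a successful login from the same client followed. The log lines are constructed, the threshold and window are illustrative assumptions, and the success lines assume login auditing is set to record both failed and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format; the client addresses
# are documentation ranges, not indicators from the reported campaign.
SAMPLE_LOG = """\
2023-09-06 10:14:00.00 spid12s     Starting up database 'tempdb'.
2023-09-06 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-06 10:15:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-06 10:15:03.10 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-09-06 10:15:04.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-06 10:15:05.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-06 10:15:06.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-06 10:15:09.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-06 10:20:00.10 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-09-06 10:20:10.10 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse(log_text):
    """Yield (timestamp, client, user, succeeded) for each login audit line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["client"], m["user"], m["result"] == "succeeded"

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map each client with >= threshold failures inside window to an alert."""
    recent = defaultdict(list)  # client -> failure timestamps still in window
    alerts = {}
    for ts, client, user, ok in sorted(parse(log_text)):
        recent[client] = [t for t in recent[client] if ts - t <= window]
        if not ok:
            recent[client].append(ts)
        if len(recent[client]) >= threshold:
            alert = alerts.setdefault(client, {"failures": 0, "success_after_burst": None})
            alert["failures"] = max(alert["failures"], len(recent[client]))
            if ok and alert["success_after_burst"] is None:
                alert["success_after_burst"] = user  # guessing likely worked
    return alerts
```

An alert whose `success_after_burst` is set is the case to escalate, since it suggests a guessed credential rather than a blocked attempt.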

Takeaway: Today's ransomware attacks highlight the continued blurring of the lines between nation-state-supported operations and those of cybercriminal elements.

Criminal elements have increased their capabilities by adopting techniques that until recently were usually seen only in nation-state espionage operations, and nation-state actors like Russia are enjoying some additional level of plausible deniability by making some of their attacks appear to be conducted by cybercriminal syndicates.

One thing these groups have in common is their propensity to hit targets in key critical infrastructure sectors. A wide variety of industries fall under the critical infrastructure umbrella, some with the potential to cause widespread disruptions if successfully targeted by these threat actors.

The US government is in a tough position regarding what actions to take to stem this wave of ransomware attacks, chiefly because there is so much ambiguity in determining root attribution for the attacks.

Ultimately, it's rogue nations that are providing safe harbor for criminal elements conducting ransomware attacks with impunity - and are very likely influencing some of their targets.

Until the US government directly sanctions these rogue regimes for their direct or tacit support for this onslaught of ransomware attacks, we will not see attacks abate any time soon. It's only a matter of time before we see another massively disruptive attack against a critical infrastructure target.
