Attack

Microsoft SQL servers under attack, used to deploy FreeWorld ransomware

Take action: Securing MSSQL is not a new topic, so just be diligent: (1) don't expose MSSQL to the internet; (2) use complex account credentials and disable the default account; (3) restrict the use of xp_cmdshell.
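The three hardening steps above, plus two quick checks for the brute-force and persistence behaviour this campaign relies on, as a T-SQL script. This is an added example, not code from the article or from Securonix; it assumes a sysadmin connection, that the default account is the built-in `sa` login, that SQL Server's default "failed logins only" auditing is enabled (so failed attempts land in the error log), and it uses a placeholder name for the renamed login. Keeping the server off the internet is a network-level control and is not covered here.

```sql
-- Added hardening and check script (not from the original article). Run as sysadmin.

-- (3) Restrict xp_cmdshell: turn it off and confirm the effective value.
-- 'show advanced options' must be enabled before xp_cmdshell can be configured.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- value_in_use should be 0 after the change above.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- (2) Disable the default login, then rename it so password guessing has no
-- well-known target. The new name is a placeholder; choose your own.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_admin_disabled];

-- Enforce the Windows password policy on any SQL login that must stay enabled.
-- Replace [app_login] with a real login name before running.
-- ALTER LOGIN [app_login] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- Check 1: brute-force activity shows up as 'Login failed for user' entries in
-- the current SQL Server error log (log 0, type 1 = SQL Server log).
EXEC xp_readerrorlog 0, 1, N'Login failed';

-- Check 2: the campaign creates and modifies accounts for persistence, so list
-- server-level principals created in the last 7 days and review each one.
SELECT name, type_desc, create_date, modify_date
FROM sys.server_principals
WHERE create_date > DATEADD(day, -7, GETDATE())
   OR modify_date > DATEADD(day, -7, GETDATE())
ORDER BY modify_date DESC;
```

The order of the `ALTER LOGIN` statements matters: disable first, then rename, because the second statement references the login by its original name. If the failed-login query returns a steady stream of entries from a single address, the instance is reachable from where it should not be, which is the first step on the list.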


Learn More

A cyberattack campaign targeting exposed Microsoft SQL Server (MSSQL) databases has been uncovered, employing brute-force tactics to deliver ransomware.

The campaign, referred to as "DB#JAMMER" by security firm Securonix, begins with attackers using brute-force password guessing to gain access to exposed MSSQL databases. Once inside, they use MSSQL as a platform to enumerate the network, move laterally to other systems, and deploy various payloads, including a new Mimic ransomware variant named "FreeWorld." This variant is distinguished by the inclusion of "FreeWorld" in file names, a ransom instruction file (FreeWorld-Contact.txt), and the ".FreeWorldEncryption" extension.

The attackers also establish a remote SMB share to host their tools, which include a Cobalt Strike command-and-control agent (srv.exe) and AnyDesk. They use a network port scanner and the Mimikatz tool for credential theft and lateral movement within the network, and they make configuration changes such as user creation and modification and registry alterations to bypass defenses.

Security researchers have characterized this campaign as exhibiting a "high level of sophistication" due to the extensive tooling and infrastructure employed by the threat actors. Oleg Kolesnikov, Vice President of Threat Research and Cybersecurity at Securonix, notes that this campaign is still ongoing and appears to be relatively targeted in its current stage.