Threat actors are increasingly targeting inadequately secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a specific ransomware variant known as FreeWorld. This concerning trend has been highlighted by cybersecurity firm Securonix, which has labeled the ongoing operation as DB#JAMMER. This campaign is notable for its sophisticated use of tools and infrastructure, marking a significant escalation in ransomware deployment tactics.
The research team, comprising Den Iuzvyk, Tim Peck, and Oleg Kolesnikov, elaborated on the tools utilized in this attack, which include enumeration software, remote access Trojan (RAT) payloads, exploitation and credential-stealing applications, culminating in the use of ransomware payloads. According to the analysts, the ransomware of choice appears to be a newer variant of Mimic ransomware, specifically dubbed FreeWorld.
Initial access into target systems is typically achieved through brute-force attacks against MS SQL servers. By exploiting this entry point, attackers can enumerate the database and employ the xp_cmdshell configuration option to execute shell commands and conduct reconnaissance. Notably, this tactic aligns with the Initial Access and Execution techniques outlined in the MITRE ATT&CK framework.
Once inside the system, the attack further complicates defenses through efforts aimed at impairing the system firewall and establishing persistence. Attackers achieve this by connecting to remote SMB shares to facilitate file transfers, as well as deploying malicious tools like Cobalt Strike. This process ultimately enables the distribution of AnyDesk software to facilitate the delivery of FreeWorld ransomware, although an unsuccessful attempt was also reported concerning the establishment of RDP persistence via Ngrok.
The researchers emphasized the underlying issue of weak password policies, noting that the success of these attacks can often be traced back to insecure credentials on publicly exposed services. The implications of such attacks extend far beyond the immediate threats, highlighting the urgent need for robust password protocols and security measures.
This incident is not isolated. Previous reports have indicated that mismanaged MS SQL servers have frequently become targets for various malware deployment campaigns. For instance, the AhnLab Security Emergency Response Center recently documented a fresh wave of attacks utilizing malware such as LoveMiner and projacking software via compromised servers.
The increasing prevalence of these cyber threats has coincided with a notable rise in ransomware incidents overall. Statistics from July 2023 show that the number of attacks has soared, even as the proportion of victims who ultimately paid ransoms dropped to a record low of 34%. Nonetheless, the average ransom payment has surged to approximately $740,144, reflecting a daunting trend for businesses facing such cyber extortion threats.
In addition to the growing ransom demands, attackers have begun evolving their tactics, employing sophisticated methods to undermine victims’ claims for insurance payouts. For example, some ransomware groups, such as Snatch, have publicly stated their intent to showcase attack details against non-paying victims, potentially influencing insurance company decisions and reinforcing the need for businesses to bolster their cybersecurity frameworks.
As the landscape of cybercrime continues to evolve, it is critical for those in managerial and technical roles to remain vigilant and proactive concerning the security of their infrastructures. Strengthening password policies, employing multi-factor authentication, and regularly auditing database services are essential steps in securing against the threats posed by these advanced tactics. In light of these developments, organizations must prioritize a comprehensive approach to cybersecurity, utilizing frameworks like MITRE ATT&CK to understand and mitigate risks associated with such malicious activities.
