Hackers Targeting Database Servers to Mine Cryptocurrency

Chinese Cybercrime Group Targets Database Servers Globally

Recent investigations by security firm GuardiCore Labs have uncovered a series of extensive cyber-attack campaigns spearheaded by a prominent Chinese criminal organization. These attacks, which utilize multiple innovative techniques, are primarily aimed at database servers for the illicit purposes of mining cryptocurrencies, extracting sensitive information, and establishing DDoS botnets.

Through the analysis of thousands of attacks observed over recent months, researchers have identified at least three notable attack variants: Hex, Hanako, and Taylor. Each of these variants focuses on exploiting vulnerabilities within Microsoft SQL and MySQL servers running on both Windows and Linux environments. The targets of these attacks predominantly include systems located in China, with additional victims situated in countries such as Thailand, the United States, and Japan.

The Hex variant is particularly alarming as it deploys cryptocurrency miners and remote access trojans (RATs) on compromised machines, allowing attackers ongoing access and control. In contrast, Taylor focuses on installing keyloggers and backdoors, while Hanako creates a network of infected devices to orchestrate DDoS attacks.

To gain unauthorized entry into database servers, the attackers first brute-force the database login and then run a predefined sequence of SQL commands that establishes persistent access while evading detection. Because their attack infrastructure is modular and built on already compromised systems, dismantling their operations is difficult.

It is noteworthy that all three attack variants create backdoor accounts within the database systems and enable Remote Desktop Protocol (RDP) access. This provides the attackers with a means to remotely install various malicious payloads, including cryptocurrency miners or RATs. The attackers also disable security software by executing shell commands, and they cover their tracks with batch files and Visual Basic scripts that remove evidence from the Windows registry and file system.

Potential tactics and techniques exhibited in these attacks align with various categories outlined in the MITRE ATT&CK framework. Initial access methods likely involve credential dumping and brute force attacks, while persistence is achieved through the establishment of backdoor users. Techniques such as privilege escalation and defense evasion are also evident, emphasizing the need for robust security measures.

For organizations seeking to protect against these types of incursions, it is essential to proactively monitor for the specific compromised usernames associated with these attacks, including 'hanako' and 'Guest'. Furthermore, adhering to the comprehensive database hardening guidelines published by MySQL and Microsoft can bolster defenses significantly.

While preventative measures may seem straightforward, the complexities of real-world networks often complicate security efforts. Business owners are strongly advised to maintain a rigorous review process concerning which machines can access their databases, keeping this list minimal and blocking any suspicious connection attempts from external sources. Overall, an understanding of the evolving tactics employed by cybercriminals is crucial in minimizing risk exposure in today’s digital landscape.
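As an added illustration of the two defensive steps above (watching for the reported account names and keeping the set of machines and principals allowed to reach the database small), the following Python audit is an example written for this page; it is not code from the original article or from GuardiCore's report. The account snapshot, the allow-list and the error-log excerpt are all constructed; the "Access denied" line format follows MySQL's error log when failed connections are logged, and a Microsoft SQL Server deployment would need its own query (sys.server_principals) and log source.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Usernames the article names as indicators of these campaigns (matched case-insensitively).
INDICATOR_USERS = {"hanako", "guest"}


@dataclass(frozen=True)
class DbAccount:
    """One row of a MySQL-style user table: who may connect, from where, and with what power."""
    user: str
    host: str
    is_superuser: bool


# Constructed snapshot, as if read from `SELECT User, Host, Super_priv FROM mysql.user`.
SAMPLE_ACCOUNTS = [
    DbAccount("root", "localhost", True),
    DbAccount("app", "10.0.1.%", False),
    DbAccount("backup", "10.0.2.15", False),
    DbAccount("hanako", "%", True),   # backdoor-style account: indicator name, any host, superuser
    DbAccount("report", "%", False),  # legitimate-looking but not on the allow-list
]

# Hypothetical allow-list produced by the access review the article recommends:
# every (user, host) pair that is permitted to connect, and nothing else.
ALLOWED_PAIRS = {("root", "localhost"), ("app", "10.0.1.%"), ("backup", "10.0.2.15")}


def audit_accounts(accounts, allowed_pairs):
    """Return (user, host, reason) findings for accounts that should not exist or are over-exposed."""
    findings = []
    for acct in accounts:
        pair = (acct.user, acct.host)
        if acct.user.lower() in INDICATOR_USERS:
            findings.append((*pair, "username matches a reported backdoor account"))
        if pair not in allowed_pairs:
            findings.append((*pair, "account/host pair is not on the access allow-list"))
        if acct.is_superuser and acct.host in ("%", ""):
            findings.append((*pair, "superuser may connect from any host"))
    return findings


# MySQL writes one such line per failed login when connection failures are logged.
ACCESS_DENIED = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']+)'")

# Constructed error-log excerpt: a password-guessing burst from one host, one stray failure from another.
SAMPLE_LOG = """\
2017-12-19T08:00:01.000000Z 41 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2017-12-19T08:00:01.200000Z 42 [Note] Access denied for user 'sa'@'203.0.113.7' (using password: YES)
2017-12-19T08:00:01.400000Z 43 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2017-12-19T08:00:01.600000Z 44 [Note] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2017-12-19T08:00:01.800000Z 45 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2017-12-19T08:05:30.000000Z 46 [Note] Access denied for user 'app'@'10.0.1.22' (using password: YES)
"""


def brute_force_sources(log_lines, threshold=5):
    """Count failed logins per source host over the whole excerpt; return hosts at or above threshold."""
    failures = Counter()
    for line in log_lines:
        match = ACCESS_DENIED.search(line)
        if match:
            failures[match.group("src")] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for user, host, reason in audit_accounts(SAMPLE_ACCOUNTS, ALLOWED_PAIRS):
        print(f"ACCOUNT  {user}@{host}: {reason}")
    for src, count in brute_force_sources(SAMPLE_LOG.splitlines()).items():
        print(f"BRUTE    {src}: {count} failed logins")
```

The account check deliberately reports an indicator-named account and an unlisted account as separate findings, because the allow-list comparison is what catches the next campaign's account name; the indicator set only catches this one. The log check counts over the whole excerpt for simplicity; in production it should count within a sliding time window.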
