WordPress Websites Targeted: Hackers Exploit LiteSpeed Cache Flaw
WordPress website owners and administrators should be aware of a recent surge in attacks exploiting a security vulnerability in older versions of the popular LiteSpeed…
DB#JAMMER Campaign Exploiting Vulnerable MS SQL Servers to Disseminate Cobalt Strike and FreeWorld Ransomware
Overview
A concerning campaign known as “DB#JAMMER” has recently emerged, drawing the attention of security researchers. In this evolving threat landscape, hackers are capitalising on insecurely configured Microsoft SQL (MS SQL) servers to execute attacks that deliver both Cobalt Strike and FreeWorld ransomware. Securonix initially identified this campaign, noting its distinctive use of tooling infrastructure and payloads, coupled with remarkable speed in execution. Furthermore, DB#JAMMER’s threat level is assessed as medium to high due to indications that the hackers are targeting more than just MS SQL servers.
Attack Techniques
The hackers’ arsenal includes enumeration tools, credential theft utilities, and ransomware and remote access trojan (RAT) payloads. The initial breach involves brute-force attacks directed at MS SQL servers. Once inside, the attackers enumerate databases and exploit the xp_cmdshell configuration option to gather reconnaissance data and execute shell commands. Subsequently, the hackers disable system firewalls and establish persistence by employing remote SMB shares for file transfers, along with the installation of malicious tools, such as Cobalt Strike. This groundwork lays the foundation for the deployment of AnyDesk software, which, in turn, facilitates the installation of FreeWorld ransomware. Lateral movement is also a part of their strategy, as they attempt to spread malicious software throughout the target network. Of note are the hackers’ unsuccessful attempts to establish Remote Desktop Protocol (RDP) persistence via Ngrok.
Mitigations
To safeguard against the “DB#JAMMER” campaign and similar threats, consider the following recommendations, including those from the Securonix research team:
- Reduce Attack Surface: Minimise the exposure of MSSQL services to the internet to limit attack opportunities.
- Implement Appropriate Defences: In MSSQL environments, restrict the use of xp_cmdshell and implement monitoring of standard malware staging directories, such as “C:\Windows\Temp.” Additionally, deploy process-level logging, including Sysmon and PowerShell logging.
- Strengthen Passwords: Use unique and complex passwords for online-accessible MSSQL databases.
- Leverage Trusted Platforms: Instead of exposing services directly to the internet, consider using a secure access method like a Virtual Private Network (VPN).
- Regularly Patch and Update: Keep operating systems and software up to date to mitigate vulnerabilities.
- Maintain Backups: Maintain offline backups of critical data to ensure a reliable recovery option in case of a security breach.
Conclusion
The success of the malicious “DB#JAMMER” campaign underscores the vital importance of robust password management, especially for publicly exposed services. Strong, unique passwords are a fundamental defence against brute-force attacks on MS SQL servers. By following the recommendations provided by Securonix and adhering to general security best practices, organisations can fortify their defences and better shield themselves against the ever-evolving threat landscape of cyber attacks.
Related articles
Brokewell Malware: A Serious Threat to Android Users
A newly discovered Android malware strain named “Brokewell” poses a significant risk to mobile device users. Disguised as legitimate software updates for popular apps like…
Dropbox Sign Breach Exposes Customer Data
Cloud storage giant Dropbox has recently disclosed a data breach affecting its eSignature service, Dropbox Sign (formerly HelloSign). The incident highlights the ongoing risks businesses…