MSSQL Databases Under Fire From FreeWorld Ransomware
A cyberattack campaign, identified as “DB#JAMMER,” has been uncovered, targeting exposed Microsoft SQL Server (MSSQL) databases through brute-force attacks. The campaign deploys ransomware and Cobalt Strike payloads, demonstrating a high level of sophistication in its execution.
The typical sequence of this attack, as detailed by Securonix’s investigation, commences with the attackers brute-forcing their way into vulnerable MSSQL databases. Once initial access is gained, the assailants broaden their control within the target system. They leverage MSSQL as a launching pad to deploy various payloads, including remote-access Trojans (RATs) and a newly identified Mimic ransomware variant dubbed “FreeWorld.” This name is derived from the inclusion of “FreeWorld” in binary file names, a ransom instruction file named FreeWorld-Contact.txt, and the use of “.FreeWorldEncryption” as the ransomware extension.
To further their objectives, the attackers establish a remote SMB share for mounting a directory housing their toolkit. This toolkit encompasses a Cobalt Strike command-and-control agent (srv.exe), AnyDesk, a network port scanner, and Mimikatz for credential extraction and lateral movement within the network. Additionally, the threat actors execute configuration changes, ranging from user creation and modification to registry alterations, all aimed at impairing the target’s defenses.
The level of sophistication demonstrated in the “DB#JAMMER” campaign is notable, both in terms of the attacker’s adept use of tools and payloads and the speed with which they execute their operations, as observed by Securonix’s research team.
Securonix researchers highlighted the presence of various tools in this campaign, encompassing enumeration software, RAT payloads, exploitation and credential theft tools, as well as ransomware payloads. Oleg Kolesnikov, Vice President of Threat Research and Cybersecurity at Securonix, emphasized the exceptional nature of this attack sequence, noting the extensive tooling and infrastructure employed by the threat actors.
Kolesnikov underlined that the campaign remains ongoing, but he characterized it as relatively targeted in its current phase. He assessed the risk level as medium to high, citing indications that the attackers’ infiltration vectors extend beyond MSSQL.
This discovery comes at a time when ransomware incidents are poised to impact more organizations in 2023, with attackers rapidly escalating their attacks to cause widespread damage before detection by defenders.
To bolster security concerning MSSQL services, Kolesnikov advises enterprises to reduce their attack surface by limiting internet exposure. He also highlights the vulnerability associated with external connections and weak account credentials in MSSQL database servers, which are often targeted by threat actors. For instance, AhnLab researchers observed multiple threat actors compromising credentials for a breached MSSQL server, leaving traces of various ransomware strains, Remcos RAT, and coinminers.
“Additionally, security teams must understand and implement defenses related to the attack progression and the behaviors leveraged by the malicious threat actors,” he says, including restricting the use of xp_cmdshell as part of their standard operating procedure. The report also recommended that organizations monitor common malware staging directories, in particular “C:\Windows\Temp,” and deploy additional process-level logging such as Sysmon and PowerShell logging for broader detection coverage.
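The following T-SQL script is an added example, not code from the article or from the Securonix report, showing how a database administrator can apply the MSSQL-side mitigations described above: confirming and disabling xp_cmdshell, surfacing failed-login activity from the error log, and tightening credential policy on SQL logins. The login name [app_user] is a placeholder; everything else uses standard SQL Server system procedures and views.

```sql
-- Added example (not the article's or Securonix's code): hardening and audit
-- steps for the MSSQL mitigations discussed above. Run as a sysadmin on the
-- instance being hardened. [app_user] is a placeholder login name.

-- 1. Check whether xp_cmdshell is currently enabled (value_in_use = 1 means on).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Disable xp_cmdshell. 'show advanced options' must be on before the
--    xp_cmdshell setting can be changed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 3. Surface brute-force attempts: failed logins are written to the SQL Server
--    error log. Archive 0 = current log file, log type 1 = SQL Server error log,
--    third argument = text to search for.
EXEC sys.xp_readerrorlog 0, 1, N'Login failed';

-- 4. Disable the built-in sa login, a common brute-force target, if an
--    alternative sysadmin login is already in place.
ALTER LOGIN sa DISABLE;

-- 5. Enforce the Windows password policy (complexity, expiration and lockout)
--    on a SQL login so weak credentials are rejected and guessing is slowed.
ALTER LOGIN [app_user] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 6. List SQL logins that still have policy checking off, for review.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0;
```

Step 2 takes effect immediately; re-run the step 1 query afterwards and expect value_in_use = 0. Step 3 only finds entries in the current error log file, so on a busy server also check archived logs (archive numbers 1 and up) or forward the log to the SIEM alongside the Sysmon and PowerShell logging the report recommends.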
Malicious activity targeting vulnerable SQL servers has surged 174% compared to 2022, a July report from Palo Alto’s Unit 42 discovered.