Recently searched:

Threat Actors Targeting Microsoft Sql Servers To Deploy Freeworld RansomwareNews 

Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld.

Cybersecurity firm Securonix, which has dubbed the campaign DB#JAMMER, said it stands out for the way the toolset and infrastructure is employed.

"Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity.

"The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld."

Initial access to the victim host is achieved by brute-forcing the MS SQL server, using it to enumerate the database and leveraging the xp_cmdshell configuration option to run shell commands and conduct reconnaissance.

The next stage entails taking steps to impair system firewall and establish persistence by connecting to a remote SMB share to transfer files to and from the victim system as well as install malicious tools such as Cobalt Strike.

This, in turn, paves the way for the distribution of AnyDesk software to ultimately push FreeWorld ransomware, but not before carrying out a lateral movement step. The unknown attackers are also said to have unsuccessfully attempted to establish RDP persistence through Ngrok.

"The attack initially succeeded as a result of a brute force attack against a MS SQL server," the researchers said. "It's important to emphasize the importance of strong passwords, especially on publicly exposed services."

The disclosure comes as the operators of the Rhysida ransomware have claimed 41 victims, with more than half of them located in Europe.

Rhysida is one of the nascent ransomware strains that emerged in May 2023, adopting the increasingly popular tactic of encrypting and exfiltrating sensitive data from organizations and threatening to leak the information if the victims refuse to pay.
 
Microsoft really should up their security seems so bad latley
 
Home Register
Top Bottom