MySQL server

Cybercriminals from APT-27 group targetting the high profile enterprise networks by exploiting MySQL server through malware such as NewCoreRAT(Remote Access Trojan) linked with Chinese APT Campaign.

Most of the enterprise networks relay with a cloud platform to store their sensitive data, at the same time attackers equally using cloud services to run their bots and C&C on cloud servers.

Even though enterprises patch all the vulnerabilities related to OS, they failed to secure the server machine running MySQL, which is open to the public Internet.

Based on the Shodan search result, there are nearly 4.9 million MySQL servers configured to run on public IP. The MySQL service runs with system privilege, so if an attacker enters into the network using MySQL then they can gain complete access to the infected machine without any vulnerability.

Researchers from Quick Heal observed nearly 15000 attacks in their honeypot system, in which, 34% of attack targeting Germany and rest of the attacks are focusing with other countries including United States, France, China, Poland, and Russia.

Threat Actors Different Approaches

Attackers using two different approaches to abuse the MYSQL servers and to compromise the associated enterprise network.

1 They try to get an entry into the database server, drop existing tables and insert a ransom note as a blob in a newly created table.

2. In the second attack approach, they use MySQL as an entrance into Linux or Windows system and then drop a backdoor, miner or ransomware into the victim host.

Threat actors are abusing the MYSQL server by exploiting the weakness such as default credentials like root, and brute force attack with 1000 well-known passwords and SQL injection.

Apart from this approach, attackers also make use of WebShell and authentication bypass vulnerability that allows them to take control over the server without any credential to manipulate the data and even delete it or steal it.

According to Quick Heal Research, Attackers use the function for download file from URL and execute them on the infected server. Every application executed by mysqld.exe will run with system privilege. They evade detection and can be used to launch file-less malware attacks.

Alongside, there are various malware distributed using MySQL as a source this include virus, backdoor, miner.

Researchers also received NewCore RAT sample from APT-27, Chinese APT actors mainly targeting government entities and data centers.

“After dropping the malicious database, the attacker inserts ransom note and ask for ransom. But it is suggested that in this type of attack, don’t pay the ransom as the attacker is not reading or taking a backup of database so there is no way that they can restore the database after payment.” Quick Head Reported.

Download Free E-book to learn about complete Enterprise Security Implementation & Mitigation Steps – Download Free-Ebook Here.

Indicator of Compromise

IDS/IPS Detection:


Virus Protection Detection:


Attack IOC’s:




You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself updated.

Leave a Reply