Saturday, April 13, 2024

Hackers From Chinese APT-27 Group Initiated 15000 Attacks Against MySQL Servers to Compromise Enterprise Networks

Cybercriminals from the APT-27 group are targeting high-profile enterprise networks by exploiting exposed MySQL servers and deploying malware such as NewCore RAT (a Remote Access Trojan) linked to a Chinese APT campaign.

Most enterprise networks rely on a cloud platform to store their sensitive data; at the same time, attackers equally use cloud services to run their bots and C&C infrastructure on cloud servers.

Even where enterprises patch every OS vulnerability, they often fail to secure the server running MySQL, which is left open to the public Internet.

Based on a Shodan search, nearly 4.9 million MySQL servers are configured to listen on a public IP address. The MySQL service runs with system privilege, so an attacker who gets into the network through MySQL can gain complete control of the compromised machine without exploiting any software vulnerability: valid credentials are enough.
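A configuration audit for the exposure just described, added here as an example and not taken from the article or from Quick Heal's research. It parses the [mysqld] section of a my.cnf and reports the settings that hand an authenticated attacker the host: running as root, listening on every interface, unrestricted file read and write, LOAD DATA LOCAL enabled, and authentication switched off. Both configuration fragments are constructed for the example, shown as the weak setting beside the corrected one; the `user` check applies to Linux, where the service account is set in my.cnf (on Windows it is chosen when the service is installed).

```python
"""Audit a my.cnf [mysqld] section for the exposure the article describes:
a server reachable from the Internet, running with high privilege, and
free to read and write files on the host. Added example; not the article's code."""
import configparser
from typing import Dict, List, Optional

# Constructed fragments for the example (assumption: not real deployments).
WEAK_CNF = """
[mysqld]
user=root
bind-address=0.0.0.0
port=3306
local_infile=1
secure_file_priv=
skip-grant-tables
"""

HARDENED_CNF = """
[mysqld]
user=mysql
bind-address=127.0.0.1
port=3306
local_infile=0
secure_file_priv=/var/lib/mysql-files
"""


def parse_mysqld_section(cnf_text: str) -> Dict[str, Optional[str]]:
    """Return [mysqld] options with dashes normalised to underscores (MySQL
    accepts both spellings). Options written without a value map to None."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    parser.read_string(cnf_text)
    if not parser.has_section("mysqld"):
        return {}
    return {key.replace("-", "_"): value for key, value in parser.items("mysqld")}


def audit_mysqld(cnf_text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    opts = parse_mysqld_section(cnf_text)
    findings: List[str] = []

    # Service account. On Linux 'user' picks the account mysqld drops to; absent
    # or root means any code mysqld executes runs as root. (Windows sets the
    # service account at install time, not here.)
    user = (opts.get("user") or "").strip().lower()
    if user in ("", "root"):
        findings.append("user: mysqld runs as root; set user=mysql")

    # Network exposure: without bind-address MySQL listens on all interfaces.
    if "skip_networking" not in opts:
        bind = (opts.get("bind_address") or "*").strip()
        if bind in ("*", "0.0.0.0", "::"):
            findings.append("bind_address: listens on every interface; bind to 127.0.0.1 or an internal address")

    # FILE privilege lets a user call LOAD_FILE() and SELECT ... INTO OUTFILE/DUMPFILE;
    # secure_file_priv confines both to one directory, and an empty value removes the limit.
    if "secure_file_priv" not in opts:
        findings.append("secure_file_priv: not set; confirm the runtime value with SHOW VARIABLES")
    elif (opts["secure_file_priv"] or "").strip() == "":
        findings.append("secure_file_priv: empty, file read/write is unrestricted; point it at a dedicated directory")

    # LOAD DATA LOCAL lets the server pull files from the client side; off unless needed.
    if (opts.get("local_infile") or "0").strip().upper() in ("1", "ON", "TRUE"):
        findings.append("local_infile: enabled; set local_infile=0")

    # skip-grant-tables turns authentication off entirely.
    if "skip_grant_tables" in opts:
        findings.append("skip_grant_tables: authentication disabled; remove it")

    return findings


if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(f"{label}: {audit_mysqld(cnf) or ['no findings']}")
```

Run it against the real file with `audit_mysqld(open("/etc/my.cnf").read())`; a static audit cannot see options passed on the command line or set at runtime, so pair it with `SHOW VARIABLES` on the live server.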

Researchers from Quick Heal observed nearly 15,000 attacks against their honeypot, of which 34% targeted Germany; the rest were aimed at other countries including the United States, France, China, Poland and Russia.

Threat Actors' Different Approaches

Attackers use two different approaches to abuse MySQL servers and compromise the enterprise networks behind them.

1. They gain entry to the database server, drop the existing tables and insert a ransom note as a BLOB in a newly created table.

2. They use MySQL as an entry point into the underlying Linux or Windows system and then drop a backdoor, miner or ransomware onto the victim host.

Threat actors abuse MySQL servers by exploiting weaknesses such as default credentials (for example the root account), brute-force attacks using a list of 1,000 well-known passwords, and SQL injection.
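One way to spot the password guessing described above, added here as an example rather than code from the article or from Quick Heal: a sliding-window count of "Access denied" entries per source address in the MySQL error log. The log lines are constructed for the example, and the threshold and window are assumptions to tune per environment. MySQL writes these entries only when log_error_verbosity is 3 (the 5.7 default; 8.0 defaults to 2), so check that setting before relying on the log.

```python
"""Flag MySQL password guessing from the server error log. Added example,
not the article's or Quick Heal's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Failed logins appear as
#   <ts> <conn_id> [Note] Access denied for user '<user>'@'<host>' (using password: YES|NO)
# MySQL 8.0 inserts "[MY-010926] [Server]" before the message; the lazy ".*?" allows both.
# These entries are only written when log_error_verbosity is 3 (5.7 default; 8.0 defaults to 2).
DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+\d+\s+\[Note\].*?"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

# Constructed error-log excerpt for the example (addresses are documentation ranges).
SAMPLE_LOG = """\
2019-01-15T10:22:31.100000Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2019-01-15T10:22:31.400000Z 13 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2019-01-15T10:22:31.700000Z 14 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2019-01-15T10:22:32.000000Z 15 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2019-01-15T10:22:32.300000Z 16 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2019-01-15T10:22:32.600000Z 17 [Note] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2019-01-15T10:25:02.000000Z 18 [Note] Access denied for user 'appuser'@'198.51.100.7' (using password: YES)
2019-01-15T10:30:00.000000Z 19 [Note] Access denied for user 'root'@'10.0.0.8' (using password: NO)
2019-01-15T10:30:00.500000Z 20 [Note] Got an error reading communication packets
"""


def parse_denied(log_text: str) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, source host, attempted user) from each failed login."""
    events = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group("host"), m.group("user")))
    return events


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> Dict[str, dict]:
    """Return each source host that produced >= threshold failures inside any
    window_seconds span, with its total attempts and the user names it tried.
    Threshold and window are assumptions to tune per environment."""
    window = timedelta(seconds=window_seconds)
    by_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, host, user in parse_denied(log_text):
        by_host[host].append((ts, user))

    flagged: Dict[str, dict] = {}
    for host, attempts in by_host.items():
        attempts.sort()
        recent: deque = deque()  # timestamps inside the current window
        for ts, _user in attempts:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged[host] = {
                    "attempts": len(attempts),
                    "users": sorted({u for _, u in attempts}),
                    "first": attempts[0][0].isoformat(),
                    "last": attempts[-1][0].isoformat(),
                }
                break
    return flagged


if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {info['attempts']} failures, users tried {info['users']}")
```

The distinct user list is the useful part of the output: a single account failing repeatedly may be a broken application, while one address cycling through root, admin and mysql is a dictionary attack. The same per-host windowing works on the `connection_control` plugin's `CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS` table if the error log is not available.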

Beyond these, attackers also make use of web shells and authentication-bypass vulnerabilities that let them take control of the server without any credentials, and then manipulate, delete or steal its data.

According to Quick Heal Research, attackers use a function to download a file from a URL and execute it on the infected server. Every program launched by mysqld.exe runs with the same system privilege as the service. This lets the payload evade detection and can be used to launch fileless malware attacks.
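The article does not name the MySQL function the attackers use to download and run a file, so the scanner below, added here and not part of the article or Quick Heal's report, detects the generic primitives any such chain needs once it has a login: writing a file with INTO DUMPFILE or OUTFILE, registering it as a user-defined function with CREATE FUNCTION ... SONAME, and calling an OS-execution UDF such as sys_exec from the widely used lib_mysqludf_sys. It also flags the first approach from the numbered list above: a burst of DROP statements followed by an INSERT into a freshly created table, which is where the ransom note goes. The general-log lines, connection IDs, paths and database names are all constructed for the example, and the two-drop threshold is an assumption.

```python
"""Scan a MySQL general query log for the post-login primitives the article
describes: file write plus execution through mysqld (UDF loading) and the
drop-everything-then-leave-a-note ransom pattern. Added example."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# general_log with log_output=FILE writes "<ts>  <conn_id> <Command>  <argument>";
# a statement that spans lines continues on lines without a timestamp.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Statement rules. file_recon is low severity on its own but usually precedes the rest.
RULES = {
    "file_recon": re.compile(r"\b(secure_file_priv|plugin_dir)\b", re.I),
    "file_write": re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I),
    "file_read": re.compile(r"\bLOAD_FILE\s*\(", re.I),
    "udf_load": re.compile(r"\bCREATE\s+(AGGREGATE\s+)?FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\b", re.I),
    "os_exec": re.compile(r"\b(sys_exec|sys_eval)\s*\(", re.I),
}
DROP_RE = re.compile(r"^\s*DROP\s+(DATABASE|SCHEMA|TABLE)\b", re.I)
CREATE_TABLE_RE = re.compile(r"^\s*CREATE\s+TABLE\s+(?P<name>[`\w.]+)", re.I)
INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\s+(?P<name>[`\w.]+)", re.I)
MASS_DROP_THRESHOLD = 2  # assumption; raise it on servers where DROPs are routine

# Constructed log excerpt: connection 21 stages a UDF (the hex literal stands in
# for a DLL body), 22 wipes databases and leaves a note, 23 is ordinary app traffic.
SAMPLE_LOG = """\
2019-01-15T10:22:40.000000Z    21 Connect   root@203.0.113.5 on  using TCP/IP
2019-01-15T10:22:40.100000Z    21 Query     SHOW VARIABLES LIKE 'secure_file_priv'
2019-01-15T10:22:40.200000Z    21 Query     SELECT @@plugin_dir
2019-01-15T10:22:40.300000Z    21 Query     SELECT 0x4D5A9000 INTO DUMPFILE 'C:/mysql/lib/plugin/udf.dll'
2019-01-15T10:22:40.400000Z    21 Query     CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'udf.dll'
2019-01-15T10:22:40.500000Z    21 Query     SELECT sys_exec('cmd.exe /c whoami')
2019-01-15T11:02:10.000000Z    22 Connect   root@203.0.113.5 on  using TCP/IP
2019-01-15T11:02:10.100000Z    22 Query     SHOW DATABASES
2019-01-15T11:02:10.200000Z    22 Query     DROP DATABASE `orders`
2019-01-15T11:02:10.300000Z    22 Query     DROP DATABASE `customers`
2019-01-15T11:02:10.400000Z    22 Query     CREATE DATABASE `PLEASE_READ`
2019-01-15T11:02:10.500000Z    22 Query     CREATE TABLE `PLEASE_READ`.`WARNING` (id INT,
    note BLOB)
2019-01-15T11:02:10.600000Z    22 Query     INSERT INTO `PLEASE_READ`.`WARNING` VALUES (1, 'Your databases were deleted. Pay to get them back.')
2019-01-15T11:05:00.000000Z    23 Connect   appuser@10.0.0.20 on shop using TCP/IP
2019-01-15T11:05:00.100000Z    23 Query     SELECT id, total FROM orders WHERE customer_id = 42
"""


def parse_general_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ts, conn, cmd, arg) per command, joining continuation lines."""
    events: List[List[str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append([m["ts"], m["conn"], m["cmd"], m["arg"]])
        elif events:
            events[-1][3] += "\n" + line
    return [(e[0], e[1], e[2], e[3]) for e in events]


def scan_general_log(text: str) -> List[Dict[str, str]]:
    """Return findings as dicts with ts, conn, rule and a statement excerpt."""
    findings: List[Dict[str, str]] = []
    drops: Dict[str, int] = defaultdict(int)         # conn -> DROP statements seen
    created: Dict[str, Set[str]] = defaultdict(set)  # conn -> tables created after a mass drop

    def hit(ts: str, conn: str, rule: str, stmt: str) -> None:
        findings.append({"ts": ts, "conn": conn, "rule": rule, "stmt": " ".join(stmt.split())[:80]})

    for ts, conn, cmd, arg in parse_general_log(text):
        if cmd != "Query":
            continue
        for rule, rx in RULES.items():
            if rx.search(arg):
                hit(ts, conn, rule, arg)
        if DROP_RE.match(arg):
            drops[conn] += 1
            if drops[conn] == MASS_DROP_THRESHOLD:
                hit(ts, conn, "mass_drop", arg)
            continue
        m = CREATE_TABLE_RE.match(arg)
        if m and drops[conn] >= MASS_DROP_THRESHOLD:
            created[conn].add(m["name"].replace("`", ""))
            continue
        m = INSERT_RE.match(arg)
        if m and m["name"].replace("`", "") in created[conn]:
            hit(ts, conn, "ransom_note", arg)
    return findings


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"{f['ts']} conn {f['conn']} {f['rule']:12s} {f['stmt']}")
```

The general log is expensive on a busy server, so in practice the same rules run over the audit plugin's output or over a network capture of port 3306. The write-then-SONAME sequence on one connection is the high-confidence signal; a DUMPFILE into the directory reported by `@@plugin_dir` has no legitimate use from a remote client.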

Alongside this, a range of malware is distributed using MySQL as the entry point, including viruses, backdoors and miners.

Researchers also received a NewCore RAT sample attributed to APT-27, a Chinese APT actor that mainly targets government entities and data centers.

“After dropping the malicious database, the attacker inserts a ransom note and asks for a ransom. But it is suggested that in this type of attack, don’t pay the ransom, as the attacker is not reading or taking a backup of the database, so there is no way that they can restore the database after payment,” Quick Heal reported.

Indicators of Compromise

IDS/IPS Detection:

Virus Protection Detection:

Attack IOCs:


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
