MySQL server

Cybercriminals from APT-27 group targetting the high profile enterprise networks by exploiting MySQL server through malware such as NewCoreRAT(Remote Access Trojan) linked with Chinese APT Campaign.

Most of the enterprise networks relay with a cloud platform to store their sensitive data, at the same time attackers equally using cloud services to run their bots and C&C on cloud servers.

Even though enterprises patch all the vulnerabilities related to OS, they failed to secure the server machine running MySQL, which is open to the public Internet.

Based on the Shodan search result, there are nearly 4.9 million MySQL servers configured to run on public IP. The MySQL service runs with system privilege, so if an attacker enters into the network using MySQL then they can gain complete access to the infected machine without any vulnerability.

Researchers from Quick Heal observed nearly 15000 attacks in their honeypot system, in which, 34% of attack targeting Germany and rest of the attacks are focusing with other countries including United States, France, China, Poland, and Russia.

Threat Actors Different Approaches

Attackers using two different approaches to abuse the MYSQL servers and to compromise the associated enterprise network.

1 They try to get an entry into the database server, drop existing tables and insert a ransom note as a blob in a newly created table.

2. In the second attack approach, they use MySQL as an entrance into Linux or Windows system and then drop a backdoor, miner or ransomware into the victim host.

Threat actors are abusing the MYSQL server by exploiting the weakness such as default credentials like root, and brute force attack with 1000 well-known passwords and SQL injection.

Apart from this approach, attackers also make use of WebShell and authentication bypass vulnerability that allows them to take control over the server without any credential to manipulate the data and even delete it or steal it.

According to Quick Heal Research, Attackers use the function for download file from URL and execute them on the infected server. Every application executed by mysqld.exe will run with system privilege. They evade detection and can be used to launch file-less malware attacks.

Alongside, there are various malware distributed using MySQL as a source this include virus, backdoor, miner.

Researchers also received NewCore RAT sample from APT-27, Chinese APT actors mainly targeting government entities and data centers.

“After dropping the malicious database, the attacker inserts ransom note and ask for ransom. But it is suggested that in this type of attack, don’t pay the ransom as the attacker is not reading or taking a backup of database so there is no way that they can restore the database after payment.” Quick Head Reported.

Download Free E-book to learn about complete Enterprise Security Implementation & Mitigation Steps – Download Free-Ebook Here.

Indicator of Compromise

IDS/IPS Detection:

MySQL/EXEFileWrite.UN!SP.34758
MySQL/CommandExecution.UN!SP.34759
MySQL/CommandExecution.UN!SP.34760
MySQL/EXEFileWrite.UN!SP.34776

Virus Protection Detection:


W32.Virut.G
Backdoor.Agent
Backdoor.Dofloo.CE99d
Trojan.Mauvaise.SL1
Trojan.Agent.S175662

Attack IOC’s:


D6362BDF13A789790E7CADCD110B9E4D
A5B019DDB693B0EC32B7A400957EDA24
c419cdd0dece9c183b3865b9c2db23fb
6F5E0882316C5BFE9420D91058F53BE8
F0044BCB4B1D4A6A39B766F864D9861A
19230C66AA4A550770D7C83BA8CC6027
B36150FEC88C917112B2C8801511C076
313909878C72ACA7E1D79CE221B1AC47

URL:

43[.]242[.]75[.]228
y[.]aibeichen[.]cn/csrss.exe

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself updated.