Tuesday, October 15, 2024
HomeRansomwareRansomware Now Attacking MySQL Databases

Ransomware Now Attacking MySQL Databases

Published on

Malware protection

Early this year, specialists cautioned of a spike in quantity of attacks against MongoDB frameworks, criminals asked for the payment of a ransom to return information and help the organization to settle the defect they abused.

So also to the MongoDB attacks, owners are told to pay a 0.2 Bitcoin to deliver (approx. $200) to recover access to their content.

Attack Summary

Investigators from guardicore reported that attacks began at midnight at 00:15 on February 12 and kept going around 30 hours in which many attacks were accounted for by GGSN.

- Advertisement - SIEM as a Service

The attack begins with “root” password brute-forcing. Once signed in, it brings a rundown of the current MySQL databases and their tables.

Then it makes another table called “WARNING” that incorporates a contact email address, a bitcoin address, and a payment demand.

Investigators traced down the source IP 109.236.88.20, an IP address hosted by worldstream.nl, a Netherlands-based web hosting organization.

The attacker is (likely) running from a compromised mail server which additionally fills in as HTTP(s) and FTP server.

Attack Variants

  • In one variation of the attack, the table is added to a current database.
  • In Another variation, the table is added to a recently made database called ‘PLEASE_READ‘.
INSERT INTO PLEASE_READ.`WARNING`(id, warning, Bitcoin_Address, Email)
VALUES(‘1′,’Send 0.2 BTC to this address and contact this email
with your ip or db_name of your server to recover your database!
Your DB is Backed up to our servers!’,
‘1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY’, ‘backupservice@mail2tor.com’)
INSERT INTO `WARNING`(id, warning)
VALUES(1, ‘SEND 0.2 BTC TO THIS ADDRESS 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9
AND GO TO THIS SITE http://sognd75g4isasu2v.onion/ TO RECOVER YOUR DATABASE!
SQL DUMP WILL BE AVAILABLE AFTER PAYMENT!
To access this site you have use the tor browser
https://www.torproject.org/projects/torbrowser.html.en’)
  1. One version offers the victims to reestablish their information by reaching the accompanying email address – ‘backupservice@mail2tor.com‘ and uses the Bitcoin wallet 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9.
  2. The second version offers the owners to visit the accompanying darknet site ‘http://sognd75g4isasu2v.onion/” to recoup the lost information and uses the Bitcoin wallet 1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY .
Ransomware Now Attacking MySQL Databases

As there are no traces for dump operation or data exfiltration happened.

Experts from guardicore before paying the ransom we strongly encourage you to verify that the attacker actually holds your data and that it can be restored.

Prevention method suggested by Experts

Every MySQL server facing the internet is prone to this attack, so make sure your servers are hardened.

Also, make sure your servers require authentication and that strong passwords are in use. Minimizing internet facing services, particularly those containing sensitive information is also a good practice.

Monitoring your internet accessible machines/services is crucial to being able to rapidly respond to any breach. This can be easily achieved using GuardiCore Centra.

Also read:

Latest articles

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Dark Angels Ransomware Attacking Windows And Linux/ESXi Systems

The sophisticated ransomware group Dark Angels, active since 2022, targets large companies for substantial...

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

RansomHub Ransomware Using Multiple Techniques To Disable EDR And Antivirus

The RansomHub ransomware group tracked as Water Bakunawa, employs targeted spear-phishing to exploit the...