Wednesday, June 19, 2024

Ransomware Now Attacking MySQL Databases

Early this year, specialists cautioned of a spike in quantity of attacks against MongoDB frameworks, criminals asked for the payment of a ransom to return information and help the organization to settle the defect they abused.

So also to the MongoDB attacks, owners are told to pay a 0.2 Bitcoin to deliver (approx. $200) to recover access to their content.

Attack Summary

Investigators from guardicore reported that attacks began at midnight at 00:15 on February 12 and kept going around 30 hours in which many attacks were accounted for by GGSN.

The attack begins with “root” password brute-forcing. Once signed in, it brings a rundown of the current MySQL databases and their tables.

Then it makes another table called “WARNING” that incorporates a contact email address, a bitcoin address, and a payment demand.

Investigators traced down the source IP 109.236.88.20, an IP address hosted by worldstream.nl, a Netherlands-based web hosting organization.

The attacker is (likely) running from a compromised mail server which additionally fills in as HTTP(s) and FTP server.

Attack Variants

  • In one variation of the attack, the table is added to a current database.
  • In Another variation, the table is added to a recently made database called ‘PLEASE_READ‘.
INSERT INTO PLEASE_READ.`WARNING`(id, warning, Bitcoin_Address, Email)
VALUES(‘1′,’Send 0.2 BTC to this address and contact this email
with your ip or db_name of your server to recover your database!
Your DB is Backed up to our servers!’,
‘1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY’, ‘[email protected]’)
INSERT INTO `WARNING`(id, warning)
VALUES(1, ‘SEND 0.2 BTC TO THIS ADDRESS 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9
AND GO TO THIS SITE http://sognd75g4isasu2v.onion/ TO RECOVER YOUR DATABASE!
SQL DUMP WILL BE AVAILABLE AFTER PAYMENT!
To access this site you have use the tor browser
https://www.torproject.org/projects/torbrowser.html.en’)
  1. One version offers the victims to reestablish their information by reaching the accompanying email address – ‘[email protected]‘ and uses the Bitcoin wallet 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9.
  2. The second version offers the owners to visit the accompanying darknet site ‘http://sognd75g4isasu2v.onion/” to recoup the lost information and uses the Bitcoin wallet 1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY .
Ransomware Now Attacking MySQL Databases

As there are no traces for dump operation or data exfiltration happened.

Experts from guardicore before paying the ransom we strongly encourage you to verify that the attacker actually holds your data and that it can be restored.

Prevention method suggested by Experts

Every MySQL server facing the internet is prone to this attack, so make sure your servers are hardened.

Also, make sure your servers require authentication and that strong passwords are in use. Minimizing internet facing services, particularly those containing sensitive information is also a good practice.

Monitoring your internet accessible machines/services is crucial to being able to rapidly respond to any breach. This can be easily achieved using GuardiCore Centra.

Also read:

Website

Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles