Thursday, March 28, 2024

Ransomware Now Attacking MySQL Databases

Early this year, specialists cautioned of a spike in quantity of attacks against MongoDB frameworks, criminals asked for the payment of a ransom to return information and help the organization to settle the defect they abused.

So also to the MongoDB attacks, owners are told to pay a 0.2 Bitcoin to deliver (approx. $200) to recover access to their content.

Attack Summary

Investigators from guardicore reported that attacks began at midnight at 00:15 on February 12 and kept going around 30 hours in which many attacks were accounted for by GGSN.

The attack begins with “root” password brute-forcing. Once signed in, it brings a rundown of the current MySQL databases and their tables.

Then it makes another table called “WARNING” that incorporates a contact email address, a bitcoin address, and a payment demand.

Investigators traced down the source IP 109.236.88.20, an IP address hosted by worldstream.nl, a Netherlands-based web hosting organization.

The attacker is (likely) running from a compromised mail server which additionally fills in as HTTP(s) and FTP server.

Attack Variants

  • In one variation of the attack, the table is added to a current database.
  • In Another variation, the table is added to a recently made database called ‘PLEASE_READ‘.
INSERT INTO PLEASE_READ.`WARNING`(id, warning, Bitcoin_Address, Email)
VALUES(‘1′,’Send 0.2 BTC to this address and contact this email
with your ip or db_name of your server to recover your database!
Your DB is Backed up to our servers!’,
‘1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY’, ‘[email protected]’)
INSERT INTO `WARNING`(id, warning)
VALUES(1, ‘SEND 0.2 BTC TO THIS ADDRESS 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9
AND GO TO THIS SITE http://sognd75g4isasu2v.onion/ TO RECOVER YOUR DATABASE!
SQL DUMP WILL BE AVAILABLE AFTER PAYMENT!
To access this site you have use the tor browser
https://www.torproject.org/projects/torbrowser.html.en’)
  1. One version offers the victims to reestablish their information by reaching the accompanying email address – ‘[email protected]‘ and uses the Bitcoin wallet 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9.
  2. The second version offers the owners to visit the accompanying darknet site ‘http://sognd75g4isasu2v.onion/” to recoup the lost information and uses the Bitcoin wallet 1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY .
Ransomware Now Attacking MySQL Databases

As there are no traces for dump operation or data exfiltration happened.

Experts from guardicore before paying the ransom we strongly encourage you to verify that the attacker actually holds your data and that it can be restored.

Prevention method suggested by Experts

Every MySQL server facing the internet is prone to this attack, so make sure your servers are hardened.

Also, make sure your servers require authentication and that strong passwords are in use. Minimizing internet facing services, particularly those containing sensitive information is also a good practice.

Monitoring your internet accessible machines/services is crucial to being able to rapidly respond to any breach. This can be easily achieved using GuardiCore Centra.

Also read:

Website

Latest articles

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...

ZENHAMMER – First Rowhammer Attack Impacting Zen-based AMD Platforms

Despite AMD's growing market share with Zen CPUs, Rowhammer attacks were absent due to...

Airbus to Acquire INFODAS to Strengthen its Cybersecurity Portfolio

Airbus Defence and Space plans to acquire INFODAS, a leading cybersecurity and IT solutions...

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles