Saturday, December 7, 2024

STAC6451 Hacker Hijacking Microsoft SQL Servers to Compromise Organizations


A sophisticated threat activity cluster, STAC6451, has been identified targeting Microsoft SQL servers.

This cluster, primarily observed by Sophos Managed Detection and Response (MDR) teams, has compromised organizations by exploiting SQL server vulnerabilities.

The attackers have been using a combination of brute-force attacks, command execution, and lateral movement techniques to infiltrate and compromise networks.


This article delves into the intricate details of the STAC6451 attacks, the techniques employed, and the implications for organizations worldwide.

STAC6451 attacks Flaw

Initial Access and Exploitation

STAC6451 primarily targets Microsoft SQL (MSSQL) servers exposed to the Internet. These servers often have weak or default credentials, making them susceptible to brute-force attacks.

Once access is gained, the attackers enable the xp_cmdshell stored procedure, which allows command line execution through the SQL service.


This critical step lets the attackers run their own code and implant malicious payloads in the SQL database. The attackers target SQL Server’s default TCP/IP port (1433), which, if left exposed to the internet, is easy to find and probe.

Using simple account credentials, they carry out brute-force attacks to gain unauthorized access. This method highlights the importance of securing SQL servers with strong, complex passwords and limiting their exposure to the internet.
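The brute-force stage described above leaves a clear trail in the SQL Server error log (error 18456, "Login failed for user"). The following added example, which is not from the article or from Sophos, shows how a defender can parse such lines and flag a client address that produces a burst of failures within a short window. The log lines, timestamps, login names and client addresses are constructed for this example; the window and threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of the SQL Server ERRORLOG (the text of
# error 18456, "Login failed for user"). Timestamps, login names and client
# addresses are made up for this example.
SAMPLE_ERRORLOG = """\
2024-12-01 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-12-01 10:15:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-12-01 10:15:01.60 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2024-12-01 10:15:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-12-01 10:15:02.41 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2024-12-01 10:15:02.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-12-01 10:16:00.00 spid52      Starting up database 'tempdb'.
2024-12-01 10:20:44.12 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# One failed-login line: timestamp, the "Logon" source, the login name and the
# client address that SQL Server appends in square brackets.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]\s*$"
)


def parse_failed_logins(text):
    """Return one event dict per failed-login line; other log lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "user": m["user"],
                "client": m["client"],
            })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag each client address with >= threshold failures inside a sliding window.

    threshold and window are assumed starting values, not figures from the article.
    """
    recent = defaultdict(deque)   # client -> failure timestamps still inside the window
    users = defaultdict(set)      # client -> every login name it tried
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        client = ev["client"]
        q = recent[client]
        q.append(ev["ts"])
        users[client].add(ev["user"])
        # Drop failures that have aged out of the window.
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(client, {
                "client": client,
                "first_seen": q[0],
                "last_seen": ev["ts"],
                "failures_in_window": 0,
                "users": [],
            })
            alert["last_seen"] = ev["ts"]
            alert["failures_in_window"] = max(alert["failures_in_window"], len(q))
            alert["users"] = sorted(users[client])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG)):
        print(f"{alert['client']}: {alert['failures_in_window']} failures "
              f"between {alert['first_seen']} and {alert['last_seen']} "
              f"against logins {alert['users']}")
```

Trying several login names from one address in a couple of seconds, as the constructed lines show, is the pattern that distinguishes a password-guessing tool from a user mistyping a password, so the alert records the set of login names as well as the count.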

Discovery and Staging

Once access is secured, the attackers execute discovery commands to gather information about the system. These commands include retrieving the version, hostname, available memory, domain, and username context.

ver & hostname
wmic computersystem get totalphysicalmemory
wmic os get Caption
wmic os get version
wmic computersystem get domain
whoami

The execution of these commands is often automated, indicating a high level of sophistication in the attack.

Aggregated SQL SPID

Staging Malicious Payloads

The attackers use the Bulk Copy Program (BCP) utility to stage additional payloads and tools. This command-line tool copies data between an SQL instance and a file.

By embedding their payloads in the MSSQL database, the attackers can create local files from the malware and tools saved in the database. This method allows them to stage various tools, including AnyDesk for remote access, batch scripts, and PowerShell scripts.

Creating User Accounts

The attackers create various user accounts across victim environments to facilitate lateral movement and maintain persistence.

These accounts are added to the local administrator and remote desktop groups, giving the attackers elevated privileges.

Using automated scripts to create these accounts simultaneously across multiple networks indicates a coordinated effort to compromise numerous victims.
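Every command in the discovery, BCP staging and account-creation steps above runs through xp_cmdshell, which means the SQL Server process itself spawns the command shell. The following added example, which is not from the article or from Sophos, shows the detection logic a defender would run over process-creation telemetry: any child of sqlservr.exe is reported, and command lines matching the discovery, payload-staging, remote-access-tool and account-creation patterns the article describes are tagged and raised in severity. The event records, their field names (parent_image, image, command_line), the paths and the command lines are all constructed for this example in the shape of normalised Sysmon Event ID 1 or EDR data.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (shape assumed: normalised Sysmon
# Event ID 1 / EDR telemetry). Paths and command lines are made up here.
SQL_IMAGE = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD_IMAGE = r"C:\Windows\System32\cmd.exe"

SAMPLE_EVENTS = [
    {"parent_image": SQL_IMAGE, "image": CMD_IMAGE,
     "command_line": "cmd.exe /c ver & hostname"},
    {"parent_image": SQL_IMAGE, "image": CMD_IMAGE,
     "command_line": "cmd.exe /c wmic computersystem get domain"},
    {"parent_image": r"C:\Windows\System32\services.exe",          # benign
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"parent_image": SQL_IMAGE, "image": CMD_IMAGE,
     "command_line": r'cmd.exe /c bcp "select payload from dbo.tmp" queryout C:\Users\Public\d.bat -T -c'},
    {"parent_image": SQL_IMAGE, "image": CMD_IMAGE,
     "command_line": r'cmd.exe /c start "" C:\Users\Public\AnyDesk.exe'},
    {"parent_image": r"C:\Windows\explorer.exe",                   # admin at the console, not SQL
     "image": CMD_IMAGE,
     "command_line": "cmd.exe /c whoami"},
    {"parent_image": SQL_IMAGE, "image": CMD_IMAGE,
     "command_line": "cmd.exe /c net user svc_backup Placeholder-Pass1 /add && net localgroup administrators svc_backup /add"},
    {"parent_image": SQL_IMAGE, "image": CMD_IMAGE,
     "command_line": "cmd.exe /c echo ok"},                       # SQL child with no known tag
]

# Tag -> pattern over the command line. Each tag maps to a stage named in the article.
RULES = [
    ("discovery", re.compile(r"\b(wmic|whoami|hostname|systeminfo|ver)\b", re.I)),
    ("payload_staging", re.compile(r"\bbcp(\.exe)?\b.*\bqueryout\b", re.I)),
    ("remote_access_tool", re.compile(r"anydesk", re.I)),
    ("account_creation", re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\b.*\s/add\b", re.I)),
]


def is_sql_child(event):
    """True when the process was spawned directly by the SQL Server service binary."""
    return PureWindowsPath(event["parent_image"]).name.lower() == "sqlservr.exe"


def classify(command_line):
    """Return every rule tag whose pattern matches the command line, in rule order."""
    return [tag for tag, rx in RULES if rx.search(command_line)]


def detect_xp_cmdshell_abuse(events):
    """Report each child of sqlservr.exe; tagged command lines are rated high.

    An untagged child is still reported at medium severity, because a database
    engine spawning a shell at all is unusual on a well-configured server.
    """
    findings = []
    for ev in events:
        if not is_sql_child(ev):
            continue
        tags = classify(ev["command_line"])
        findings.append({
            "image": PureWindowsPath(ev["image"]).name,
            "command_line": ev["command_line"],
            "tags": tags,
            "severity": "high" if tags else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_xp_cmdshell_abuse(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['image']} {f['tags']}: {f['command_line']}")
```

The parent-process check does the heavy lifting: the same `whoami` from an administrator's console is ignored, while `echo ok` spawned by sqlservr.exe is still surfaced, which catches xp_cmdshell use that the keyword rules do not know about yet.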

Data displaying automated execution of d.bat simultaneously against various target networks

The attackers use AnyDesk, a remote desktop application, for initial command and control. Installing AnyDesk on compromised systems allows them to maintain remote access and continue their malicious activities undetected.

PrintSpoofer and Cobalt Strike

The attackers deploy a privilege escalation tool called PrintSpoofer, which exploits weaknesses in the Windows spooler service to gain elevated privileges.

Additionally, they use Cobalt Strike, a legitimate penetration testing tool, for command and control (C2) operations. The attackers can establish C2 connections and execute malicious payloads by deploying a unique Cobalt Strike loader.

Strings Analysis of USERENV.dll

One of the STAC6451 cluster’s primary objectives is to deploy ransomware. The attackers use the BCP utility to write a ransomware launcher to disk.

They also use AnyDesk to execute batch scripts that launch the ransomware, which encrypts victim files and demands a ransom for decryption.

Targeting Indian Organizations

Sophos MDR has observed STAC6451 explicitly targeting organizations in India across multiple sectors.

The simultaneous execution of identical scripts and uniform tempo of activity across different target environments suggests that the attackers are automating various stages of their attack to exploit and compromise multiple victims swiftly.

Gantt Chart of observed activity sourced from aggregate SQL SPID

While the attackers have been observed deploying Mimic ransomware, their activities also include data collection and likely exfiltration.

This dual approach indicates a financially motivated operation that can both collect ransom payments and sell the stolen data.

Recommendations for Organizations

Securing SQL Servers – Organizations must ensure their SQL servers are not exposed to the internet without proper security measures. Strong, complex passwords should be enforced for every SQL login, and the xp_cmdshell feature should be disabled unless it is genuinely necessary.

Monitoring and Detection – Implementing robust monitoring and detection systems can help identify and mitigate attacks in their early stages. Tools like Sophos MDR can provide valuable insights and protection against such sophisticated threats.

Regular Security Audits – Regular security audits and vulnerability assessments can help organizations identify and address potential system weaknesses. This proactive approach is essential in staying ahead of evolving threats like STAC6451.

The STAC6451 threat activity cluster represents a significant risk to organizations worldwide, particularly those with exposed SQL servers.

By understanding the tactics, techniques, and procedures employed by these attackers, organizations can better protect themselves and mitigate the impact of such attacks.

As cybersecurity threats evolve, staying informed and vigilant is crucial in safeguarding digital assets and maintaining operational integrity.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
