Ransomware attackers are targeting exposed Microsoft SQL databases, report says
Ransomware campaigns are using internet-exposed Microsoft SQL databases as a beachhead to launch attacks on victim systems, according to researchers.
Cybersecurity company Securonix said that it found examples of hackers exploiting Microsoft SQL (MSSQL) — a popular software product that helps users store and retrieve data requested by applications. Microsoft’s version is one of several database managers that use SQL, short for structured query language.
Oleg Kolesnikov, vice president of threat research at Securonix, told Recorded Future News that the typical attack sequence begins with hackers trying to gain access to exposed Microsoft SQL databases through brute forcing — a hacking method that uses trial and error to crack passwords.
Securonix researchers said it was unclear if the hackers are “using a dictionary-based, or random password spray attempts.”
Once a database’s password is cracked, “the attackers expand their foothold within the target system and use MSSQL as a beachhead to launch a number of different payloads,” including remote access trojan (RAT) malware and ransomware, Kolesnikov said.
“This is not something we have been seeing often, and what truly sets this attack sequence apart is the extensive tooling and infrastructure used by the threat actors,” he said.
After the hackers break in, they use a variety of tools to map out the network, steal credentials and eventually deploy ransomware.
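For defenders, the sequence described above (a burst of failed MSSQL logins from one client, then a successful login from that same client) can be detected in the SQL Server error log. The Python below is an added example, not code from the Securonix report or this article. It assumes login auditing records both failed and successful logins; the threshold, the window and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format; not taken from the report.
# 10.0.0.5 is a user who mistyped once; 203.0.113.7 guesses until it succeeds.
SAMPLE_LOG = """\
2023-08-30 02:10:00.02 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 02:10:00.02 Logon       Login failed for user 'app_reader'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-08-30 02:10:12.40 Logon       Login succeeded for user 'app_reader'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
2023-08-30 02:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 02:14:02.11 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2023-08-30 02:14:03.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 02:14:04.13 Logon       Login failed for user 'test'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2023-08-30 02:14:05.14 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 02:14:09.80 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]")

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, client, user, timestamp) tuples, in log order."""
    recent = defaultdict(deque)  # client -> timestamps of failures inside the window
    flagged = set()              # clients that have crossed the failure threshold
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # e.g. the paired "Error: 18456" header lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        client, user, failures = m["client"], m["user"], recent[m["client"]]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that have aged out of the window
        if m["result"] == "failed":
            failures.append(ts)
            if len(failures) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append(("brute-force", client, user, ts))
        elif client in flagged:
            # A success from a client already flagged for guessing is the critical case.
            alerts.append(("success-after-brute-force", client, user, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single mistyped password followed by a normal login, as from 10.0.0.5 in the sample, produces no alert.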
Securonix did not attribute the attacks to any known group but found that the hackers deployed ransomware called FreeWorld, a new variant of the Mimic ransomware. Mimic was spotlighted earlier this year by researchers at Trend Micro after first being seen in the wild in June 2022.
Mimic targets Russian- and English-speaking users, and Trend Micro said there are indicators tying it to the Conti ransomware builder that was leaked last year.
“Given how quickly the attackers got to work, this attack appears to be quite sophisticated from tooling to infrastructure,” Securonix researchers said.
Using legitimate IT tools
The hackers painstakingly disable the system’s defenses before creating administrator accounts that provide them with widespread access.
In the case examined by Securonix, the threat actors tried a number of different methods in order to exfiltrate data and import the tools needed to gain further persistence in the victim systems.
Several tools were blocked by the victim’s firewall, but the hackers eventually succeeded with the AnyDesk remote access software — a legitimate IT tool increasingly popular among threat actors. The Cybersecurity and Infrastructure Security Agency (CISA) warned earlier this year that malicious hackers are deploying commercial remote monitoring and management (RMM) software.
“Upon execution, the ransomware began encrypting the victim host and generated encrypted files using the ‘.FreeWorldEncryption’ extension. Once it has run through its course, it will create a text file named ‘FreeWorld-Contact.txt’ with instructions as to how to pay the ransom,” the Securonix report said.
The company said organizations using Microsoft SQL databases should not expose them to the internet — advice that CISA has been pushing more fervently in recent months.
The agency said in June that it is now working with federal agencies to remove network management tools from the public-facing internet after researchers discovered hundreds were still publicly exposed.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.