Threat actors are targeting poorly secured MS SQL servers to deliver Cobalt Strike and a ransomware strain called FreeWorld.
Securonix, a cybersecurity company, has named the campaign DB#JAMMER and says it stands out for the way its toolset and infrastructure are used.
In a detailed analysis of the campaign, security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said that the tools used included “enumeration software,” “RAT payloads,” “exploitation and credential-stealing software,” and “ransomware payloads.”
“The most popular malware payload seems to be a newer version of Mimic called FreeWorld.”
The attacker gains initial access to the target host by brute-forcing the MS SQL server, enumerating the database, and using the xp_cmdshell configuration option to run shell commands and carry out reconnaissance.
The next step is to disable the system firewall and establish persistence by connecting to a remote SMB share, which is used to transfer files to and from the target system and to install malicious tools such as Cobalt Strike.
This, in turn, clears the way for the deployment of AnyDesk software, which is eventually used to push the FreeWorld ransomware, but only after a lateral movement step. The unidentified attackers also reportedly tried to set up RDP persistence through Ngrok but failed.
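The chain described above leaves two signals in the database server's own error log before any ransomware runs: a burst of failed SQL logins followed by a success from the same source, and the xp_cmdshell option being switched on. The detection logic below is an added example, not code from the Securonix report. It parses constructed lines in the SQL Server ERRORLOG layout (timestamp, source, message); the IPs, login names and spid are made up, and the five-failure threshold and 60-second window are assumptions to tune per environment.

```python
"""Detect DB#JAMMER-style activity in SQL Server error-log lines.

Added example, not code from the Securonix report. The sample lines are
constructed to mimic the SQL Server ERRORLOG format (timestamp, source,
message); IPs, logins and spids are made up. Thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failed 'sa' logins from one client, the
# success that follows, then the two sp_configure changes that enable
# xp_cmdshell, and one unrelated failure from an internal host.
SAMPLE_LOG = """\
2023-09-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:01.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:02.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:02.40 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2023-09-01 10:00:05.00 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-01 10:00:05.20 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-01 11:30:00.00 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<source>\S+)\s+(?P<msg>.*)$")
CLIENT_RE = re.compile(r"\[CLIENT: (?P<ip>[^\]]+)\]")
FAIL_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'")
OK_RE = re.compile(r"Login succeeded for user '(?P<user>[^']*)'")
CONFIG_RE = re.compile(r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")


def parse_line(line):
    """Return a dict describing one ERRORLOG line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    ev = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
          "source": m.group("source"), "kind": "other"}
    client = CLIENT_RE.search(msg)
    if client:
        ev["ip"] = client.group("ip")
    fail, ok, cfg = FAIL_RE.search(msg), OK_RE.search(msg), CONFIG_RE.search(msg)
    if fail:
        ev.update(kind="login_failed", user=fail.group("user"))
    elif ok:
        ev.update(kind="login_ok", user=ok.group("user"))
    elif cfg:
        ev.update(kind="config_change", option=cfg.group("option"), new=int(cfg.group("new")))
    return ev


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for brute-force bursts, a success after a burst, and xp_cmdshell being enabled."""
    alerts = []
    failures = defaultdict(list)   # client ip -> timestamps of recent failures
    bursting = set()               # ips that already crossed the threshold
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev.get("ip", "unknown")
        if ev["kind"] == "login_failed":
            recent = [t for t in failures[ip] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            failures[ip] = recent
            if len(recent) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append({"rule": "sql_brute_force", "ip": ip, "user": ev["user"],
                               "count": len(recent), "ts": ev["ts"]})
        elif ev["kind"] == "login_ok" and ip in bursting:
            # The burst paid off: this is the initial-access moment in the chain above.
            alerts.append({"rule": "brute_force_success", "ip": ip, "user": ev["user"], "ts": ev["ts"]})
        elif ev["kind"] == "config_change" and ev["option"] == "xp_cmdshell" and ev["new"] == 1:
            alerts.append({"rule": "xp_cmdshell_enabled", "source": ev["source"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run stand-alone, the script prints the three alerts raised on the sample: the burst from 203.0.113.7, the success that follows it, and the xp_cmdshell change (the 'show advanced options' line is ignored because it is a prerequisite, not the option itself). On a live instance the same state can be confirmed directly: `SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'` should return 0, and a 1 with no change record is exactly what the third rule is looking for.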
“A brute force attack against an MS SQL server made the attack work at first,” the experts said. “It’s essential to stress the significance of strong passwords, particularly for services that are open to the public.”
The news comes as the operators of the Rhysida ransomware have already extorted 41 victims, more than half of them in Europe.
Rhysida is one of the new ransomware families that emerged in May 2023. It uses the increasingly prevalent technique of encrypting and stealing an enterprise's private data and threatening to leak it if the victim doesn't pay.
It also follows the release of an open-source decryptor for a ransomware strain called Key Group, which takes advantage of several mistakes in the program's encryption. However, the Python tool only works with samples built after August 3, 2023.
“Key Group ransomware employs a base64-encoded static key N0dQM0I1JCM= to encrypt victims’ data,” a Dutch cybersecurity company called EclecticIQ said in a report that came out Thursday.
“The threat agent used a cryptographic method called ‘salting’ to try to make the data that was encrypted even more random. The salt was always the same and was used in every encryption process. This is a major flaw in the encryption method.”
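To show why the combination EclecticIQ describes is enough for a decryptor to exist, here is an added illustration built from the Python standard library. It is not Key Group's real cipher, only a model of the property quoted above: one static key and one fixed salt for every victim. The base64 key is the value quoted in the report; the salt bytes, the PBKDF2 derivation and the HMAC-based stream cipher are constructed for the example.

```python
"""Model of the flaw EclecticIQ describes: a static key plus a constant salt.

Added example, not Key Group's real cipher. PBKDF2 and an HMAC-SHA256
counter-mode keystream are stand-ins chosen so the script runs offline
with only the standard library.
"""
import base64
import hashlib
import hmac
import os

STATIC_KEY = base64.b64decode("N0dQM0I1JCM=")   # base64 value quoted in the report
CONSTANT_SALT = b"constructed-fixed-salt"       # constructed stand-in for "the salt was always the same"
ITERATIONS = 10_000                             # kept low so the example runs quickly


def derive_key(secret: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 stand-in for whatever derivation the malware uses."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stream cipher for illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


# --- The flawed scheme: every victim, every file, same key and same salt ---

def static_encrypt(plaintext: bytes) -> bytes:
    key = derive_key(STATIC_KEY, CONSTANT_SALT)
    return xor_stream(plaintext, key, CONSTANT_SALT[:8])


def static_decrypt(ciphertext: bytes) -> bytes:
    """What an open-source decryptor can do once key and salt are known."""
    key = derive_key(STATIC_KEY, CONSTANT_SALT)
    return xor_stream(ciphertext, key, CONSTANT_SALT[:8])


def static_scheme_is_deterministic(plaintext: bytes) -> bool:
    """Two victims with the same file content get byte-identical ciphertext."""
    return static_encrypt(plaintext) == static_encrypt(plaintext)


# --- Contrast: a fresh salt per victim removes determinism but not recoverability ---

def per_victim_encrypt(plaintext: bytes) -> tuple:
    salt = os.urandom(16)                  # would be stored alongside the ciphertext
    key = derive_key(STATIC_KEY, salt)
    return salt, xor_stream(plaintext, key, salt[:8])


def per_victim_decrypt(salt: bytes, ciphertext: bytes) -> bytes:
    """Still recoverable by anyone holding the static key, because the salt is not secret."""
    key = derive_key(STATIC_KEY, salt)
    return xor_stream(ciphertext, key, salt[:8])


if __name__ == "__main__":
    sample = b"quarterly-report.xlsx contents (constructed)"
    ct = static_encrypt(sample)
    print("deterministic:", static_scheme_is_deterministic(sample))
    print("recovered with static key and salt:", static_decrypt(ct) == sample)
    salt, ct2 = per_victim_encrypt(sample)
    print("per-victim ciphertext differs:", ct2 != ct)
    print("still recoverable with static key:", per_victim_decrypt(salt, ct2) == sample)
```

The contrast at the end is deliberate: a random per-victim salt only removes the byte-identical-ciphertext property, while the static key embedded in the program still lets anyone who extracts it decrypt every victim. That is why the report treats the static key as the root cause and the constant salt as something that compounds it rather than a separate fix.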
After a downturn in 2022, ransomware attacks reached a record high in 2023. However, the share of victims that paid the ransom has dropped to a record low of 34%, according to data released by Coveware in July 2023.
On the other hand, the average ransom payment has reached $740,144, 126% more than in Q1 2023.
Alongside the changes in monetization rates, ransomware threat actors have continued to refine their extortion techniques. For example, they share details of their attack methods to show why victims don't qualify for a cyber insurance payout.
Emsisoft security expert Brett Callow said in a post on X (formerly Twitter) last month that “Snatch states they are going to disclose specifics of how assaults on non-paying victims worked in the hopes that policyholders will ultimately decide that the events should not be covered by insurance ransomware.”
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also frequently writes for Craw Security.