Web application security course specialists report an attack campaign deployed by a group of Chinese hackers, which are looking for Windows servers running MySQL databases to infect them with the ransomware variant known as GandCrab.
Members of the cybersecurity community claim
that this attack vector had not been detected before. “The most common
thing for hackers is to search for database servers to infiltrate organizations’
systems to inject cryptocurrency mining malware or steal confidential
information, not to deploy ransomware
attacks,” the experts mentioned.
The specialists who detected this attack
campaign mentioned that, in somehow, the discovery was kind of circumstantial.
In their report, web application security course experts mentioned that hackers
scan the Internet to locate accessible databases online to inject malicious SQL
commands into compromised servers, infecting the host with the aforementioned
ransomware variant.
Most MySQL servers have certain protection
measures, such as passwords, which is why attack campaign operators are
carrying that exhaustive analysis, because it is quite probable that they can
find unprotected databases with erroneous security configurations.
Taking as a reference the hackers’ mode of operation,
web application security course experts consider it to be a group of threat
actors with advanced capabilities, knowledge and extensive resources at their
disposal; however, there is still no evidence of successful attacks.
The experts discovered that the attacks
originated from an open directory remote server running software known as HFS,
which shows the download statistics of malicious loads from hackers. “According
to the data collected, the malicious load has been downloaded more than 500
times”, mentions the experts’ report.
According to the specialists from the
International Institute of Cyber Security (IICS), this is not a campaign too
ambitious or wide-ranging, but it can generate serious consequences for the
administrators of MySQL servers that do not count on the security
configurations required to prevent malicious code injection through port 3306.
