Hackers exploit poorly secured MS SQL servers to spread FreeWorld ransomware


Hackers are targeting poorly secured, internet-exposed Microsoft SQL Server (MSSQL) databases, brute-forcing their logins to deliver ransomware and Cobalt Strike payloads.

Spotted by security firm Securonix, the attacks are part of the DB#JAMMER campaign, which stands out for the sophistication of the attacker's tooling, infrastructure and payloads.

“Some of these tools include enumeration software, RAT payloads, exploitation and credential-stealing software, and finally ransomware payloads. The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld,” the Securonix Threat Research team noted in a report.

The attackers gain initial access by brute-forcing the MS SQL server's login, then use the compromised account to enumerate the database and enable the xp_cmdshell configuration option (off by default), which lets them run operating-system shell commands from inside the SQL Server process and conduct reconnaissance on the host.
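The initial-access stage described above leaves a recognisable trail in the SQL Server ERRORLOG. The following is an added example (not from the Securonix report and not the campaign's tooling) that parses constructed log lines in the standard ERRORLOG format: it flags a client that accumulates repeated "Login failed" entries inside a short window, records whether that client subsequently logged in, and catches the "Configuration option ... changed" message SQL Server writes when xp_cmdshell is switched on. The sample lines, IP addresses, spid and thresholds are constructed for illustration; note that "Login succeeded" lines only appear when login auditing is configured to record both failed and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server ERRORLOG format (not real campaign data).
# "Login succeeded" lines are only written if login auditing covers successful logins too.
SAMPLE_ERRORLOG = """\
2023-08-29 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-29 10:15:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-29 10:15:01.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-29 10:15:01.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-29 10:15:01.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-29 10:15:02.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-29 10:15:30.02 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
2023-08-29 10:15:44.80 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-08-29 10:16:02.11 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-08-29 10:16:02.15 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<src>\S+)\s+(?P<msg>.*)$")
CLIENT_RE = re.compile(r"\[CLIENT: (?P<ip>[0-9A-Fa-f.:]+)\]")
CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")

# sp_configure options whose enablement hands an attacker OS-level execution from inside SQL Server.
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}


def parse_errorlog(text):
    """Turn ERRORLOG text into dicts with a parsed timestamp, source column, message and client IP."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and continuation lines carry no timestamp prefix
        client = CLIENT_RE.search(m["msg"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "src": m["src"],
            "msg": m["msg"],
            "client": client["ip"] if client else None,
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Clients with >= threshold failed logins inside a sliding window, and whether they later got in."""
    recent = defaultdict(list)  # client -> failure timestamps still inside the window
    total = defaultdict(int)    # client -> every failure seen
    hits = {}
    for e in events:
        ip = e["client"]
        if ip is None:
            continue
        if e["msg"].startswith("Login failed for user"):
            total[ip] += 1
            recent[ip] = [t for t in recent[ip] if e["ts"] - t <= window] + [e["ts"]]
            if len(recent[ip]) >= threshold:
                hits.setdefault(ip, {"failures": 0, "success_after": False, "first_seen": recent[ip][0]})
                hits[ip]["failures"] = total[ip]
        elif e["msg"].startswith("Login succeeded for user") and ip in hits:
            hits[ip]["success_after"] = True  # a brute-force burst that ended in a valid login
    return hits


def find_config_changes(events, watched=WATCHED_OPTIONS):
    """(timestamp, source, option) for every watched sp_configure option that was turned on."""
    out = []
    for e in events:
        m = CONFIG_RE.search(e["msg"])
        if m and m["opt"] in watched and m["new"] != "0":
            out.append((e["ts"], e["src"], m["opt"]))
    return out


if __name__ == "__main__":
    evts = parse_errorlog(SAMPLE_ERRORLOG)
    for ip, info in find_bruteforce(evts).items():
        print(f"brute force from {ip}: {info['failures']} failures, logged in afterwards: {info['success_after']}")
    for ts, src, opt in find_config_changes(evts):
        print(f"{ts} {src}: '{opt}' enabled")
```

A failed-login burst followed by a success from the same client, then an xp_cmdshell enablement a minute later, is exactly the sequence to alert on; the spid in the configuration message lets you tie the change back to the session that made it.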

The next stage of the attack weakens the host's defences: the attackers disable the Windows Firewall, turn off network security protections and relax RDP authentication settings.

The researchers also observed the threat actor executing commands from an SMB-delivered binary, svr.exe, which appears to be a Cobalt Strike command-and-control payload. The attackers then attempted to establish RDP persistence with Ngrok, a reverse-proxy and tunneling service: the Ngrok agent on the host opens an outbound connection and exposes the local RDP port through Ngrok's infrastructure, so inbound firewall rules never come into play.

A network port scanner and the Mimikatz credential-dumping tool were also deployed to attempt lateral movement to other systems on the network. In the final stage, the attackers downloaded a file called "5000.exe", which dropped FreeWorld, a variant of Mimic ransomware, onto the system.

As countermeasures, the researchers advise using strong passwords, limiting use of the xp_cmdshell stored procedure, not exposing MSSQL directly to the internet but placing it behind a trusted platform such as a VPN, monitoring common malware staging directories, especially "C:\Windows\Temp", and deploying additional process-level logging such as Sysmon and PowerShell logging to extend detection coverage.
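To show what the Sysmon recommendation buys you against this intrusion chain, here is an added example (not from the report, and not Securonix's or the attacker's code) that triages constructed Sysmon Event ID 1 (process create) and Event ID 11 (file create) records. It encodes three checks drawn from the attack described above: a shell or script host whose parent process is sqlservr.exe (the process lineage xp_cmdshell produces), command lines that disable the firewall or alter RDP settings, and executables written to or launched from common staging directories such as C:\Windows\Temp. The records, paths, user names and command lines are constructed for illustration; field names follow Sysmon's, and the records are assumed to have been exported already into dictionaries.

```python
# Constructed Sysmon-style records (field names as in Sysmon Event ID 1 and 11).
# Not events from the Securonix report; paths, users and command lines are illustrative.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SQLSERVR, "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": '"sqlservr.exe" -sMSSQLSERVER', "User": r"NT SERVICE\MSSQLSERVER"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SQLSERVR,
     "CommandLine": "cmd.exe /c whoami", "User": r"NT SERVICE\MSSQLSERVER"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SQLSERVR,
     "CommandLine": "cmd.exe /c netsh advfirewall set allprofiles state off",
     "User": r"NT SERVICE\MSSQLSERVER"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\Temp\5000.exe", "User": r"NT SERVICE\MSSQLSERVER"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\5000.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\Temp\5000.exe", "User": r"NT SERVICE\MSSQLSERVER"},
    {"EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf", "User": r"CORP\alice"},
]

# Shells and script hosts that sqlservr.exe has no business spawning unless xp_cmdshell is in use.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
# Lower-cased substrings of commands that disable the firewall, open RDP or turn off NLA/AV.
DEFENSE_TAMPER = ("netsh advfirewall", "fdenytsconnections", "userauthentication",
                  "disablerealtimemonitoring")
# Staging directories the report singles out plus two common ones (lower-cased, trailing separator).
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\", "c:\\programdata\\")
EXEC_EXTS = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs")


def basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_staging_dir(path):
    return path.lower().startswith(STAGING_DIRS)


def triage_sysmon(records):
    """Return (rule, detail) findings for process-create (1) and file-create (11) records."""
    findings = []
    for r in records:
        if r["EventID"] == 1:
            child, parent = basename(r["Image"]), basename(r["ParentImage"])
            cmd = r.get("CommandLine", "")
            if parent == "sqlservr.exe" and child in SUSPICIOUS_CHILDREN:
                findings.append(("xp_cmdshell_exec", cmd))
                if any(k in cmd.lower() for k in DEFENSE_TAMPER):
                    findings.append(("defense_tamper", cmd))
            if in_staging_dir(r["Image"]):
                findings.append(("staging_exec", r["Image"]))
        elif r["EventID"] == 11:
            target = r["TargetFilename"]
            if in_staging_dir(target) and target.lower().endswith(EXEC_EXTS):
                findings.append(("staging_write", target))
    return findings


if __name__ == "__main__":
    for rule, detail in triage_sysmon(SAMPLE_EVENTS):
        print(f"{rule:18} {detail}")
```

On a server where xp_cmdshell is legitimately never used, the parent/child rule alone is high-fidelity; where a maintenance job does rely on it, pair it with the command-line tamper check and the staging-directory rules so that reconnaissance, defence evasion and payload delivery each produce their own alert.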

