27 May 2019

New GandCrab ransomware campaign targets MySQL servers on Windows

Security researchers from Sophos Labs spotted a new campaign aimed at internet-facing MySQL servers on Windows with the goal of delivering GandCrab ransomware. A wave of attacks was detected through one of the company’s honeypots that emulates MySQL listening on the default TCP port 3306.

According to Andrew Brandt, Principal Researcher at Sophos, the first step of the attack involves the attacker connecting to the database server and establishing that it is running MySQL. The threat actor then injects a small malicious DLL file into the database server using SQL database commands and invokes the DLL to retrieve the ransomware payload hosted on the attacker’s server.

Then, the attacker uses the “set” command to upload all the bytes that make up the helper DLL, in the form of a long string of hexadecimal characters, into memory in a variable.
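As an added defender-side illustration (not code from the Sophos write-up or this article), the scanner below walks MySQL general-query-log lines and flags the behaviour just described: a SET of a user variable to an unusually long hexadecimal literal, especially one that starts with the 'MZ' magic bytes every Windows PE file, a DLL included, carries. The log-line layout, thread ids, size threshold and sample lines are all constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Assumed layout of a MySQL general query log line written to a file:
#   <timestamp>\t<thread_id> <command>\t<argument>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# SET of a user variable to a hex literal: SET @v = 0x4d5a...  or  SET @v := X'4d5a...'
HEX_SET = re.compile(r"^\s*SET\s+@\w+\s*:?=\s*(?:0x|X')([0-9A-Fa-f]+)'?\s*;?\s*$", re.IGNORECASE)

# Size above which a hex literal stored in a session variable is worth a look
# (threshold is an assumption for this example; tune it to the workload).
MIN_SUSPICIOUS_BYTES = 1024
PE_MAGIC = "4d5a"  # 'MZ', the first two bytes of every Windows PE file, DLLs included

def inspect_query(sql: str) -> Optional[Dict]:
    """Return details if `sql` stores a hex literal in a user variable, else None."""
    m = HEX_SET.match(sql)
    if not m:
        return None
    blob = m.group(1)
    size = len(blob) // 2
    pe_header = blob[:4].lower() == PE_MAGIC
    return {
        "bytes": size,
        "pe_header": pe_header,
        "suspicious": pe_header or size >= MIN_SUSPICIOUS_BYTES,
    }

def scan_general_log(lines: List[str]) -> List[Dict]:
    """Walk general-log lines and return one alert per suspicious hex-literal SET."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        finding = inspect_query(m.group("arg"))
        if finding and finding["suspicious"]:
            alerts.append({"ts": m.group("ts"), "thread": m.group("thread"), **finding})
    return alerts

# Constructed sample log: a benign query, a tiny hex SET, and a SET carrying a
# PE-like blob (MZ header followed by 2000 zero bytes), as the campaign does.
FAKE_DLL_HEX = PE_MAGIC + "9000" + "00" * 2000
SAMPLE_LOG = [
    "2019-05-20T12:00:00.000001Z\t    5 Query\tSELECT VERSION()",
    "2019-05-20T12:00:01.000002Z\t    5 Query\tSET @s = 0x41",
    "2019-05-20T12:00:02.000003Z\t    7 Query\tSET @hex = 0x" + FAKE_DLL_HEX,
]

if __name__ == "__main__":
    for a in scan_general_log(SAMPLE_LOG):
        print(f"{a['ts']} thread {a['thread']}: {a['bytes']} bytes in user variable, PE header={a['pe_header']}")
```

The general query log must be enabled on the server for such lines to exist at all; on a busy instance, feeding it to a log pipeline rather than scanning the file ad hoc is the practical route.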

The Sophos researchers tracked the attacks back to the remote server with an open directory running server software called HFS, which exposed the information about the number of downloads for any file hosted on the server.

“The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file. Counted together, there have been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory,” Sophos observed.

While this campaign does not appear to be massive, it poses a serious risk to MySQL server admins who “have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world,” concluded Brandt. He did not reveal if the attacks were successful.
