Threat Actors Exploits SQL Servers to Deploy FreeWorld Ransomware

Threat actors are exploiting vulnerable Microsoft SQL servers, deploying Cobalt Strike and a ransomware strain named FreeWorld. 

According to cybersecurity firm Securonix, the campaign is notable for the way its infrastructure and toolkit are used. The firm has named the campaign DB#JAMMER.

“Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads[…]The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld,” says security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov in a technical breakdown of the activity.

The attackers first gain access to the victim host by brute-forcing the MS SQL server, enumerating the database, and exploiting the xp_cmdshell configuration option to execute shell commands and conduct reconnaissance.

Next, they take certain steps to disable system firewall in order to develop persistence and install malicious software like Cobalt Strike by connecting to a remote SMB share to transfer files to and from the targeted system.

This in turn opens the door for the eventual dissemination of the FreeWorld ransomware through the AnyDesk software distribution, but not before performing a lateral movement phase. Additionally, it is claimed that the unidentified attackers tried in vain to use Ngrok to establish RDP persistence.

The researchers concluded, “The attack initially suc

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Read the original article: