Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware


Sep 01, 2023 | THN | Database Security / Ransomware

Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld.

Cybersecurity firm Securonix, which has dubbed the campaign DB#JAMMER, said it stands out for the way the toolset and infrastructure is employed.

"Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity.

"The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld."

Initial access to the victim host is achieved by brute-forcing the MS SQL server, using it to enumerate the database and leveraging the xp_cmdshell configuration option to run shell commands and conduct reconnaissance.

The next stage entails taking steps to impair the system firewall and establish persistence by connecting to a remote SMB share to transfer files to and from the victim system, as well as to install malicious tools such as Cobalt Strike.

This, in turn, paves the way for the distribution of AnyDesk software to ultimately push FreeWorld ransomware, but not before carrying out a lateral movement step. The unknown attackers are also said to have unsuccessfully attempted to establish RDP persistence through Ngrok.

"The attack initially succeeded as a result of a brute force attack against an MS SQL server," the researchers said. "It is important to emphasize the importance of strong passwords, especially on publicly exposed services."
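The two observable stages of the intrusion described above, a password brute force against the SQL Server login and the subsequent enabling of xp_cmdshell, both leave traces in the SQL Server ERRORLOG. The following detector is an added example written for this article and is not part of the Securonix report or its tooling. The log lines are constructed in the standard ERRORLOG format (error 18456 "Login failed for user" entries with a [CLIENT: ...] suffix, and the "Configuration option 'xp_cmdshell' changed from 0 to 1" message); the IP addresses, user names and timestamps are invented, and the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not from the report): six failures from one
# client in a few seconds, then a success, an unrelated failure, and xp_cmdshell being enabled.
SAMPLE_ERRORLOG = """\
2023-09-01 10:15:22.12 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-01 10:15:22.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:15:23.04 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:15:24.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:15:25.33 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-09-01 10:15:26.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:15:27.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:15:28.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-01 10:15:30.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2023-09-01 10:16:40.77 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
LOGIN_FAILED = re.compile(
    TS + r"\s+Logon\s+Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)
XP_CMDSHELL_ON = re.compile(
    TS + r"\s+spid\d+\s+Configuration option 'xp_cmdshell' changed from 0 to 1"
)


def parse_ts(ts: str) -> datetime:
    # ERRORLOG timestamps carry hundredths of a second; %f accepts 1-6 digits.
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins inside a sliding time window.

    Returns one record per offending client with the peak failure count seen
    inside any window and the set of login names it tried.
    """
    recent = defaultdict(deque)   # client -> timestamps of failures still inside the window
    users = defaultdict(set)      # client -> login names attempted
    peak = defaultdict(int)       # client -> highest in-window failure count observed
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if not m:
            continue
        ts, client = parse_ts(m["ts"]), m["client"]
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        users[client].add(m["user"])
        peak[client] = max(peak[client], len(q))
    return [
        {"client": c, "users": sorted(users[c]), "failures_in_window": n}
        for c, n in sorted(peak.items())
        if n >= threshold
    ]


def detect_xp_cmdshell_enabled(lines):
    """Return timestamps at which xp_cmdshell was switched on (a high-signal event
    on a server that never legitimately uses it)."""
    hits = []
    for line in lines:
        m = XP_CMDSHELL_ON.match(line)
        if m:
            hits.append(m["ts"])
    return hits


if __name__ == "__main__":
    lines = SAMPLE_ERRORLOG.splitlines()
    for alert in detect_bruteforce(lines):
        print("brute force:", alert)
    for ts in detect_xp_cmdshell_enabled(lines):
        print("xp_cmdshell enabled at", ts)
```

In practice the same two patterns can be fed from the live ERRORLOG, from Windows Application event ID 18456, or from SQL Server Audit; pairing a brute-force alert with a later "Login succeeded" from the same client, and then an xp_cmdshell enable, is exactly the sequence this campaign produces.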

The disclosure comes as the operators of the Rhysida ransomware have claimed 41 victims, with more than half of them located in Europe.

Rhysida is one of the nascent ransomware strains that emerged in May 2023, adopting the increasingly popular tactic of encrypting and exfiltrating sensitive data from organizations and threatening to leak the information if the victims refuse to pay.

It also follows the release of a free decryptor for a ransomware called Key Group owing to several cryptographic errors in the program. The Python script, however, only works on samples compiled after August 3, 2023.

"Key Group ransomware uses a base64 encoded static key N0dQM0I1JCM= to encrypt victims' data," Dutch cybersecurity company EclecticIQ said in a report released Thursday.

"The threat actor attempted to increase the randomness of the encrypted data by using a cryptographic technique called salting. The salt was static and used for every encryption process, which poses a significant flaw in the encryption routine."
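Why a static salt on top of a static key defeats the purpose of salting is easiest to see with a small worked example. The following is an added illustration written for this article, not Key Group's code and not EclecticIQ's decryptor: the scheme (PBKDF2 key derivation feeding a SHA-256 counter-mode keystream) is a constructed toy, and the only value taken from the page is the quoted base64 key. With the salt fixed, every file is XORed with the same keystream, so two ciphertexts XOR to the XOR of their plaintexts and a single known plaintext recovers the keystream for every other file; a fresh random salt per file, stored alongside the ciphertext, removes that reuse.

```python
import base64
import hashlib
import secrets

# Quoted in the EclecticIQ report; the rest of this file is a constructed toy
# scheme and does NOT reproduce Key Group's actual encryption routine.
STATIC_KEY = base64.b64decode("N0dQM0I1JCM=")
STATIC_SALT = b"constructed-fixed-salt"  # constructed stand-in for a salt that never changes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def derive_key(secret: bytes, salt: bytes) -> bytes:
    # PBKDF2 is deterministic: same secret + same salt always yields the same key.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 50_000, dklen=32)


def keystream(key: bytes, salt: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: concatenated SHA-256(key || salt || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + salt + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def weak_encrypt(plaintext: bytes) -> bytes:
    """Static key and static salt: every file is XORed with one identical keystream."""
    key = derive_key(STATIC_KEY, STATIC_SALT)
    return xor_bytes(plaintext, keystream(key, STATIC_SALT, len(plaintext)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """With keystream reuse, one known plaintext/ciphertext pair exposes the keystream,
    which then decrypts every other file up to that length."""
    return xor_bytes(ciphertext, known_plaintext)


def strong_encrypt(plaintext: bytes) -> bytes:
    """Per-file random salt stored in front of the ciphertext, so keystreams never repeat.
    (A key hard-coded in the binary is still recoverable from the binary; the random
    salt only fixes the reuse flaw, which is the point being illustrated here.)"""
    salt = secrets.token_bytes(16)
    key = derive_key(STATIC_KEY, salt)
    return salt + xor_bytes(plaintext, keystream(key, salt, len(plaintext)))


def strong_decrypt(blob: bytes) -> bytes:
    salt, ciphertext = blob[:16], blob[16:]
    key = derive_key(STATIC_KEY, salt)
    return xor_bytes(ciphertext, keystream(key, salt, len(ciphertext)))


if __name__ == "__main__":
    # Constructed sample "files".
    pt1 = b"Quarterly report: revenue up 12% versus Q1"
    pt2 = b"Payroll export 2023-08"
    ct1, ct2 = weak_encrypt(pt1), weak_encrypt(pt2)
    ks = recover_keystream(ct1, pt1)
    print("second file decrypted via reused keystream:", xor_bytes(ct2, ks) == pt2)
    print("same plaintext, two strong encryptions identical:",
          strong_encrypt(pt1) == strong_encrypt(pt1))
```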


2023 has witnessed a record surge in ransomware attacks following a lull in 2022, even as the percentage of incidents that resulted in the victim paying has fallen to a record low of 34%, according to statistics shared by Coveware in July 2023.

The average ransom amount paid, on the other hand, has hit $740,144, up 126% from Q1 2023.

The fluctuations in monetization rates have been accompanied by ransomware threat actors continuing to evolve their extortion tradecraft, including sharing details of their attack methods to show why their victims aren't eligible for a cyber insurance payout.

"Snatch claims they will release details of how attacks against non-paying victims succeeded in the hope that insurers will decide that the incidents shouldn't be covered by insurance ransomware," Emsisoft security researcher Brett Callow said in a post shared on X (formerly Twitter) last month.
