Poor security in MS SQL results in an “open door”

Every day, it seems as though hackers are finding new and creative ways to infiltrate the network of companies, organizations and government agencies all over the world.  From Exchange exploits to using a companies own software against them (see our LogicMonitor story for more information) to attacking a Microsoft SQL (MS SQL) server, hackers will use any means they can to gain access.

Deploying a new variant of the Mimic ransomware, named FreeWorld, requires access to the internal network of the target organization.  Hackers are now taking advantage of poorly secured MS SQL servers in order to gain access to networks.

By using a brute-force approach, hackers get access to a MS SQL instance, enumerate the database and use the xp_cmdshell option in order to run commands via a shell.  Although it seems useless to gain access to a MS SQL server, the xp_cmdshell option gives them the option to survey the network before moving on.  They can lay dormant, studying your network and servers before making any additional movements.

Once they’re in, have an understanding of your environment and are ready to deploy, they take steps to disable firewalls and establish persistence by transferring files to an open SMB share and installing tools like Cobalt Strike.  Additional tools such as AnyDesk are ultimately installed in order to drop the FreeWorld ransomware on the target network.

Analysts and researchers all over the world are re-emphasizing the point that strong passwords are crucial, along with other security features such as two-factor authentication.  Using default passwords for software is also frowned upon as hackers have a list of all known default usernames and passwords for all kinds of applications.  A target using default passwords makes the job of the hacker a lot easier.

This news comes in the wake of all the other ransomware news that’s happened over the last few months.  Ransomware attacks appear to be on the rise and they’re claiming more and more victims.  The Rhysida ransomware has crippled at least 41 companies, most of them in Europe.  Payments for ransomware is also around $800,000 on average, but the price can drastically increase depending on the amount and type of data that was exfiltrated.

It’s important to stay vigilant with cyber-attacks because the attackers never sleep.  Using AI and other automated techniques, hackers are able to scour the internet for targets, attempt to make connections and for those they connect with, begin the process of gaining persistence in the network.  It’s why it’s also important to have the right people on your side, to help you protect your companies data and important IT infrastructure.  Without it, businesses couldn’t function.

If you’re interested in finding out more about what Balance Business Group has to offer and how we can help you ensure your organization stays safe in the face of mounting cyber-attacks, email us today.  Contact sales@bbg-mn.com to get the discussion started and let us help you navigate the digital storm of attacks and maliciousness.  

“Hackers will use any means necessary to gain access to your network.  They don’t care how they get in, they just want in so they can make you pay.”