A cyberattack campaign targeting vulnerable Microsoft SQL servers has been discovered, aiming to deploy remote access tools and privilege escalation malware. Security researchers have identified that threat actors are specifically exploiting poorly secured MS-SQL instances to install Ammyy Admin, legitimate remote desktop software that can be misused for unauthorized access, alongside a privilege escalation tool known as PetitPotato. The attackers leverage these compromised servers to establish persistent access to victim networks, potentially enabling data theft and lateral movement within organizational infrastructure.

The attack begins with the identification of MS-SQL servers with weak security configurations, including default credentials or exposed management ports. Once access is gained, the threat actors execute a series of commands to harvest system information, allowing them to tailor their approach to the targeted environment. After initial compromise, they enable Remote Desktop Protocol (RDP) services on the compromised servers, giving them an alternate access method should their primary entry point be discovered.

This multi-layered persistence strategy demonstrates the deliberate nature of the campaign and highlights the importance of comprehensive security monitoring beyond simple malware detection. The researchers note that the campaign bears similarities to previous attacks attributed to financially motivated threat actors, though definitive attribution remains challenging.
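The chain described above (SQL Server compromise, host reconnaissance, RDP enablement) is the kind of activity a defender catches by correlating process telemetry rather than by matching a malware hash. The following is an added detection example, not code from the article or from the researchers it cites. It assumes a generic process-creation feed with `parent`, `image` and `cmdline` fields, and the sample events, field names and indicator patterns are constructed for illustration rather than quoted from the campaign; the one Windows specific it relies on is the real `fDenyTSConnections` registry value, which controls whether RDP connections are refused.

```python
"""Correlate process-creation telemetry to spot a SQL Server host that spawned
a shell, ran reconnaissance commands and then had RDP enabled.

Added example for this article; the events below are constructed telemetry,
and the field names and indicator patterns are assumptions of this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample events (hypothetical hosts, not from the campaign).
SAMPLE_EVENTS = [
    {"host": "sql01",
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami & systeminfo & ipconfig /all"},
    {"host": "sql01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                "/v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"host": "sql01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    # Benign-looking reconnaissance from an interactive session, for contrast.
    {"host": "web02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig"},
]

# Interpreters that the SQL Server service process has no routine reason to launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Typical host-discovery commands (assumed indicator list, not from the article).
RECON_RE = re.compile(
    r"\b(whoami|systeminfo|ipconfig|hostname|tasklist|quser|net\s+(user|localgroup))\b", re.I)
# fDenyTSConnections set to 0 enables RDP; a firewall rule change for the RDP group is the usual companion.
RDP_REG_RE = re.compile(r"fDenyTSConnections.*?/d\s+0\b", re.I)
RDP_FW_RE = re.compile(r'netsh\s+advfirewall.*remote desktop.*enable=yes', re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    cmdline: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(event: dict) -> Set[str]:
    """Apply the per-event rules and return the names of those that fire."""
    rules: Set[str] = set()
    if basename(event["parent"]) == "sqlservr.exe" and basename(event["image"]) in SHELLS:
        rules.add("sql_server_spawned_shell")
    if RECON_RE.search(event["cmdline"]):
        rules.add("host_recon")
    if RDP_REG_RE.search(event["cmdline"]) or RDP_FW_RE.search(event["cmdline"]):
        rules.add("rdp_enabled")
    return rules


def detect(events: Iterable[dict]) -> List[Finding]:
    """Flatten rule hits into findings, one per (event, rule)."""
    return [Finding(e["host"], rule, e["cmdline"])
            for e in events for rule in sorted(evaluate(e))]


def triage(events: Iterable[dict]) -> List[str]:
    """Hosts where the SQL Server process launched a shell AND RDP was enabled.

    Either signal alone is noisy; together on one host they match the
    persistence pattern described in the article and deserve escalation.
    """
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for f in detect(events):
        per_host[f.host].add(f.rule)
    return sorted(h for h, rules in per_host.items()
                  if {"sql_server_spawned_shell", "rdp_enabled"} <= rules)


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding.host:6} {finding.rule:25} {finding.cmdline[:60]}")
    print("escalate:", triage(SAMPLE_EVENTS))
```

The per-event rules are deliberately simple; the value is in `triage`, which raises an alert only when the SQL Server service spawning a shell and an RDP enablement land on the same host. Extending the correlation window with timestamps, and adding the remote access tool's installer path once it is confirmed in your own telemetry, are the natural next steps.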
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 25 Apr 2025 12:00:05 +0000