MS-SQL servers commonly store information such as financial records, customer data, and intellectual property that can be sold on dark web markets.
A hacked MS-SQL server can present an entry point into the organization's network, from where ransomware can be deployed or other malicious activities can be carried out.
Weak passwords, unpatched vulnerabilities, and misconfigurations in MS-SQL installations make them appealing to threat actors who use automated scanning and exploitation tools.
Recently, cybersecurity researchers at Sekoia discovered that hackers have been actively exploiting MS-SQL servers to deploy Mallox ransomware.
Post-intrusion, the attackers leveraged MS-SQL exploits to deploy Mallox ransomware using PureCrypter.
Investigating Mallox samples revealed two affiliate groups - one exploiting vulnerabilities, the other conducting broader system compromises.
Analysis of the logged attacker actions revealed two different recurring exploitation schemes.
These schemes were likely executed using scripts or tools.
By examining IoCs and TTPs, 19 of the many attempts were found to fall into two separate patterns that correspond to one and the same intrusion set.
The MS-SQL exploitation attempts deployed payloads corresponding to PureCrypter, which downloaded files with random multimedia extensions containing encrypted libraries.
These libraries were reflectively loaded, decrypting and executing the next-stage PureCrypter payload, which finally loaded the Mallox ransomware from its resources.
PureCrypter employs evasion techniques like environment detection, privilege adjustments, and deflating or decrypting embedded resources.
When PureCrypter failed, the attacker attempted direct Mallox deployment.
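A defender-side check for the loader behaviour described above, where payloads are hidden under random multimedia extensions. This is an added example, not code from the article or from Sekoia; the sample files, the minimal magic-byte table and the entropy threshold are assumptions made here.

```python
import math
import random
import tempfile
from pathlib import Path

# Media-looking extensions worth inspecting; the table of expected leading bytes is a
# deliberately small, assumed set (offset, magic) and not an exhaustive format list.
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".wav", ".avi"}
MAGIC = {
    ".jpg": (0, b"\xff\xd8\xff"), ".jpeg": (0, b"\xff\xd8\xff"),
    ".png": (0, b"\x89PNG"), ".gif": (0, b"GIF8"), ".mp3": (0, b"ID3"),
    ".mp4": (4, b"ftyp"), ".wav": (0, b"RIFF"), ".avi": (0, b"RIFF"),
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off, genuine media headers sit well below it

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def check_file(path: Path) -> list[str]:
    """Return the reasons a media-named file looks like a disguised payload (empty if none)."""
    ext = path.suffix.lower()
    if ext not in MEDIA_EXT:
        return []
    head = path.read_bytes()[:8192]  # leading bytes are enough for header and entropy checks
    reasons = []
    if head.startswith(b"MZ"):
        reasons.append("PE header under media extension")
    else:
        off, magic = MAGIC[ext]
        if head[off:off + len(magic)] != magic:
            reasons.append("magic bytes do not match extension")
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        reasons.append("high entropy (possibly encrypted blob)")
    return reasons

def scan_dir(directory: str) -> dict[str, list[str]]:
    """Map file name -> reasons for every flagged file in the directory."""
    return {p.name: r for p in Path(directory).iterdir() if p.is_file() and (r := check_file(p))}

def build_sample_dir() -> str:
    """Constructed samples: a real-looking JPEG, a PE disguised as .mp4, an encrypted-looking .png."""
    d = tempfile.mkdtemp()
    Path(d, "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 2000)
    Path(d, "clip.mp4").write_bytes(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 2000)
    rng = random.Random(7)  # seeded so the "encrypted" blob is reproducible
    Path(d, "art.png").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    return d

if __name__ == "__main__":
    for name, reasons in scan_dir(build_sample_dir()).items():
        print(name, "->", "; ".join(reasons))
```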
Mallox is a notorious ransomware-as-a-service operation that distributes multiple variants of the Mallox ransomware, also known as Fargo, TargetCompany, etc.
It accelerated attacks in late 2022 using double extortion, becoming one of the most distributed ransomware families in early 2023.
Mallox operators exploit vulnerabilities in MS-SQL servers, brute-force weak credentials, and leverage phishing for initial access.
It then shifted to specialized negotiation sites on TOR and used a triple extortion strategy, reads the report.
In 2022-2023, Mallox heavily impacted Asian victims in various fields such as manufacturing and retail, despite claiming to avoid attacking Eastern Europe.
The leak site used to publish dumped information listed over 35 victims' names.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 13 May 2024 14:00:19 +0000