Researchers at cybersecurity firm AhnLab have been tracking attackers who are breaking into unsecured, Internet-exposed Microsoft SQL servers, taking advantage of easy-to-guess credentials, to deploy Trigona ransomware.
After connecting to a server, the threat actors deploy malware dubbed CLR Shell and eventually escalate privileges to Local System by exploiting a vulnerability in the Windows Secondary Logon Service.
Before encrypting the system and deploying ransom notes, the attackers:
- Install and launch a dropper malware
- Launch the Trigona ransomware
- Configure the ransomware binary to automatically launch
- Restart Windows via autorun key
- Disable system recovery
- Delete any Windows Volume Shadow copies
Trigona encrypts all files on victims’ devices excluding those in specific folders, including the Windows and Program Files directories. Furthermore, the gang also claims to steal sensitive documents that will get added to its dark web leak site.
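As an added example (not from the article or from AhnLab's report), here is a small Python detector for two of the observables described above, run over a constructed SQL Server ERRORLOG excerpt: a run of failed logins followed by a success from the same client, and the 'clr enabled' configuration change that a CLR-based shell needs before it can load. The message formats follow SQL Server's ERRORLOG wording; the client addresses, timestamps and the failure threshold are made-up sample values.

```python
import re
from collections import defaultdict

# Constructed SQL Server ERRORLOG excerpt (sample data, not from the article):
# repeated failed 'sa' logins from one client, a success, then CLR being enabled.
SAMPLE_LOG = """\
2023-04-21 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-21 10:00:01.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-21 10:00:02.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-21 10:00:02.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-21 10:00:03.08 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-21 10:00:03.55 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-04-21 10:00:04.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2023-04-21 10:00:09.42 spid55      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

FAILED = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
SUCCESS = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CLR_ON = re.compile(r"Configuration option 'clr enabled' changed from 0 to 1")


def find_password_guessing(log_text, threshold=5):
    """Return (client, user, failures) for each login that succeeded after at
    least `threshold` failures from the same client: the weak-credential
    pattern behind the intrusions described above."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[(m["client"], m["user"])] += 1
            continue
        m = SUCCESS.search(line)
        if m and failures[(m["client"], m["user"])] >= threshold:
            hits.append((m["client"], m["user"], failures[(m["client"], m["user"])]))
    return hits


def find_clr_enabled(log_text):
    """Return the lines where CLR integration was switched on. A CLR-based
    shell cannot be loaded until this option is enabled, so on servers with no
    business need for CLR assemblies this is a high-value audit event."""
    return [line for line in log_text.splitlines() if CLR_ON.search(line)]


if __name__ == "__main__":
    for client, user, n in find_password_guessing(SAMPLE_LOG):
        print(f"ALERT: {n} failed logins then success for '{user}' from {client}")
    for line in find_clr_enabled(SAMPLE_LOG):
        print("ALERT: CLR enabled:", line)
```

In production the same two checks would run against the live ERRORLOG or the equivalent Windows Application log events, and the 'clr enabled' change can also be caught by a SQL Server Audit on server configuration changes.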
Roy Akerman, Co-Founder & CEO of Rezonate, had this comment:
“External recon is an action performed, all the time, by both attackers and legitimate services. Attackers’ ability today to spot a server that is not patched for a known vulnerability is, unfortunately, high. Ransomware is an opportunity, but what we have seen, with the recent Log4j library or even the Struts vulnerability which was used for the Experian breach a few years back, is that a publicly exposed asset that is not monitored or patched can quickly become an initial exploitation step, where an attacker can drop webshells or ransomware and further expand reach across the enterprise.
“Most often, those servers are out of reach as they are ‘outside the perimeter’ and do not have any agent deployed on them; however, they may have a leg into the more restricted corporate environment due to unused access privileges.”
Hardening anything that is exposed to the Internet should, as far as I am concerned, be essential, because whether it is a light bulb or a SQL server, the bad guys will find it and try to pwn it.
Weak Microsoft SQL Servers Targeted by Trigona Ransomware
Posted in Commentary with tags AhnLab on April 21, 2023 by itnerd