Security researchers saw a spate of attacks targeting Windows servers running MySQL databases to infect them with the GandCrab ransomware (detected by Trend Micro as Ransom.Win32.GANDCRAB.SMILC). The attacks, which were first uncovered last May 19 via honeypots, entail scanning internet-facing MySQL databases and checking if they're running on Windows operating systems. Malicious SQL commands are then executed to upload a file that will retrieve and help execute the ransomware.
According to Sophos’ Andrew Brandt, who observed the intrusions, the scanning activity searches for insecure or misconfigured MySQL databases or firewalls. This includes attacks on MySQL servers that expose port 3306, the default port MySQL listens on.
Brandt noted that the versions/samples of GandCrab involved in the attacks were already downloaded over 2,300 times. While the numbers are relatively low, the attack still poses significant security risks. MySQL is a ubiquitous database technology with a reported market share of over 50%.
This is not surprising, as GandCrab’s authors reportedly peddle the ransomware as a service in the cybercriminal underground. This means GandCrab’s affiliates can distribute their version of the ransomware through channels beyond exploit kits and spam. More recently, cybercriminals were seen targeting hosts running vulnerable Confluence collaboration software.
GandCrab isn’t the first to target MySQL databases. An iteration of the notorious Cerber, for instance, also targets database programs and encrypts related files. There are also the cyberextortion campaigns that targeted poorly secured MongoDB databases. Those attacks involve identifying publicly and remotely accessible MongoDB databases, deleting their contents, then extorting their owners.
While ransomware may not be as pervasive as it was before, GandCrab’s latest activity shows how the stakes are getting higher. Ransomware attacks, as shown by LockerGoga and separate incidents in U.S. counties, are becoming more targeted, and their impact more significant. Given that ransomware sometimes needs only a single weak link to infect an enterprise’s online infrastructure, organizations should adopt defense-in-depth practices such as regularly backing up data; keeping systems updated and patched; securing the use of system administration tools; and ensuring that the database is properly configured. MySQL’s documentation, for instance, provides guidelines and recommendations on how to secure it.
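The two conditions the article describes, a MySQL service reachable on port 3306 from the internet and SQL statements that can drop a file onto the host, both trace back to option-file settings an administrator controls. The following audit script is an added example written for this page (it is not Trend Micro's or Sophos' code) that parses a my.ini / my.cnf, flags the weak settings, and shows a hardened counterpart beside it. The sample option files are constructed; the option names (bind-address, local_infile, secure-file-priv, skip-networking) are real MySQL server options, while the checks and their wording are this example's own assumptions rather than a quotation of the MySQL manual.

```python
"""
Added example: audit a MySQL option file for the exposure pattern
described above (internet-facing 3306 plus file writes from SQL).
"""
import configparser
import io

# Constructed sample: a "just get it running" config on a Windows host.
WEAK_MY_INI = """
[mysqld]
port=3306
bind-address=0.0.0.0
local_infile=1
secure-file-priv=
"""

# Constructed sample: the same server with the weak settings corrected.
# An app server that must reach the DB would use an internal address
# instead of 127.0.0.1, plus a firewall rule limiting who can hit 3306.
HARDENED_MY_INI = """
[mysqld]
port=3306
bind-address=127.0.0.1
local_infile=0
secure-file-priv="C:/ProgramData/MySQL/uploads"
"""


def parse_mysqld_section(text):
    """Return [mysqld] options as a dict with normalised keys.

    MySQL accepts '-' and '_' interchangeably in option names, so keys are
    normalised to '_'. Bare flags such as 'skip-networking' have no '=',
    which configparser handles with allow_no_value=True (value None).
    """
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_file(io.StringIO(text))
    if not cp.has_section("mysqld"):
        return {}
    options = {}
    for key, value in cp.items("mysqld"):
        norm = key.strip().lower().replace("-", "_")
        options[norm] = None if value is None else value.strip().strip('"')
    return options


def audit(options):
    """Return a list of (option, message) findings for the parsed options."""
    findings = []
    if "skip_networking" in options:
        return findings  # no TCP listener at all, so nothing reachable on 3306

    port = options.get("port") or "3306"
    # MySQL's built-in default for bind_address is '*' (every interface),
    # so an absent setting is treated as exposed.
    bind = options.get("bind_address") or "*"
    wildcard = [a.strip() for a in bind.split(",")
                if a.strip() in ("*", "0.0.0.0", "::")]
    if wildcard:
        findings.append(("bind_address",
                         f"mysqld listens on all interfaces (port {port}); set "
                         "bind_address to 127.0.0.1 or an internal address and "
                         "firewall the port"))

    if str(options.get("local_infile", "0")).upper() in ("1", "ON", "TRUE"):
        findings.append(("local_infile",
                         "LOAD DATA LOCAL is enabled; set local_infile=0 "
                         "unless an application needs it"))

    if "secure_file_priv" not in options:
        findings.append(("secure_file_priv",
                         "not set explicitly; confirm the running value with "
                         "SHOW VARIABLES LIKE 'secure_file_priv' and pin it"))
    elif options["secure_file_priv"] in ("", None):
        findings.append(("secure_file_priv",
                         "empty, so file export statements may write anywhere "
                         "the service account can; point it at a dedicated "
                         "directory or set it to NULL to disable file writes"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MY_INI), ("hardened", HARDENED_MY_INI)):
        print(f"== {label} ==")
        for option, message in audit(parse_mysqld_section(text)) or [("-", "no findings")]:
            print(f"{option}: {message}")
```

Run it against the real option file of a server (`parse_mysqld_section(open(path).read())`) and treat any finding on a host whose 3306 is reachable from outside the network as urgent; the bind_address and secure_file_priv findings together are the combination the article's attack relies on.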
These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.