Microsoft SQL servers targeted in ransomware attacks
An ongoing campaign is trying to spread FARGO ransomware to as many Microsoft SQL servers as possible, experts have found.
According to cybersecurity researchers at the AhnLab Security Emergency Response Center (ASEC), threat actors are accelerating in search of unsecured MS-SQL servers or servers protected by weak and easy-to-crack passwords.
The attackers engage in brute-force and dictionary attacks, the researchers further explain, meaning that once they’ve set their sights on specific servers, they’ll try as many password combinations as possible until one sticks.
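The brute-force and dictionary activity described above leaves a trail in the SQL Server ERRORLOG as repeated "Login failed for user" entries from the same client address. The following is an added detection example, not code from the article or from ASEC; it parses constructed sample log lines (the timestamps, user names and addresses are invented for the demo) and flags any client that produces at least `threshold` failed logins inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG "Logon" lines (not from the article).
# One external client hammers the 'sa' account, one internal user mistypes once.
SAMPLE_LOG = """\
2022-09-20 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2022-09-20 10:15:01.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2022-09-20 10:15:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2022-09-20 10:15:02.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.10]
2022-09-20 10:15:03.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2022-09-20 10:15:03.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2022-09-20 10:20:00.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2022-09-20 10:21:00.00 Logon       Login succeeded for user 'reports'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
"""

# Matches the failed-login line shape used above: timestamp, "Logon", message, client tag.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.\s*(?:Reason: (?P<reason>.*?)\s*)?"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, client) tuples for failed logins only."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag clients with >= threshold failures within any window_seconds span.

    Returns {client: (peak_failures_in_window, sorted list of targeted users)}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-client sliding window of (ts, user)
    flagged = {}
    for ts, user, client in sorted(events):
        q = recent[client]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(client, (0, []))[0])
            flagged[client] = (peak, sorted({u for _, u in q}))
    return flagged


if __name__ == "__main__":
    for client, (count, users) in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"possible brute force from {client}: {count} failures, accounts {users}")
```

Point the parser at a real ERRORLOG (`C:\Program Files\Microsoft SQL Server\MSSQL*\MSSQL\Log\ERRORLOG` by default) and tune the threshold to the instance's normal failure rate; note that the instance's login auditing setting must be recording failed logins for these lines to exist at all.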
Leaks on Telegram
Endpoints with weak passwords can be accessed that way; once inside, the attackers encrypt the files, giving them a .Fargo3 extension, and drop a ransom note titled RECOVERY FILES.txt.
The ransomware skips a number of Windows system folders during encryption, including startup files, Tor Browser, Internet Explorer, user customizations and settings, the debug log file, and the thumbnail database. In the ransom note, the attackers threaten to release the stolen files on their Telegram channel unless their demands are met.
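The two file-system indicators the article gives, the .Fargo3 extension and the RECOVERY FILES.txt note, are enough for a first-pass triage of a suspect host. Below is an added example (not from the article or the researchers) that walks a directory tree and reports how many files carry the extension, where the notes are, and which directories were hit; the sample tree it builds is constructed for the demo and contains no real victim data.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the article: encrypted files get ".Fargo3", note is "RECOVERY FILES.txt".
ENCRYPTED_EXT = ".Fargo3"
RANSOM_NOTE = "RECOVERY FILES.txt"


def scan_for_fargo_artifacts(root):
    """Walk `root` and summarise FARGO-style artifacts found beneath it."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = str((Path(dirpath) / name).relative_to(root))
            if name.endswith(ENCRYPTED_EXT):  # exact, case-sensitive extension match
                encrypted.append(rel)
            elif name == RANSOM_NOTE:
                notes.append(rel)
    directories_hit = sorted({str(Path(e).parent) for e in encrypted})
    return {
        "encrypted_count": len(encrypted),
        "ransom_notes": sorted(notes),
        "directories_hit": directories_hit,
    }


def build_sample_tree():
    """Create a constructed directory layout (demo data only) and return its path."""
    root = tempfile.mkdtemp(prefix="fargo_triage_demo_")
    layout = {
        "Data/backup.bak.Fargo3": b"",
        "Data/RECOVERY FILES.txt": b"constructed note text",
        "Data/invoices/q3.xlsx.Fargo3": b"",
        "Data/invoices/RECOVERY FILES.txt": b"constructed note text",
        "Data/readme.txt": b"untouched file",
    }
    for rel, content in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(scan_for_fargo_artifacts(demo_root))
```

On a live host, run the scan against data volumes before anything is restored, so the list of affected directories is preserved for the incident record and the notes can be collected as evidence.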
Microsoft SQL servers host data used by various Internet services and apps, making them critical to the day-to-day operations of many organizations. As such, they are prime targets for various cybercriminals seeking to deploy malware and steal sensitive data.
So far this year, TechRadar Pro has reported twice about crooks attacking MS-SQL servers, once in April and once in May. In April, a threat actor was spotted dropping Cobalt Strike beacons on vulnerable servers, while in May, crooks were seen using brute force attacking the endpoints.
“The attackers achieve fileless persistence by running the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the SQL service’s start mode to LocalSystem”, the Microsoft Security Intelligence team revealed at the time.
This attack, BleepingComputer claims, is “more catastrophic” as it seeks faster profits through blackmail.
Via: BleepingComputer