Microsoft SQL servers targeted in ransomware attacks

By Scott Marlette Last updated Sep 26, 2022

An ongoing campaign is looking to distribute the FARGO ransomware (opens in new tab) to as many Microsoft SQL servers as possible, experts have found.

According to cybersecurity researchers at AhnLab Security Emergency Response Center (ASEC), threat actors are picking up pace, looking for unprotected MS-SQL servers, or those protected by weak and easily cracked passwords.

The attackers are engaged in brute-force and dictionary attacks, the researchers further explain, meaning that once they set their sights on specific servers, they’ll try as many password combinations as possible, until one sticks.

Leaks on Telegram

Endpoints with weak passwords can be accessed that way, and once they access the servers, the attackers would encrypt the files and give them a .Fargo3 extension, and place a ransom note titled RECOVERY FILES.txt.

The ransomware skips a couple of Windows system directories while encrypting, including boot files, Tor Browser, Internet Explorer, user customization and settings, the debug log file, and the thumbnail database. In the ransom note, the attackers threaten to release the stolen files on their Telegram channel, unless their demands are met.

Microsoft SQL servers host data used by various internet services and apps, making them pivotal to the day-to-day operations of many organizations. As such, they’re a major target for various cybercriminals looking to deploy malware (opens in new tab) and steal sensitive data.

So far this year, TechRadar Pro has reported twice on crooks attacking MS-SQL servers, once in April, and once in May. In April, a threat actor was spotted dropping Cobalt Strike beacons on vulnerable servers, while in May, crooks were observed brute-force attacking the endpoints.

“The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem,” the Microsoft Security Intelligence team revealed at the time.

This attack, BleepingComputer claims, is “more catastrophic”, as it aims for a quicker profit through blackmail.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.