Data Center Ransomware Attacks on Rise: Microsoft SQL Server Prime Target

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Ransomware threats are increasingly targeting data center servers and workloads as the initial step in the attack chain.

These systems may not be up-to-date with recommended patches, often run legacy applications without vendor security updates, or may not be scheduled for patch updates to maintain business continuity.

As a result, data centers face a high risk of cyber attacks and ransomware activities.

Microsoft SQL Server – a Prime Target

Database workloads host sensitive data and power mission-critical business services, making them valuable targets for ransomware actors to steal data and extort a ransom by encrypting critical data files.

Microsoft SQL Server is one of the most popular databases deployed globally and an irresistible target for ransomware.

This is primarily because it is deployed on Windows, where attackers have abundant malware tools at their disposal to use as payloads and some that can be leveraged by living off the land.

Free Live Webinar for DIFR/SOC Teams: Securing the Top 3 SME Cyber Attack Vectors - Register Here.

Broadcom has recently released a blog post that brings attention to the increasing number of ransomware attacks targeting data centers, mainly Microsoft SQL Server.

Poorly configured SQL servers and weak admin passwords allow brute force attacks or SQL injection, enabling unauthorized access and data exfiltration.

Compromised systems may then be used as access points to be sold to other parties or for installing additional malicious payloads, ultimately for data exfiltration or financial extortion.

Notable Cyber Threat Activity against Microsoft SQL Server

  • Mimic ransomware, where the initial access was obtained by brute force on exposed Microsoft SQL servers
  • Mallox ransomware, where the initial access attempts were made using a dictionary brute force attack, followed by cmd shell execution for further activities
  • CLR SQLShell, similar to the xp_cmdshell stored procedure used to execute shell commands on Microsoft SQL servers
  • CL0P ransomware exploited a SQL injection zero-day vulnerability CVE-2023-34362 in the MOVEit file transfer application to install a web shell named LEMURLOOT
  • Freeworld ransomware, a new variant of Mimic, is also accessed by brute force on unsecured Microsoft SQL servers.
  • Bluesky ransomware also gained initial access from brute force login to the same account and then enabled the xp_cmdshell stored procedure to execute shell commands

The DCS solution includes network controls, software execution control, software install restrictions, operating system restrictions, process access control, and protected app control, all of which work together to provide zero-day protection against the latest ransomware threats.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP