STAC6451 Hackers Attacking Microsoft SQL Servers to Compromise Organizations

Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.


A newly identified hacker group, designated as STAC6451, has been actively targeting Microsoft SQL (MSSQL) servers to compromise organizations, primarily in India. This group leverages exposed MSSQL servers to deploy ransomware and other malicious activities, posing a significant threat to various sectors.

STAC6451 exploits MSSQL servers exposed to the public internet through the default TCP/IP port 1433. The group’s tactics, techniques, and procedures (TTPs) include:

  • Unauthorized Access: The group gains initial access by brute-forcing weak credentials on exposed MSSQL servers.
  • Enabling xp_cmdshell: Once access is obtained, attackers enable the xp_cmdshell stored procedure, which allows them to execute arbitrary commands on the server.
  • Using Bulk Copy Program (BCP): The attackers use the BCP utility to stage and deploy malicious payloads, including privilege escalation tools, Cobalt Strike Beacons, and Mimic ransomware binaries.
  • Creating Backdoor Accounts: The Python Impacket library is used to create various backdoor accounts (e.g., “ieadm”, “helpdesk”, “admins124”, “rufus”) for lateral movement and persistence.


STAC6451 Hackers Attacking Microsoft SQL Servers

STAC6451 primarily targets MSSQL servers that are directly exposed to the internet with weak credentials. After gaining access, the attackers enable the xp_cmdshell stored procedure to execute commands from the SQL instance. This procedure, disabled by default, should not be enabled on exposed servers due to its security risks.

Attack Flow

Once xp_cmdshell is enabled, the attackers execute various discovery commands to gather information about the system, including version, hostname, available memory, domain, and username context. These commands are often automated and executed in a uniform order across multiple victim environments.

The attackers use the BCP utility to copy malicious payloads into the MSSQL database. They then export these payloads to writable directories on the server, staging tools such as AnyDesk, batch scripts, and PowerShell scripts. These tools facilitate further exploitation and persistence.

STAC6451 creates multiple user accounts across victim environments to maintain access and facilitate lateral movement. These accounts are added to the local administrator and remote desktop groups. The attackers also deploy tools like AnyDesk for remote control and enable Wdigest in the registry to store credentials in clear text.

The group uses a malware tool called PrintSpoofer to escalate privileges by exploiting weaknesses in the Windows spooler service. This tool interacts with the spooler service to gain elevated privileges and execute malicious commands or payloads.

Sophos has observed STAC6451 targeting Indian organizations across multiple sectors. While ransomware deployment was blocked in tracked incidents, the threat remains active. The group’s activities indicate a moderate level of sophistication, with automated stages in their attack chain to facilitate pre-ransomware activities.
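The attack flow above gives defenders a concrete pairing to alert on: a burst of failed logins on port 1433 followed by the server's `xp_cmdshell` option flipping from 0 to 1. The script below is an added illustration, not code from Sophos or the article; it runs over constructed sample lines written in the SQL Server ERRORLOG format (the threshold, window and client addresses are assumptions for the demo).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not real incident data): six failed
# logins from one client, one from another, then xp_cmdshell is enabled.
SAMPLE_LOG = """
2024-05-01 10:00:01.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 10:00:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 10:00:03.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 10:00:04.75 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2024-05-01 10:00:05.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 10:00:06.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 10:01:00.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-05-01 10:03:30.55 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
LOGIN_FAIL = re.compile(TS + r" Logon\s+Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
XP_CMDSHELL = re.compile(TS + r" spid\d+\s+Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse_ts(text):
    """ERRORLOG timestamps carry fractional seconds; %f accepts 1-6 digits."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def detect_xp_cmdshell_after_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per client IP that produced >= threshold failed logins
    within `window` before xp_cmdshell was enabled on the instance."""
    failures = defaultdict(list)  # client ip -> timestamps of failed logins
    alerts = []
    for line in lines:
        m = LOGIN_FAIL.match(line)
        if m:
            failures[m["ip"]].append(parse_ts(m["ts"]))
            continue
        m = XP_CMDSHELL.match(line)
        if m:
            enabled_at = parse_ts(m["ts"])
            for ip, stamps in failures.items():
                recent = [s for s in stamps if enabled_at - window <= s <= enabled_at]
                if len(recent) >= threshold:
                    alerts.append({"client_ip": ip, "failed_logins": len(recent),
                                   "xp_cmdshell_enabled_at": m["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_xp_cmdshell_after_bruteforce(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

The same rule ports directly to a SIEM query over the "Login failed" and "Configuration option" messages; tune the threshold to your own login failure baseline.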

Recommendations

Organizations can mitigate the risk posed by STAC6451 by:

  • Avoiding exposure of MSSQL servers to the internet.
  • Disabling the xp_cmdshell stored procedure on SQL instances.
  • Using application control to block potentially unwanted applications, such as AnyDesk and the Everything search tool.
  • Regularly updating and patching systems to close known vulnerabilities.

Here, you can find the full list of IOCs.
