Mallox Ransomware Group Activity Shifts Into High Gear
A ransomware actor with a penchant for breaking into target networks via vulnerable SQL servers has suddenly become very active over the past several months and appears poised to become an even bigger threat than it is already.

The group, tracked as Mallox — aka TargetCompany, Fargo, and Tohnichi — first surfaced in June 2021 and claims to have infected hundreds of organizations worldwide since then. The group’s victims include organizations in the manufacturing, retail, wholesale, legal, and professional services sectors.

Sudden Surge

Starting earlier this year, threat activity related to the group has surged, particularly in May, according to researchers at Palo Alto Networks’ Unit 42 threat intelligence team. Palo Alto’s telemetry, and that from other open threat intelligence sources, show a startling 174% increase in Mallox-related activity so far this year, compared to 2022, the security vendor said in a blog this week.

Previously, Mallox was known for being a relatively small and closed ransomware group, says Lior Rochberger, senior security researcher at Palo Alto Networks. She attributes the explosive activity to concerted efforts by group leaders to grow Mallox operations.

“In the beginning of 2023, it appears that the group started putting more efforts into expanding its operations by recruiting affiliates,” she says. “This can potentially explain the surge we observed during this year, and especially more recently, around May.”

The Mallox group’s typical approach for gaining initial access on enterprise networks is to target vulnerable and otherwise insecure SQL servers. Often they start with a brute-force attack where the adversary uses a list of commonly used passwords or known default passwords against an organization’s SQL servers.
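The password-guessing initial access described above leaves a trail in SQL Server's own failed-login records. The following is an added example (not from the article or Unit 42) that flags any client address whose failed logins reach a threshold inside a sliding time window and reports the account names it tried; the log lines are constructed to resemble the SQL Server ERRORLOG "Login failed" format and use documentation IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the SQL Server ERRORLOG format (not real telemetry).
SAMPLE_LOG = """\
2023-05-10 14:32:01.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-10 14:32:01.97 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-10 14:32:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-10 14:32:02.88 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-05-10 14:32:03.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-10 14:40:15.02 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2023-05-10 14:45:00.10 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.7]
"""

# Matches only "Login failed" lines and captures timestamp, login name and client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(log_text):
    """Yield (timestamp, user, client_ip) for each failed-login line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: {usernames tried}} for every client whose failed logins
    reach `threshold` within any sliding window of length `window`."""
    recent = defaultdict(list)   # client -> failure timestamps still inside the window
    users = defaultdict(set)     # client -> distinct login names attempted
    flagged = set()
    for ts, user, client in parse_failed_logins(log_text):
        users[client].add(user)
        bucket = recent[client]
        bucket.append(ts)
        # Evict failures that have aged out of the sliding window (input is in time order).
        while bucket and ts - bucket[0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold:
            flagged.add(client)
    return {client: users[client] for client in flagged}


if __name__ == "__main__":
    for client, names in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {client}: tried {sorted(names)}")
```

A single failed login from a legitimate application host, as in the last two sample lines, stays below the threshold and is not reported.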

Targeting Insecure SQL Servers

Researchers have observed Mallox exploiting at least two remote code execution vulnerabilities in SQL — CVE-2020-0618 and CVE-2019-1068, Rochberger says.

So far, Unit 42 has only observed Mallox infiltrating networks via SQL servers. But other researchers have reported recent attempts to distribute Mallox via phishing emails, suggesting that new affiliate groups are involved now as well, Rochberger says.

“After…
