MSSQL Databases Under Fire From FreeWorld Ransomware

A cyberattack campaign has been discovered compromising exposed Microsoft SQL Server (MSSQL) databases, using brute-force attacks to deliver ransomware and Cobalt Strike payloads.

According to an investigation by Securonix, the typical attack sequence observed for this campaign begins with brute forcing access into the exposed MSSQL databases. After initial infiltration, the attackers expand their foothold within the target system and use MSSQL as a beachhead to launch several different payloads, including remote-access Trojans (RATs) and a new Mimic ransomware variant called “FreeWorld,” named for the inclusion of the word “FreeWorld” in the binary file names, a ransom instruction file named FreeWorld-Contact.txt, and the ransomware extension, which is “.FreeWorldEncryption.”

The attackers also establish a remote SMB share to mount a directory housing their tools, which include a Cobalt Strike command-and-control agent (srv.exe) and AnyDesk; and, they deploy a network port scanner and Mimikatz, for credential dumping and to move laterally within the network. And finally, the threat actors also carried out configuration changes, from user creation and modification to registry changes, to impair defenses.

Securonix calls the campaign “DB#JAMMER,” and the research team said it exhibits a “high level of sophistication” in terms of the attacker’s utilization of tooling infrastructure and payloads, as well as its rapid execution.

“Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads,” Securonix researchers noted in the report.

“This is not something we have been seeing often, and what truly sets this attack sequence apart is the extensive tooling and infrastructure used by the threat actors,” says Oleg Kolesnikov, vice president of threat research and cybersecurity for Securonix.

Kolesnikov points out the campaign is still ongoing, but his assessment is that it is a relatively targeted campaign at its current stage.

“Our current assessment at this stage is the risk level is medium to high because there are some indications the infiltration vectors used by attackers are not limited to MSSQL,” he…