MySQL servers hit by DDoS malware botnet
Hackers have been observed targeting vulnerable MySQL servers in an attempt to compromise and assimilate them into a Distributed Denial of Service (DDoS) botnet.
Researchers at the AhnLab Security Emergency Response Center (ASEC) came across a hacking campaign during routine database server threat monitoring. The researchers found that the hackers were scanning the internet for MySQL servers and approaching them in two ways: either by trying to exploit a vulnerability in an unpatched environment, or by brute-forcing their way in. Some MySQL endpoints have weak administrator passwords, allowing hackers to win the guessing game and enter the premises.
Once the server has been compromised, the attackers would use a feature called User-Defined Functions (UDF) which would allow them to run commands on the endpoint. The researchers said the hackers would define certain functions in C or C++ and compile them into a DLL, essentially creating their own malicious UDF. This UDF would, among other things, download the Ddostf malware which would bring the device into the botnet fold.
Patching the servers
The threat actors have no intention of using the botnet themselves, the researchers further stated. Instead, they are creating a DDoS-as-a-Service, where other hackers can rent out the service and use the infrastructure for their own attacks, for a fee. The cost of using the Ddostf botnet is unknown at the time.
It is also worth mentioning that the malicious UDF can do more things than just download the malware. Hackers can also use it to steal sensitive data from the server, set up persistent access, and more.
The best way to protect against these attacks, the researchers concluded, is to make sure your MySQL servers are regularly updated and that you don’t stall with installing the patches. Furthermore, having strong login credentials that get refreshed in regular intervals will make brute-force attacks almost impossible to pull off.
Via BleepingComputer
