Threat actors have been exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain known as FreeWorld. The campaign, tracked as DB#JAMMER by cybersecurity firm Securonix, stands out for the combination of tooling and infrastructure it uses.

The attack begins by brute-forcing credentials on an internet-exposed MS SQL server to gain initial access to the victim host. The attackers then enumerate the database and enable the xp_cmdshell configuration option, which lets them run operating-system shell commands from within SQL and gather information about the host. They go on to impair the host firewall, establish persistence, and connect to a remote SMB share, over which they move files onto the host and install malicious tools, including Cobalt Strike.

With that foothold in place, the attackers deploy the AnyDesk remote-access tool and finally drop the FreeWorld ransomware. Before that final step, they attempt lateral movement and try to keep RDP access to the host open by tunnelling it through Ngrok.

The researchers attribute the campaign's success largely to weak passwords on publicly exposed services: an MS SQL instance reachable from the internet with a guessable login needs no software vulnerability to be compromised. They stress strong, unique passwords for database logins as the primary mitigation.
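One way to catch this chain in the server's own logs, as an added example that is not Securonix's code or anything from their report: the detector below parses SQL Server ERRORLOG lines for a burst of failed logins from a single client (the brute-force phase) and for xp_cmdshell being switched on (the pivot to shell commands), then correlates the two. The log sample, IP addresses, login names, spid and the threshold/window values are constructed for illustration; only the message wording follows SQL Server's own formats for error 18456 and sp_configure changes.

```python
"""Spot the opening moves of a DB#JAMMER-style intrusion in SQL Server's ERRORLOG.

Two signals from the attack chain described above: a burst of failed logins
from one client (credential brute force) and xp_cmdshell being switched on.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG (not a real capture). Message formats follow
# SQL Server's own wording for error 18456 and sp_configure changes; the
# timestamps, IPs, logins and spid are made up.
SAMPLE_ERRORLOG = """\
2023-08-30 10:15:02.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 10:15:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:15:02.31 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 10:15:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:15:02.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:15:02.74 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:15:02.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:15:03.17 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:16:40.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2023-08-30 10:21:09.55 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-08-30 10:21:09.70 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})"
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
LOGIN_FAIL_RE = re.compile(
    TS + r" Logon\s+Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)
CONFIG_CHANGE_RE = re.compile(
    TS + r" (?P<spid>\S+)\s+Configuration option '(?P<option>[^']+)' "
    r"changed from (?P<old>\d+) to (?P<new>\d+)\."
)


def parse_errorlog(text):
    """Turn ERRORLOG lines into event dicts; lines matching neither pattern are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAIL_RE.match(line)
        if m:
            events.append({"kind": "login_failed", "ts": datetime.strptime(m["ts"], TS_FMT),
                           "user": m["user"], "client": m["client"]})
            continue
        m = CONFIG_CHANGE_RE.match(line)
        if m:
            events.append({"kind": "config_change", "ts": datetime.strptime(m["ts"], TS_FMT),
                           "spid": m["spid"], "option": m["option"],
                           "old": int(m["old"]), "new": int(m["new"])})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Per client IP, find the densest window of failed logins; report clients at/above threshold.

    threshold and window_seconds are assumed tuning values, not figures from the report."""
    by_client = defaultdict(list)
    for e in events:
        if e["kind"] == "login_failed":
            by_client[e["client"]].append(e)
    window = timedelta(seconds=window_seconds)
    findings = []
    for client, fails in by_client.items():
        fails.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(fails)):          # sliding window over sorted timestamps
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"client": client, "max_failures_in_window": best,
                             "users": sorted({e["user"] for e in fails}),
                             "first": fails[0]["ts"], "last": fails[-1]["ts"]})
    return findings


def detect_xp_cmdshell_enabled(events):
    """xp_cmdshell going from 0 to 1 is the pivot from SQL access to OS command execution."""
    return [e for e in events
            if e["kind"] == "config_change" and e["option"] == "xp_cmdshell" and e["new"] == 1]


def analyze(text):
    """Run both detectors; xp_cmdshell enabled after a brute-force burst is the DB#JAMMER pattern."""
    events = parse_errorlog(text)
    bursts = detect_bruteforce(events)
    enables = detect_xp_cmdshell_enabled(events)
    likely = any(en["ts"] >= b["last"] for b in bursts for en in enables)
    return {"bruteforce": bursts, "xp_cmdshell_enabled": enables, "likely_compromise": likely}


if __name__ == "__main__":
    report = analyze(SAMPLE_ERRORLOG)
    for b in report["bruteforce"]:
        print(f"brute force from {b['client']}: {b['max_failures_in_window']} failures, users={b['users']}")
    for en in report["xp_cmdshell_enabled"]:
        print(f"xp_cmdshell enabled at {en['ts']} by {en['spid']}")
    print("likely compromise:", report["likely_compromise"])
```

The same failed-login events also reach the Windows Application log (source MSSQLSERVER, event ID 18456), so the logic ports to a SIEM rule unchanged. The hardening side is simpler than the detection: keep xp_cmdshell disabled (`EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;`), do not expose TCP 1433 to the internet, and enforce strong credentials on sa and every other SQL login.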

Separately, the Rhysida ransomware group has now listed 41 victims, more than half of them in Europe. Rhysida is a relatively new strain that exfiltrates sensitive data from organizations and then encrypts it, using the threat of publishing the stolen data (double extortion) to pressure victims into paying.

A free decryptor has also been released for Key Group ransomware, made possible by cryptographic mistakes in the malware; it works only on samples compiled after August 3, 2023. Key Group encrypts data with a static key that is merely base64-encoded inside the binary, and its encryption routine contains further flaws. A hard-coded key means anyone who can extract it from a sample can decrypt the files, which is what the decryptor relies on.

So far, 2023 has seen a record surge in ransomware incidents compared with 2022. At the same time, the share of victims who actually pay has fallen to a record low of 34%, while the average payment has risen 126% to $740,144 in Q2 2023, so fewer payments but much larger ones.

Ransomware actors continue to adjust their extortion tactics. Some now share details of their attacks in an attempt to convince cyber insurers that the victim should not be eligible for coverage. The Snatch group, for example, has said it will publish information on successful attacks against non-paying victims specifically to discourage insurers from covering ransomware losses.

Definitions:

– MS SQL: Microsoft SQL Server, Microsoft's relational database management system; it listens on TCP port 1433 by default, and instances exposed on that port to the internet are what the DB#JAMMER brute-force attacks target

– Cobalt Strike: A commercial adversary-simulation tool built for red teams; its Beacon implant is widely abused by criminals, usually via cracked copies, for post-exploitation command and control

– Ransomware: Malicious software that encrypts victims' files and demands a ransom in exchange for the decryption key, increasingly combined with data theft and the threat of publication

– Mimic ransomware: A Windows ransomware family documented in early 2023 that abuses the legitimate "Everything" file-search library to locate files to encrypt; it is not part of the campaigns described above

– Brute-forcing: Guessing a password or encryption key by trial and error, either by trying every possible combination or, as is more common against exposed login services, by cycling through lists of common passwords

– Lateral movement: The technique threat actors use to move from an initially compromised host to other systems or accounts on the same network

– RDP persistence: Keeping a Remote Desktop Protocol path into a compromised host available for later use; in DB#JAMMER the attackers tried to do this by exposing RDP through an Ngrok tunnel, which sidesteps inbound firewall rules because the tunnel is an outbound connection to Ngrok's servers

– Cryptographic errors: Mistakes or vulnerabilities in the implementation of cryptographic algorithms or protocols, such as a static key or a reused IV, that let defenders recover plaintext without the attacker's key

– Base64 encoded key: A key stored as base64 text. Base64 is an encoding that represents binary data as printable ASCII characters, not encryption; it provides no secrecy, so a base64-encoded key embedded in a program can be recovered by anyone with a copy of the program

– Cyber insurance: Insurance coverage that protects individuals and businesses against losses from cyber attacks or other cybersecurity incidents

