Security researchers have discovered multiple attack campaigns conducted by an established Chinese criminal group that operates worldwide, targeting database servers for mining cryptocurrencies, exfiltrating sensitive data and building a DDoS botnet.
The researchers from security firm GuardiCore Labs have analyzed thousands of attacks launched in recent months and identified at least three attack variants—Hex, Hanako and Taylor—targeting different MS SQL and MySQL servers on both Windows and Linux.
The goals of the three variants differ: Hex installs cryptocurrency miners and remote access trojans (RATs) on infected machines, Taylor installs a keylogger and a backdoor, and Hanako uses infected devices to build a DDoS botnet.
So far, the researchers have recorded hundreds of Hex and Hanako attacks and tens of thousands of Taylor attacks each month, and found that most compromised machines are located in China, with some in Thailand, the United States, Japan and other countries.
To gain unauthorized access to the targeted database servers, the attackers use brute-force attacks and then run a series of predefined SQL commands to gain persistent access and evade audit logs.
What's interesting? To launch the attacks against database servers and serve malicious files, the attackers use a network of already compromised systems, making their attack infrastructure modular and preventing takedown of their malicious activities.
To achieve persistent access to the victim's database, all three variants (Hex, Hanako and Taylor) create backdoor users in the database and open the Remote Desktop port, allowing the attackers to remotely download and install their next-stage attack—a cryptocurrency miner, a Remote Access Trojan (RAT) or a DDoS bot.
"Later in the attack, the attacker stops or disables a variety of anti-virus and monitoring applications by running shell commands," the researchers wrote in their blog post published Tuesday.
"The anti-virus targeted is a mixture of well-known products such as Avira and Panda Security and niche software such as Quick Heal and BullGuard."
Finally, to cover their tracks, the attackers delete any unnecessary Windows registry, file and folder entries using pre-defined batch files and Visual Basic scripts.
Administrators should check for the presence of the following usernames in their database or systems in order to identify whether they have been compromised by the Chinese criminal hackers.
- hanako
- kisadminnew1
- 401hk$
- Guest
- Huazhongdiguo110
To prevent compromise of your systems, the researchers advised administrators to always follow the database hardening guides (provided by both MySQL and Microsoft), rather than relying only on a strong password for your databases.
"While defending against this type of attacks may sound easy or trivial—'patch your servers and use strong passwords'—we know that 'in real life' things are much more complicated. The best way to minimize your exposure to campaigns targeting databases is to control the machines that have access to the database," the researchers advised.
"Routinely review the list of machines that have access to your databases, keep this list to a minimum and pay special attention to machines that are accessible directly from the internet. Every connection attempt from an IP or domain that does not belong to this list should be blocked and investigated."
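The two checks above (looking for the listed backdoor usernames, and flagging connections from hosts outside an allowlist), plus a simple counter for the brute-force logins that precede the compromise, can be run over a database's login audit trail. The script below is an added example written for this article, not GuardiCore's tooling; the comma-separated record layout and the sample records are constructed for the example and are not any vendor's audit log format.

```python
import ipaddress
from collections import Counter

# Usernames the write-up lists as created by the Hex, Hanako and Taylor variants.
BACKDOOR_USERS = {"hanako", "kisadminnew1", "401hk$", "Guest", "Huazhongdiguo110"}

# Constructed sample records: "timestamp,username,source_ip,result" per login attempt.
# This layout is an assumption for the example, not a real server's audit log format.
SAMPLE_LOG = """\
2017-12-19T10:00:01,app_user,10.0.0.5,OK
2017-12-19T10:00:02,sa,198.51.100.7,FAIL
2017-12-19T10:00:02,sa,198.51.100.7,FAIL
2017-12-19T10:00:03,sa,198.51.100.7,FAIL
2017-12-19T10:00:03,sa,198.51.100.7,FAIL
2017-12-19T10:00:04,sa,198.51.100.7,FAIL
2017-12-19T10:00:05,sa,198.51.100.7,OK
2017-12-19T10:00:09,hanako,198.51.100.7,OK
2017-12-19T10:01:00,reporting,10.0.0.9,OK
"""


def audit_logins(log_text, allowed_sources, fail_threshold=5):
    """Return findings as (kind, username, source_ip) tuples.

    'backdoor_user'   - a login by one of the campaign's known usernames
    'unlisted_source' - a successful login from outside the allowlist
    'brute_force'     - a source with fail_threshold or more failed logins
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, src, result = line.split(",")
        ip = ipaddress.ip_address(src)
        if user in BACKDOOR_USERS:
            findings.append(("backdoor_user", user, src))
        if result == "OK" and not any(ip in net for net in allowed):
            findings.append(("unlisted_source", user, src))
        if result == "FAIL":
            failures[src] += 1
    for src, count in failures.items():
        if count >= fail_threshold:
            findings.append(("brute_force", "", src))
    return findings


if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_LOG, ["10.0.0.0/24"]):
        print(finding)
```

On the sample data this reports the successful admin login from the unlisted host, the subsequent login by the backdoor user "hanako" from the same host, and the run of failed attempts that preceded them.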