A Chinese hacker group is currently scanning the Internet for Windows servers running MySQL databases, with the aim of infecting those systems with GandCrab ransomware.

ZDNet calls these attacks somewhat unique: so far, security companies had not seen any actor targeting MySQL servers on Windows systems in order to infect them with ransomware. Andrew Brandt, principal researcher at Sophos, discovered the new attacks in the logs of a honeypot. He describes the discovery as a stroke of luck.

Hacker groups typically scan for database servers in order to infiltrate companies and steal their data or intellectual property; they may also install crypto-mining malware. Cases in which a hacker group uses ransomware are rare.

Exploitation of incorrectly configured databases

According to Brandt, the hackers search for Internet-accessible MySQL databases that accept SQL commands, then check whether the underlying server is running Windows. They then use malicious SQL commands to plant a file on the exposed server, which they later execute, and the host is subsequently infected with the GandCrab ransomware. Since most system administrators do protect their MySQL servers with passwords, the hackers concentrate on misconfigured or password-less databases.
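The attack chain described above, a remote connection to a reachable MySQL server, an OS fingerprint taken over SQL, and a file written to the host through SQL, leaves a recognisable trace in MySQL's general query log. The following added example (not from the article or from Sophos) runs that detection over a constructed log sample; the line format is a simplified version of MySQL's general log, and the thread ids, addresses and file path are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a MySQL general query log:
# timestamp, thread id, command, argument (tab-separated). Not real traffic.
SAMPLE_LOG = """\
2019-05-22T10:01:02.000000Z\t  12 Connect\troot@203.0.113.7 on  using TCP/IP
2019-05-22T10:01:03.000000Z\t  12 Query\tSELECT @@version_compile_os
2019-05-22T10:01:04.000000Z\t  12 Query\tSET @f = 0x4D5A9000
2019-05-22T10:01:05.000000Z\t  12 Query\tSELECT @f INTO DUMPFILE 'C:/ProgramData/payload.exe'
2019-05-22T10:02:00.000000Z\t  13 Connect\tappuser@localhost on inventory using Socket
2019-05-22T10:02:01.000000Z\t  13 Query\tSELECT id, name FROM products WHERE id = 5
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(Connect|Query|Quit)\s+(.*)$")
# SQL that writes a file on the database host (the "plant a file" step).
FILE_WRITE_RE = re.compile(r"\bINTO\s+(DUMPFILE|OUTFILE)\b", re.IGNORECASE)
# System variables that reveal the host OS or install paths (the "is it Windows?" step).
OS_PROBE_RE = re.compile(r"@@(version_compile_os|plugin_dir|basedir)\b", re.IGNORECASE)
# Connect arguments look like "user@host on db using TCP/IP"; localhost is not remote.
REMOTE_CONNECT_RE = re.compile(r"^(\w+)@(?!localhost\b)(\S+)")


def parse_general_log(text):
    """Yield (thread_id, command, argument) for every recognised log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(4).strip()


def find_file_planting(text):
    """Map thread_id -> list of findings for sessions that connect from a remote
    address and then fingerprint the OS or write a file through SQL."""
    remote = {}                    # thread id -> "user@host" of remote connections
    findings = defaultdict(list)
    for tid, cmd, arg in parse_general_log(text):
        if cmd == "Connect":
            m = REMOTE_CONNECT_RE.match(arg)
            if m:
                remote[tid] = f"{m.group(1)}@{m.group(2)}"
        elif cmd == "Query" and tid in remote:
            if OS_PROBE_RE.search(arg):
                findings[tid].append(f"{remote[tid]} probed server OS: {arg}")
            if FILE_WRITE_RE.search(arg):
                findings[tid].append(f"{remote[tid]} wrote a file via SQL: {arg}")
    return dict(findings)


if __name__ == "__main__":
    for tid, reasons in find_file_planting(SAMPLE_LOG).items():
        print(f"thread {tid}:", *reasons, sep="\n  ")
```

On a server where `secure_file_priv` is set, such file-writing statements are confined to one directory or refused outright, so a hit on a server without that setting is worth treating as a likely compromise rather than noise.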

HFS software

The researcher was able to trace the attacks back to a remote server with an open directory running server software called HFS. That directory also exposed download statistics for the attacker's malicious payloads.

"The server seems to indicate more than 500 downloads of the sample I saw in the MySQL honeypot download (3306-1.exe). The samples named 3306-2.exe, 3306-3.exe and 3306-4.exe are identical to that file," according to Brandt. By his count, there were over 800 downloads in five days, and more than 2,300 downloads of the GandCrab sample in the open directory. "Although this is not a particularly massive or widespread attack, it poses a serious risk to MySQL server administrators who, for whatever reason, have opened a hole in their firewall so that port 3306 on their database server is reachable from the outside world."

