Security researchers have discovered multiple attack campaigns conducted by an established Chinese criminal group that operates worldwide, targeting database servers for mining cryptocurrencies, exfiltrating sensitive data and building a DDoS botnet.
Researchers at security firm GuardiCore Labs have analyzed thousands of attacks launched in recent months and identified at least three attack variants—Hex, Hanako, and Taylor—targeting different MS SQL and MySQL servers on both Windows and Linux.
The goals of the three variants differ: Hex installs cryptocurrency miners and remote access trojans (RATs) on infected machines, Taylor installs a keylogger and a backdoor, and Hanako uses infected devices to build a DDoS botnet.
So far, researchers have recorded hundreds of Hex and Hanako attacks and tens of thousands of Taylor attacks each month, and found that most compromised machines are based in China, with some in Thailand, the United States, Japan and elsewhere.
To gain unauthorized access to the targeted database servers, the attackers use brute-force attacks and then run a series of predefined SQL commands to gain persistent access and evade audit logs.
What’s interesting? To launch the attacks against database servers and serve malicious files, the attackers use a network of already compromised systems, making their attack infrastructure modular and preventing takedown of their malicious activities.
To achieve persistent access to the victim’s database, all three variants (Hex, Hanako, and Taylor) create backdoor users inside the database and open the Remote Desktop port, allowing attackers to remotely download and install their next-stage payload—a cryptocurrency miner, a Remote Access Trojan (RAT) or a DDoS bot.
“Later in the attack, the attacker stops or disables a variety of anti-virus and monitoring applications by running shell commands,” the researchers wrote in their blog post published Tuesday.
“The anti-virus targeted can be a mixture of well-known products such as Avira and Panda Security and niche software such as Quick Heal and BullGuard.”
Finally, to cover their tracks, the attackers delete any unnecessary Windows registry, file, and folder entries using predefined batch files and Visual Basic scripts.
Administrators should check for the existence of the following usernames in their databases or systems to identify whether they have been compromised by the Chinese criminal hackers.
“While defending against this type of attack may sound easy or trivial—‘patch your servers and use strong passwords’—we know that ‘in real life’ things are much more complicated. The best way to minimize your exposure to campaigns targeting databases is to control the machines that have access to the database,” the researchers advised.
“Routinely review the list of machines that have access to your databases, keep this list to a minimum and pay special attention to machines that are accessible directly from the internet. Every connection attempt by an IP or domain that does not belong to this list should be blocked and investigated.”
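Since the article names backdoor database users as the persistence mechanism, the audit below (an added example, not code from the article or from GuardiCore) lists MS SQL logins and MySQL accounts that fall outside an administrator-maintained allowlist and either were created recently or hold broad privileges. The allowlist entries and the 30-day window are assumptions to be replaced with your own inventory; the indicator usernames the article refers to are not on this page, so the query keys on privilege and creation date instead.

```sql
-- MS SQL Server: logins not on the allowlist that are new or hold sysadmin.
-- Allowlist names below are assumed placeholders; populate from your own records.
DECLARE @allowlist TABLE (name sysname);
INSERT INTO @allowlist (name) VALUES ('sa'), ('app_user'), ('report_reader');

SELECT p.name,
       p.type_desc,
       p.create_date,
       p.modify_date,
       CASE WHEN IS_SRVROLEMEMBER('sysadmin', p.name) = 1 THEN 'YES' ELSE 'no' END AS is_sysadmin
FROM sys.server_principals AS p
WHERE p.type IN ('S', 'U', 'G')                       -- SQL logins, Windows logins, Windows groups
  AND p.name NOT LIKE '##%'                            -- skip internal certificate-based principals
  AND p.name NOT IN (SELECT name FROM @allowlist)
  AND (p.create_date >= DATEADD(day, -30, GETDATE())  -- assumed review window: last 30 days
       OR IS_SRVROLEMEMBER('sysadmin', p.name) = 1)
ORDER BY p.create_date DESC;

-- MySQL: accounts not on the allowlist that can reach the host from anywhere
-- or hold privileges sufficient to write files or grant rights to others.
-- The (user, host) pairs below are assumed placeholders for your known accounts.
SELECT user, host, Super_priv, File_priv, Grant_priv
FROM mysql.user
WHERE (user, host) NOT IN (('root', 'localhost'), ('app_user', '10.0.0.%'))
  AND (host = '%' OR Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y')
ORDER BY user, host;
```

Run each query from a reviewed administrative session and treat every row as a finding to reconcile against change records rather than as proof of compromise on its own.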