SQL Brute Force Leads to BlueSky Ransomware

Two sentences: In December 2022, BlueSky ransomware entered a public-facing MSSQL Server via a brute-force attack on the sa account, leading to network-wide encryption within about 32 minutes. The intruders used Cobalt Strike and Tor2Mine for post-exploitation, moved laterally to domain controllers, and dropped the BlueSky binary to encrypt files over SMB. Hashtags: #BlueSkyRansomware #CobaltStrike #Tor2Mine #MSSQL #PaperCutNG

Keypoints

  • The initial access occurred via a brute-force attack targeting the MSSQL sa account on an internet-facing server.
  • xp_cmdshell was enabled on the MSSQL server to issue OS commands, with PowerShell and base64-encoded content used to reach Cobalt Strike C2.
  • PowerShell sessions spawned, leading to SMB scans (SMBexec) and lateral movement toward domain controllers and file shares.
  • Tor2Mine was deployed, with a PowerShell script performing privilege checks, AV disablement, and miner deployment, as well as Windows persistence via scheduled tasks and services.
  • BlueSky ransomware (vmware.exe) was dropped around 30 minutes after initial access and spread network-wide via SMB (445), resulting in file renaming to .bluesky and a ransom note.
  • Threat actor activities involved Cobalt Strike, Tor2Mine, and later reuse of Tor2Mine artifacts in a PaperCut NG CVE-2023-27350-related intrusion.
  • Observed artifacts included numerous PowerShell scripts, LSASS memory access, process injection into winlogon, and Defender/AV disabling via Set-MpPreference.

MITRE Techniques

  • [T1110] Brute Force – Brute-forcing MSSQL sa account to gain initial access. [“The initial access occurred via a brute-force attack, where the threat actors mainly targeted the System Admin (‘sa’) account.”]
  • [T1078] Valid Accounts – Successful login after extensive failed attempts, enabling subsequent actions. [“During the intrusion, we observed over 10,000 failed attempts before successful login.”]
  • [T1059.003] Windows Command Shell – xp_cmdshell enabled to issue OS commands on the host. [“The ‘xp_cmdshell’ allows users with sysadmin privilege to execute shell commands on the host.”]
  • [T1059.001] PowerShell – PowerShell-based commands (base64-encoded) loaded Cobalt Strike C2 and spawned additional shells. [“The threat actors first executed a PowerShell command on the SQL server. The command contained base64 encoded content, which, upon execution, established a connection to a Cobalt Strike command and control server.”]
  • [T1055] Process Injection – Winlogon process injection to establish persistence and spawn PowerShell/cmd. [“The injected process then spawned PowerShell and cmd to perform SMB scans and discovery using SMBexec.”]
  • [T1021.002] SMB/Windows Admin Shares – Lateral movement toward domain controllers/file shares using remote services. [“Moved laterally toward domain controllers and file shares using remote service creation.”]
  • [T1105] Ingress Tool Transfer – Download and execution of Tor2Mine/COBRA components (beacons, scripts). [“The first PowerShell script executed a command to download a Cobalt Strike beacon.”]
  • [T1486] Data Encrypted for Impact – BlueSky ransomware encrypts network devices via SMB. [“The BlueSky ransomware binary named vmware.exe was dropped on the beachhead, which upon execution, resulted in network wide ransomware.”]
  • [T1053.005] Scheduled Task – Persistence via numerous scheduled tasks (16 tasks in checking.ps1). [“In the script checking.ps1 the threat actor created 16 different tasks on the hosts where Tor2Mine was deployed.”]
  • [T1543.003] Windows Service – Persistence via Windows services referencing Tor2Mine miner and related components. [“The function also creates multiple scheduled tasks and services which have references to Tor2Mine miner java.exe.”]
  • [T1112] Modify Registry – Registry modifications observed as part of defense evasion. [“registry modifications and service disabling.”]
  • [T1562.001] Disable or Modify Tools – Stopping AV (MalwareBytes, Sophos, Windows Defender). [“StopAV, where it tries to disable antivirus solutions.”]
  • [T1033] System Owner/User Discovery – Whoami checks to identify the active user. [“The threat actor ran whoami.exe to identify the user context.”]
  • [T1003.001] LSASS Memory – Tor2Mine accesses LSASS memory. [“Tor2Mine uses LSASS memory space access.”]
  • [T1059.004] Command and Scripting Interpreter – Additional PowerShell-based module behaviors (e.g., PrivTrue/PrivFalse branches). [“PrivTrue() and PrivFalse() paths describe privileged vs non-privileged execution routes.”]
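The first two steps of this intrusion (a long run of failed sa logins followed by one that succeeds, then xp_cmdshell being switched on) are both visible in the SQL Server ERRORLOG when login auditing records failed and successful logins. The following detector is an added example written for this summary, not code from The DFIR Report; the log lines it scans are constructed in the same format SQL Server uses, the client addresses are documentation ranges, and the 10-failures-in-5-minutes threshold is an assumption to tune against your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex for SQL Server ERRORLOG login-audit lines (login auditing set to record
# both failed and successful logins). Assumed format; verify against your own logs.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)
# Message SQL Server writes when sp_configure flips xp_cmdshell on (assumed format).
XPCMD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<src>\S+)\s+"
    r"Configuration option 'xp_cmdshell' changed from 0 to 1\."
)

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_login(line):
    """Return a dict for a login-audit line, or None for anything else."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "outcome": m["outcome"],
        "user": m["user"],
        "client": m["client"],
    }


def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Scan ERRORLOG lines and return a list of alert dicts.

    Alerts raised:
      brute_force               - >= threshold failures for one (client, user) inside window
      success_after_brute_force - a success that follows such a burst (T1110 -> T1078)
      xp_cmdshell_enabled       - configuration change that unlocks OS command execution
    """
    recent = defaultdict(deque)   # (client, user) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        xm = XPCMD_RE.match(line)
        if xm:
            alerts.append({"type": "xp_cmdshell_enabled",
                           "ts": datetime.strptime(xm["ts"], TS_FMT), "spid": xm["src"]})
            continue
        ev = parse_login(line)
        if ev is None:
            continue                      # severity lines, startup noise, etc.
        key = (ev["client"], ev["user"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["outcome"] == "failed":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)          # one alert per burst, not one per attempt
                alerts.append({"type": "brute_force", "client": ev["client"],
                               "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
        else:
            if len(q) >= threshold:       # the login that finally worked
                alerts.append({"type": "success_after_brute_force", "client": ev["client"],
                               "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
            q.clear()
            alerted.discard(key)
    return alerts


def build_sample_log():
    """Constructed sample ERRORLOG (not data from the intrusion): a 12-attempt burst
    against 'sa' from one client that then succeeds and enables xp_cmdshell, plus an
    admin who mistypes a password twice. Addresses are documentation ranges."""
    t0 = datetime(2022, 12, 10, 3, 12, 1)
    fmt = "{:%Y-%m-%d %H:%M:%S}.00 Logon       Login {} for user '{}'. {} [CLIENT: {}]"
    fail = "Reason: Password did not match that for the login provided."
    ok = "Connection made using SQL Server authentication."
    lines = ["2022-12-10 03:12:00.00 Logon       Error: 18456, Severity: 14, State: 8."]
    for i in range(12):
        lines.append(fmt.format(t0 + timedelta(seconds=5 * i), "failed", "sa", fail, "203.0.113.10"))
    lines.append(fmt.format(t0 + timedelta(seconds=65), "succeeded", "sa", ok, "203.0.113.10"))
    lines.append("2022-12-10 03:13:30.00 spid55      Configuration option 'xp_cmdshell' "
                 "changed from 0 to 1. Run the RECONFIGURE statement to install.")
    for i in range(2):
        lines.append(fmt.format(t0 + timedelta(minutes=10, seconds=30 * i), "failed", "dba", fail, "10.0.0.5"))
    lines.append(fmt.format(t0 + timedelta(minutes=11), "succeeded", "dba", ok, "10.0.0.5"))
    return lines


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(a)
```

On the constructed log this yields three alerts in order: the burst against sa, the success that follows it, and the xp_cmdshell change; the admin's two typos stay below the threshold. The success-after-burst alert is the one worth paging on, since it marks the moment a brute force (T1110) turns into a valid account (T1078), and the xp_cmdshell alert is the earliest sign that the SQL foothold is about to become OS command execution.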

Indicators of Compromise

  • [IP address] – 83.97.20.81 (Tor2Mine C2 server), 5.188.86.237 (Cobalt Strike C2)
  • [Domain] – onion.sh (used in Tor2Mine-related infrastructure)
  • [File hash] – vmware.exe SHA256: d4f4069b1c40a5b27ba0bc15c09dceb7035d054a022bb5d558850edfba0b9534
  • [File hash] – java.exe SHA256: 74b6d14e35ff51fe47e169e76b4732b9f157cd7e537a2ca587c58dbdb15c624f
  • [File hash] – WinRing0x64.sys SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  • [File hash] – del.ps1 SHA256: 35b95496b243541d5ad3667f4aabe2ed00066ba8b69b82f10dd1186872ce4be2
  • [File hash] – checking.ps1 SHA256: f955eeb3a464685eaac96744964134e49e849a03fc910454faaff2109c378b0b
  • [File hash] – Invoke-PowerDump.ps1 SHA256: 3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0
  • [Port] – 445 (SMB) used for network encryption/spread

Read more: https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/