ASEC reports an attack on exposed MS-SQL servers where threat actors exploited weak credentials to install GotoHTTP, gaining remote control over the systems. The operation also involved CLR SqlShell for command execution, Potato family tools for privilege escalation, and backdoor accounts for persistence. #GotoHTTP #MS-SQL #PetitPotato #JuicyPotato #AnyDesk #ClrSqlShell #BackdoorAccounts
Keypoints
- AhnLab ASEC identified an attack targeting MS-SQL servers using the GotoHTTP remote control tool.
- Remote control tools like AnyDesk and GotoHTTP can be misused for unauthorized access to servers.
- The breach exploited weak MS-SQL credentials before installing CLR SqlShell to run commands.
- Privilege escalation tools from the Potato family (PetitPotato, SweetPotato, JuicyPotato, GodPotato, PrintNotifyPotato, LocalAdminSharp) were used and backdoor accounts were created for persistence.
- GotoHTTP stores Computer Id and Access Code in gotohttp.ini to enable remote control.
- Recommendations include strong passwords, updated security software, and network controls to prevent such attacks.
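The key points above describe three conditions the attack depended on: an MS-SQL login with a guessable password, CLR integration available for loading SqlShell, and new or altered accounts left behind for persistence. The following T-SQL audit is an added example, not part of the ASEC report or the summary above; it uses only documented SQL Server catalog views and the PWDCOMPARE function, and the short list of candidate passwords in the first query is a constructed placeholder to be replaced with an organisation's own breach list. Run it as a sysadmin on any SQL Server reachable from untrusted networks.

```sql
-- 1. Weak credentials: SQL logins whose password is empty, equals the login name,
--    or matches a constructed list of trivial candidates (extend the list as needed).
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1
   OR PWDCOMPARE('sa', password_hash) = 1
   OR PWDCOMPARE('Password1', password_hash) = 1;

-- 2. Execution surface: CLR SqlShell needs 'clr enabled' = 1; xp_cmdshell and
--    OLE Automation are other settings an exposed server should normally keep at 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security', 'xp_cmdshell', 'Ole Automation Procedures');

-- 3. User-defined CLR assemblies and the procedures they expose (run once per database,
--    since sys.assemblies is database-scoped). UNSAFE assemblies or recent create_date
--    values on a server that should have none are the signal to investigate.
SELECT DB_NAME() AS db_name, a.name AS assembly_name, a.permission_set_desc, a.create_date,
       o.name AS object_name, o.type_desc, am.assembly_class, am.assembly_method
FROM sys.assemblies a
LEFT JOIN sys.assembly_modules am ON am.assembly_id = a.assembly_id
LEFT JOIN sys.objects o ON o.object_id = am.object_id
WHERE a.is_user_defined = 1
ORDER BY a.create_date DESC;

-- 4. Persistence: logins created or modified in the last 30 days, plus every member
--    of the sysadmin role. Compare against change records before trusting any entry.
SELECT name, type_desc, create_date, modify_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND (create_date > DATEADD(DAY, -30, GETDATE())
       OR modify_date > DATEADD(DAY, -30, GETDATE()))
ORDER BY modify_date DESC;

SELECT r.name AS role_name, m.name AS member_name, m.type_desc, m.create_date
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
```

The first query flags weak credentials without extracting hashes; PWDCOMPARE returns 1 only for the exact candidate, so it cannot be used to recover a password. The third query is the one most specific to this campaign: a server that has never deliberately deployed CLR code should return no rows at all, and any row with permission_set_desc = 'UNSAFE' or an assembly that maps to procedures with shell-like names warrants capturing the assembly bytes for analysis before it is dropped.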
MITRE Techniques
- [T1219] Remote Access Tools – Used GotoHTTP for remote control of the infected system. ‘Threat actors used GotoHTTP for remote control of the infected system.’
- [T1003] Credential Dumping – Commands like whoami.exe and systeminfo.exe were executed to gather credentials and system information. "Commands like 'whoami.exe' and 'systeminfo.exe' were executed to gather credentials and system information."
- [T1098] Account Manipulation – Malware reset passwords and added new user accounts for persistent access. ‘Malware was used to reset passwords and add new user accounts for persistent access.’
- [T1068] Privilege Escalation – Potato malware was utilized to escalate privileges on the MS-SQL server. ‘Potato malware was utilized to escalate privileges on the MS-SQL server.’
Indicators of Compromise
- [MD5] – Hashes associated with malware samples observed in the attack. 1fdb1dd742674d3939f636c3fc4b761f, 45d35c34b2c20cb184afde6ed146e86e, and 3 more hashes
- [URL] – URLs used to fetch data or commands. http[:]//121[.]37[.]130[.]173/yow[.]txt, http[:]//121[.]37[.]130[.]173/yow2[.]txt, and 3 more URLs
- [File Name] – Configuration file associated with the backdoor. gotohttp.ini
- [IP Address] – External host involved in the attack. 121.37.130.173
Read more: https://asec.ahnlab.com/en/83283/