AhnLab Security Intelligence Center (ASEC) has reported a rise in attacks on poorly managed MS-SQL servers in which Ammyy Admin, a legitimate remote control tool frequently abused by threat actors, is installed. The attackers gain access to MS-SQL servers through weak credentials, then install malware and take remote control of the host. ASEC emphasizes the need for stronger password management and security practices to prevent such breaches. Affected: MS-SQL servers, remote control tools, network security.
Key points:
- AhnLab identifies attacks targeting poorly managed MS-SQL servers.
- Ammyy Admin is a legitimate remote control tool exploited for malicious purposes.
- Attackers use weak credentials to compromise vulnerable systems.
- Commands executed on the compromised server collect system information and download further malicious tools.
- PetitPotato is used for privilege escalation by creating new users and enabling remote access.
- Old versions of Ammyy Admin are particularly vulnerable.
- Strong password policies and regular updates are crucial for protection.
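The weak-credential condition described above can be checked directly on the server. The following T-SQL audit is an added example, not code from the ASEC report; it assumes a SQL Server instance with SQL Server authentication enabled and a sysadmin (CONTROL SERVER) session, since password_hash in sys.sql_logins is only visible at that level. The login name in the remediation statements is a placeholder to be replaced with whatever the audit flags.

```sql
-- Added example (not from the ASEC report): audit MS-SQL logins for the
-- weak-credential conditions the report describes, then harden a flagged login.
-- Assumes: SQL Server authentication enabled, session has CONTROL SERVER.

-- 1. Enabled SQL logins that accept an empty password, or a password equal to
--    the login name. PWDCOMPARE() returns 1 when the candidate matches the hash.
SELECT name,
       CASE WHEN PWDCOMPARE('', password_hash) = 1   THEN 'blank password'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'password equals login name'
       END AS weakness
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (PWDCOMPARE('', password_hash) = 1 OR PWDCOMPARE(name, password_hash) = 1);

-- 2. Enabled SQL logins that bypass the Windows password policy or never expire;
--    these are the accounts a weak or reused password can persist on indefinitely.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0 OR is_expiration_checked = 0);

-- 3. Remediation for a flagged login ([weak_login_placeholder] is a placeholder):
--    set a new password, force a change at next logon, and enforce the OS
--    password policy and expiration from now on.
ALTER LOGIN [weak_login_placeholder]
    WITH PASSWORD = 'Replace-With-A-Long-Random-Passphrase!' MUST_CHANGE,
         CHECK_EXPIRATION = ON,
         CHECK_POLICY = ON;

-- 4. If the built-in sa account is not needed, disable it rather than relying
--    on its password being strong.
ALTER LOGIN [sa] DISABLE;
```

The two SELECT queries are read-only and safe to schedule as a recurring check; an empty result from both is the expected state. The ALTER LOGIN statements change authentication behaviour and should be run only after confirming the affected login is not used by an application that cannot handle a forced password change.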
MITRE Techniques:
- T1203 - Exploitation for Client Execution: Attackers exploited vulnerabilities in poorly managed MS-SQL servers.
- T1071 - Application Layer Protocol: Used to communicate over HTTP to download additional malware.
- T1068 - Exploitation of Elevation of Privilege Vulnerabilities: Utilized PetitPotato to escalate privileges for remote access.
- T1083 - File and Directory Discovery: Executed commands to collect information on system files and configurations.
Indicators of Compromise:
- [MD5] 1c9c3b4a2753ecab833621701e1b492c
- [MD5] 55f4a1393e2edafea92d7ebab09c92d6
- [MD5] 753f5e2fc5bdbc9b2175913d3b883580
- [MD5] b3b9eb83af47770dbb8e86f95afe9634
- [URL] http[:]//1[.]220[.]228[.]82/aa_v3_protected[.]exe
Full Story: https://asec.ahnlab.com/en/87606/