Sophos MDR tracks STAC6451, a threat activity cluster that exploits Microsoft SQL Server databases exposed to the Internet, largely in India, to deploy Mimic ransomware and create backdoor accounts for lateral movement. The campaign enables xp_cmdshell for remote code execution, stages payloads with the BCP utility, uses Cobalt Strike for C2, automates reconnaissance across victims, and remains active. #MimicRansomware #STAC6451
Keypoints
- STAC6451 targets MSSQL databases that are publicly exposed on the Internet; Indian organizations are prominent among the victims.
- Attackers brute-force weak or default MSSQL credentials over port 1433 (the default SQL Server listener) to gain access.
- xp_cmdshell is enabled so that operating-system commands can be executed from within the SQL Server service.
- The BCP (Bulk Copy Program) utility is used to stage payloads and tooling via the compromised MSSQL database, writing them out to disk on the host.
- Impacket is used to create backdoor accounts (e.g., “ieadm”, “helpdesk”, “admins124”, “rufus”) for lateral movement and persistence.
- Mimic ransomware deployment is observed, with Cobalt Strike for C2 and automated reconnaissance across victim environments.
- Recommendations include disabling xp_cmdshell, not exposing SQL Server to the Internet, and using application control to block tools such as AnyDesk, Everything, Defender Control, and Sysinternals SDelete (Secure File Delete).
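The chain in the key points above (repeated failed logins against the 1433 listener, sqlservr.exe spawning a shell through xp_cmdshell, bcp writing a staged payload to disk, net user /add for a backdoor account) is what a host-side detection would look for. The script below is an added example written for this page, not Sophos code or anything from the report: it runs those checks over a few constructed telemetry lines in an assumed key=value export format (the field names type, host, parent, image, cmdline, src and result are assumptions), and the threshold and finding labels are the example's own.

```python
"""Detect the STAC6451-style MSSQL intrusion chain in host telemetry.

Added example for this page, not Sophos code. The key=value event format,
field names (type, host, parent, image, cmdline, src, result) and the
sample events are constructed; thresholds and finding labels are the
example's own.
"""
import re
import shlex
from collections import Counter
from dataclasses import dataclass

# Backdoor account names and payload file names reported on the page.
BACKDOOR_ACCOUNTS = {"ieadm", "helpdesk", "admins124", "rufus"}
IOC_FILENAMES = {"oto.exe", "pp2.exe", "everything.exe", "build.txt",
                 "ad.exe", "sophosx64.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BRUTE_FORCE_THRESHOLD = 5  # assumed: failed MSSQL logins from one source

# "net user <name> <password> /add" (also net1.exe), anywhere in a cmdline
NET_USER_ADD = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+.*?/add\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    label: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one key=value line; shlex keeps quoted cmdline values whole."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def ioc_hits(cmdline: str) -> set[str]:
    """Base names from the page's file-name IOCs that appear in a cmdline."""
    hits = set()
    for tok in cmdline.lower().replace('"', " ").split():
        name = tok.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
        if name in IOC_FILENAMES:
            hits.add(name)
    return hits


def process_findings(ev: dict) -> list[Finding]:
    """Rules for one process-creation event."""
    out = []
    host = ev.get("host", "?")
    parent = ev.get("parent", "").lower()
    image = ev.get("image", "").lower()
    cmdline = ev.get("cmdline", "")
    # xp_cmdshell: the SQL Server service process is the parent of a shell
    if parent == "sqlservr.exe" and image in SHELLS:
        out.append(Finding("xp_cmdshell", host, f"sqlservr.exe spawned {image}: {cmdline}"))
    # BCP writing a table ("out") or query result ("queryout") to a file on disk
    if image == "bcp.exe" and re.search(r"\b(?:query)?out\b", cmdline, re.I):
        out.append(Finding("bcp-staging", host, f"bcp writing to disk: {cmdline}"))
    for name in sorted(ioc_hits(cmdline)):
        out.append(Finding("ioc-filename", host, f"known payload name in cmdline: {name}"))
    m = NET_USER_ADD.search(cmdline)
    if m:
        name = m.group(1)
        tag = " (name reported for STAC6451)" if name.lower() in BACKDOOR_ACCOUNTS else ""
        out.append(Finding("backdoor-account", host, f"local account created: {name}{tag}"))
    return out


def brute_force_findings(events: list[dict]) -> list[Finding]:
    """Count failed SQL logins per (host, source) and flag sources over threshold."""
    failures = Counter()
    for ev in events:
        if ev.get("type") == "sql_login" and ev.get("result") == "failed":
            failures[(ev.get("host", "?"), ev.get("src", "?"))] += 1
    return [Finding("brute-force", host, f"{n} failed MSSQL logins from {src}")
            for (host, src), n in failures.items() if n >= BRUTE_FORCE_THRESHOLD]


def analyze(lines: list[str]) -> list[Finding]:
    """Run all rules over raw telemetry lines and return the findings in order."""
    events = [parse_event(line) for line in lines if line.strip()]
    findings = []
    for ev in events:
        if ev.get("type") == "process":
            findings.extend(process_findings(ev))
    findings.extend(brute_force_findings(events))
    return findings


# Constructed sample: guessing the 'sa' password, then the post-access chain.
SAMPLE_EVENTS = [
    *[f"ts=2024-06-01T03:00:{i:02d}Z type=sql_login host=DB01 src=203.0.113.10 user=sa result=failed"
      for i in range(6)],
    "ts=2024-06-01T03:00:07Z type=sql_login host=DB01 src=203.0.113.10 user=sa result=success",
    'ts=2024-06-01T03:01:00Z type=process host=DB01 parent=sqlservr.exe image=cmd.exe cmdline="cmd.exe /c whoami"',
    'ts=2024-06-01T03:02:00Z type=process host=DB01 parent=cmd.exe image=bcp.exe '
    'cmdline="bcp \\"SELECT blob FROM stage\\" queryout C:\\Windows\\Temp\\pp2.exe -T -N"',
    'ts=2024-06-01T03:03:00Z type=process host=DB01 parent=cmd.exe image=net.exe cmdline="net user ieadm Passw0rd1 /add"',
    'ts=2024-06-01T03:04:00Z type=process host=APP01 parent=explorer.exe image=cmd.exe cmdline="cmd.exe /c dir"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.label}] {f.host}: {f.detail}")
```

Run as a script it prints one line per finding; the benign explorer.exe-rooted cmd.exe on APP01 produces nothing. The server-side fix for the first rule is the one the page recommends, `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;`, and once the listener is no longer Internet-facing the brute-force rule should stay quiet.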
MITRE Techniques
- [T1110] Credential Access (used here for initial access) – Brute Force – ‘Guessing weak or default credentials on exposed MSSQL servers.’
- [T1059] Execution – Command and Scripting Interpreter – ‘Using xp_cmdshell for command execution.’
- [T1136] Persistence – Create Account – ‘Creating backdoor accounts for persistence.’
- [T1068] Privilege Escalation – Exploitation for Privilege Escalation – ‘Using PrintSpoofer for privilege escalation.’
- [T1027] Defense Evasion – Obfuscated Files or Information – ‘Cobalt Strike payload obfuscation.’
- [T1003] Credential Access – OS Credential Dumping – ‘Attempting to read credentials from LSASS memory.’
- [T1486] Impact – Data Encrypted for Impact – ‘Deploying Mimic ransomware to encrypt files.’
Indicators of Compromise
- [Domain] C2 domains – windowstimes.online, jobquest.ph – used to host Cobalt Strike payloads and achieve command and control.
- [File name] Malicious payloads observed – Oto.exe, pp2.exe, Everything.exe, Build.txt, AD.exe, Sophosx64.exe – staged and deployed during the intrusion.