MySQL Databases Being Scanned For Infecting GandCrab Ransomware

A dedicated group of hackers is running a rather simplistic but persistent search for MySQL databases. Vulnerable databases are then targeted for installing ransomware. MySQL server admins who need access to their databases remotely need to be extra cautious.

Hackers are running a consistent search across the internet. These hackers, believed to be located in China, are looking for Windows servers that are running MySQL databases. The group is evidently planning to infect these systems with the GandCrab ransomware.

Ransomware is sophisticated software that locks out the true owner of the files and demands payment to send across a digital key. It is interesting to note that cyber-security firms have not seen any threat actor until now that has attacked MySQL servers running on Windows systems particularly to infect them with ransomware. In other words, it is uncommon for hackers to go looking for vulnerable databases or servers and install malicious code. The normal practice commonly observed is a systematic attempt at stealing data while trying to evade detection.

The latest attempt at crawling across the internet looking for vulnerable MySQL databases running on Windows systems was uncovered by Andrew Brandt, Principal Researcher at Sophos. According to Brandt, hackers seem to be scanning for internet-accessible MySQL databases that would accept SQL commands. The search parameters check if the systems are running Windows OS. Upon finding such a system, hackers then use malicious SQL commands to plant a file on the exposed servers. The infection, once successful, is used at a later date to host the GandCrab ransomware.

These latest attempts are concerning because the Sophos researcher managed to trace them back to a remote server that just might be one of several. Evidently, the server had an open directory running server software called HFS, which is a type of HTTP File Server. The software offered statistics for the attacker’s malicious payloads.

Elaborating on the findings, Brandt said, “The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file. Counted together, there have been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory. So while this isn’t an especially massive or widespread attack, it does pose a serious risk to MySQL server admins who have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world”

It is reassuring to note that experienced MySQL server admins rarely misconfigure their servers, or worst, leave their databases without passwords. However, such instances are not uncommon. Apparently, the purpose of the persistent scans seems to the opportunistic exploitation of misconfigured systems or databases without passwords.

Alap Naik Desai
A B.Tech Plastics (UDCT) and a Windows enthusiast. Optimizing the OS, exploring software, searching and deploying solutions to strange and weird issues is Alap's main interest.