Author: Robert Agar
A constant in the computing world is that it is always evolving and offering new challenges and opportunities. Software solutions come and go with some becoming staples in the business community while others barely cause a ripple as they disappear into the ether. Take MySQL as an example. From its humble beginnings in 1994, the platform has grown to become the most popular SQL database in 2019. If you are a database professional, chances are very good that you work with MySQL regularly.
The popularity of the database platform has not gone unnoticed by the unscrupulous entities that engage in cybersecurity attacks with nefarious intentions. Whether acting as individuals or combining forces into rogue teams, cybercriminals are always looking for new and ingenious ways to cause havoc with your IT environment. Their intrusions can take many forms, from implanting malware in an attempt to steal login credentials to randomly deleting data on your systems.
A particularly nasty type of cyberattack is carried out by ransomware. This is a specific form of malware whose goal is to encrypt the data on an infected computer. This makes the data inaccessible to users and can cripple an organization. The criminals behind the attack claim they will decrypt the data if their financial demands are met. Paying the ransom may or may not get your data back. Remember, you are dealing with criminals and their word is not to be trusted.
Targeted MySQL Ransomware Attacks
In recent years, MySQL databases have become a target for cybercriminals wielding ransomware. The large installed base of the software provides many potential victims of financial blackmail. Even if only a fraction of the attacks are successful, the criminals stand to take down a lot of systems and possibly make some serious money.
Recently, MySQL servers have been hit with attacks that try to implant a ransomware weapon known as GandCrab. The perpetrators behind the ransomware have been targeting specific environments in attempts to thwart defensive actions. As of March 2018, over 50,000 machines had been infected, with the majority of targets being systems located in the US and UK.
Security experts at Sophos have researched the GandCrab malware and have made some interesting discoveries. For one, though the IP address of the server hosting the sample of the code under study is in Arizona, the user interface of the HFS installation is in simplified Chinese. This suggests that there may be an international cybercriminal team behind these attacks who have compromised a US server.
The security firm used a honeypot designed to lure hackers so their tools can be studied and appropriate defenses developed. They were listening on the default TCP port for MySQL servers, 3306. The attack was executed in stages, with the first step verifying that the database server in question was running MySQL.
Once that was determined, the SET command was used to upload the bytes to construct a helper DLL. The DLL was used to add three malicious functions to the database. These functions were employed to download the GandCrab payload from a remote machine, place it in the root of the C: drive with the name isetup.exe, and then execute the program.
At this point, your system has been infected and your files will be encrypted. Hopefully, you have a robust backup and recovery policy and can recover your system without resorting to acceding to the ransom demands.
Hackers are searching for MySQL logins that are not properly protected. This may be due to a weak password or in some egregious cases, no password at all. Failure to protect your MySQL database may allow hackers to turn it into a launching pad for malware. Some suggestions for protecting your MySQL servers from ransomware are to:
- Insist on strong passwords.
- Eliminate the ability to directly access your MySQL servers from the Internet.
- Monitor your MySQL control settings.
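The three suggestions above can be turned into a routine audit. The queries below are an added example written for this page, not code from the original post, from Sophos, or from IDERA; they assume MySQL 5.7 or 8.0 and an administrative login, and `'app'@'%'` in the final statement is a placeholder account name.

```sql
-- Added hardening audit for the three suggestions above (example queries,
-- not from the original post). Run as an administrative account on
-- MySQL 5.7 or 8.0; 'app'@'%' in the last statement is a placeholder.

-- 1. Strong passwords: accounts that can log in with no password at all.
--    (auth_socket / unix_socket accounts legitimately carry an empty
--    string; review those separately rather than treating them as findings.)
SELECT user, host, plugin
FROM   mysql.user
WHERE  authentication_string = '' OR authentication_string IS NULL;

-- 2. No direct Internet access: accounts reachable from any host, plus the
--    listener settings. A server that must not be exposed should not have
--    bind_address = 0.0.0.0 (or *) on a reachable port.
SELECT user, host
FROM   mysql.user
WHERE  host = '%';

SHOW VARIABLES WHERE Variable_name IN ('bind_address', 'skip_networking', 'port');

-- 3. Control settings: FILE is the privilege that lets an account write
--    server-side files, which the helper-DLL step described above depends
--    on; secure_file_priv = '' leaves such writes unrestricted.
SELECT user, host
FROM   mysql.user
WHERE  File_priv = 'Y' OR Super_priv = 'Y';

SHOW VARIABLES WHERE Variable_name IN ('secure_file_priv', 'plugin_dir');

-- Every user-defined function registered here loads a shared library from
-- plugin_dir. On a server that never installed UDFs this result must be
-- empty; any unexpected entry warrants an incident investigation.
SELECT name, ret, dl, type
FROM   mysql.func;

-- Remediation for a finding from step 3 (placeholder account):
REVOKE FILE ON *.* FROM 'app'@'%';
```

Schedule the SELECT statements from your monitoring job and alert on any non-empty result set, so a new `mysql.func` row or a new FILE grant is noticed before it is used.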
Keeping Tabs on Your Systems is a Crucial Defensive Tactic
Possessing insight into the operation of your MySQL servers provides a baseline from which you can discover discrepancies and unusual behavior. Monitoring supplies the perfect vehicle for this practice and can be useful in many areas of database administration. It can identify effective optimization initiatives and help you to increase user satisfaction with your systems. It can also be instrumental in alerting you to any suspicious activity which may indicate you are being attacked.
SQL Diagnostic Manager for MySQL provides a comprehensive monitoring application that can address all aspects of your MySQL environment. It includes over 600 pre-built monitors that return information on security, excessive privileges, and connection history among many other important details pertaining to your MySQL instance. Set alerts which trigger when thresholds are met that warrant your attention and may help you keep your systems safe from cybercriminals.
Rest assured that GandCrab is not the last attempt to exploit vulnerabilities that are bound to be discovered in MySQL. Start monitoring your systems today to track changes in activity and access that might keep the bad guys at bay.