Web application security course specialists report an attack campaign run by a group of Chinese hackers who are scanning for Windows servers running MySQL databases in order to infect them with the ransomware variant known as GandCrab.
Members of the cybersecurity community claim that this attack vector had not been detected before. “The most common thing for hackers is to search for database servers to infiltrate organizations’ systems to inject cryptocurrency mining malware or steal confidential information, not to deploy ransomware attacks,” the experts mentioned.
The specialists who detected this attack campaign mentioned that the discovery was somewhat circumstantial. In their report, web application security course experts mentioned that the hackers scan the Internet to locate databases reachable online and inject malicious SQL commands into the compromised servers, infecting the host with the aforementioned ransomware variant.
Most MySQL servers have some protection in place, such as passwords, which is why the campaign operators are scanning so exhaustively: among a large number of servers it is quite probable that they will find unprotected databases with faulty security configurations.
Taking as a reference the hackers’ mode of operation, web application security course experts consider it to be a group of threat actors with advanced capabilities, knowledge and extensive resources at their disposal; however, there is still no evidence of successful attacks.
The experts discovered that the attacks originated from a remote server with an open directory listing, running the HFS (HTTP File Server) software, which exposes download statistics for the hackers' malicious payloads. “According to the data collected, the malicious payload has been downloaded more than 500 times”, the experts' report states.
According to the specialists from the International Institute of Cyber Security (IICS), this is not an especially ambitious or wide-ranging campaign, but it can have serious consequences for the administrators of MySQL servers that lack the security configuration required to prevent malicious code injection through port 3306.
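The weaknesses the article describes are an exposed listener on port 3306 and accounts with no password or no host restriction. The following audit script is an added example, not code from the article or from IICS: it parses a `my.cnf`-style `[mysqld]` section and a list of account rows (the constructed sample input stands in for what `SELECT user, host, authentication_string FROM mysql.user` would return) and reports the findings a server administrator would want to fix. The assumption that an unset `bind-address` means the server listens on all interfaces reflects the default of current MySQL releases.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed sample configuration fragment (not taken from the article).
SAMPLE_CNF = """
[mysqld]
port = 3306
bind-address = 0.0.0.0
# skip-networking is commented out, so the TCP listener stays active
"""

# Constructed sample account rows: (user, host, authentication_string).
SAMPLE_ACCOUNTS = [
    ("root", "%", ""),            # no password, reachable from any host
    ("root", "localhost", "*hash"),
    ("app", "10.0.0.%", "*hash"),
]

Settings = Dict[str, Union[str, bool]]


def parse_mysqld_section(cnf_text: str) -> Settings:
    """Return the key/value pairs of the [mysqld] section, comments stripped.

    Keys are normalised to lower case with '-' so that bind_address and
    bind-address are treated as the same option (MySQL accepts both).
    """
    section = None
    settings: Settings = {}
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "mysqld":
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower().replace("_", "-")] = value.strip()
        else:
            # Bare options such as skip-networking act as boolean flags.
            settings[line.lower().replace("_", "-")] = True
    return settings


def audit_listener(settings: Settings) -> List[str]:
    """Flag a TCP listener that is reachable from every network interface."""
    findings: List[str] = []
    if settings.get("skip-networking") is True:
        return findings  # TCP disabled entirely: nothing to reach on port 3306
    # Assumption: modern MySQL listens on all interfaces when bind-address is unset.
    bind = settings.get("bind-address", "*")
    port = settings.get("port", "3306")
    if bind in ("0.0.0.0", "::", "*"):
        findings.append(f"listener bound to all interfaces on port {port}")
    return findings


def audit_accounts(rows: List[Tuple[str, str, str]]) -> List[str]:
    """Flag accounts with an empty password or an unrestricted host pattern."""
    findings: List[str] = []
    for user, host, auth in rows:
        if auth == "":
            findings.append(f"{user}@{host} has no password")
        if host == "%":
            findings.append(f"{user}@{host} accepts connections from any host")
    return findings


def audit(cnf_text: str, rows: List[Tuple[str, str, str]]) -> List[str]:
    """Run both checks and return the combined list of findings."""
    return audit_listener(parse_mysqld_section(cnf_text)) + audit_accounts(rows)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CNF, SAMPLE_ACCOUNTS):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports the open listener and the password-less `root@%` account twice (no password, any host); a server with `skip-networking` set, or `bind-address` pointed at a private address and every account bound to a specific host, produces no findings.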