11/24/2023
Desktopok vulnerabilities

Trigona Ransomware Attacking MS-SQL Servers
Posted By Sanseo, Ap

AhnLab Security Emergency response Center (ASEC) has recently discovered the Trigona ransomware being installed on poorly managed MS-SQL servers. Trigona is a relatively recent ransomware that was first discovered in October 2022, and Unit 42 has recently published a report on the similarities between Trigona and the CryLock ransomware.

Poorly managed MS-SQL servers typically refer to those that are exposed to external connections and have simple account credentials, rendering them vulnerable to brute force or dictionary attacks. If a threat actor manages to log in, control over the system is passed to them, allowing them to install malware or execute malicious commands.

Additionally, MS-SQL can be installed on both Windows servers and desktop environments. For example, there are cases where MS-SQL is installed alongside certain ERP and work-purpose solutions during their installation process. Because of this, both Windows servers and Windows desktop environments can be targeted by MS-SQL Server attacks.

ASEC is monitoring attacks against poorly managed MS-SQL servers. The ASEC Report also shares quarterly statistics, including the number of attacks and the malware used in them. Most malware types can be used in these attacks, including Trojans, backdoors, CoinMiners, and ransomware. When it comes to ransomware, Mallox and GlobeImposter are the most used.

[Figure: Statistics for ransomware types used to attack MS-SQL servers]

The system analyzed here is an environment with an externally exposed MS-SQL server that is assumed to have weak account credentials. Multiple threat actors appear to have already obtained these credentials; as a result, detection logs for various malware such as Remcos RAT and CoinMiners were found on it.

It is presumed that the threat actor first installs the CLR SqlShell malware before installing Trigona. Although multiple malware logs were confirmed together, the basis for this assumption is the similarity in timing with the ransomware attacks and the fact that the CLR SqlShell was present in most of the systems where Trigona attacks were carried out.

[Figure 2. CLR SqlShell malware detected alongside the Trigona ransomware]

In addition, this CLR SqlShell malware is confirmed to have a routine that exploits privilege escalation vulnerabilities, which is believed to be due to the high privileges required by Trigona as it operates as a service.

In MS-SQL environments, there are many methods to execute OS commands besides the xp_cmdshell command, and one of them is the use of CLR extended procedures. This feature was originally intended to provide expanded features on SQL servers; however, threat actors can abuse it to add and use malicious functions. CLR SqlShell is a type of CLR assembly malware that receives commands from threat actors and performs malicious behaviors, similarly to the WebShells of web servers.

LemonDuck is an example of a malware strain that uses this CLR SqlShell. LemonDuck also targets MS-SQL servers for internal network propagation; it logs into the sa account, obtained through scanning and dictionary attacks, and then performs its malicious behavior. Although xp_cmdshell commands may be used for malicious behavior, the ExecCommand() method of this CLR SqlShell, evilclr.dll, is used when downloading additional payloads.

The CLR SqlShell confirmed during the Trigona ransomware attacks does not have a command execution routine, but it supports functions such as privilege escalation (MS16-032) vulnerability exploitation, information gathering, and user account configuration.
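The two defender-side signals the text above describes, a burst of failed sa logins from one client followed by a success, and a subsequent enabling of CLR or xp_cmdshell so that a CLR assembly can be loaded, both land in the SQL Server ERRORLOG. The following Python detector is an added example written for this page, not code from ASEC or from any of the malware described; the ERRORLOG lines it parses are constructed samples in SQL Server's default log layout (login auditing must be set to record both failed and successful logins for the success line to appear), and the client address, timestamps and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not real data from the report).
SAMPLE_ERRORLOG = """\
2023-04-10 12:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-10 12:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-10 12:00:01.35 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-10 12:00:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-10 12:00:01.60 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-10 12:00:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-10 12:00:02.05 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2023-04-10 12:00:40.00 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-04-10 12:00:41.00 spid55      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-04-10 12:03:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

# ERRORLOG layout: "<timestamp> <source padded to 11 chars> <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) (?P<src>\S+)\s+(?P<msg>.*)$")
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")

# sp_configure options whose enabling opens an OS-command path (xp_cmdshell,
# CLR assemblies, OLE automation) and whose disabling weakens CLR loading checks.
RISKY_ENABLE = {"xp_cmdshell", "clr enabled", "Ole Automation Procedures"}
RISKY_DISABLE = {"clr strict security"}


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze_errorlog(log_text, threshold=3, window_seconds=60):
    """Return brute-force bursts, successes that follow a burst, and risky config changes."""
    failures = defaultdict(list)  # (client, user) -> [datetime, ...]
    successes = []                # (datetime, timestamp string, client, user)
    findings = {"brute_force": [], "success_after_failures": [], "config_changes": []}

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        msg = m["msg"]
        if fm := FAILED_RE.search(msg):
            failures[(fm["client"], fm["user"])].append(ts)
        elif sm := SUCCESS_RE.search(msg):
            successes.append((ts, m["ts"], sm["client"], sm["user"]))
        elif cm := CONFIG_RE.search(msg):
            opt = cm["option"]
            if (opt in RISKY_ENABLE and cm["new"] != "0") or (opt in RISKY_DISABLE and cm["new"] == "0"):
                findings["config_changes"].append((opt, cm["old"], cm["new"], m["ts"]))

    window = timedelta(seconds=window_seconds)
    for (client, user), times in failures.items():
        burst = _max_in_window(times, window)
        if burst >= threshold:
            findings["brute_force"].append((client, user, burst))

    # A success from the same client/user shortly after a burst is the strongest
    # signal that a dictionary attack worked, which is the precondition for the
    # CLR SqlShell and ransomware deployment described above.
    for ts, ts_str, client, user in successes:
        recent = [t for t in failures.get((client, user), []) if ts - window <= t <= ts]
        if len(recent) >= threshold:
            findings["success_after_failures"].append((client, user, ts_str))
    return findings


if __name__ == "__main__":
    for kind, items in analyze_errorlog(SAMPLE_ERRORLOG).items():
        for item in items:
            print(kind, item)
```

On a real host, feed it the current ERRORLOG (or the output of xp_readerrorlog) and tune `threshold` and `window_seconds` to the login rate of legitimate applications; the `show advanced options` change is deliberately not flagged on its own, since it is a prerequisite for benign administration too, but seeing it immediately before `clr enabled` or `xp_cmdshell` from a client that just brute-forced sa is exactly the sequence worth alerting on.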