Security researchers from security firm GuardiCore Labs have discovered multiple attacks conducted by an established criminal group that operates worldwide.
The group has targeted and compromised thousands of database servers to steal users' personal data, build a DDoS botnet and mine cryptocurrencies. According to the research, the group has used at least three attack variants - Hex, Hanako, and Taylor - to infiltrate MS SQL and MySQL servers on both Windows and Linux.
The goals of these three 'hex-men' are different:
Hex installs cryptocurrency miners and remote access trojans (RATs) inside infected machines, Taylor installs a keylogger and creates a backdoor, and Hanako uses the infected devices in order to build a DDoS botnet.
To gain access to the targeted database servers, the attackers brute-force the database login credentials, then run a series of predefined SQL commands to gain persistent access and evade audit logs. Further attacks are launched from a network of already compromised systems, which also host the malicious files that newly infected servers download.
This strategy makes the attacks modular, so blocking any single source or payload does little to stop the campaign.
At the time of the report, the researchers were seeing hundreds of Hex and Hanako attacks, and tens of thousands of Taylor attacks, each month, with most compromised machines located in China, followed by the U.S., Thailand, Japan, Vietnam, India, Brazil, Korea, Turkey and Mexico.
According to The Hacker News, all three variants - Hex, Taylor and Hanako - create backdoor users directly inside the targeted database and open the Remote Desktop port. This allows the attackers to remotely download and install a cryptocurrency miner, a Remote Access Trojan (RAT) and a DDoS bot.
"Later in the attack, the attacker stops or disables a variety of anti-virus and monitoring applications by running shell commands," the researchers wrote in their blog post. "The anti-virus targeted is a mixture of well-known products such as Avira and Panda Security and niche software such as Quick Heal and BullGuard."
The researchers have learned that the attackers often compromise public and private cloud deployments, without targeting any specific domain or industry.
Determining the scope of the campaign is difficult, however, because the group has shown the ability to generate over 300 unique binaries per attack and to constantly rotate its attacking machines and domains, while at the same time using thousands of victims as part of its attack infrastructure.
To cover their tracks, the attackers delete unnecessary registry entries, files and folders using predefined batch files and Visual Basic scripts.
Administrators can, however, check whether they have been hit.
One indicator is the presence of the following usernames in the database or on the system: hanako, kisadminnew1, 401hk$, Guest and Huazhongdiguo110.
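The queries below, added here as an example and not taken from the GuardiCore report, look up those names on each database platform the campaign targets. The first two statements are for MS SQL Server (server logins, then users inside the current database), the last is for MySQL; run the section that matches your server. Note that SQL Server ships with a built-in database user named guest in every database, and Windows has a built-in Guest account, so a hit on that one name is expected; the question there is whether the account has been enabled or granted CONNECT, not whether it exists.

```sql
-- Added example: check for the backdoor account names reported for the Hex, Hanako and Taylor attacks.
-- Not part of the original article; the name list is the only input.

-- MS SQL Server, server level: logins that can connect to the instance
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE name IN ('hanako', 'kisadminnew1', '401hk$', 'Guest', 'Huazhongdiguo110');

-- MS SQL Server, database level: run in each database (USE <db>;) to find planted users.
-- 'guest' is built in; it only matters if CONNECT has been granted to it (state_desc = 'GRANT').
SELECT p.name, p.type_desc, p.create_date, perm.state_desc
FROM sys.database_principals AS p
LEFT JOIN sys.database_permissions AS perm
       ON perm.grantee_principal_id = p.principal_id
      AND perm.permission_name = 'CONNECT'
WHERE p.name IN ('hanako', 'kisadminnew1', '401hk$', 'Guest', 'Huazhongdiguo110');

-- MySQL / MariaDB: accounts in the grant table, with the hosts they may connect from
SELECT User, Host, Super_priv
FROM mysql.user
WHERE User IN ('hanako', 'kisadminnew1', '401hk$', 'Guest', 'Huazhongdiguo110');
```

An empty result is not proof of a clean system: the group rotates binaries and account names, so treat these names as one indicator among several and review recently created principals (create_date) as well.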
To prevent this kind of compromise, the researchers advise administrators to follow the database hardening guides provided by both MySQL and Microsoft, and never to rely solely on strong passwords.
The best way to minimize exposure to these attacks is to know and control who has access to the database. Routinely review the list of machines that can reach the database servers, keep that list to a minimum, and pay special attention to machines that are accessible directly from the internet.
Every connection attempt from an IP or domain that is not on the list should be blocked and investigated.
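The following statements, added here as an example rather than taken from the report, show how that allow-list can be enforced inside the database itself, in addition to a network firewall. For MySQL, the audit query finds accounts reachable from any host, and RENAME USER narrows an account to the application subnet without losing its grants. For MS SQL Server, which has no per-host login restriction, a logon trigger rolls back sessions from hosts outside the list. The account name app, the subnet 10.0.5.x, the trigger name and the placeholder password are assumptions for the example.

```sql
-- Added example: restrict which machines can use database accounts. Assumed values:
-- application subnet 10.0.5.0/24, account 'app', trigger name trg_allowlist_clients.

-- MySQL / MariaDB: which accounts can be reached from anywhere? These are what a brute-forcer gets to try.
SELECT User, Host
FROM mysql.user
WHERE Host = '%' OR Host = '' OR Host LIKE '%\%%';

-- Weak: account open to every host (the shape typically found on compromised servers)
CREATE USER 'app'@'%' IDENTIFIED BY 'CHANGE-ME-placeholder';

-- Hardened: same account, same privileges, but only from the application subnet
RENAME USER 'app'@'%' TO 'app'@'10.0.5.%';
FLUSH PRIVILEGES;

-- MS SQL Server: logon trigger that rejects sessions from hosts outside the allow-list.
-- A rejected login is still recorded in the SQL Server error log, so it can be investigated.
CREATE TRIGGER trg_allowlist_clients
ON ALL SERVER
FOR LOGON
AS
BEGIN
    DECLARE @client NVARCHAR(128) =
        EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'NVARCHAR(128)');

    -- '<local machine>' is what EVENTDATA reports for shared-memory/local connections
    IF @client <> '<local machine>'
       AND @client NOT LIKE '10.0.5.%'
    BEGIN
        ROLLBACK;   -- connection is refused after authentication
    END
END;
```

Two caveats a practitioner should keep in mind. A logon trigger fires after the password has already been checked, so it stops a guessed credential from being used but does not stop the brute-forcing itself; the network allow-list remains the primary control, and this is a second layer. And a bug in a logon trigger can lock out every login, including administrators, so test it on a non-production instance first and keep the Dedicated Administrator Connection (which bypasses logon triggers) available to remove it.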
"While defending against this type of attacks may sound easy or trivial—'patch your servers and use strong passwords'—we know that 'in real life' things are much more complicated. The best way to minimize your exposure to campaigns targeting databases is to control the machines that have access to the database," advised the researchers.