New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Unsecured Microsoft SQL, MySQL Servers Hit by Gh0stCringe Malware

Hackers are targeting poorly secured Microsoft SQL and MySQL database servers to deploy the Gh0stCringe Remote Access Trojan (RAT) on vulnerable devices. Gh0stCringe, aka CirenegRAT, is a variant of Gh0st RAT malware that was most recently deployed in 2020 Chinese cyber-espionage operations, but dates as far back as 2018. In a new report by cybersecurity firm AhnLab, researchers outline how the threat actors behind GhostCringe are targeting poorly secured database servers with weak account credentials and no oversight. These attacks are similar to previous Microsoft SQL server attacks, which dropped Cobalt Strike beacons using the Microsoft SQL xp_cmdshell command. In addition to Gh0stCringe, AhnLab’s report mentions the presence of multiple malware samples on the examined servers, indicating competing threat actors are breaching the same servers to drop payloads for their own campaigns. Gh0stCringe RAT is a powerful malware that establishes a connection with the Command-and-Control (C2) server to receive custom commands or exfiltrate stolen information. The keylogging component uses the Windows Polling method (GetAsyncKeyState API) for querying the state of every key through an endless loop. This otherwise reliable logging method introduces the risk of suspiciously high CPU usage, but in poorly managed servers, this is unlikely to cause problems for the threat actors. The malware will also monitor the keypresses for the last three minutes and send them with basic system and network information to the malware’s C2 servers. These logged keystrokes will allow the threat actors to steal login credentials and other sensitive information that logged-in users entered on the device. CirenegRAT supports four operational modes, namely 0, 1, 2, and a special Windows 10 mode, selected by the threat actor during deployment. The modes configure how persistence is established via the modification of the Windows registry and the activation of the self-copy module. For example, mode #0 is running without persistence, while mode #2 establishes persistence and considers self-copy settings.

Analyst Notes

It is recommended to upgrade server software to apply the latest available security updates, which helps mitigate a range of attacks that leverage known vulnerabilities.
It is also essential to use a strong administrator password that is hard to guess or brute-force.
The most crucial step is to place the database server behind a firewall, allowing only authorized devices to access the server. Finally, monitor all actions to identify suspicious reconnaissance activity and use a data access control for data transaction policy inspection.