STAC6451 Hacker Hijacking Microsoft SQL Servers to Compromise Organizations

The post STAC6451 Hacker Hijacking Microsoft SQL Servers to Compromise Organizations appeared first on GBHackers on Security.

Aug 9, 2024 - 00:00

A sophisticated threat activity cluster, STAC6451, has been identified targeting Microsoft SQL servers.

This cluster, observed primarily by Sophos Managed Detection and Response (MDR) teams, has compromised organizations through Internet-exposed SQL Server instances protected by weak credentials; no software vulnerability is required for the initial foothold.

The attackers have been using a combination of brute-force attacks, command execution, and lateral movement techniques to infiltrate and compromise networks.

This article walks through the STAC6451 attack chain, the techniques employed at each stage, and what the activity means for defenders.


Initial Access and Exploitation

STAC6451 primarily targets Microsoft SQL (MSSQL) servers exposed to the Internet. These servers often have weak or default credentials, making them susceptible to brute-force attacks.

Once access is gained, the attackers enable the xp_cmdshell extended stored procedure, which lets them run operating-system commands from T-SQL in the security context of the SQL Server service account.


This step lets the attackers run code on the host and stage payloads inside the database itself. They target SQL Server's default TCP port, 1433, which is trivial to find with an Internet-wide scan when left exposed.

They brute-force SQL logins using simple or default credentials. This underlines two basics: strong, unique passwords for every SQL login, and keeping the service off the Internet.
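The two events described above, a burst of failed logins from one client followed by xp_cmdshell being switched on, both land in the SQL Server ERRORLOG. The following detector is an added example written for this article, not code from Sophos or from the original post. The log excerpt is constructed sample data (addresses, spid and timestamps are made up); the message formats are SQL Server's own (error 18456 for failed logins, and the configuration-change notice that sp_configure writes when xp_cmdshell goes from 0 to 1). The five-failures-per-minute threshold is an assumed starting point, not a published rule. Note that the "Login succeeded" line only appears if login auditing is set to record successful logins as well as failed ones.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (sample data, not from a real victim). The
# message formats are SQL Server's own: failed logins are error 18456 carrying the
# client address; enabling xp_cmdshell via sp_configure logs a configuration change.
SAMPLE_ERRORLOG = """\
2024-08-01 02:10:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-08-01 02:10:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-01 02:10:01.40 Logon       Error: 18456, Severity: 14, State: 8.
2024-08-01 02:10:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-01 02:10:01.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-01 02:10:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-01 02:10:02.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-01 02:10:02.66 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-01 02:10:03.01 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-08-01 02:10:05.77 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-08-01 09:15:22.03 Logon       Login failed for user 'report_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.4.21]
"""

# ERRORLOG line: timestamp, source column (Logon / spidNN / Server), message.
LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(?P<src>\S+)\s+(?P<msg>.*)$")
LOGIN_FAILED = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
LOGIN_OK = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
XP_CMDSHELL_ON = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse_errorlog(text):
    """Turn ERRORLOG lines into event dicts; lines that carry no signal are dropped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg = m["msg"]
        if f := LOGIN_FAILED.search(msg):
            events.append({"ts": ts, "kind": "login_failed", "user": f["user"], "client": f["client"]})
        elif s := LOGIN_OK.search(msg):
            events.append({"ts": ts, "kind": "login_ok", "user": s["user"], "client": s["client"]})
        elif XP_CMDSHELL_ON.search(msg):
            events.append({"ts": ts, "kind": "xp_cmdshell_enabled", "spid": m["src"]})
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failed logins per client; returns {client: peak_in_window}."""
    failures = defaultdict(list)
    for ev in events:
        if ev["kind"] == "login_failed":
            failures[ev["client"]].append(ev["ts"])
    hits = {}
    for client, stamps in failures.items():
        recent = deque()
        peak = 0
        for ts in sorted(stamps):
            recent.append(ts)
            while ts - recent[0] > window:   # drop failures that fell out of the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            hits[client] = peak
    return hits


def analyze(text, threshold=5, window=timedelta(minutes=1)):
    """Brute force, any success from a brute-forcing client, and xp_cmdshell enablement."""
    events = parse_errorlog(text)            # events keep log order, i.e. chronological
    brute = find_bruteforce(events, threshold, window)
    success = [(ev["user"], ev["client"], ev["ts"])
               for ev in events if ev["kind"] == "login_ok" and ev["client"] in brute]
    cmdshell = [ev["ts"] for ev in events if ev["kind"] == "xp_cmdshell_enabled"]
    return {"bruteforce": brute,
            "successful_login_from_bruteforce_client": success,
            "xp_cmdshell_enabled": cmdshell}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_ERRORLOG).items():
        print(f"{key}: {value}")
```

The ERRORLOG does not tie the spid that ran sp_configure back to a client address, so the xp_cmdshell event is reported on its own; a success from a brute-forcing client followed within minutes by that configuration change is the combination worth paging on.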

Discovery and Staging

Once access is secured, the attackers execute discovery commands to gather information about the system. These commands include retrieving the version, hostname, available memory, domain, and username context.

ver & hostname
wmic computersystem get totalphysicalmemory
wmic os get Caption
wmic os get version
wmic computersystem get domain
whoami

The execution of these commands is often automated, indicating a high level of sophistication in the attack.

Aggregated SQL SPID

Staging Malicious Payloads

The attackers use the Bulk Copy Program (BCP) utility to stage additional payloads and tools. This command-line tool copies data between an SQL instance and a file.

Having first written their tools into a table as binary data, the attackers use bcp to export those rows to files on disk, turning the database itself into a staging area. Tools staged this way include AnyDesk for remote access, batch scripts, and PowerShell scripts.

Creating User Accounts

The attackers create various user accounts across victim environments to facilitate lateral movement and maintain persistence.

These accounts are added to the local administrator and remote desktop groups, giving the attackers elevated privileges.

Using automated scripts to create these accounts simultaneously across multiple networks indicates a coordinated effort to compromise numerous victims.

Data displaying automated execution of d.bat simultaneously against various target networks

The attackers use AnyDesk, a legitimate remote desktop application, for initial command and control. Installing AnyDesk on compromised systems gives them interactive remote access that persists even if the SQL Server foothold is lost, under the cover of a tool many environments already permit.
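Every stage described so far in this chain (the discovery commands, the bcp export of a payload to disk, the account creation and group additions, and the AnyDesk launch) shows up as a process whose ancestry leads back to sqlservr.exe, which is the one parent that should essentially never be spawning shells. The following detector is an added example written for this article, not Sophos's or GBHackers' code. The process records are constructed in the shape of Sysmon Event ID 1 fields (PIDs, paths, the staged file name d.bat, the account name and password are all made up), and the SQL Server and bcp install paths are assumed defaults.

```python
import ntpath
import shlex

# Constructed process-creation records in the shape of Sysmon Event ID 1 (sample data,
# not telemetry from a real incident). PIDs, paths, the staged file name and the
# account name are made up; the command shapes follow the article's description.
SQL_BIN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
EVENTS = [
    {"pid": 4120, "ppid": 812,  "image": SQL_BIN, "cmd": f'"{SQL_BIN}" -sMSSQLSERVER'},
    # discovery via xp_cmdshell: sqlservr.exe -> cmd.exe -> wmic.exe / whoami.exe
    {"pid": 5232, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmd": 'cmd.exe /c "wmic computersystem get domain"'},
    {"pid": 5240, "ppid": 5232, "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": "wmic computersystem get domain"},
    {"pid": 5255, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"pid": 5260, "ppid": 5255, "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami"},
    # staging: bcp exports a table row holding a batch script to disk
    {"pid": 5301, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c bcp "select data from tempdb..stage" queryout C:\Windows\Temp\d.bat -T -f C:\Windows\Temp\fmt.txt'},
    {"pid": 5310, "ppid": 5301, "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
     "cmd": r'bcp "select data from tempdb..stage" queryout C:\Windows\Temp\d.bat -T -f C:\Windows\Temp\fmt.txt'},
    # the staged script creates an account, elevates it and launches AnyDesk
    {"pid": 5402, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmd": r"cmd.exe /c C:\Windows\Temp\d.bat"},
    {"pid": 5410, "ppid": 5402, "image": r"C:\Windows\System32\net.exe", "cmd": "net user svc_backup Welcome1 /add"},
    {"pid": 5411, "ppid": 5402, "image": r"C:\Windows\System32\net.exe", "cmd": "net localgroup administrators svc_backup /add"},
    {"pid": 5412, "ppid": 5402, "image": r"C:\Windows\System32\net.exe", "cmd": 'net localgroup "Remote Desktop Users" svc_backup /add'},
    {"pid": 5420, "ppid": 5402, "image": r"C:\Windows\Temp\AnyDesk.exe", "cmd": r"C:\Windows\Temp\AnyDesk.exe"},
    # benign: an administrator running whoami from an interactive shell, not under SQL Server
    {"pid": 6000, "ppid": 1500, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 6010, "ppid": 6000, "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
DISCOVERY = {"whoami.exe", "wmic.exe", "hostname.exe", "systeminfo.exe"}  # 'ver' is a cmd builtin, no process
PRIV_GROUPS = {"administrators", "remote desktop users"}
STAGED_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs")


def basename(path):
    return ntpath.basename(path).lower()


def under_sqlservr(tree, pid, max_depth=16):
    """Walk parent links; True if sqlservr.exe is the process or one of its ancestors."""
    cur = tree.get(pid)
    for _ in range(max_depth):
        if cur is None:
            return False
        if basename(cur["image"]) == "sqlservr.exe":
            return True
        cur = tree.get(cur["ppid"])
    return False


def bcp_output_path(toks):
    """Output file of 'bcp ... queryout <file>' or 'bcp <table> out <file>', else None."""
    low = [t.lower() for t in toks]
    for mode in ("queryout", "out"):
        if mode in low and low.index(mode) + 1 < len(toks):
            return toks[low.index(mode) + 1]
    return None


def detect(events):
    """Return (rule, pid, detail) alerts for the STAC6451-style chain rooted at sqlservr.exe."""
    tree = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not under_sqlservr(tree, e["pid"]):
            continue                      # every rule below requires the SQL Server lineage
        img = basename(e["image"])
        toks = [t.strip('"') for t in shlex.split(e["cmd"], posix=False)]  # Windows-style split
        low = [t.lower() for t in toks]
        parent = tree.get(e["ppid"])
        if img in SHELLS and parent and basename(parent["image"]) == "sqlservr.exe":
            alerts.append(("sqlservr_spawned_shell", e["pid"], e["cmd"]))   # xp_cmdshell in use
        if img in DISCOVERY:
            alerts.append(("discovery_under_sqlservr", e["pid"], e["cmd"]))
        if img == "bcp.exe":
            out = bcp_output_path(toks)
            if out and out.lower().endswith(STAGED_EXT):
                alerts.append(("bcp_staged_payload", e["pid"], out))
        if img in {"net.exe", "net1.exe"} and "/add" in low and len(toks) > 2:
            if low[1] == "user":
                alerts.append(("local_account_created", e["pid"], toks[2]))
            elif low[1] == "localgroup" and low[2] in PRIV_GROUPS and len(toks) > 3:
                alerts.append(("privileged_group_addition", e["pid"], f"{toks[3]} -> {toks[2]}"))
        if img == "anydesk.exe":
            alerts.append(("anydesk_under_sqlservr", e["pid"], e["cmd"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

The lineage check is what keeps the noise down: whoami or net user from an administrator's console is routine, the same commands three levels under sqlservr.exe are not. A bcp export whose target ends in an executable or script extension is a strong signal on its own, since legitimate bulk exports produce data files.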

PrintSpoofer and Cobalt Strike

The attackers deploy PrintSpoofer, a privilege escalation tool that abuses the SeImpersonatePrivilege held by service accounts such as the one SQL Server runs under: it coerces the Windows Print Spooler service into connecting to a named pipe it controls and impersonates the resulting SYSTEM token.

Additionally, they use Cobalt Strike, a commercial adversary-emulation framework widely abused by criminal actors, for command and control (C2). A custom loader drops the Cobalt Strike payload, which then establishes the C2 channel and executes further tasking.

Strings Analysis of USERENV.dll

One of the STAC6451 cluster’s primary objectives is to deploy ransomware. The attackers use the BCP utility to write a ransomware launcher to disk.

They also use AnyDesk to execute batch scripts that launch the ransomware, which encrypts victim files and demands a ransom for decryption.

Targeting Indian Organizations

Sophos MDR has observed STAC6451 explicitly targeting organizations in India across multiple sectors.

The simultaneous execution of identical scripts and uniform tempo of activity across different target environments suggests that the attackers are automating various stages of their attack to exploit and compromise multiple victims swiftly.

Gantt Chart of observed activity sourced from aggregate SQL SPID

While the attackers have been observed deploying Mimic ransomware, their activities also include data collection and likely exfiltration.

This dual approach points to a financially motivated operation that can profit both from ransom payments and from selling the stolen data.

Recommendations for Organizations

Securing SQL Servers – Do not expose SQL Server directly to the Internet; where remote access is unavoidable, place it behind a VPN or an IP allow-list. Use strong, unique passwords for every SQL login, and keep xp_cmdshell disabled unless there is a documented need for it.

Monitoring and Detection – Implementing robust monitoring and detection systems can help identify and mitigate attacks in their early stages. Tools like Sophos MDR can provide valuable insights and protection against such sophisticated threats.

Regular Security Audits – Regular security audits and vulnerability assessments can help organizations identify and address potential system weaknesses. This proactive approach is essential in staying ahead of evolving threats like STAC6451.

The STAC6451 threat activity cluster represents a significant risk to organizations worldwide, particularly those with exposed SQL servers.

By understanding the tactics, techniques, and procedures employed by these attackers, organizations can better protect themselves and mitigate the impact of such attacks.

As cybersecurity threats evolve, staying informed and vigilant is crucial in safeguarding digital assets and maintaining operational integrity.


