Hackers target MS-SQL servers with Mallox Ransomware deployment

May 14, 2024
1 min read




TLDR:

  • Attackers are brute-forcing and exploiting internet-exposed MS-SQL servers to deploy Mallox ransomware, targeting organizations that keep sensitive data on them.
  • Researchers at Sekoia observed the activity on a honeypot and published a technical analysis of the attack chain.

Information stored on MS-SQL servers, such as financial records and customer data, makes them lucrative targets. Weak passwords, unpatched vulnerabilities, and misconfigurations leave these servers exposed to automated scanning and exploitation tools, and a server reachable from the internet will be probed whether or not anyone is looking for it specifically. Researchers at Sekoia recently documented a campaign in which attackers actively compromise MS-SQL servers to deploy Mallox ransomware.

The researchers found that an MS-SQL honeypot deployed on April 15th was quickly compromised through brute-force attacks against the built-in “sa” account, which had been given a weak password. Once authenticated, the attackers used the server to stage PureCrypter, a loader that in turn delivered the Mallox payload. Mallox is run as a ransomware-as-a-service (RaaS) operation that distributes several variants of the ransomware and is known for double extortion: data is encrypted and the victim is threatened with its publication.
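The compromise above started with nothing more exotic than repeated failed logins for “sa”, which SQL Server writes to its ERRORLOG as error 18456 when failed-login auditing is on (the default). The detector below, added here as an example and not code from Sekoia or the article, parses lines in that ERRORLOG layout, counts failures per (client, login) in a sliding window, and raises a second alert if a client that was already flagged later logs in successfully, which is the pattern a brute-force that found the password leaves behind. The log lines are constructed for this example; the threshold and window values are assumptions to tune per environment; the “Login succeeded” line only appears in ERRORLOG when login auditing is set to record both failed and successful logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the layout of a SQL Server ERRORLOG (not taken from the report):
# a burst of failed 'sa' logins from one client, one benign failure from an internal
# host, then a successful 'sa' login from the brute-forcing client.
SAMPLE_ERRORLOG = """\
2024-04-15 03:12:44.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-04-15 03:12:44.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-15 03:12:44.31 Logon       Error: 18456, Severity: 14, State: 8.
2024-04-15 03:12:44.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-15 03:12:44.52 Logon       Error: 18456, Severity: 14, State: 8.
2024-04-15 03:12:44.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-15 03:12:44.70 Logon       Error: 18456, Severity: 14, State: 8.
2024-04-15 03:12:44.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-15 03:12:44.91 Logon       Error: 18456, Severity: 14, State: 8.
2024-04-15 03:12:44.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-15 03:13:02.05 Logon       Error: 18456, Severity: 14, State: 8.
2024-04-15 03:13:02.05 Logon       Login failed for user 'app_reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.17]
2024-04-15 03:15:10.40 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
"""

# Only the "Login failed/succeeded" lines carry the login name and client address;
# the preceding "Error: 18456" line is skipped because it repeats nothing useful here.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Return logon events (dicts with ts, outcome, user, client) in timestamp order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "outcome": m["outcome"],
            "user": m["user"],
            "client": m["client"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window brute-force detector.

    Alerts once per (client, user) when `threshold` failures land inside `window`
    (assumed values; tune per environment), and again with type
    'success_after_bruteforce' if that same client later authenticates as that user.
    """
    recent = defaultdict(deque)  # (client, user) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in events:
        key = (ev["client"], ev["user"])
        if ev["outcome"] == "failed":
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "bruteforce", "client": ev["client"],
                               "user": ev["user"], "failures": len(q), "at": ev["ts"]})
        elif key in flagged:
            # A success from a client we already flagged is the signature of a
            # guessed password: the honeypot case in the text, seen from the log side.
            alerts.append({"type": "success_after_bruteforce", "client": ev["client"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_logon_events(SAMPLE_ERRORLOG)):
        print(alert)
```

On a real host the input is the ERRORLOG file (or the output of `xp_readerrorlog`); the low-volume internal failure from 10.0.0.17 stays below the threshold and produces no alert, while the five “sa” failures inside one second and the later success from the same address produce one alert each.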

Mallox operators gain initial access by exploiting MS-SQL server vulnerabilities, brute-forcing weak credentials, and phishing. The operation has evolved from a closed group into a RaaS model that recruits affiliates on underground forums such as RAMP. The malware uses evasion techniques such as environment detection and privilege adjustment. Mallox has hit sectors including manufacturing and retail, pairing encryption with data exfiltration and triple extortion.

Sekoia's technical analysis traced the deployment flow, showing how the attackers loaded Mallox through PureCrypter after getting into the server through its exposed MS-SQL service and a weak password. The case underlines that securing MS-SQL servers, starting with strong credentials for “sa” and limiting who can reach the service at all, is a direct defence against this ransomware and the data theft that accompanies it.
