Attackers target rare, but juicy, exposed MySQL DBs
Brandt said hackers would scan for internet-accessible MySQL databases that would accept SQL commands, check if the underlying server would run on Windows, and then use malicious SQL commands to plant a file on the exposed servers, which they'd later execute, infecting the host with the GandCrab ransomware.
While most system administrators typically protect their MySQL servers with passwords, the purpose of these scans appeared to be the opportunistic exploitation of misconfigured or passwordless databases.
According to Brandt, the hackers appeared to have been quite prodigious, while not entirely clear if they were successful.
The Sophos researcher tracked these attacks back to a remote server, which had an open directory running server software called HFS, which exposed download stats for the attacker's malicious payloads.
"The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file," Brandt said.
"Counted together, there has been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory.
"So while this isn't an especially massive or widespread attack, it does pose a serious risk to MySQL server admins who have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world," he said.
As Brandt points out, these types of attacks are very rare. Hacker groups usually scan for database servers to infiltrate companies and to steal their data or intellectual property, or to plant crypto-mining malware [1, 2].
Instances where a hacker group deploys ransomware are rare.
Fun and functional Raspberry Pi accessories (July 2019 edition)