MySQL Servers Running On Windows Should Watch Out For Ransomware

Sundar Pichai - May 31, 2019



Nearly 800 downloads of the payload were recorded in the five days after the attack

A research team at Sophos, the British security software and hardware company, has reported a cyber attack aimed at MySQL servers. The target was a Sophos honeypot (a deliberately exposed decoy system), so no real damage was done, but the incident is a warning about how exposed MySQL servers can be abused and raises the prospect of ransomware aimed squarely at database servers in the future.

How Do Hackers Attack MySQL?

The honeypot recorded the upload of a Windows executable, which means the attack is built for MySQL servers hosted on Windows.

In the first stage the attacker sent a series of SQL statements to upload a small helper DLL. A table named yongger2 was created and filled from a variable holding the DLL's bytes, and the table contents were then written out to the server's file system (the standard way to do this is SELECT ... INTO DUMPFILE, which requires the FILE privilege and a plugin directory the MySQL service account can write to). The DLL exports a function named xpdl3 together with the xpdl3_init and xpdl3_deinit routines that MySQL expects from a user-defined function (UDF) plugin; a UDF of this kind gives the attacker a way to run commands on the server through ordinary SQL calls, and these particular names are well known from commodity MySQL attack toolkits.


Once the function was registered, the attacker called it to fetch the GandCrab ransomware (one of the most widespread ransomware families at the time) from a remote server and save it to the root of the C: drive as isetup.exe, after which the malicious program was executed.
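The chain above leaves a distinctive trail in MySQL's general query log when that log is enabled. The following Python script is an added example, not Sophos's code or anything from the report: it parses a constructed sample of general-log lines (MySQL 5.7 layout, using the table and function names from this article and a hypothetical helper.dll path) and flags any connection that uploads an executable as a hex literal, writes it out with SELECT ... INTO DUMPFILE, and registers it as a UDF with CREATE FUNCTION ... SONAME.

```python
import re
from collections import defaultdict

# Constructed sample of a MySQL 5.7 general query log (not taken from the Sophos
# report). Layout: <time> TAB <padded connection id> <command> TAB <argument>.
# Connection 12 is the UDF drop chain; connection 13 is ordinary application traffic.
SAMPLE_LOG = """\
2019-05-26T18:02:00.000000Z\t   12 Connect\troot@203.0.113.7 on  using TCP/IP
2019-05-26T18:02:01.000000Z\t   12 Query\tset @a=0x4d5a90000300000004000000ffff0000b8000000
2019-05-26T18:02:01.500000Z\t   12 Query\tcreate table yongger2 (data LONGBLOB)
2019-05-26T18:02:02.000000Z\t   12 Query\tinsert into yongger2 values (@a)
2019-05-26T18:02:03.000000Z\t   12 Query\tselect data from yongger2 into dumpfile 'C:/Program Files/MySQL/MySQL Server 5.7/lib/plugin/helper.dll'
2019-05-26T18:02:04.000000Z\t   12 Query\tcreate function xpdl3 returning string soname 'helper.dll'
2019-05-26T18:03:00.000000Z\t   13 Connect\tshop@10.0.0.5 on shop using TCP/IP
2019-05-26T18:03:01.000000Z\t   13 Query\tselect id, name from products where id = 42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Each stage of the chain as (label, pattern). A Windows PE file begins with the
# bytes 'MZ' (0x4d5a), so a hex literal starting that way is an executable image.
RULES = [
    ("pe_image_literal",
     re.compile(r"\b0x4d5a[0-9a-f]*", re.I)),
    ("write_to_plugin_dir",
     re.compile(r"\binto\s+dumpfile\s+'[^']*(?:plugin[\\/]|\.dll')", re.I)),
    ("udf_registration",
     re.compile(r"\bcreate\s+(?:aggregate\s+)?function\s+(?P<name>\w+)\s+returning\s+\w+\s+soname\b", re.I)),
]


def parse_general_log(text):
    """Yield (connection_id, command, argument) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m["conn"]), m["cmd"], m["arg"]


def find_udf_drops(text):
    """Return {connection_id: finding} for sessions that register a UDF library.

    Severity is 'high' when the same connection also uploaded a PE image and
    wrote a file into the plugin directory, 'medium' when only the CREATE
    FUNCTION ... SONAME statement was seen (the library may have arrived by
    another route).
    """
    stages = defaultdict(dict)          # conn id -> {stage label: matched text}
    for conn, cmd, arg in parse_general_log(text):
        if cmd != "Query":
            continue
        for label, pattern in RULES:
            m = pattern.search(arg)
            if m:
                stages[conn][label] = m.group("name") if "name" in m.groupdict() else m.group(0)

    findings = {}
    for conn, seen in stages.items():
        if "udf_registration" not in seen:
            continue
        findings[conn] = {
            "severity": "high" if len(seen) == len(RULES) else "medium",
            "udf": seen["udf_registration"],
            "stages": sorted(seen),
        }
    return findings


if __name__ == "__main__":
    for conn, f in find_udf_drops(SAMPLE_LOG).items():
        print(f"connection {conn}: {f['severity']} - UDF {f['udf']} registered, stages {f['stages']}")
```

The rules are grouped per connection id rather than per statement because each step on its own can be legitimate (a DBA may install a UDF library deliberately); it is the whole sequence from one remote session that matters. A CREATE FUNCTION ... SONAME with no preceding upload is still reported at medium severity, since the library may have been placed on disk by some other means.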

What Are The Possible Harms?

The attack was caught in time because the download URL was examined closely. On a real, unmonitored server the payload would have encrypted the host's files, and the owner would have been left with a ransom demand.

[Image: GandCrab ransom note]

Most MySQL databases are at least password protected, but many owners are not aware that an internet-facing database server is an attack surface in its own right, and that is exactly what opportunistic attackers look for.

In total, nearly 800 downloads of the payload were recorded in five days from the server it was hosted on, while more than 2,300 downloads were counted for the other files there. Attacks of this kind are still rare, but the case is a warning to MySQL administrators not to leave database servers reachable from the internet: an attacker who can connect has a good chance of stealing user data or intellectual property, and could just as easily deploy crypto-mining malware on the server.
