Threat Actors Deploy FreeWorld Ransomware by Hijacking MSSQL Servers on DB Jammer

Tags: MSSQL, Cobalt Strike, DB#JAMMER, FreeWorld

Threat actors behind the DB#JAMMER attack campaigns are compromising internet-exposed MSSQL databases through brute-force attacks. They appear to be well tooled and ready to deliver ransomware (FreeWorld) and Cobalt Strike payloads once inside.

Indicators of Compromise

Hashes (27)


IPv4 (1)

45.148.122.63

Notes

CONCLUSIONS:

Since initial access is gained by brute force, use strong, complex passwords, especially on publicly exposed services, and rate-limit login attempts. Remote access to services should go through a trusted VPN. Organizations can further reduce the attack surface of their MS SQL services by addressing the flaws or by limiting the services' exposure to the internet.
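The conclusions above recommend rate-limiting login attempts; the matching signal on the detection side is a burst of failed SQL Server logins from a single client, followed by a success from that same client. The Python below is an added example written for this page, not code from the SOC Incident Toolkit or from the DB#JAMMER campaign report: it parses constructed ERRORLOG-style lines in the shape of the SQL Server "Login failed for user" message (Event ID 18456), flags any client that exceeds a failure threshold inside a sliding time window, and then flags a later successful login from a flagged client. The sample lines, usernames, IP addresses and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not from the page or any real incident).
# 203.0.113.7 hammers the 'sa' login, then succeeds; 10.0.0.25 is a single typo.
SAMPLE_ERRORLOG = """\
2023-09-01 10:00:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:01.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:02.05 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:02.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:03:15.00 Logon       Login failed for user 'report_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
2023-09-01 10:05:00.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
"""

# Shape of the SQL Server logon messages: timestamp, "Logon" source, outcome,
# quoted login name, free text, and the client address in square brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_errorlog(text):
    """Return a list of logon events; lines that are not logon messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"][:19], "%Y-%m-%d %H:%M:%S"),  # drop fraction
            "outcome": m["outcome"],
            "user": m["user"],
            "client": m["client"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Per client, find the densest run of failures; alert when it reaches `threshold`
    failures inside `window` (values are illustrative, tune to your environment)."""
    by_client = defaultdict(list)
    for e in events:
        if e["outcome"] == "failed":
            by_client[e["client"]].append(e)
    alerts = {}
    for client, fails in by_client.items():
        fails.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(fails)):                       # sliding window over sorted failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[client] = {
                "failures": best,
                "users": sorted({f["user"] for f in fails}),  # which logins were guessed
                "first_seen": fails[0]["ts"],
            }
    return alerts


def success_after_bruteforce(events, alerts):
    """A successful login from a client already flagged for guessing is the
    high-priority signal: the password was most likely found."""
    hits = []
    for e in events:
        if (e["outcome"] == "succeeded" and e["client"] in alerts
                and e["ts"] >= alerts[e["client"]]["first_seen"]):
            hits.append((e["client"], e["user"], e["ts"]))
    return hits


if __name__ == "__main__":
    evs = parse_errorlog(SAMPLE_ERRORLOG)
    found = detect_bruteforce(evs)
    for client, info in found.items():
        print(f"brute force from {client}: {info['failures']} failures, logins {info['users']}")
    for client, user, ts in success_after_bruteforce(evs, found):
        print(f"SUCCESS after guessing: {client} logged in as '{user}' at {ts}")
```

On a real host the same parser can be pointed at the ERRORLOG file or at Event ID 18456 records exported from the Application log; the threshold and window should be set from a baseline of normal failure rates so that a single mistyped service-account password does not page anyone.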

Mitigation

MITRE ATT&CK matrix

Tactic              | Technique
--------------------|------------------------------------------------------------
Initial Access      | T1110: Brute Force
Discovery           | T1046: Network Service Discovery
Defense Evasion     | T1112: Modify Registry
                    | T1562.001: Impair Defenses: Disable or Modify Tools
Persistence         | T1098: Account Manipulation
                    | T1505.001: Server Software Component: SQL Stored Procedures
Credential Access   | T1003: OS Credential Dumping
                    | T1110.001: Brute Force: Password Guessing
Lateral Movement    | T1021.001: Remote Services: Remote Desktop Protocol
Command and Control | T1105: Ingress Tool Transfer
                    | T1572: Protocol Tunneling
                    | T1573.001: Encrypted Channel: Symmetric Cryptography
                    | T1219: Remote Access Software
Exfiltration        | T1567: Exfiltration Over Web Service
Impact              | T1486: Data Encrypted for Impact