Thousands of organizations running MySQL may have been infected with the infamous GandCrab ransomware after researchers spotted a new campaign targeting the open-source database.
Sophos principal researcher Andrew Brandt explained in a blog post that the British security firm spotted the attack via a honeypot set up to monitor port 3306, the default port for MySQL.
The attackers scanned for unsecured, internet-reachable MySQL databases running on Windows servers.
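The honeypot described above is the kind of low-interaction listener any admin can run to find out how often port 3306 is being probed. The following is an added example, not Sophos's honeypot code: it speaks just enough of the MySQL client/server protocol to send a real-looking Initial Handshake v10, parse the scanner's HandshakeResponse41 (username, whether a password was sent, requested database, auth plugin), log it, and answer with the same `1045 Access denied` error a locked-down server would. The server version banner, the bind address and port, and the connection-id choice are assumptions; the packet layouts follow the documented MySQL protocol.

```python
import logging
import os
import socketserver
import struct

# Capability flags from the MySQL client/server protocol (the subset this honeypot needs).
CLIENT_CONNECT_WITH_DB = 0x00000008
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000

SERVER_VERSION = b"5.7.26"  # assumption: banner shown to scanners; any version string works
SERVER_CAPABILITIES = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH


def mysql_packet(payload: bytes, seq: int) -> bytes:
    """Frame a payload: 3-byte little-endian length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def build_greeting(conn_id: int, salt: bytes) -> bytes:
    """Initial Handshake v10: what a real server sends before the client says anything."""
    assert len(salt) == 20
    payload = (
        b"\x0a" + SERVER_VERSION + b"\x00"              # protocol version 10, version string
        + struct.pack("<I", conn_id)
        + salt[:8] + b"\x00"                            # auth-plugin-data part 1 + filler
        + struct.pack("<H", SERVER_CAPABILITIES & 0xFFFF)
        + b"\x21"                                       # character set: utf8_general_ci
        + struct.pack("<H", 0x0002)                     # status flags: SERVER_STATUS_AUTOCOMMIT
        + struct.pack("<H", SERVER_CAPABILITIES >> 16)
        + bytes([len(salt) + 1])                        # auth-plugin-data length incl. NUL
        + b"\x00" * 10                                  # reserved
        + salt[8:] + b"\x00"                            # auth-plugin-data part 2
        + b"mysql_native_password\x00"
    )
    return mysql_packet(payload, 0)


def _read_cstring(buf: bytes, pos: int):
    end = buf.find(b"\x00", pos)
    end = len(buf) if end < 0 else end               # tolerate a missing trailing NUL
    return buf[pos:end].decode("utf-8", "replace"), end + 1


def _read_lenenc(buf: bytes, pos: int):
    first = buf[pos]
    if first < 0xFB:
        return first, pos + 1
    size = {0xFC: 2, 0xFD: 3, 0xFE: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size


def parse_handshake_response(payload: bytes) -> dict:
    """Extract who the scanner claims to be from its HandshakeResponse41 packet."""
    if len(payload) < 32:
        raise ValueError("handshake response too short")
    flags, max_packet, charset = struct.unpack_from("<IIB", payload, 0)
    if not flags & CLIENT_PROTOCOL_41:
        raise ValueError("pre-4.1 client protocol not handled")
    info = {"client_flags": flags, "max_packet": max_packet, "charset": charset}
    if flags & CLIENT_SSL and len(payload) == 32:
        # SSLRequest: a 32-byte packet with no username; the client expects a TLS upgrade next.
        info["ssl_request"] = True
        return info
    info["ssl_request"] = False
    info["user"], pos = _read_cstring(payload, 32)     # 4 + 4 + 1 + 23 filler bytes precede it
    if flags & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA:
        auth_len, pos = _read_lenenc(payload, pos)
        auth, pos = payload[pos:pos + auth_len], pos + auth_len
    elif flags & CLIENT_SECURE_CONNECTION:
        auth_len, pos = payload[pos], pos + 1
        auth, pos = payload[pos:pos + auth_len], pos + auth_len
    else:
        end = payload.index(b"\x00", pos)
        auth, pos = payload[pos:end], end + 1
    info["password_sent"] = len(auth) > 0
    if flags & CLIENT_CONNECT_WITH_DB:
        info["database"], pos = _read_cstring(payload, pos)
    if flags & CLIENT_PLUGIN_AUTH:
        info["auth_plugin"], pos = _read_cstring(payload, pos)
    return info


def build_access_denied(user: str, host: str, password_sent: bool, seq: int = 2) -> bytes:
    """ERR packet 1045 (SQLSTATE 28000), the reply a locked-down server gives a bad login."""
    msg = "Access denied for user '%s'@'%s' (using password: %s)" % (
        user, host, "YES" if password_sent else "NO")
    payload = b"\xff" + struct.pack("<H", 1045) + b"#28000" + msg.encode("utf-8")
    return mysql_packet(payload, seq)


def _recv_exact(sock, n: int):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


class MySQLHoneypotHandler(socketserver.BaseRequestHandler):
    """Greet, read one handshake response, log it, deny, disconnect."""

    def handle(self):
        src_ip = self.client_address[0]
        self.request.sendall(build_greeting(conn_id=os.getpid(), salt=os.urandom(20)))
        header = _recv_exact(self.request, 4)
        if header is None:
            logging.info("%s connected and left before authenticating (banner grab?)", src_ip)
            return
        payload = _recv_exact(self.request, int.from_bytes(header[:3], "little"))
        try:
            info = parse_handshake_response(payload or b"")
        except ValueError as exc:
            logging.info("%s sent an unparseable handshake: %s", src_ip, exc)
            return
        logging.info("%s login attempt: %s", src_ip, info)
        if not info["ssl_request"]:
            self.request.sendall(build_access_denied(info["user"], src_ip, info["password_sent"]))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", 3306), MySQLHoneypotHandler) as srv:  # assumed bind
        srv.serve_forever()
```

Run it on a host that has no real MySQL listening on 3306 and watch the log: every entry is a remote party that found the port open and tried a login, which is exactly the population this campaign was harvesting. Because the listener never advertises `CLIENT_SSL`, a well-behaved client will not send an SSLRequest, but scanners do not always read capability flags, so the parser recognises the 32-byte SSLRequest rather than misreading it as a username.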
Interestingly, while the IP address of the machine hosting GandCrab geolocated to Arizona, the user interface of the server software running on it (HFS, the HTTP File Server) was set to simplified Chinese, hinting at the origins of the perpetrator.
That server hosted five Windows executables with file names starting “3306,” and also provided useful stats on the campaign so far.
“The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file. Counted together, there have been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory,” explained Brandt.
“So while this isn’t an especially massive or widespread attack, it does pose a serious risk to MySQL server admins who have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world.”
MySQL has a market share of over 50%, putting many organizations at potential risk of a damaging GandCrab infection.
The ransomware has been used in an increasingly targeted manner over recent months, with attackers trying different attack vectors in a bid to get past defenses.
In February it was spotted as the payload in a campaign targeting MSPs via a two-year-old flaw in a third-party plug-in for remote management software.
As of March 2018, GandCrab had infected over 50,000 victims and extorted an estimated $300,000-600,000, with over 70% of victims based in the US and UK, according to Check Point.