FreeWorld ransomware attacks MSSQL—get your databases off the internet

When we think of ransomware and brute force password guessing attacks, we normally think of RDP, but recent research from Securonix reminds us that anything secured with a password and exposed to the internet is of interest to cybercriminals.

Microsoft’s Remote Desktop Protocol has been a favourite point of entry for ransomware gangs for several years now. Cybercriminals seek out machines with RDP exposed to the internet and attempt to guess their passwords, hoping to gain entry. They like RDP because it gives them exactly the same access as sitting at a chair in front of the computer, and because there are millions of targets to choose from.

But other systems can be abused to gain entry in a similar way, and the Securonix Threat Research team reports that it has spotted attackers targeting exposed Microsoft SQL (MSSQL) services using brute force attacks.

In an attack described by Securonix, attackers brute forced a MSSQL password and then used the database’s xp_cmdshell feature to run commands on the host machine the database was running on.

Having discovered that the xp_cmdshell stored procedure was enabled, the attackers began running shell commands on the host. xp_cmdshell allows operating system commands to be executed from within SQL Server, and it should normally not be enabled unless it is genuinely required.
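The checks a defender would run on a SQL Server instance for the conditions described above, as an added example that is not taken from the Securonix report or this article. It assumes a login with sysadmin rights and uses only documented SQL Server system views and procedures.

```sql
-- Added example: audit and harden xp_cmdshell, and look for the password
-- guessing that precedes its abuse. Run from SSMS or sqlcmd as sysadmin.

-- 1. Report the current state without changing anything.
--    value_in_use = 1 means xp_cmdshell is enabled right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Disable it if it is not required. 'show advanced options' must be on
--    before sp_configure will accept the xp_cmdshell option; turn it back
--    off afterwards so the advanced options stay hidden.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Only sysadmin members can re-enable it, so review that role: every
--    login listed here is one a brute force attacker would love to guess.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 4. Look for the brute force itself. SQL Server logs failed logins by
--    default; the current error log (log 0, type 1 = SQL Server) is
--    searched for the failure message so repeated attempts stand out.
EXEC xp_readerrorlog 0, 1, N'Login failed for user';
```

A long run of failures for the same login from one client address in step 4 is the pattern described in the attack, and is worth alerting on even when xp_cmdshell is already disabled.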

The attackers used this ability to run commands on the host machine to try to give themselves RDP access. When that failed, they used AnyDesk remote access software instead. From there they explored the network the server was running on, before ultimately running FreeWorld ransomware. Securonix provides a detailed breakdown of the precise steps taken by the attackers, and its article is well worth reading.

The attack is a timely reminder of an old security adage, one that’s at least as old as the 25 years or so I’ve been messing around with databases: Never expose your databases to the internet. Typically, databases contain sensitive information that should sit at the centre of your network, not at its periphery, and that should only be accessible to internal systems. Where data needs to be accessed from the internet it should be made available via an application or API.

Although the situation is much improved now, historically some databases made the situation worse by shipping with default passwords, or even no authentication at all.

As I mentioned before, one of the things that attracts attackers to RDP is the large number of available targets, so I wondered how many databases I could find via Shodan, the search engine that finds internet-connected computers.

For comparison, every time I’ve looked in the last five years or so, there have been around two or three million computers running RDP accessible via Shodan, meaning that attackers have two to three million targets to choose from.

Finding databases on the internet

The first database I looked up was MSSQL, the target in the attack spotted by Securonix. A simple search on Shodan found almost 90,000 potential targets. Although there are seemingly far fewer internet-exposed computers running MSSQL than RDP, a server running MSSQL is likely to be a far higher value target than a desktop running RDP.

Anything connected to the internet should expect to be the subject of relentless password guessing, and these are no exception.

Next up was MongoDB, a “noSQL” database that has been the subject of significant ransomware campaigns in the past. Historically, some configurations of MongoDB made it possible to install it without setting a password, and attackers made hay with those.

The problem was so serious that in 2017, the MongoDB website published an article called How to Avoid a Malicious Attack That Ransoms Your Data, reminding its users to use the product’s security features.

Evidently, plenty of people didn’t read it and in 2020, an automated ransomware campaign dropped ransom notes on 22,900 databases left exposed without a password. At the time this was said to represent 47% of internet-connected MongoDB databases.

Those mass exploitation events are a thing of the past, but according to Shodan there are now almost 110,000 MongoDB databases connected to the internet for potential attackers to probe.

Next I searched for MySQL, the world’s most popular database. Shodan found more than three million servers running MySQL, giving it parity with RDP in terms of the total number of potential targets. Alongside those there are a further 800,000 instances of the MySQL fork, MariaDB, making a huge, four million-strong pool of targets.

MySQL and MariaDB often act as the source of data for websites, rather than as an enterprise data store like MSSQL, so may carry less business-critical data, but they still represent a prize, and a potential entry point into a network.

While there are exceptions to every rule, it’s always good to start with the assumption that you should probably follow the rule. It remains good advice to keep your databases off the internet, so think long and hard before you decide that’s the right solution. And whether they are on the internet or not, databases should always be secured with an exceptionally strong password.