Microsoft SQL and MySQL database administrators are being warned to lock down their servers after security researchers discovered a campaign aimed at infecting them with a Remote Access Trojan (RAT).
The discovery was made by South Korea-based AhnLab, which said in a blog post this week that anonymous threat actors were taking advantage of databases with weak credentials to install the Gh0stCringe RAT.
Also known as CirenegRAT, it is one of the malware variants based on Gh0st RAT code, which was first discovered in December 2018, the blog states, and is known to have been distributed via a vulnerability in Microsoft Server Message Block (SMB).
Gh0stCringe RAT is a remote access Trojan that connects to an attacker’s command and control server, the blog states. As with other RAT malware, the attacker can assign Gh0stCringe various tasks. These include the ability to copy itself to certain paths in Windows, enable a keylogger, scan Windows processes, and download additional payloads.
“Considering that MySQL servers are attack targets in addition to MS-SQL servers, it can be assumed that Gh0stCringe is targeting poorly managed database servers with vulnerable account credentials,” the researchers state.
Logs from systems where Gh0stCringe is installed show a history of infection by malware, such as Vollgar CoinMiner, that is distributed via brute-force attacks, the researchers add.
Administrators should use hard-to-guess passwords for their accounts and change them periodically to protect the database server from brute-force and dictionary attacks, the blog says. They should also apply the latest patches to prevent attacks that exploit vulnerabilities. If a database server needs Internet access, it must be protected by a firewall.