GandCrab Campaign Attacks MySQL Servers (May 28, 2019)
Sophos researchers have discovered that threat actors distributing the GandCrab ransomware are targeting internet-facing MySQL servers. The server hosting the GandCrab payload sat at an IP address in the US state of Arizona; however, the “user interface of the server software (HFS) running on it was set to simplified Chinese,” which may indicate that the actors behind this campaign are based in China. The attackers scan for MySQL servers listening on TCP port 3306, which is the default MySQL TCP/IP port according to the MySQL documentation.
Recommendation: It is crucial that your company ensure that servers always run the current software version. Your company should have policies that define the secure configuration each server needs to support its business function; for database servers this includes not exposing the database port (3306 for MySQL) to the internet, binding the service to internal interfaces only, and requiring strong, non-default credentials for every account. Additionally, always practice defense in depth (do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe). In the case of a ransomware infection, the affected systems should be wiped and rebuilt, even if the ransom is paid. Other machines on the same network should be scanned for signs of infection. Furthermore, a business continuity plan, including tested backups kept offline, should be in place in case of a ransomware infection.
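A quick way to audit the exposure described above is to check whether a MySQL listener is bound to every interface rather than to an internal address. The following shell function is an added example written for this page, not code from Sophos or from the MySQL project; it assumes the column layout of `ss -ltnH` output (state, queue counters, local address:port, peer address:port) and runs here on a constructed sample so it works offline.

```shell
#!/bin/sh
# Added example (not from the Sophos report): flag MySQL listeners bound to all interfaces.
# Assumes the layout of `ss -ltnH` lines, e.g. "LISTEN 0 151 0.0.0.0:3306 0.0.0.0:*".

# Print every listening socket on the given port (MySQL's default 3306 unless
# overridden by $1) whose local address is a wildcard (0.0.0.0, *, :: or [::]),
# i.e. a service reachable on every interface, including an internet-facing one.
# Input: ss-style lines on stdin. Output: the offending "addr:port" strings.
exposed_mysql_listeners() {
    port="${1:-3306}"
    awk -v port="$port" '
        {
            laddr = $4                      # local address:port column
            n = split(laddr, parts, ":")    # port is everything after the last colon
            p = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(p) - 1)
            if (p == port && (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")) {
                print laddr
            }
        }'
}

# Constructed sample output (not from a real host): a wildcard IPv4 and IPv6
# MySQL listener, a loopback-only MySQL listener, and an unrelated SSH listener.
SAMPLE_SS_OUTPUT='LISTEN 0 151 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:3306 [::]:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*'

# Demo on the constructed sample; only the two wildcard 3306 sockets are reported.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_mysql_listeners

# Live use on a host:  ss -ltnH | exposed_mysql_listeners
```

A non-empty result means the database is answering on all interfaces; the fix is to set `bind-address` in the MySQL server configuration to an internal or loopback address and to block port 3306 at the host and network firewall, so that only application servers that need the database can reach it.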
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.