Microsoft SQL and MySQL database administrators are being warned to lock down their servers after security researchers discovered a campaign to infect them with a remote access trojan (RAT).
The discovery was made by South Korea-based AhnLab, which said in a blog this week that unnamed threat actors are taking advantage of databases with weak credentials to install the Gh0stCringe RAT.
Also known as CirenegRAT, Gh0stCringe is one of the malware variants built on the code of Gh0st RAT. According to the blog, Gh0stCringe was first discovered in December 2018 and is known to have been distributed via a vulnerability in Microsoft Server Message Block (SMB); the blog does not name the specific SMB flaw.
Gh0stCringe RAT is a remote access trojan that connects to an attacker’s command and control server, the blog says. The attacker can designate various tasks for Gh0stCringe, as they can with other RAT malware. These include the ability to copy itself to certain paths in Windows, turn on a keylogger, analyze Windows processes and download additional payloads.
“Considering the fact that MySQL servers are targets of attack in addition to MS-SQL servers, it can be assumed that Gh0stCringe targets poorly-managed DB servers with vulnerable account credentials,” say the researchers.
The logs of systems with Gh0stCringe installed also show a history of infection by malware such as Vollgar CoinMiner, which is distributed through brute force attacks on the same kind of exposed database servers, add the researchers.
Administrators should use strong passwords that are difficult to guess for their database accounts and change them periodically to protect the server from brute force and dictionary attacks, says the blog. They must also apply the latest patches to close known vulnerabilities. If a database server must be reachable from the internet, access to it should be restricted by a firewall.
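The following queries are an added example of how a DBA can audit for the weak-credential conditions described above and apply the recommended fixes; they are not from AhnLab's blog or from this article. The first section is Transact-SQL for SQL Server (PWDCOMPARE and sys.sql_logins are documented SQL Server features); the second is for MySQL 8.0.19 or later (FAILED_LOGIN_ATTEMPTS and SET PERSIST need that version). The login name `app`, the host `10.0.0.5` and the short list of common passwords are constructed placeholders, not values from the page.

```sql
/* ---------- SQL Server (run in SSMS or sqlcmd as sysadmin) ---------- */

-- 1. SQL logins whose password is blank, equals the login name, or is on a
--    short list of passwords that brute-force tools try first.
--    PWDCOMPARE() returns 1 when the clear-text candidate matches the stored hash.
SELECT l.name, w.pwd AS matched_password
FROM sys.sql_logins AS l
CROSS JOIN (VALUES ('') , ('password'), ('123456'), ('sa'), ('admin')) AS w(pwd)
WHERE PWDCOMPARE(w.pwd, l.password_hash) = 1
UNION
SELECT name, '<same as login name>'
FROM sys.sql_logins
WHERE PWDCOMPARE(name, password_hash) = 1;

-- 2. SQL logins that are exempt from Windows password policy or expiry.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 3. Remediation: disable the built-in sa login if nothing needs it, and
--    force complexity + expiry on application logins (CHECK_EXPIRATION
--    requires CHECK_POLICY to be ON).
ALTER LOGIN [sa] DISABLE;
ALTER LOGIN [app] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;


/* ---------- MySQL 8.0.19+ (run as root) ---------- */

-- 1. Accounts with an empty password, reachable from any host ('%'), or
--    with no password lifetime set (NULL means "use the global default").
SELECT user, host, plugin, password_expired, password_lifetime
FROM mysql.user
WHERE authentication_string = ''
   OR host = '%'
   OR password_lifetime IS NULL;

-- 2. Enforce password strength for all future passwords.
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = 'STRONG';
SET PERSIST validate_password.length = 14;

-- 3. Lock accounts out after repeated failures (slows brute forcing),
--    rotate the password every 90 days, and bind the remote account to the
--    one host that should be using it instead of '%'.
ALTER USER 'app'@'%' FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;
ALTER USER 'app'@'%' PASSWORD EXPIRE INTERVAL 90 DAY;
RENAME USER 'app'@'%' TO 'app'@'10.0.0.5';

-- 4. If the server does not need to be reachable from outside the host,
--    stop listening on all interfaces (takes effect after restart; the
--    firewall rule in front of the server is still the primary control).
SET PERSIST_ONLY bind_address = '127.0.0.1';
```

Run the audit queries first and treat every row they return as an account an attacker running a dictionary list against the TCP port would find quickly. The lockout and expiry settings reduce the window for brute forcing but do not replace the firewall rule: a database port that is not reachable from the internet cannot be brute-forced from it.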