Chinese hackers found scanning for vulnerable MySQL servers to install GandCrab ransomware

Tram Ho

At least one Chinese hacker group is scanning the internet for exposed MySQL databases running on Windows servers in order to install the GandCrab ransomware on them.

(image: ZDNet)

Attacks of this kind typically go unnoticed by security vendors until the final malware has actually been installed on a server.

Andrew Brandt, a security researcher at the security company Sophos, uncovered the campaign. He noticed unusual queries arriving at a honeypot (a decoy server set up to attract attackers and study their behaviour while keeping them away from real systems). In an email to the technology site ZDNet, Brandt said that this was an “accidental discovery”.

Yesterday (May 24), the researcher published his findings on a Sophos blog, detailing the hackers' scans as well as the malicious code they downloaded to the infected servers.

Rare but dangerous attack

Brandt described the attack as follows: the attackers first scan for exposed MySQL databases that let them execute SQL commands. They then check whether the database is running on a Windows server. If it is, they execute commands that download and install the GandCrab malware on the server.

Since most administrators protect their MySQL server with a password, the hackers are specifically looking for databases that are misconfigured or have no password at all.
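As an added example (not from the article or from Sophos' write-up), the following queries let a MySQL administrator audit a server for the conditions this attack relies on: accounts with no password or reachable from any host, a listener bound to every interface, and unrestricted file writes from SQL. The operating-system query is only an assumption about how an attacker might tell Windows from Linux; the article does not say which command was used. File paths and the password placeholder are illustrative.

```sql
-- Added audit example; run as an administrative account on the MySQL server.

-- 1. Accounts reachable from any host ('%'), or with no password set.
--    authentication_string holds the credential on MySQL 5.7 and 8.0;
--    on 5.6 and older the native password hash is in the `password` column.
SELECT user, host, plugin, authentication_string = '' AS no_password
FROM mysql.user
WHERE host = '%' OR authentication_string = '';

-- 2. Is the server listening on all interfaces (and therefore reachable on
--    port 3306 from the internet if the firewall allows it)?
SHOW VARIABLES WHERE Variable_name IN ('bind_address', 'port', 'skip_networking');

-- 3. Can SQL write arbitrary files to disk? An empty secure_file_priv means
--    SELECT ... INTO OUTFILE / DUMPFILE may write anywhere the service account can.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 4. Which OS is this? (Assumed: one way an attacker could check for Windows
--    before staging a Windows binary.)
SELECT @@version_compile_os;

-- Remediation (example values): remove anonymous/any-host accounts, give
-- remaining accounts a real password, then restrict the listener and file
-- writes in the server configuration and restart the service.
DROP USER IF EXISTS ''@'%';
ALTER USER 'root'@'localhost' IDENTIFIED BY 'replace-with-a-strong-password';

-- my.ini / my.cnf (assumed path, [mysqld] section):
--   bind-address     = 127.0.0.1
--   secure_file_priv = "C:/ProgramData/MySQL/MySQL Server 8.0/Uploads/"
```

The first query is the one that matters most for this campaign: any row it returns is an account an internet-wide scanner can log into without credentials, and the rest of the attack follows from that foothold.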

Brandt followed the scanning and malware delivery from a honeypot server. The server hosting the malicious files ran a program called HFS (HTTP File Server), which keeps a count of how many times each file has been downloaded.

“The server has recorded more than 500 downloads of a file called 3306-1.exe. In addition, the hackers downloaded files called 3306-2.exe, 3306-3.exe, and 3306-4.exe, which contain the same code as the first file,” Brandt said.

According to Brandt, there have been more than 800 downloads of the 3306-1.exe file in the last five days. In the preceding week, there were some 2,300 downloads of the various files combined.

“This is not a large-scale attack, but it shows a high risk for MySQL database servers that leave port 3306 open, making it possible for hackers to access them and download malicious code to the machine,” Brandt said.

The Sophos researcher noted that installing ransomware such as GandCrab on a database server is very rare. Attackers usually go after database servers to break into companies and steal valuable data or intellectual property, or to use the infected machines to mine cryptocurrency; they seldom deploy ransomware like GandCrab on them.


Source: viettimes.vn