Saturday, May 21, 2022

Database administrators urged to tighten security against RAT

Microsoft SQL and MySQL database administrators are being warned to lock down their servers after security researchers discovered a campaign to infect them with a remote access trojan (RAT).

The discovery was made by South Korea-based AhnLab, which said in a blog post this week that unnamed threat actors are taking advantage of databases with weak credentials to install the Gh0stCringe RAT.

Also known as CirenegRAT, it is one of the malware variants based on the code of Gh0st RAT, which was first discovered in December 2018, says the blog, and it is known to have been distributed via a vulnerability in Microsoft Server Message Block (SMB).

Gh0stCringe RAT is a remote access trojan that connects to an attacker’s command and control server, the blog says. The attacker can designate various tasks for Gh0stCringe, as they can with other RAT malware. These include the ability to copy itself to certain paths in Windows, turn on a keylogger, analyze Windows processes and download additional payloads.

“Considering the fact that MySQL servers are targets of attack in addition to MS-SQL servers, it can be assumed that Gh0stCringe targets poorly-managed DB servers with vulnerable account credentials,” say the researchers.

The logs of systems with Gh0stCringe installed show a history of infection from malware such as Vollgar CoinMiner that are distributed through brute force attacks, add the researchers.

Administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute force attacks and dictionary attacks, says the blog. They must also apply the latest patches to prevent vulnerability attacks. If a database server needs internet access, it should be protected by a firewall.

 

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
