In December 2022, a significant intrusion ended in the deployment of BlueSky ransomware; the initial access was a brute-force attack on a public-facing Microsoft SQL Server (MSSQL). The case illustrates a sophisticated approach used by cybercriminals to compromise network security. Here's an overview of the incident based on various sources:
Brute Force Attack Methodology: The intrusion began with a brute-force attack on a public-facing MSSQL Server, i.e. repeatedly trying different passwords or keys until the correct one was found. Within just an hour of gaining access, the threat actors deployed the BlueSky ransomware across the network.
BlueSky Ransomware Characteristics: BlueSky ransomware, first discovered in June 2022, has links to the well-known Conti and Babuk ransomware. This suggests that the BlueSky ransomware could share similar code or operational strategies with these established ransomware families, indicating a high level of sophistication and potential impact.
Utilization of Cobalt Strike and Tor2Mine: The campaign involved the use of Cobalt Strike and Tor2Mine. Cobalt Strike is a legitimate penetration testing tool that is often misused by attackers for network reconnaissance and to maintain access to compromised systems. Tor2Mine is a cryptocurrency miner that communicates over the Tor network. The combination of these tools indicates a multifaceted approach to compromising and further exploiting the network after the initial breach.
Surreptitious Approach by Operators: BlueSky's operators adopted a more covert approach than typical ransomware attacks, which rely on malware downloads for initial access. Choosing a SQL brute-force attack instead underlines the threat actors' intent to infiltrate and control the network without early detection.
This incident highlights the critical importance of robust cybersecurity measures, especially for systems that are publicly accessible. The swift deployment of ransomware following network access underlines the need for immediate detection and response capabilities to mitigate the impact of such cyber threats.
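The brute-force stage described above leaves a characteristic trace on the SQL Server side: a burst of error 18456 login failures from one client address, followed (once the password is guessed) by a successful login from the same address. The following Python script is an added detection example written for this page, not code from the incident report or from any of the referenced sources. It parses a constructed SQL Server ERRORLOG excerpt (the log format is real; the sample lines, addresses and timestamps are made up), flags a client that reaches a failure threshold inside a sliding window, and raises a higher-severity alert when that client then authenticates successfully. The threshold and window values are assumptions to tune per environment, and the "Login succeeded" line only appears when successful-login auditing is enabled on the instance.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (sample data, not from the incident).
# Error 18456 state 8 is the "password did not match" failure; the
# "Login succeeded" line is only written when successful-login auditing is on.
SAMPLE_ERRORLOG = """\
2022-12-01 02:13:44.12 Logon       Error: 18456, Severity: 14, State: 8.
2022-12-01 02:13:44.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-12-01 02:13:44.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-12-01 02:13:44.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-12-01 02:13:44.78 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-12-01 02:13:45.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-12-01 02:13:45.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-12-01 02:13:46.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.23]
2022-12-01 09:00:01.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.15]
"""

# Matches the "Login failed/succeeded ... [CLIENT: x.x.x.x]" lines only.
LOGON_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (failed|succeeded) for user '([^']+)'.*\[CLIENT: ([^\]]+)\]"
)


def parse_logon_events(text):
    """Return a list of (timestamp, outcome, user, client_ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue  # the companion "Error: 18456" line carries no client, skip it
        ts, outcome, user, client = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), outcome, user, client))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a client once it reaches `threshold` failures inside `window` (assumed
    defaults), then raise a higher-severity alert if that client later succeeds."""
    recent = defaultdict(list)  # client_ip -> failure timestamps still inside the window
    flagged = set()
    alerts = []
    for ts, outcome, user, client in sorted(events):
        # Drop failures that have aged out of the sliding window for this client.
        recent[client] = [t for t in recent[client] if ts - t <= window]
        if outcome == "failed":
            recent[client].append(ts)
            if len(recent[client]) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append({"kind": "brute_force", "client": client, "user": user,
                               "failures": len(recent[client]),
                               "first": recent[client][0], "last": ts})
        elif client in flagged:
            # A success from an address already flagged is the incident pattern:
            # the password was guessed, treat as probable compromise.
            alerts.append({"kind": "success_after_brute_force", "client": client,
                           "user": user, "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_logon_events(SAMPLE_ERRORLOG)):
        print(alert)
```

Run against a live ERRORLOG (or the same events exported from the Windows Application log), the "success_after_brute_force" alert is the one to page on: it marks the moment the report's one-hour window to ransomware deployment starts.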
IoC
HOSTNAME
- asq.r77vh0.pw
- asq.d6shiiwz.pw
- asd.s7610rir.pw
URL
- https://asq.r77vh0.pw/win/hssl/r7.hta
- https://asq.d6shiiwz.pw/win/hssl/d6.hta
- https://asd.s7610rir.pw/win/checking.hta
- http://asq.r77vh0.pw/win/checking.hta
IPv4
- 83.97.20.81
- 5.188.86.237
SHA256
- f955eeb3a464685eaac96744964134e49e849a03fc910454faaff2109c378b0b
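To make the indicator list above usable for hunting, the following Python script is an added example (written for this page, not code from the referenced reports). It loads the hostnames, URLs, IPv4 addresses and SHA256 hash exactly as listed above, scans a constructed proxy log (the log format, client addresses and timestamps are assumptions) and reports which indicator category each matching request hit, and checks file content or a known hash against the SHA256 list.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the IoC list on this page.
IOC_HOSTNAMES = {"asq.r77vh0.pw", "asq.d6shiiwz.pw", "asd.s7610rir.pw"}
IOC_URLS = {
    "https://asq.r77vh0.pw/win/hssl/r7.hta",
    "https://asq.d6shiiwz.pw/win/hssl/d6.hta",
    "https://asd.s7610rir.pw/win/checking.hta",
    "http://asq.r77vh0.pw/win/checking.hta",
}
IOC_IPV4 = {"83.97.20.81", "5.188.86.237"}
IOC_SHA256 = {"f955eeb3a464685eaac96744964134e49e849a03fc910454faaff2109c378b0b"}

# Constructed proxy log in an assumed format: time src_ip dst_ip method url status.
# The internal addresses and timestamps are made up for the example.
SAMPLE_PROXY_LOG = """\
2022-12-01T02:20:11Z 10.0.0.15 83.97.20.81 GET https://asq.r77vh0.pw/win/hssl/r7.hta 200
2022-12-01T02:20:12Z 10.0.0.15 93.184.216.34 GET https://www.example.com/ 200
2022-12-01T02:21:03Z 10.0.0.15 5.188.86.237 CONNECT 5.188.86.237:443 200
2022-12-01T02:22:45Z 10.0.0.22 198.51.100.9 GET http://asq.r77vh0.pw/win/checking.hta 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_request(dst_ip, url):
    """Return the IoC categories a single request matches, in a fixed order."""
    reasons = []
    if dst_ip in IOC_IPV4:
        reasons.append("ipv4")
    # CONNECT requests carry "host:port" rather than a full URL.
    host = urlsplit(url).hostname if "://" in url else url.split(":")[0]
    if host in IOC_HOSTNAMES:
        reasons.append("hostname")
    if host in IOC_IPV4 and "ipv4" not in reasons:
        reasons.append("ipv4")
    if url in IOC_URLS:
        reasons.append("url")
    return reasons


def scan_proxy_log(text):
    """Return one hit record per log line that touches any indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, method, url, status = m.groups()
        reasons = classify_request(dst, url)
        if reasons:
            hits.append({"time": ts, "src": src, "method": method,
                         "url": url, "status": status, "reasons": reasons})
    return hits


def is_known_bad_hash(hexdigest):
    """Check an already-computed SHA256 (any case) against the list."""
    return hexdigest.lower() in IOC_SHA256


def is_known_bad_file(data):
    """Hash raw file bytes and check them against the list."""
    return is_known_bad_hash(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["time"], hit["src"], hit["url"], ",".join(hit["reasons"]))
```

Note that a 404 response still counts as a hit: the request to the indicator host is the signal regardless of whether the payload was served, which is why the hostname and URL sets are checked independently of the status code.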
REFERENCES
- https://gadgetmates.com/understanding-the-risks-sql-brute-force-attacks-leading-to-bluesky-ransomware
- https://www.hivepro.com/threat-advisory/from-brute-force-to-bluesky-ransomware/
- https://securityonline.info/mssql-server-vulnerability-exploited-in-bluesky-ransomware-attack/
- https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/
- https://otx.alienvault.com/pulse/65707ab6e66cbcb43bd4f250
TAGS
et info, cobalt strike, tor2mine, powershell, xpcmdshell, sql server, m2 et, mssql server, conti, smbexec, sliver, bianlian, metasploit, empire, havoc, comspec, shell, daphne