Cyber Security News

Data Center Ransomware Attacks on Rise: Microsoft SQL Server is Prime Target

Ransomware threats are increasingly targeting data center servers and workloads as the initial step in the attack chain.

These systems may not be up-to-date with recommended patches, often run legacy applications without vendor security updates, or may not be scheduled for patch updates to maintain business continuity.

As a result, data centers face a high risk of cyber attacks and ransomware activities.

Microsoft SQL Server – a Prime Target

Database workloads host sensitive data and power mission-critical business services, making them valuable targets for ransomware actors to steal data and extort a ransom by encrypting critical data files.

Microsoft SQL Server is one of the most popular databases deployed globally and an irresistible target for ransomware.

This is primarily because it is deployed on Windows, where attackers have abundant malware tools to use as payloads, as well as built-in utilities that can be leveraged in living-off-the-land attacks.


Broadcom has recently released a blog post that brings attention to the increasing number of ransomware attacks targeting data centers, mainly Microsoft SQL Server.

Poorly configured SQL servers and weak admin passwords allow brute force attacks or SQL injection, enabling unauthorized access and data exfiltration.

Compromised systems may then be used as access points to be sold to other parties or for installing additional malicious payloads, ultimately for data exfiltration or financial extortion.

Notable Cyber Threat Activity against Microsoft SQL Server

  • Mimic ransomware, where initial access was obtained by brute force against exposed Microsoft SQL servers.
  • Mallox ransomware, where initial access attempts were made using a dictionary brute-force attack, followed by cmd shell execution for further activity.
  • CLR SQLShell, similar to the xp_cmdshell stored procedure used to execute shell commands on Microsoft SQL servers.
  • CL0P ransomware exploited a SQL injection zero-day vulnerability CVE-2023-34362 in the MOVEit file transfer application to install a web shell named LEMURLOOT.
  • Freeworld ransomware, a new variant of Mimic, also gains initial access by brute force against unsecured Microsoft SQL servers.
  • Bluesky ransomware also gained initial access through a brute-force login to the same account and then enabled the xp_cmdshell stored procedure to execute shell commands.
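As an added defender-side example (not code from the article or from Broadcom), the following Python script scans SQL Server ERRORLOG lines for the two behaviours listed above: a burst of failed logins from one client that ends in a success, and the configuration message SQL Server writes when xp_cmdshell is switched on. The log lines are constructed samples, and the threshold of five failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample ERRORLOG lines for this example; not taken from any real incident.
FAIL = "Login failed for user '{u}'. Reason: Password did not match that for the login provided. [CLIENT: {c}]"
SAMPLE_ERRORLOG = "\n".join(
    [f"2024-06-14 02:10:0{i}.00 Logon       " + FAIL.format(u="sa", c="203.0.113.5") for i in range(6)]
    + [
        "2024-06-14 02:10:09.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]",
        "2024-06-14 02:10:40.77 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
        "2024-06-14 02:11:03.00 Logon       " + FAIL.format(u="app_user", c="10.0.0.8"),
    ]
)

# ERRORLOG layout: timestamp, source column (Logon / spidNN), then the message text.
LOGIN_FAILED = re.compile(r"^\S+ \S+\s+Logon\s+Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
LOGIN_OK = re.compile(r"^\S+ \S+\s+Logon\s+Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
XP_CMDSHELL_ENABLED = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def analyze_errorlog(text, threshold=5):
    """Return findings: brute-force bursts, a success following a burst, and xp_cmdshell enablement."""
    failures = Counter()  # (client, user) -> number of failed logins seen so far
    findings = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            key = (m["client"], m["user"])
            failures[key] += 1
            if failures[key] == threshold:  # report once, when the burst crosses the threshold
                findings.append({"type": "brute_force", "user": m["user"], "client": m["client"], "failures": threshold})
            continue
        m = LOGIN_OK.match(line)
        if m and failures[(m["client"], m["user"])] >= threshold:
            # A success from a client that just failed repeatedly is the pattern behind the Mimic/Mallox/Bluesky cases.
            findings.append({"type": "success_after_brute_force", "user": m["user"], "client": m["client"],
                             "failures": failures[(m["client"], m["user"])]})
            continue
        if XP_CMDSHELL_ENABLED.search(line):
            findings.append({"type": "xp_cmdshell_enabled", "line": line.strip()})
    return findings


if __name__ == "__main__":
    for finding in analyze_errorlog(SAMPLE_ERRORLOG):
        print(finding)
```

The single failure for app_user from 10.0.0.8 stays below the threshold and produces no finding, so only the three events of interest are reported.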

Broadcom's Data Center Security (DCS) solution includes network controls, software execution control, software install restrictions, operating system restrictions, process access control, and protected app control, all of which work together to provide zero-day protection against the latest ransomware threats.

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
