A series of cyber-campaigns, jointly known as the Hex-Men Trio, that specifically target SQL Servers in order to use them to conduct additional attacks has been identified by Guardicore Labs.
The three variants, Hex, Taylor and Hanako, first appeared in March 2017 on Guardicore's sensor network and now conducts thousands of attacks per day targeting MS SQL Server and MySQL services, Guardicore reported. Once ensconced on a compromised server the attackers went to work having the computer conduct cryptocurrency mining operations, DDoS attacks and for implanting thousands of Remote Access Trojans.
“So far, we were able to identify three different campaigns launched from this infrastructure. The campaigns differ mostly in target goals. While Hex focuses on installing cryptocurrency miners and remote access trojans and Taylor installs a keylogger and a backdoor, Hanako uses its victims to build a DDoS botnet. So far, we have monitored hundreds of Hex and Hanako attacks and tens of thousands of Taylor attacks each month,” Guardicore said.
Guardicore believes a Chinese crime group is behind the attacks.
China has borne the brunt of the attacks with the United States, Thailand and Japan being the next favoured targets. To help stay undetected each attack only targets a few IPs and each compromised server is only used for about a month before being retired.
The best defence against the Hex-Men Trio is to keep security up to date by installing patches and keep to a minimum the number of machines that have access to a database.