Short Summary:
AhnLab Security Intelligence Center (ASEC) has reported on an attack involving MS-SQL servers, where threat actors exploited weak credentials and installed GotoHTTP, a remote control tool, to gain unauthorized access and control over the systems.
Key Points:
- AhnLab ASEC monitored MS-SQL servers and identified an attack using GotoHTTP.
- Remote control tools like AnyDesk and GotoHTTP can be misused for unauthorized access.
- The attack targeted MS-SQL servers with weak account credentials.
- CLR SqlShell was installed to execute commands and gather system information.
- Privilege escalation tools such as PetitPotato and JuicyPotato were used.
- Backdoor accounts were created for future remote access.
- GotoHTTP allows remote control once the “Computer Id” and “Access Code” are known.
- Recommendations include using strong passwords and updating security software to prevent such attacks.
MITRE ATT&CK TTPs – created by AI
- Brute Force (T1110) / Valid Accounts (T1078)
- The MS-SQL server was exposed and most likely used weak credentials, consistent with the brute-force and dictionary attacks typically seen against such servers.
- Server Software Component: SQL Stored Procedures (T1505.001)
- A CLR SqlShell was installed on the MS-SQL server to execute the threat actor's commands.
- System Owner/User Discovery (T1033), System Information Discovery (T1082), System Network Connections Discovery (T1049)
- whoami.exe, systeminfo.exe and netstat.exe were executed through SqlShell to profile the compromised system (these commands gather system and session information, not credentials).
- Exploitation for Privilege Escalation (T1068) / Access Token Manipulation: Token Impersonation/Theft (T1134.001)
- Potato-family tools (PetitPotato, SweetPotato, JuicyPotato, GodPotato, PrintNotifyPotato) were used to escalate from the MS-SQL service account to SYSTEM.
- Account Manipulation (T1098) / Create Account: Local Account (T1136.001)
- Passwords of existing accounts were reset and a new local account was added for persistent RDP access.
- Remote Access Software (T1219)
- GotoHTTP was installed for remote GUI control of the infected system.
AhnLab SEcurity intelligence Center (ASEC) has been monitoring poorly managed MS-SQL servers and recently identified an attack case in which GotoHTTP was abused.
1. GotoHTTP
Remote control tools are used to control systems remotely, providing features such as remote desktop and file transfer. AnyDesk, ToDesk, RuDesktop, TeamViewer, and AmmyyAdmin are examples of well-known remote control tools.
Under normal circumstances they allow companies and individuals to control and manage systems remotely. However, remote control is exactly the capability that backdoors and RAT malware provide, so threat actors can use these legitimate tools for the same purpose while attracting less attention than custom malware would. In the past there were many cases of misuse involving TeamViewer and AmmyyAdmin, and recently AnyDesk has been used frequently in attacks.
AnyDesk is often used in attacks targeting poorly managed web servers or MS-SQL servers. This post covers a recent case in which an unknown threat actor attacked an MS-SQL server and installed GotoHTTP.
Figure 1. GotoHTTP webpage
2. Attack Targeting MS-SQL Server
The targeted MS-SQL server was exposed to external access and most likely used weak account credentials, which is consistent with the brute-force and dictionary attacks typically seen against such servers. After the initial breach, the threat actor first installed a CLR SqlShell. Similar to a WebShell on a web server, a SqlShell is a malicious component loaded into the MS-SQL server (here a CLR assembly exposed as stored procedures) that lets the threat actor execute operating system commands and carry out other malicious behavior through the database service.
Figure 2. CLR SqlShell used in the attack
The threat actor used SqlShell to run the commands below to view the information about the infected system.
- whoami.exe
- systeminfo.exe
- netstat.exe
Figure 3. MS-SQL server executing threat actor’s commands
Afterward, the threat actor installed privilege escalation tools such as PetitPotato, SweetPotato, JuicyPotato, GodPotato, PrintNotifyPotato and LocalAdminSharp, as well as malware that configures or adds user accounts.
Note that web services and MS-SQL services can end up executing a threat actor's commands because of vulnerabilities or inappropriate settings. However, because these services run with low privileges by default (the MS-SQL service account, for example, is not an administrator), malware running with the privileges of those processes is limited in what else it can do. This is why threat actors attacking web shells or MS-SQL servers rely so heavily on the Potato family of tools: the service accounts used by IIS and MS-SQL typically hold SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege), and Potato-type tools abuse that token privilege by coercing a SYSTEM-level process into authenticating to them and then impersonating its token, ending up with SYSTEM privileges. Running whoami /priv in the context of the compromised service account and finding SeImpersonatePrivilege listed is the quickest way to confirm that a server is exposed to this technique.
The attacker also installed malware that resets the passwords of existing user accounts or adds new user accounts, as shown below. These backdoor accounts can later be used by the threat actor for remote control over RDP. Note that Guest and DefaultAccount are built-in Windows accounts that are disabled by default, so a password reset (or an enable) on either of them on a database server is a strong signal of tampering.

Type | Account / Password
---|---
Password reset (existing account) | Guest / FuckingIsBadBoys5!
Password reset (existing account) | DefaultAccount / FuckingIsBadBoys5!
Account added | vpn / FuckingIsBadBoys5!

Table 1. User settings
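As an added example (not code from the ASEC post), the following Python script shows how the account changes in Table 1 would surface in the Windows Security log: event 4724 (password reset attempt) or 4722 (account enabled) on a built-in account, and event 4720 (account created) followed within minutes by 4732 (member added to a local group) for a group that grants remote access. The event records are constructed for the example and flattened the way a log collector would export them; the host name DBSRV01, the subject names and the 15-minute correlation window are assumptions, and the collector is assumed to have resolved the member SID in 4732 to an account name.

```python
from datetime import datetime, timedelta

# Built-in local accounts that Windows ships disabled; a password reset or an
# enable on them is rarely legitimate on a database server.
BUILTIN_ACCOUNTS = {"guest", "defaultaccount"}
# Local groups whose membership grants interactive remote access (RDP).
REMOTE_ACCESS_GROUPS = {"administrators", "remote desktop users"}

# Constructed Security-log records (not from the ASEC post). IDs: 4720 user
# created, 4722 user enabled, 4724 password reset attempt, 4732 member added
# to a security-enabled local group. The subject "DBSRV01$" is the computer
# account, which is how actions taken by the local SYSTEM account (e.g. a
# process spawned by a Potato tool) appear. In a raw 4732 event the member is a
# SID; here the collector is assumed to have resolved it into "target".
SAMPLE_EVENTS = [
    {"id": 4724, "time": "2024-03-10T02:31:10", "subject": "DBSRV01$", "target": "Guest"},
    {"id": 4722, "time": "2024-03-10T02:31:10", "subject": "DBSRV01$", "target": "Guest"},
    {"id": 4724, "time": "2024-03-10T02:31:11", "subject": "DBSRV01$", "target": "DefaultAccount"},
    {"id": 4720, "time": "2024-03-10T02:31:15", "subject": "DBSRV01$", "target": "vpn"},
    {"id": 4732, "time": "2024-03-10T02:31:16", "subject": "DBSRV01$", "target": "vpn",
     "group": "Administrators"},
    # benign activity for contrast: a helpdesk reset and a service account creation
    {"id": 4724, "time": "2024-03-10T09:02:00", "subject": "helpdesk01", "target": "jsmith"},
    {"id": 4720, "time": "2024-03-11T10:00:00", "subject": "itadmin", "target": "svc_backup"},
]


def find_backdoor_accounts(events, window=timedelta(minutes=15)):
    """Return (severity, account, reason) findings for the two account-level
    patterns in Table 1: built-in accounts being reset or enabled, and freshly
    created accounts being added to a remote-access group within `window`."""
    findings = []
    created_at = {}  # lower-cased account name -> creation time
    for ev in sorted(events, key=lambda ev: ev["time"]):  # ISO strings sort chronologically
        ts = datetime.fromisoformat(ev["time"])
        name = ev["target"]
        key = name.lower()
        if ev["id"] in (4722, 4724) and key in BUILTIN_ACCOUNTS:
            action = "enabled" if ev["id"] == 4722 else "password reset"
            findings.append(("high", name, f"built-in account {action} by {ev['subject']}"))
        elif ev["id"] == 4720:
            created_at[key] = ts
        elif ev["id"] == 4732 and ev.get("group", "").lower() in REMOTE_ACCESS_GROUPS:
            born = created_at.get(key)
            if born is not None and ts - born <= window:
                findings.append(("high", name,
                                 f"account created and added to {ev['group']} within {ts - born}"))
    return findings


if __name__ == "__main__":
    for severity, account, reason in find_backdoor_accounts(SAMPLE_EVENTS):
        print(f"[{severity}] {account}: {reason}")
```

The same three accounts as in Table 1 are flagged, while the helpdesk password reset and the service account that never joins a remote-access group are not. In production the records would come from the Security channel (for example via a forwarder or Get-WinEvent); the correlation window is the only tunable that matters, and a long window trades a few false positives for catching slower operators.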
The threat actor also installed GotoHTTP. Like other remote control tools, GotoHTTP provides remote screen control. Once GotoHTTP is installed on a system, anyone who knows its “Computer Id” and “Access Code” can control that system remotely. When GotoHTTP is executed, it creates a configuration file named “gotohttp.ini” in the same directory, which stores the “Computer Id” and “Access Code”. The threat actor most likely ran GotoHTTP on the infected system and then read “gotohttp.ini” through SqlShell to obtain the two values needed for remote control. For defenders, the GotoHTTP executable or a gotohttp.ini file appearing on a database server that has no business need for screen sharing is an indicator worth alerting on.
Figure 4. Remote control using GotoHTTP
3. Conclusion
Attackers install backdoor malware after the initial compromise in order to keep control of the target system. Recently there has been a trend of using legitimate utilities instead of already-known backdoor malware or newly written malware, and remote control programs, which are ordinarily used by a wide variety of users, serve this purpose.
There have been many recent cases of AnyDesk being abused, but in the case identified here the remote control tool GotoHTTP was used. Threat actors abuse such legitimate remote control tools to bypass security product detection and control infected systems from a GUI environment.
Typical attacks on MS-SQL servers are brute-force and dictionary attacks against systems whose account credentials are poorly managed. Administrators must use passwords that cannot be easily guessed and change them periodically to protect database servers from brute-force and dictionary attacks.
V3 should be updated to the latest version so that malware infections can be prevented. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors. If these measures are not taken in advance, repeated infections by threat actors and malware can occur.
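As an added example (not part of the ASEC post), the following Python script shows how the initial access described in section 2 and in the paragraph above, password guessing against an exposed MS-SQL server, can be spotted in the SQL Server ERRORLOG. The log excerpt is constructed for the example; its line layout follows what SQL Server writes for login failures (error 18456) and, only when the instance's login auditing setting also records successful logins, for successes. The client addresses, the five-failures-per-minute threshold and the window are values chosen here, not taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt (not from the ASEC post). Each logon line is
# "<timestamp> Logon  <message> [CLIENT: <address>]"; the bare "Error: 18456"
# line that precedes each failure carries no client and is skipped.
SAMPLE_ERRORLOG = """\
2024-03-10 02:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-10 02:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-10 02:15:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-10 02:15:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-10 02:15:01.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-10 02:15:02.07 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2024-03-10 02:15:02.30 Logon       Login failed for user 'sqladmin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2024-03-10 02:15:04.12 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2024-03-10 02:20:00.00 Logon       Login failed for user 'reportuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of logon events; non-logon lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "ok": m["result"] == "succeeded",
            "user": m["user"],
            "client": m["client"].strip(),
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag every client address that produced at least `threshold` failed
    logins within any span of `window`. Each alert records the distinct names
    tried (several names from one client points to a dictionary attack) and
    whether a successful login from the same client followed the burst, which
    is the moment a weak password was found."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda ev: ev["ts"])
        failures = [ev for ev in evs if not ev["ok"]]
        burst_start = None
        left = 0
        for right, ev in enumerate(failures):
            # slide the left edge until the failures in view span at most `window`
            while ev["ts"] - failures[left]["ts"] > window:
                left += 1
            if right - left + 1 >= threshold:
                burst_start = failures[left]["ts"]
                break
        if burst_start is None:
            continue
        success = next((ev for ev in evs if ev["ok"] and ev["ts"] >= burst_start), None)
        alerts.append({
            "client": client,
            "failed_logins": len(failures),
            "users_tried": sorted({ev["user"] for ev in failures}),
            "burst_start": burst_start,
            "success_after_burst": success["user"] if success else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_logon_events(SAMPLE_ERRORLOG)):
        print(alert)
```

Feed it the ERRORLOG file from the instance's Log directory or the output of xp_readerrorlog. The single slow failure from 10.0.0.8 is not reported, while the burst from 203.0.113.45 is, together with the login name that finally succeeded; if successful logins are not being audited, the "success_after_burst" field stays None and the only evidence of compromise is the burst itself.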
Source : https://asec.ahnlab.com/en/83283/