Hackers have been observed targeting vulnerable MySQL servers in an attempt to compromise and assimilate them into a Distributed Denial of Service (DDoS) botnet.
Researchers at the AhnLab Security Emergency Response Center (ASEC) came across the campaign during routine database server threat monitoring. They found that the hackers were scanning the internet for MySQL servers and approaching them in two ways: either by exploiting a vulnerability in an unpatched environment, or by brute-forcing their way in. Some MySQL endpoints have weak administrator passwords, allowing the attackers to guess them and gain access.
Once a server has been compromised, the attackers use a legitimate MySQL feature, User-Defined Functions (UDF), to run commands on the endpoint. The researchers said the hackers write functions in C or C++, compile them into a DLL, and load that DLL as their own malicious UDF. Among other things, this UDF downloads the Ddostf malware, which enlists the device in the botnet.
Patching the servers
The threat actors have no intention of using the botnet themselves, the researchers further stated. Instead, they are building a DDoS-as-a-Service, where other hackers can rent the service and use its infrastructure for their own attacks, for a fee. The cost of using the Ddostf botnet was unknown at the time of writing.
It is also worth mentioning that the malicious UDF can do more things than just download the malware. Hackers can also use it to steal sensitive data from the server, set up persistent access, and more.
The best way to protect against these attacks, the researchers concluded, is to make sure your MySQL servers are regularly updated and that patches are installed promptly. Furthermore, strong login credentials that are refreshed at regular intervals will make brute-force attacks almost impossible to pull off.
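Because the attackers register their malicious DLL through the same mechanism as any legitimate UDF, one practical check is to compare the functions a server has registered against what the operator expects. The following Python is an added defensive example, not code from ASEC or this article; it works on rows shaped like `SELECT name, dl FROM mysql.func` (the table MySQL writes `CREATE FUNCTION ... SONAME` entries to), and the allowlist, function names and plugin_dir listing are constructed for illustration.

```python
# Added example (not ASEC's or TechRadar's code): audit the UDFs registered
# on a MySQL server against an operator-maintained allowlist. Rows mirror
# `SELECT name, dl FROM mysql.func`; the allowlist and samples are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class UdfRow:
    name: str   # function name as registered in mysql.func
    dl: str     # shared library (DLL / .so) named in SONAME


# Constructed allowlist of UDFs this server is expected to carry.
EXPECTED_UDFS = {"json_helper": "json_helper.so"}

# Constructed snapshot of mysql.func from a host showing the pattern described
# above: attacker-registered functions pointing at a dropped library.
SAMPLE_ROWS = [
    UdfRow("json_helper", "json_helper.so"),
    UdfRow("run_cmd", "udf_x.dll"),        # constructed name, not a real tool
    UdfRow("fetch_payload", "udf_x.dll"),  # constructed name
]

# Constructed listing of the server's plugin_dir.
SAMPLE_PLUGIN_DIR = {"json_helper.so", "udf_x.dll"}


def audit_udfs(rows, plugin_files, expected=EXPECTED_UDFS):
    """Return a sorted list of (function_name, reason) findings.

    Flags functions absent from the allowlist, allowlisted functions whose
    library differs from the expected one, and registered libraries that
    are no longer on disk (a sign of cleanup after use)."""
    findings = []
    for row in rows:
        if row.name not in expected:
            findings.append((row.name, f"not in allowlist (library {row.dl})"))
        elif expected[row.name] != row.dl:
            findings.append((row.name, f"expected {expected[row.name]}, got {row.dl}"))
        if row.dl not in plugin_files:
            findings.append((row.name, f"library {row.dl} missing from plugin_dir"))
    return sorted(findings)


def suspicious_libraries(rows, expected=EXPECTED_UDFS):
    """Libraries referenced by mysql.func that no allowlisted UDF uses."""
    return sorted({r.dl for r in rows} - set(expected.values()))


if __name__ == "__main__":
    for name, reason in audit_udfs(SAMPLE_ROWS, SAMPLE_PLUGIN_DIR):
        print(f"{name}: {reason}")
    print("libraries to inspect:", suspicious_libraries(SAMPLE_ROWS))
```

Any library this reports should be pulled from plugin_dir and examined, and the corresponding functions dropped only after the initial access path (unpatched version or weak password) has been closed.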
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.