A newly identified hacker group, known as STAC6451, has been actively targeting Microsoft SQL (MSSQL) servers to compromise organizations, with a particular focus on entities in India. This group leverages exposed MSSQL servers, especially those with weak credentials, to deploy ransomware and execute other malicious activities. Their approach includes exploiting the default TCP/IP port 1433, which is commonly exposed to the public internet, allowing them to gain unauthorized access.
Once STAC6451 gains entry, they enable the xp_cmdshell stored procedure on the compromised servers. This procedure, which is disabled by default for security reasons, permits the attackers to execute arbitrary commands. The group then uses the Bulk Copy Program (BCP) utility to stage and deploy malicious payloads. These payloads include privilege escalation tools and ransomware binaries, such as Cobalt Strike Beacons and Mimic ransomware.
The attackers further establish persistence by creating backdoor accounts using the Python Impacket library. These accounts, such as “ieadm” and “helpdesk,” are added to local administrator and remote desktop groups to facilitate lateral movement within the network. Additionally, STAC6451 employs tools like AnyDesk for remote control and leverages the PrintSpoofer malware tool to escalate privileges through vulnerabilities in the Windows spooler service.
To protect against STAC6451’s tactics, organizations should avoid exposing MSSQL servers to the internet, disable the xp_cmdshell stored procedure, and implement application control measures to block unwanted applications like AnyDesk. Regular system updates and patch management are also crucial to closing vulnerabilities. These steps can help mitigate the risks posed by this sophisticated group and prevent potential compromises.
Reference:
