The Chinese hacking group APT-27 is targeting large enterprise networks by taking advantage of exposed MySQL servers.
Most business networks use cloud platforms to store their data. Attackers, in turn, also use cloud services to run their bots.
The businesses targeted had taken care to patch security issues in their operating systems, but the servers running MySQL remained vulnerable.
Surveys show that approximately 4.9 million MySQL servers are reachable from public IP addresses. Once a malicious actor compromises an exposed MySQL server, they effectively gain full access to the infected machine (in practice, the degree of access depends on the privileges of the account under which the MySQL service runs).
So far, 15,000 attacks have been detected. A large share (34%) of the attacks is concentrated in Germany, but attacks have also been observed in many other countries, including the United States, France, China, Poland and Russia.
The researchers discovered that several methods are used to abuse MySQL servers and, by extension, to breach the networks behind them. Through these methods, attackers can install backdoors, ransomware and other malware on the victim's machine.
The attackers exploit weaknesses such as default credentials, and rely on brute-force and SQL injection attacks.
They also deploy web shells and exploit vulnerabilities that allow them to bypass authentication and take control of the server. They can then modify, delete, or exfiltrate the data.
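Two defensive checks that correspond to the attack vectors described above (exposed servers with default credentials, and credential brute-forcing), written here as an added example; this is not code from the original report or from the researchers. The log lines and account rows are constructed sample data in the style of a MySQL 8 error log and of `SELECT user, host, authentication_string FROM mysql.user`; the regular expression, the threshold of 5 failures per 60 seconds, and the list of "local" hosts are assumptions chosen for illustration.

```python
"""
Added example (not from the original article). Two checks a defender can run
against a MySQL deployment:

1. detect_bruteforce(): scans MySQL error-log lines for repeated
   "Access denied for user" events and reports source hosts that exceed a
   threshold within a sliding time window (credential guessing / brute force).
2. audit_accounts(): flags risky mysql.user entries such as empty passwords
   (default credentials), anonymous accounts, and accounts reachable from
   any host ('%'), including remote root.

All sample data below is CONSTRUCTED for the example, not a real capture.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed MySQL 8 error-log layout: "<timestamp>Z <thread> [Level] [MY-xxxxx] [Server] Access denied for user 'u'@'h' ..."
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\S+Z)\s+\d+\s+\[\w+\](?:\s+\[[^\]]+\])*\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

# Constructed sample log: five rapid failures from one external host, one stray failure from an internal host.
SAMPLE_LOG = [
    "2024-01-15T10:15:31.000000Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2024-01-15T10:15:32.000000Z 13 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2024-01-15T10:15:33.000000Z 14 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)",
    "2024-01-15T10:15:34.000000Z 15 [Note] [MY-010926] [Server] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)",
    "2024-01-15T10:15:35.000000Z 16 [Note] [MY-010926] [Server] Access denied for user 'test'@'203.0.113.5' (using password: YES)",
    "2024-01-15T10:20:00.000000Z 17 [Note] [MY-010926] [Server] Access denied for user 'app'@'10.0.0.7' (using password: YES)",
    "2024-01-15T10:20:01.000000Z 18 [Note] [MY-013546] [Server] Some unrelated message",
]

# Constructed rows in the shape of (user, host, authentication_string); "hashed" stands in for a real hash.
SAMPLE_ACCOUNTS = [
    ("root", "localhost", "hashed"),   # acceptable: root confined to the local socket
    ("root", "%", ""),                 # default-style root: no password, reachable from anywhere
    ("app", "10.0.0.%", "hashed"),     # acceptable: scoped to an internal range
    ("", "localhost", ""),             # anonymous account with empty password
    ("backup", "%", "hashed"),         # wildcard host
]

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumption: what counts as "local" for root


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {host: {"attempts": peak_failures_in_window, "users": [...]}} for
    every source host that reaches `threshold` failed logins inside any
    `window_seconds`-long window. Lines are expected in chronological order,
    as they appear in the log file."""
    windows = defaultdict(deque)   # host -> timestamps of failures still inside the window
    users = defaultdict(set)       # host -> usernames tried from that host
    peak = defaultdict(int)        # host -> largest window size seen once flagged
    for line in lines:
        m = ACCESS_DENIED.search(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts").rstrip("Z"))
        host = m.group("host")
        dq = windows[host]
        dq.append(ts)
        users[host].add(m.group("user"))
        # Drop failures that have fallen out of the sliding window.
        while dq and (ts - dq[0]).total_seconds() > window_seconds:
            dq.popleft()
        if len(dq) >= threshold:
            peak[host] = max(peak[host], len(dq))
    return {h: {"attempts": n, "users": sorted(users[h])} for h, n in peak.items()}


def audit_accounts(rows):
    """Return [(user, host, [reasons])] for every account with at least one
    of the weaknesses the article associates with compromised servers."""
    findings = []
    for user, host, auth in rows:
        reasons = []
        if user == "":
            reasons.append("anonymous account")
        if auth == "":
            reasons.append("empty password")
        if host == "%":
            reasons.append("reachable from any host")
        if user == "root" and host not in LOCAL_HOSTS:
            reasons.append("remote root login allowed")
        if reasons:
            findings.append((user, host, reasons))
    return findings


if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute force from {host}: {info['attempts']} failures, users tried {info['users']}")
    for user, host, reasons in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"risky account '{user}'@'{host}': {', '.join(reasons)}")
```

Running the script flags 203.0.113.5 (five failures in four seconds, cycling through common usernames) and three risky accounts, while the single failure from 10.0.0.7 stays below the threshold. Both checks complement, rather than replace, keeping port 3306 off the public internet via `bind-address` and host firewalling.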
By leveraging a compromised MySQL server, the attackers can distribute a wide range of malware (viruses, ransomware, cryptocurrency miners).
The researchers also found that APT-27 had used the NewCore RAT malware to attack government entities and data centers.
After installing the malicious files, the attackers leave a note demanding a ransom. Victims of this attack should not pay, however: in this campaign the attackers do not restore the affected systems even after the ransom is paid.