2024-08-22

STAC6451's Persistent Attacks on India's Exposed SQL Servers

Level: Tactical | Source: Sophos | Global


A concerning wave of cyberattacks orchestrated by the threat group STAC6451 has been detailed in a report by Sophos researchers. The threat actors specifically target Microsoft SQL Server database servers in India. The attacks, observed since late March 2024, focus on servers with TCP/IP port 1433 exposed. The campaign affects organizations across multiple business verticals and has led to the deployment of Mimic ransomware. Sophos' assessment found that 'This cluster exhibits a moderate level of sophistication through their redirection and obfuscation techniques; however, the unsuccessful execution of their ransomware binaries and their shortfalls in rotating their credentials after incidents indicate this cluster is still lacking operational maturity in some areas.'

Observations of STAC6451's attack flow show that the operators target exposed accounts with weak passwords. "No system administrator credentials appear to have been compromised in the attacks we observed," reports Sophos. The attackers leverage exposed Microsoft SQL Servers to execute remote commands using LOLBins through the enabled xp_cmdshell feature. A swift series of system discovery commands likely indicates the activity is automated. Commands executed include the Windows utility 'whoami' as well as various WMIC commands to gather information about the host's operating system, hostname, domain, and physical memory. Following initial access, the SQL Server Bulk Copy Program (bcp) utility is used for data transfer with the 'queryout' flag, alongside the '-T' flag for trusted connections via Windows Authentication and the '-f' flag to specify format files. The attackers stage batch and PowerShell scripts with additional tools such as the AnyDesk remote access software, named "AD.exe."
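The chain described above (SQL Server spawning a shell through xp_cmdshell, a quick burst of whoami/WMIC discovery, then bcp with 'queryout' and '-T' writing a file) leaves a distinctive process lineage that a detection engineer can match on. The following detector is an added example, not code from Sophos or from the report: it walks a parent-process chain over constructed Sysmon-style process-creation records (hostnames, PIDs, timestamps and paths are made up) and flags three indicators. The bcp rule deliberately requires SQL Server ancestry, since DBAs also run bcp queryout with -T legitimately from scheduled jobs.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style, fields
# simplified). Hostnames, PIDs, timestamps and file paths are made up.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    # SQL Server on db01 spawns cmd.exe three times (xp_cmdshell pattern)
    {"ts": "2024-03-28T02:14:01", "host": "db01", "pid": 4100, "ppid": 1892,
     "image": CMD, "parent_image": SQLSERVR, "command_line": "cmd.exe /c whoami"},
    {"ts": "2024-03-28T02:14:01", "host": "db01", "pid": 4108, "ppid": 4100,
     "image": r"C:\Windows\System32\whoami.exe", "parent_image": CMD,
     "command_line": "whoami"},
    {"ts": "2024-03-28T02:14:03", "host": "db01", "pid": 4120, "ppid": 1892,
     "image": CMD, "parent_image": SQLSERVR,
     "command_line": "cmd.exe /c wmic os get caption,csname,totalvisiblememorysize"},
    {"ts": "2024-03-28T02:14:03", "host": "db01", "pid": 4124, "ppid": 4120,
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent_image": CMD,
     "command_line": "wmic os get caption,csname,totalvisiblememorysize"},
    {"ts": "2024-03-28T02:14:09", "host": "db01", "pid": 4130, "ppid": 1892,
     "image": CMD, "parent_image": SQLSERVR,
     "command_line": 'cmd.exe /c bcp "select x from t" queryout C:\\ProgramData\\d.bat -T -f C:\\ProgramData\\f.fmt'},
    {"ts": "2024-03-28T02:14:09", "host": "db01", "pid": 4134, "ppid": 4130,
     "image": r"C:\Program Files\Microsoft SQL Server\Tools\Binn\bcp.exe", "parent_image": CMD,
     "command_line": 'bcp "select x from t" queryout C:\\ProgramData\\d.bat -T -f C:\\ProgramData\\f.fmt'},
    # Benign noise: an interactive whoami launched from Explorer on a workstation
    {"ts": "2024-03-28T09:30:00", "host": "ws05", "pid": 2200, "ppid": 1500,
     "image": CMD, "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe /c whoami"},
    {"ts": "2024-03-28T09:30:00", "host": "ws05", "pid": 2204, "ppid": 2200,
     "image": r"C:\Windows\System32\whoami.exe", "parent_image": CMD, "command_line": "whoami"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
DISCOVERY_TOOLS = {"whoami.exe", "wmic.exe"}
BCP_QUERYOUT = re.compile(r"\bqueryout\b", re.I)
BCP_TRUSTED = re.compile(r"(^|\s)-T(\s|$)")  # bcp's -T (trusted connection) is case-sensitive


def basename(path):
    return PureWindowsPath(path).name.lower()


def descends_from_sqlserver(event, by_pid, max_depth=5):
    """Walk the (host, ppid) chain and report whether sqlservr.exe is an ancestor."""
    cur = event
    for _ in range(max_depth):
        if basename(cur["parent_image"]) == "sqlservr.exe":
            return True
        cur = by_pid.get((cur["host"], cur["ppid"]))
        if cur is None:
            return False
    return False


def detect(events, window=timedelta(minutes=2), min_tools=2):
    """Return (rule, host, ts, detail) tuples for the three indicators."""
    # Assumes PIDs are not reused within the analysed window.
    by_pid = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        # Rule 1: SQL Server itself spawning a command shell
        if basename(e["parent_image"]) == "sqlservr.exe" and basename(e["image"]) in SHELLS:
            alerts.append(("sqlserver_spawned_shell", e["host"], e["ts"], e["command_line"]))
        # Rule 2: bcp queryout with a trusted connection, descending from SQL Server
        if (basename(e["image"]) == "bcp.exe" and BCP_QUERYOUT.search(e["command_line"])
                and BCP_TRUSTED.search(e["command_line"]) and descends_from_sqlserver(e, by_pid)):
            alerts.append(("bcp_queryout_file_write", e["host"], e["ts"], e["command_line"]))
    # Rule 3: several distinct discovery tools under SQL Server ancestry in a short window
    per_host = {}
    for e in events:
        if basename(e["image"]) in DISCOVERY_TOOLS and descends_from_sqlserver(e, by_pid):
            per_host.setdefault(e["host"], []).append(e)
    for host, evs in per_host.items():
        evs.sort(key=lambda x: x["ts"])
        start = datetime.fromisoformat(evs[0]["ts"])
        tools = {basename(x["image"]) for x in evs
                 if datetime.fromisoformat(x["ts"]) - start <= window}
        if len(tools) >= min_tools:
            alerts.append(("sqlserver_discovery_burst", host, evs[0]["ts"], ",".join(sorted(tools))))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 alone is usually the highest-value signal: a production SQL Server has little reason to spawn cmd.exe, so xp_cmdshell being enabled at all is worth auditing. Rules 2 and 3 add context for triage; the burst window and tool threshold are tunable parameters, not fixed values from the report.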

The threat actor's use of a batch script "d.bat" was observed across three targets; it creates a new account named "ieadm" and adds the account to both the administrators and Remote Desktop Users groups. Additionally, AnyDesk is installed with the silent option, and a registry modification is made to WDigest so that logon credentials are stored in clear text. Their script use provides evidence supporting Sophos' assessment of the operators' lack of maturity. "Notably, while the targets we observed being attacked by this threat cluster were in India, the automated script referenced multiple languages to ensure the newly created user was successfully added to the victim's administrator group," explain Sophos researchers. Other accounts created by the threat actors include "helpdesk," "admins124," "rufus," and others with random strings such as "b9de1fc57."

STAC6451 escalated privileges with a tool named PrintSpoofer, which leverages weaknesses in the Windows Print Spooler service to interact with it and execute commands through named pipes, a method detected by Sophos as ATK/PrntSpoof-A. This approach allowed them to gain elevated privileges and inject commands directly into the spooler service. To obscure their tracks, the attackers employed Cobalt Strike, using a loader named USERENV.dll to inject malicious DLLs into legitimate processes such as gpupdate.exe, thereby establishing persistent access and control over the compromised systems. Evidence of a Cobalt Strike staging server was also identified: the Windows Command Prompt was used to run cscript on VBScript files that call a remotely hosted file.

Further techniques to manipulate system configurations, evade detection, and maintain persistence included creating and auto-starting a new service named 'Plug,' which then ran a Cobalt Strike Beacon from C:\ProgramData\Plug\tosbtkbd.exe. They ensured the malware's persistence by configuring the service to auto-start, then deleted the service to remove traces. The attackers disabled Windows Defender using scripts embedded in batch files, specifically a script named 03.bat, which also launched the ransomware payloads. Sophos also observed the Microsoft tool DumpMinitool being used to access credentials from LSASS memory, although Sophos blocked the activity.
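The persistence and defense-evasion steps in the two paragraphs above (the d.bat account creation with group adds attempted in several languages, the WDigest clear-text credential setting, the auto-start service running from C:\ProgramData, and the Defender tampering) each map to a host event that is cheap to alert on. The detector below is an added example, not code from Sophos or from the report; it runs over constructed, simplified records modelled on Sysmon registry-set and process-create events and System log service-install events (hostnames, timestamps and the benign noise are made up), and the list of localized administrator group names is an assumption to be extended for the languages in your environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the Sophos report): a simplified mix of
# Sysmon ID 13 (registry value set), System 7045 (service installed) and
# Sysmon ID 1 (process create) records, distinguished by "kind".
WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
SAMPLE_EVENTS = [
    {"kind": "process", "host": "db01", "ts": "2024-03-28T02:20:10",
     "command_line": "net user ieadm xxxxxxxx /add"},  # password redacted in the sample
    {"kind": "process", "host": "db01", "ts": "2024-03-28T02:20:11",
     "command_line": "net localgroup administrators ieadm /add"},
    {"kind": "process", "host": "db01", "ts": "2024-03-28T02:20:11",
     "command_line": "net localgroup Administradores ieadm /add"},
    {"kind": "process", "host": "db01", "ts": "2024-03-28T02:20:12",
     "command_line": 'net localgroup "Remote Desktop Users" ieadm /add'},
    {"kind": "registry", "host": "db01", "ts": "2024-03-28T02:20:15",
     "target": WDIGEST_KEY, "details": "DWORD (0x00000001)"},
    {"kind": "service", "host": "db01", "ts": "2024-03-28T02:25:40",
     "service_name": "Plug", "image_path": r"C:\ProgramData\Plug\tosbtkbd.exe",
     "start_type": "auto start"},
    {"kind": "process", "host": "db01", "ts": "2024-03-28T02:30:02",
     "command_line": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Benign noise on another host: vendor service in Program Files, WDigest set to 0
    {"kind": "service", "host": "ws05", "ts": "2024-03-28T09:00:00",
     "service_name": "VendorUpdater", "image_path": r"C:\Program Files\Vendor\updater.exe",
     "start_type": "auto start"},
    {"kind": "registry", "host": "ws05", "ts": "2024-03-28T09:01:00",
     "target": WDIGEST_KEY, "details": "DWORD (0x00000000)"},
]

# Local admin / RDP group names in several Windows display languages (assumed
# list; the report notes the script tried multiple languages, so match broadly).
PRIVILEGED_GROUPS = {"administrators", "administradores", "administrateurs",
                     "administratoren", "amministratori", "remote desktop users"}
# Service binaries living in user-writable locations are suspicious for an auto-start service.
USER_WRITABLE = ("c:\\programdata", "c:\\users\\", "c:\\windows\\temp", "c:\\temp")

NET_USER_ADD = re.compile(r"\bnet1?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)
NET_GROUP_ADD = re.compile(r'\bnet1?\s+localgroup\s+("[^"]+"|\S+)\s+(\S+)\s+/add\b', re.I)
DEFENDER_OFF = re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)


def ts(event):
    return datetime.fromisoformat(event["ts"])


def wdigest_cleartext_enabled(e):
    """UseLogonCredential set to 1 makes WDigest keep plaintext logon credentials in LSASS."""
    return (e["kind"] == "registry"
            and e["target"].lower().endswith(r"\wdigest\uselogoncredential")
            and e["details"].strip().endswith("(0x00000001)"))


def service_from_user_writable_path(e):
    return e["kind"] == "service" and e["image_path"].lower().startswith(USER_WRITABLE)


def defender_tampering(e):
    return e["kind"] == "process" and bool(DEFENDER_OFF.search(e["command_line"]))


def account_creation_chains(events, window=timedelta(minutes=5)):
    """Pair 'net user X ... /add' with later privileged group adds for X on the same host."""
    chains = []
    procs = [e for e in events if e["kind"] == "process"]
    for e in procs:
        m = NET_USER_ADD.search(e["command_line"])
        if not m:
            continue
        user = m.group(1).lower()
        groups = set()
        for f in procs:
            g = NET_GROUP_ADD.search(f["command_line"])
            if (g and f["host"] == e["host"] and g.group(2).lower() == user
                    and g.group(1).strip('"').lower() in PRIVILEGED_GROUPS
                    and timedelta(0) <= ts(f) - ts(e) <= window):
                groups.add(g.group(1).strip('"'))
        if groups:
            chains.append((e["host"], user, sorted(groups)))
    return chains


def detect(events):
    alerts = []
    for e in events:
        if wdigest_cleartext_enabled(e):
            alerts.append(("wdigest_cleartext", e["host"], e["ts"]))
        if service_from_user_writable_path(e):
            alerts.append(("service_user_writable_path", e["host"], e["service_name"]))
        if defender_tampering(e):
            alerts.append(("defender_tamper", e["host"], e["ts"]))
    for host, user, groups in account_creation_chains(events):
        alerts.append(("new_privileged_account", host, user, ",".join(groups)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The account rule is the one most worth keeping stateful: the single "net user /add" is noisy on its own, but paired with a group add for the same account within minutes it is rarely benign, and matching the group name against a list (or, better, resolving to the well-known SID) is what catches scripts that try localized names.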

The WinRAR archive utility was used for data collection during the campaign. Sophos reports several hiccups in the completion of the operators' objective. "While the actors were seen staging the Mimic ransomware binaries in all observed incidents, the ransomware often did not successfully execute, and in several instances, the actors were seen attempting to delete the binaries after being deployed," Sophos researchers reveal. Given the targeted nature of these attacks, the operators' strategic focus on large organizations within India is clear.
