Malicious cyber actors exploit MySQL servers through a botnet known as ‘Ddostf,’ utilizing it as a DDoS-as-a-Service platform available for lease by other cybercriminals.
AhnLab’s ASEC researchers identified the mentioned campaign through their regular threat monitoring of database servers. According to ASEC, the operators of Ddostf either capitalize on vulnerabilities in outdated MySQL environments or persistently attempt to compromise servers by exploiting weak administrator accounts.
Cyber attackers scour the web for accessible MySQL servers, attempting credential brute-force attacks upon discovery. In the case of Windows MySQL servers, threat actors employ a technique known as user-defined functions (UDFs) to execute commands on the compromised system.
UDF is a MySQL feature enabling users to define functions in C or C++ and compile them into a dynamic link library (DLL) file, thereby expanding the database server’s capabilities.
In this scenario, adversaries generate their own UDFs and register them on the database server as a DLL file (amd.dll) containing the following malicious functions:
- Downloading payloads such as the Ddostf DDoS bot from a remote server.
- Executing system-level commands sent by the attackers.
- Saving the results of command execution to a temporary file and sending them to the attackers.
Exploiting the UDF provides a convenient method for loading the primary payload of this attack, namely the Ddostf malware client. Additionally, it opens avenues for installing other malware, exfiltrating data, establishing a persistent backdoor for sustained access, and more.
Ddostf, a Chinese-origin botnet first detected seven years ago, targets both Linux and Windows systems. On Windows, it establishes persistence by registering itself as a system service on its first run and then decrypts its C2 (command and control) configuration before connecting.
The malware profiles the host and transmits data such as CPU details, language settings, Windows version, and network speed to its C2. The C2 server can then issue DDoS attack commands (SYN flood, UDP flood, and HTTP GET/POST flood), instruct the bot to stop sending system status information, switch to a new C2 address, or download and execute a new payload.
ASEC notes that Ddostf’s capability to switch to a new C2 address distinguishes it from typical DDoS botnet malware, enhancing its resilience against countermeasures. The cybersecurity firm advises MySQL administrators to apply the latest updates and employ robust, unique passwords to safeguard administrator accounts against brute-force and dictionary attacks.
To safeguard your MySQL servers against the ‘Ddostf’ botnet, consider implementing the following preventive measures:
- Regular Updates: Ensure your MySQL server is up-to-date with the latest security patches and updates. This helps address potential vulnerabilities that attackers might exploit.
- Strong Authentication: Enforce the use of strong, complex passwords for MySQL accounts, especially for administrator accounts. This helps protect against brute-force and dictionary attacks.
- Access Control: Restrict access to your MySQL server by configuring proper access controls. Only grant necessary permissions to users, and avoid using default or overly permissive settings.
- Network Security: Implement network security best practices, such as firewalls and intrusion detection/prevention systems, to monitor and control traffic to and from your MySQL server.
- Monitor for Anomalies: Set up monitoring systems to detect unusual activities or patterns that may indicate a potential DDoS attack or unauthorized access attempts.
- User-defined Function (UDF) Security: If possible, restrict or carefully manage the use of user-defined functions (UDFs) within MySQL to prevent misuse by potential attackers.
- Backup and Recovery: Regularly back up your MySQL databases and have a robust recovery plan in place. This ensures that you can quickly restore operations in case of a successful attack.
- Security Awareness: Educate your team about security best practices and the risks associated with the ‘Ddostf’ botnet. Encourage a security-conscious culture within your organization.
- Collaborate with Security Experts: Work closely with cybersecurity experts or firms to stay informed about emerging threats and to receive guidance on securing your MySQL infrastructure.
- Incident Response Plan: Develop and regularly update an incident response plan to efficiently handle and mitigate the impact of a security incident, should one occur.
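The two behaviours the report describes, credential brute-forcing against a MySQL account followed by registration of a UDF from an unexpected DLL, both leave traces in the MySQL general query log. The following added example (not from the original article or from ASEC) parses constructed log lines and flags either pattern. The log layout, the allowlist entry `approved_udf.so`, the host 203.0.113.5 and the function name `run_cmd` are assumptions; `amd.dll` is the library name from the report.

```python
import re
from collections import Counter

# Constructed sample MySQL general-query-log lines in the 8.0 layout
# (timestamp<TAB>thread-id command<TAB>argument). Hosts, users and the
# 'run_cmd' name are made up; 'amd.dll' is the DLL named in the report.
GENERAL_LOG = (
    "2023-11-20T09:00:00.000000Z\t    7 Query\tCREATE FUNCTION approved_hash RETURNS STRING SONAME 'approved_udf.so'\n"
    "2023-11-20T09:01:00.000000Z\t    7 Query\tSELECT 1\n"
    "2023-11-20T10:14:01.000000Z\t   11 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)\n"
    "2023-11-20T10:14:02.000000Z\t   11 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)\n"
    "2023-11-20T10:14:03.000000Z\t   11 Connect\tAccess denied for user 'admin'@'203.0.113.5' (using password: YES)\n"
    "2023-11-20T10:14:04.000000Z\t   11 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)\n"
    "2023-11-20T10:14:05.000000Z\t   11 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)\n"
    "2023-11-20T10:15:30.000000Z\t   12 Connect\troot@203.0.113.5 on  using TCP/IP\n"
    "2023-11-20T10:15:32.000000Z\t   12 Query\tCREATE FUNCTION run_cmd RETURNS STRING SONAME 'amd.dll'\n"
)

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")
UDF_RE = re.compile(  # UDF registration: CREATE [AGGREGATE] FUNCTION name RETURNS type SONAME 'lib'
    r"^\s*CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?:IF\s+NOT\s+EXISTS\s+)?(?P<name>\w+)\s+RETURNS\s+\w+\s+SONAME\s+'(?P<lib>[^']+)'",
    re.IGNORECASE,
)
APPROVED_LIBS = {"approved_udf.so"}  # assumed allowlist of UDF libraries deployed on purpose
BRUTE_FORCE_THRESHOLD = 5  # failed logins from one host before it is reported

def analyze(log_text, approved_libs=APPROVED_LIBS, threshold=BRUTE_FORCE_THRESHOLD):
    denied = Counter()  # failed-login count per source host
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a general-log entry (e.g. continuation of a multi-line query)
        if m["cmd"] == "Connect":
            d = DENIED_RE.search(m["arg"])
            if d:
                denied[d["host"]] += 1
        elif m["cmd"] == "Query":
            u = UDF_RE.match(m["arg"])
            if u and u["lib"] not in approved_libs:  # UDF loaded from a library nobody approved
                findings.append({"type": "udf_registration", "time": m["ts"], "function": u["name"], "library": u["lib"]})
    for host, n in denied.items():
        if n >= threshold:
            findings.append({"type": "brute_force", "host": host, "count": n})
    return findings

if __name__ == "__main__":
    print(*analyze(GENERAL_LOG), sep="\n")
```

The general query log is disabled by default (`general_log` system variable) and is verbose, so in production the same matching would more typically run against an audit plugin's output or a SIEM feed.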