“Hex-Men” Threat Group Targeted MSSQL and MySQL Servers

Throughout 2017, a likely-Chinese threat group, dubbed “Hex-Men,” has been deploying malware to target MSSQL and MySQL databases on Windows and Linux systems. The group uses its infrastructure, which has helped it remain hidden most of the year, to scan for vulnerable systems, launch attacks, and host malware.

Researchers at GuardiCore identified three main campaigns distributing previously unknown malware variants. The first targeted MSSQL databases running on Windows servers by deploying the remote access trojan (RAT) and cryptocurrency miner “Hex.” The second also targeted MSSQL databases running on Windows servers but instead used the keylogger and backdoor trojan “Taylor.” In a March campaign, the group targeted over 80,000 servers using the Taylor trojan. The third campaign scanned for vulnerable MSSQL and MySQL databases running on either Windows or Linux servers and deployed the Hanako trojan, which is used to launch distributed denial-of-service (DDoS) attacks.

The threat actors accessed vulnerable systems by configuring previously infected servers to scan a small set of IP addresses to find databases with weak login credentials. The group scanned publicly known Azure and AWS public IP ranges in an attempt to find an enterprise cloud server that stored sensitive information and was administered by an account with weak credentials. Scanning only a small number of IPs and using infected servers to do the scanning, along with rotating its command-and-control (C2) servers and domains, allowed the C2 infrastructure to remain largely hidden for a significant amount of time.

The NJCCIC recommends administrators of MSSQL and MySQL servers review the GuardiCore report, ensure the use of complex passwords and multi-factor authentication for database accounts, utilize a firewall to block brute-force attempts, and scan systems and networks for the indicators of compromise (IoCs) provided in the report.
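One way to spot the weak-credential login guessing described above in a database server's own logs, as an added example that is not code from the NJCCIC or the GuardiCore report: it counts failed logins per source in a sliding window and also flags a login that succeeds from a source that was just guessing. It assumes SQL Server ERRORLOG lines with login auditing enabled and MySQL 5.7-style error log lines; the threshold, window, sample lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login audit lines as written to the SQL Server ERRORLOG and the MySQL error log.
MSSQL = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+Login (failed|succeeded) "
                   r"for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
MYSQL = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+Z\s+\d+\s+\[Note\] "
                   r"Access denied for user '([^']*)'@'([^']*)'")

def parse(line):
    """Return (timestamp, source, user, succeeded) or None for unrelated lines."""
    m = MSSQL.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        return ts, m.group(4), m.group(3), m.group(2) == "succeeded"
    m = MYSQL.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        return ts, m.group(3), m.group(2), False
    return None

def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert on >= threshold failures per source inside window, and on a success right after."""
    recent = defaultdict(deque)  # source -> timestamps of its recent failures
    flagged, alerts = set(), []
    for ts, src, user, ok in filter(None, map(parse, lines)):
        q = recent[src]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if not ok:
            q.append(ts)
        kind = "success_after_bruteforce" if ok else "bruteforce"
        if len(q) >= threshold and (ok or src not in flagged):
            flagged.add(src)  # report each guessing source only once
            alerts.append((kind, src, user))
    return alerts

# Constructed sample lines (documentation IP ranges), not taken from the GuardiCore report.
_FAIL = ("2017-12-19 10:%s.10 Logon       Login failed for user '%s'. Reason: Password did "
         "not match that for the login provided. [CLIENT: %s]")
SAMPLE = [_FAIL % (f"15:{s:02d}", "sa", "203.0.113.7") for s in range(0, 12, 2)]
SAMPLE += ["2017-12-19 10:15:12.40 Logon       Login succeeded for user 'sa'. Connection made "
           "using SQL Server authentication. [CLIENT: 203.0.113.7]",
           _FAIL % ("16:00", "app_ro", "198.51.100.20")]
SAMPLE += [f"2017-12-19T10:20:{s:02d}.000000Z 12 [Note] Access denied for user "
           "'root'@'192.0.2.44' (using password: YES)" for s in range(5)]

if __name__ == "__main__": print(detect(SAMPLE))
```

A `success_after_bruteforce` alert is the one to triage first, since it means a guessed password worked; sources that only trigger `bruteforce` are candidates for the firewall block the advisory recommends.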