{"id":79449,"date":"2022-09-27T08:36:55","date_gmt":"2022-09-27T08:36:55","guid":{"rendered":"https:\/\/harchi90.com\/sql-server-admins-warned-to-watch-for-fargo-ransomware-the-register\/"},"modified":"2022-09-27T08:36:55","modified_gmt":"2022-09-27T08:36:55","slug":"sql-server-admins-warned-to-watch-for-fargo-ransomware-the-register","status":"publish","type":"post","link":"https:\/\/harchi90.com\/sql-server-admins-warned-to-watch-for-fargo-ransomware-the-register\/","title":{"rendered":"SQL Server admins warned to watch for Fargo ransomware \u2022 The Register"},"content":{"rendered":"<div id=\"body\">\n<p>Organizations are being warned about a wave of attacks targeting Microsoft SQL Server with ransomware known as Fargo, which encrypts files and threatens victims that their data may be published online if they do not pay up.<\/p>\n<p>The warning comes in a blog posting from analysts at the AhnLab Security Emergency Response Center (ASEC), which says that Fargo is one of the most prominent ransomware strains targeting vulnerable SQL Server instances, and was previously also known as Mallox because it used the file extension .mallox for encrypted files in an earlier wave of attacks.<\/p>\n<p>According to ASEC, a Fargo attack starts with the SQL Server process on a compromised machine being used to download a .net file via the cmd.exe and powershell.exe consoles.  This payload fetches and runs additional malware code which generates and executes a BAT file that then shuts down some processes and services.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"condor\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\">\n        <noscript><\/p>\n<p>                <\/p>\n<p>        <\/noscript>\n    <\/div>\n<p>The next step in the attack is to inject .net code into AppLaunch.exe, which then attempts to delete the registry key for Raccine, an open source tool designed to provide some protection against ransomware attacks.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xmd=\",fluid,mpu,leaderboard,\" data-lg=\",fluid,mpu,leaderboard,\" data-xlg=\",fluid,billboard,superleaderboard,mpu,leaderboard,\" data-xxlg=\",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,\">\n            <noscript><\/p>\n<p>                    <img src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44YzK2JsgyWbeQhhoCQO266gAAANg&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt=\"\"\/><\/p>\n<p>            <\/noscript>\n        <\/div>\n<div class=\"adun_eagle_desktop_story_wrapper\">\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"mid\" data-raptor=\"eagle\" data-xxlg=\",mpu,dmpu,\">\n                <noscript><\/p>\n<p>                        <img src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33YzK2JsgyWbeQhhoCQO266gAAANg&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt=\"\"\/><\/p>\n<p>                <\/noscript>\n            <\/div>\n<\/p><\/div>\n<p>Fargo proceeds to execute the recovery deactivation command, and deletes all shadow copies using vssadmin (which is what Raccine is supposed to prevent), before shutting down various database-related processes to make the content of database files available for encryption.<\/p>\n<p>If successful, the encrypted files have their filename appended with &#8220;.Fargo3&#8221; and a ransom note is generated with the filename &#8220;RECOVERY FILES.txt&#8221;.  The latter informs the victim how to contact the attackers in order to pay the ransom, and threatens: &#8220;In case of non-payment of the ransom, your data may be published on the public domain.&#8221;<\/p>\n<p>But how are the attackers getting access to SQL Server instances to deploy the ransomware in the first place?  According to ASEC, this will typically take the form of brute force attacks and dictionary attacks on systems where account credentials are being poorly managed.  Attacks may also seek to exploit systems that have not been fully patched and may thus be vulnerable to known exploits.<\/p>\n<p>The ASEC blog offers the advice that SQL Server admins should use strong passwords that are difficult to guess for their accounts, and change them periodically to protect the database server from brute force attacks and dictionary attacks, which any IT pro worth their name will have been doing already.  It also offers the usual recommendation that organizations should apply security patches to guard against exploits using known vulnerabilities.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\">\n            <noscript><\/p>\n<p>                    <img src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44YzK2JsgyWbeQhhoCQO266gAAANg&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt=\"\"\/><\/p>\n<p>            <\/noscript>\n        <\/div>\n<p>The threat posed by ransomware remains one of the biggest security headaches for organizations, accounting for 25 percent of observed security incidents and present in 70 percent of all malware infections, according to a Verizon report published earlier this year.  \u00ae<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Organizations are being warned about a wave of attacks targeting Microsoft SQL Server with ransomware known as Fargo, which encrypts files and threatens victims that their data may be published online if they do not pay up. The warning comes in a blog posting from analysts at the AhnLab Security Emergency Response Center (ASEC), which &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/harchi90.com\/sql-server-admins-warned-to-watch-for-fargo-ransomware-the-register\/\"> <span class=\"screen-reader-text\">SQL Server admins warned to watch for Fargo ransomware \u2022 The Register<\/span> Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[4],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":33950,"url":"https:\/\/harchi90.com\/lockbit-ransomware-abuses-windows-defender-to-deploy-cobalt-strike-payload\/","url_meta":{"origin":79449,"position":0},"title":"LockBit Ransomware Abuses Windows Defender to Deploy Cobalt Strike Payload","date":"August 3, 2022","format":false,"excerpt":"A threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads. According to a report published by SentinelOne last week, the incident occurred after obtaining initial access via the Log4Shell vulnerability against an unpatched\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/thehackernews.com\/new-images\/img\/b\/R29vZ2xl\/AVvXsEgvfqow2z1XORevUpzKGWWXZ2DP4dMaNi-7cycpa3J_bSZKv0tO6MP40HLl7lvVJDIswOmb6I-YoNMLJym4v9oLZQczujsMqcttB3M_Cvm6E-zLs0XrpwaTZ_SGFjckDfi3CPfijZaii8Z88_btcKeHKKfxm7cDyF3kaVvsirGpb2JWVH0Ot3xGiC2sZg\/s1600\/strike-728.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":1621,"url":"https:\/\/harchi90.com\/new-sessionmanager-backdoor-targeting-microsoft-iis-servers-in-the-wild\/","url_meta":{"origin":79449,"position":1},"title":"New &#8216;SessionManager&#8217; Backdoor Targeting Microsoft IIS Servers in the Wild","date":"July 1, 2022","format":false,"excerpt":"A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022. Dubbed SessionManagerthe malicious tool masquerades as a module for Internet\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":12089,"url":"https:\/\/harchi90.com\/video-game-publisher-bandai-namco-appears-to-have-been-hacked\/","url_meta":{"origin":79449,"position":2},"title":"Video Game Publisher Bandai Namco Appears To Have Been Hacked","date":"July 12, 2022","format":false,"excerpt":"Image: Bandai NamcoMajor video game cyberattacks have become quite regular in recent years and it seems Bandai Namco is the latest victim. Ransomware group 'BlackCat' has added the Japanese publisher and developer - known for series like Pac-Man, Dragon Ball and Elden Ring - to its list of victims. A\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"Pac-Man","src":"https:\/\/i0.wp.com\/images.nintendolife.com\/b01e40ecea55b\/pac-man.900x.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":11701,"url":"https:\/\/harchi90.com\/video-game-publisher-bandai-namco-appears-to-have-be-hacked\/","url_meta":{"origin":79449,"position":3},"title":"Video Game Publisher Bandai Namco Appears To Have Be Hacked","date":"July 12, 2022","format":false,"excerpt":"Image: Bandai Namco Major video game cyberattacks have become quite regular in recent years and it seems Bandai Namco is the latest victim. Ransomware group 'BlackCat' has added the Japanese publisher and developer - known for series like Pac-Man, Dragon Ball and Elden Ring - to its list of victims.\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"Pac-Man","src":"https:\/\/i0.wp.com\/images.nintendolife.com\/b01e40ecea55b\/pac-man.900x.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":15013,"url":"https:\/\/harchi90.com\/bandai-namco-confirms-hack-by-ransomware-group-confidential-information-stolen\/","url_meta":{"origin":79449,"position":4},"title":"Bandai Namco confirms hack by ransomware group;  confidential information stolen","date":"July 15, 2022","format":false,"excerpt":"\r \r \r \r \r \r \r \r \r \r \r \r \r \r Bandai Namco, a name the fighting game community knows well thanks to titles like Tekken, Dragon Ball FighterZ, and Soul Calibur, has confirmed that they've been hacked and had confidential information stolen by ransomware group ALPHV.\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":84424,"url":"https:\/\/harchi90.com\/state-sponsored-hackers-likely-exploited-ms-exchange-0-days-against-10-organizations\/","url_meta":{"origin":79449,"position":5},"title":"State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations","date":"October 2, 2022","format":false,"excerpt":"Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at less than 10 organizations globally. \"These attacks installed the Chopper web shell to facilitate hands-on-keyboard\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/thehackernews.com\/new-images\/img\/b\/R29vZ2xl\/AVvXsEgvfqow2z1XORevUpzKGWWXZ2DP4dMaNi-7cycpa3J_bSZKv0tO6MP40HLl7lvVJDIswOmb6I-YoNMLJym4v9oLZQczujsMqcttB3M_Cvm6E-zLs0XrpwaTZ_SGFjckDfi3CPfijZaii8Z88_btcKeHKKfxm7cDyF3kaVvsirGpb2JWVH0Ot3xGiC2sZg\/s1600\/strike-728.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]}],"fifu_image_url":"https:\/\/regmedia.co.uk\/2021\/03\/29\/ransom.jpg","_links":{"self":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/79449"}],"collection":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/comments?post=79449"}],"version-history":[{"count":0,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/79449\/revisions"}],"wp:attachment":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/media?parent=79449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/categories?post=79449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/tags?post=79449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}