Full Report
Overview
The AhnLab SEcurity intelligence Center (ASEC) analysis team is responding to and categorizing attacks targeting MS-SQL and MySQL servers installed on Windows operating systems using the AhnLab Smart Defense (ASD) infrastructure. This post covers the damage and statistics of attacks that occurred on MS-SQL and MySQL servers in the second quarter of 2025 based […]
Analysis Summary
# Tool/Technique: Database Server Exploitation (MS-SQL and MySQL)
## Overview
This summary covers activities related to attacks targeting MS-SQL and MySQL database servers running on Windows operating systems during the second quarter of 2025, as observed through the AhnLab Smart Defense (ASD) infrastructure logs. The focus is on the general attack trends, malware utilized, and associated infrastructure, rather than a specific, named malware family.
## Technical Details
- Type: Attack Campaign/Technique
- Platform: Windows (targeting MS-SQL and MySQL services)
- Capabilities: Brute-forcing credentials or exploiting vulnerabilities to gain unauthorized access to database servers, followed by deploying secondary payloads (e.g., custom executables like `ceshi.exe` or `Server.exe`).
- First Seen: Q2 2025 (as per observation period)
## MITRE ATT&CK Mapping
*(Since the article describes the actions leading to compromise rather than a specific post-exploitation framework, the primary mappings relate to initial access and execution):*
- **TA0001 - Initial Access**
  - T1133 - External Remote Services (if brute-forcing is used against database ports)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter (if used to download/run payloads)
## Functionality
### Core Capabilities
- Targeting specific database services (MS-SQL and MySQL) commonly used on Windows systems.
- Utilizing various network addresses and ports for delivery or command and control.
- Dropping executable files onto the compromised systems.
### Advanced Features
- Deployment of observed executables (`ceshi.exe`, `Server.exe`) suggests standardized infection chains for persistence or further lateral movement/data theft, though specifics are not detailed.
## Indicators of Compromise
- File Hashes (MD5):
  - `2cd59cff23a2e0f98e710bf52b799154`
  - `33096e0bc0785ffb2094054bebb9be26`
  - `3ee3a5fef87b72a024bd0f45e6f6039f`
  - `454ff880e99d5777276bdee1a3e078d9`
  - `9d098864bc5746b9ff00432686d59b9f`
- File Names: `ceshi.exe`, `Server.exe`
- Registry Keys: [Not specified]
- Network Indicators:
  - URLs: `http[:]//39[.]108[.]132[.]22[:]8080/ceshi[.]exe`, `http[:]//star[.]zcnet[.]net[:]7766/Server[.]exe`
  - FQDNs: `star[.]zcnet[.]net`, `yyinfo8999[.]fit`
  - IPs: `103[.]101[.]178[.]170`, `154[.]204[.]177[.]54`, `154[.]222[.]24[.]186`, `39[.]108[.]132[.]22`
- Behavioral Indicators: Successful connection attempts to default or common database ports (e.g., SQL Server default, MySQL default) followed by the download and execution of secondary payloads.
## Associated Threat Actors
- [Not explicitly named, generally associated with automated scanning/exploitation targeting publicly exposed or poorly secured database servers.]
## Detection Methods
- Signature-based detection: Hash matching against the listed MD5s.
- Behavioral detection: Monitoring network connections to unusual external IPs/domains on database ports, followed by file creation events involving executables downloaded via HTTP from these sources.
- YARA rules: [Not available]
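The two detection methods above, as an added example that is not part of the ASEC report: a short Python correlation over constructed Sysmon-style JSON events (the field names are assumptions) that reports hash matches against the listed MD5s and flags the chain of a database service spawning a child process, followed within a few minutes by an outbound connection and an executable being written on the same host.

```python
import json
from datetime import datetime, timedelta

# MD5s listed in the report's IoC section.
KNOWN_MD5S = {"2cd59cff23a2e0f98e710bf52b799154", "33096e0bc0785ffb2094054bebb9be26",
              "3ee3a5fef87b72a024bd0f45e6f6039f", "454ff880e99d5777276bdee1a3e078d9",
              "9d098864bc5746b9ff00432686d59b9f"}
DB_PROCESSES = {"sqlservr.exe", "mysqld.exe"}  # MS-SQL and MySQL service images
WINDOW = timedelta(minutes=5)                  # correlation window after the DB spawns a child

# Constructed sample telemetry (simplified Sysmon-style JSON lines, hypothetical field names).
# db01 replays the chain the report describes using indicators from its IoC list; db02 is benign.
SAMPLE_EVENTS = r"""
{"ts":"2025-05-10T03:12:01","type":"process_create","host":"db01","image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"}
{"ts":"2025-05-10T03:12:03","type":"network_connect","host":"db01","image":"C:\\Windows\\System32\\certutil.exe","dst_ip":"39.108.132.22","dst_port":8080}
{"ts":"2025-05-10T03:12:05","type":"file_create","host":"db01","path":"C:\\Windows\\Temp\\ceshi.exe","md5":"2cd59cff23a2e0f98e710bf52b799154"}
{"ts":"2025-05-10T09:00:00","type":"process_create","host":"db02","image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\explorer.exe"}
{"ts":"2025-05-10T09:00:02","type":"file_create","host":"db02","path":"C:\\Users\\dba\\Downloads\\setup.exe","md5":"ffffffffffffffffffffffffffffffff"}
"""

def parse_events(text):
    """Parse JSON lines into event dicts with datetime timestamps, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hash_hits(events):
    """Signature detection: paths of created files whose MD5 matches the report's list."""
    return [e["path"] for e in events if e["type"] == "file_create" and e.get("md5") in KNOWN_MD5S]

def detect(events):
    """Behavioral detection: DB service child spawn, then an outbound connect and an .exe drop within WINDOW."""
    alerts, by_host = [], {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["type"] != "process_create" or basename(e["parent_image"]) not in DB_PROCESSES:
                continue
            later = [x for x in evs[i + 1:] if x["ts"] - e["ts"] <= WINDOW]
            conns = [x for x in later if x["type"] == "network_connect"]
            drops = [x for x in later if x["type"] == "file_create" and x["path"].lower().endswith(".exe")]
            if conns and drops:
                alerts.append({"host": host, "child": basename(e["image"]),
                               "dst": f"{conns[0]['dst_ip']}:{conns[0]['dst_port']}",
                               "dropped": drops[0]["path"], "known_hash": drops[0].get("md5") in KNOWN_MD5S})
    return alerts
```

On the constructed input, `hash_hits` returns the `ceshi.exe` path and `detect` raises one alert for `db01` only; the benign `db02` activity produces nothing.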
## Mitigation Strategies
- Strong password policies and multi-factor authentication (if available) for database services.
- Network segmentation to limit external exposure of database servers.
- Applying the latest security patches for MS-SQL and MySQL software.
- Monitoring and alerting on unusual administrative access patterns or unauthorized process execution originating from database processes.
## Related Tools/Techniques
- Automated password spraying/brute-forcing tools targeting database ports (e.g., SQLbrute, Hydra).
- Generic malware loaders used for initial persistence on victims' machines.