
Showing posts with the label Microsoft SQL Server

Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld. Cybersecurity firm Securonix, which has dubbed the campaign DB#JAMMER, said it stands out for the way the toolset and infrastructure are employed. "Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity. "The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld." Initial access to the victim host is achieved by brute-forcing the MS SQL server, using it to enumerate the database and leveraging the xp_cmdshell configuration option to run shell commands and conduct reconnaissance. The next stage entails taking steps to impair the system firewall and establish persistence by c...