By SecureWorld News Team
Tue | Dec 19, 2017 | 7:58 AM PST

This is the story of a single cyber attack that morphed into thousands of attacks each day.

The attacks are going on now, using compromised computers around the globe, including many in the United States.

In this case, we're talking about attacks on database servers like Microsoft (MS) SQL and mySQL.

Researchers at cybersecurity company GuardiCore created this well-documented analysis of what is going on now.

"We started off by investigating a single MS SQL Server attack that made use of an unknown binary against servers monitored by the GuardiCore Global Sensor Network (GGSN), a network of deception servers deployed in multiple data centers worldwide." 

Then they watched the number of attacks grow and the purpose of them grow as well.

"The attackers use compromised victim machines for a variety of infrastructure tasks. Machines are re-purposed for scanning, launching attacks, hosting malware executables, and acting as C&C servers."

[Illustration: my-sql-cybersecurity.png]

The attacks come from a huge infrastructure of compromised machines that are used for about a month and then rotated out of service, to make detection more difficult.

Three campaigns, as you see in the illustration above, are ongoing.

"HEX" is all about installing crypto miners and RATs (Remote Access Trojans).

"Taylor" is a campaign to install keyloggers and backdoors.

And "Hanako" focuses on adding machines to a DDoS botnet.

Once machines are compromised, the hackers cover up their work:

"Later in the attack, the attacker stops or disables a variety of anti-virus and monitoring applications by running shell commands."

[Illustration: database-attack.png]

"As a final step, the attackers attempt to cover their tracks by deleting any unnecessary registry, file and folder entries using batch files and VB scripts," says the complete report.

"The malware binaries also attempt to hide themselves using a variety of methods. These include using a fake MFC user interface and abnormally sized binaries (a few binaries weighed over 100MB, containing large quantities of junk data)."

Company researchers say the number one thing you can do to mitigate the risk from these attacks is to control and monitor all servers that have access to your database.

"... keep this list to a minimum and pay special attention to machines that are accessible directly from the internet. Every connection attempt from an IP or domain that does not belong to this list should be blocked and investigated."
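One way to put that advice into practice, as an added example that is not part of GuardiCore's report or SecureWorld's article: it assumes a short allowlist of two internal hosts (constructed), runs over constructed flow records, and flags every connection attempt to MS SQL (1433) or MySQL (3306) from a source not on the list, marking sources outside private address space as external so they are investigated first.

```python
import ipaddress
from collections import Counter

# Constructed allowlist of hosts permitted to reach the database tier;
# keep it short and review it (an assumption for this example, not from the report).
ALLOWED_SOURCES = ["10.20.0.0/24", "10.30.1.7/32"]   # app servers, reporting host
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
DB_PORTS = {1433: "mssql", 3306: "mysql"}

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2017-12-18T09:01:02Z 10.20.0.15 10.50.0.2 1433
2017-12-18T09:01:05Z 10.30.1.7 10.50.0.3 3306
2017-12-18T09:02:11Z 203.0.113.45 10.50.0.2 1433
2017-12-18T09:02:12Z 203.0.113.45 10.50.0.3 3306
2017-12-18T09:03:40Z 10.20.1.99 10.50.0.2 1433
2017-12-18T09:04:01Z 198.51.100.9 10.50.0.2 1433
2017-12-18T09:04:30Z 198.51.100.9 10.50.0.2 443
"""

def in_any(ip, cidrs):
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def find_unexpected_connections(log_text, allowed=ALLOWED_SOURCES):
    """Flag connection attempts to database ports from sources not on the
    allowlist. Sources outside private address space are marked external so
    that internet-facing exposure is investigated first."""
    alerts, per_source = [], Counter()
    for line in log_text.splitlines():
        ts, src, dst, port = line.split()
        port = int(port)
        if port not in DB_PORTS or in_any(src, allowed):
            continue                      # non-database traffic or allowed source
        per_source[src] += 1
        alerts.append({"time": ts, "src": src, "dst": dst,
                       "service": DB_PORTS[port],
                       "external": not in_any(src, PRIVATE_RANGES)})
    return alerts, per_source

if __name__ == "__main__":
    found, counts = find_unexpected_connections(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("repeat sources:", counts.most_common())
```

Every flagged source is a candidate for blocking at the firewall; the repeat count helps decide which one to look at first.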

Speaking of investigating things, this was quite an undertaking for GuardiCore researchers, who say it felt like an "escape room" experience where one clue led them to another.

And in the end, they say there is "ample evidence" that the attack group responsible is based in China. 
