Hackers are scanning for MySQL servers to deploy GandCrab ransomware

silversurfer

At least one Chinese hacking crew is currently scanning the internet for Windows servers that are running MySQL databases so they can infect these systems with the GandCrab ransomware.
These attacks are somewhat unique, as cyber-security firms have not seen any threat actor until now that has attacked MySQL servers running on Windows systems to infect them with ransomware.

Andrew Brandt, Principal Researcher at Sophos, and the one who spotted these new attacks in a honeypot's logs, described them as "a serendipitous discovery" in an email to ZDNet. The researcher published today a blog post on the Sophos website detailing this new scanning activity and its payload.
Brandt said hackers would scan for internet-accessible MySQL databases that would accept SQL commands, check if the underlying server would run on Windows, and then use malicious SQL commands to plant a file on the exposed servers, which they'd later execute, infecting the host with the GandCrab ransomware.
 
