
Analysis of Trigona Threat Actor's Latest Attack Cases

Severity: Medium
Published: Wed Oct 29 2025 (10/29/2025, 10:50:37 UTC)
Source: AlienVault OTX General

Description

The Trigona threat actor targets MS-SQL servers primarily through brute-force and dictionary attacks exploiting weak credentials. They deploy additional payloads using CLR Shell and leverage tools such as BCP, Curl, Bitsadmin, and PowerShell to install malware. Remote control tools like AnyDesk, RDP, and possibly Teramind are used to maintain persistence and control. A newly observed Rust-based scanner malware targets RDP and MS-SQL services to identify vulnerable hosts. The actor employs various privilege escalation and file manipulation techniques, along with custom tools like SpeedTest and StressTester. The threat actor's activity poses risks of unauthorized access, data compromise, and potential ransomware deployment. Defenders should enforce complex passwords, restrict database server access via firewalls, and maintain up-to-date security software. No known public exploits exist yet, but the threat remains active and evolving.

AI-Powered Analysis

Last updated: 10/29/2025, 11:21:40 UTC

Technical Analysis

The Trigona threat actor continues to conduct targeted attacks against Microsoft SQL (MS-SQL) servers by exploiting weak or default credentials through brute-force and dictionary attack methods. Once access is gained, the attackers utilize the Common Language Runtime (CLR) Shell to execute additional malicious payloads within the database environment, allowing them to bypass some traditional security controls. They employ legitimate system tools such as Bulk Copy Program (BCP), Curl, Bitsadmin, and PowerShell to download and install malware, which aids in evading detection by blending with normal administrative activities. For remote control and lateral movement, Trigona uses remote desktop tools including AnyDesk, Remote Desktop Protocol (RDP), and possibly Teramind, enabling persistent access and control over compromised systems. A notable development is the introduction of a scanner malware written in Rust, designed to identify vulnerable RDP and MS-SQL services, indicating an automated reconnaissance capability to expand their attack surface. The threat actor also uses custom tools like SpeedTest and StressTester, likely for network performance measurement and denial-of-service capabilities, respectively. Privilege escalation and file manipulation techniques are employed to deepen system compromise and maintain persistence. Although no known public exploits are reported, the combination of credential attacks, use of legitimate tools, and custom malware indicates a sophisticated and evolving threat. The attack chain highlights the importance of securing database credentials, monitoring for unusual use of administrative tools, and controlling remote access to critical infrastructure.

Potential Impact

European organizations running MS-SQL servers with weak or default credentials are at significant risk of unauthorized access, data theft, and potential ransomware infection due to Trigona's activities. Compromise of database servers can lead to exposure of sensitive business and customer data, disruption of critical services, and financial losses. The use of legitimate administrative tools for malware deployment complicates detection, increasing dwell time and potential damage. The Rust-based scanner malware increases the likelihood of widespread scanning and targeting of vulnerable systems across Europe. Organizations with remote access enabled via RDP or AnyDesk are particularly vulnerable to lateral movement and persistent control by attackers. The threat actor's ability to escalate privileges and manipulate files further exacerbates the risk of system takeover and data integrity loss. Given the medium severity, the impact is substantial but can be mitigated with proper controls. The threat also poses reputational risks and potential regulatory compliance issues under GDPR if personal data is compromised.

Mitigation Recommendations

1. Enforce strong, complex passwords and implement account lockout policies to prevent brute-force and dictionary attacks on MS-SQL servers.
2. Disable or restrict remote access paths such as RDP and AnyDesk to trusted IP addresses only, using firewall rules and VPNs.
3. Monitor and restrict the use of administrative tools like BCP, Curl, Bitsadmin, and PowerShell, employing application whitelisting and behavior-based detection to identify anomalous usage.
4. Regularly update and patch MS-SQL servers and associated software to reduce the attack surface, even though no specific exploits are known.
5. Implement network segmentation to isolate database servers from general user networks and limit lateral movement opportunities.
6. Deploy endpoint detection and response (EDR) solutions capable of detecting CLR Shell usage and unusual privilege escalation activity.
7. Conduct regular security audits and penetration tests focused on credential strength and remote access configurations.
8. Require multi-factor authentication (MFA) for administrative and remote access accounts.
9. Analyze network traffic for signs of scanning activity, especially from the Rust-based scanner malware, and block suspicious IPs.
10. Maintain comprehensive logging and alerting for authentication failures and unusual file or process activity on database servers.
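Recommendations 1 and 10 above both come down to noticing the brute-force and dictionary attempts before a weak password gives way. The script below is an added example, not code from the original advisory or from the AhnLab report it cites. It parses the standard SQL Server ERRORLOG "Login failed for user" line (which is written when the server has login auditing enabled for failed logins), groups failures by client IP over a sliding window, and distinguishes a single-account brute force from a password spray across many logins. The log lines are constructed samples using documentation IP ranges, and the threshold and window are assumed values a defender would tune to their own baseline.

```python
"""
Detect MS-SQL brute-force / dictionary attempts from SQL Server ERRORLOG lines.

Added example for this advisory. Sample log lines are constructed; the
threshold (5 failures) and window (1 minute) are assumptions to tune locally.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# SQL Server ERRORLOG "Login failed" line layout (failed-login auditing enabled):
#   <timestamp> Logon  Login failed for user '<name>'. Reason: <text>. [CLIENT: <ip>]
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) +Logon +"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?: Reason: (?P<reason>.*?)\.?)? \[CLIENT: (?P<ip>[^\]]+)\]$"
)

# Constructed sample: one single-account brute force (203.0.113.5), two
# isolated failures (198.51.100.7), one success, and one spray (203.0.113.9).
SAMPLE_ERRORLOG = """\
2025-10-29 10:50:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2025-10-29 10:50:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-10-29 10:50:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-10-29 10:50:03.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-10-29 10:50:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-10-29 10:50:05.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-10-29 10:50:06.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-10-29 10:51:10.00 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]
2025-10-29 10:58:44.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2025-10-29 11:02:00.00 Logon       Login succeeded for user 'dbadmin'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2025-10-29 11:05:00.00 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.9]
2025-10-29 11:05:02.00 Logon       Login failed for user 'test'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.9]
2025-10-29 11:05:04.00 Logon       Login failed for user 'sql'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.9]
2025-10-29 11:05:06.00 Logon       Login failed for user 'root'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.9]
2025-10-29 11:05:08.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
"""


def parse_login_failures(lines):
    """Return one dict per 'Login failed' line; every other line is ignored."""
    events = []
    for line in lines:
        m = LOGIN_FAILED_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "user": m.group("user"),
            "reason": m.group("reason") or "",
            "ip": m.group("ip"),
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """
    Flag source IPs that produce at least `threshold` failures inside any
    sliding `window`. Returns {ip: {failures, users, first, last, pattern}}
    where pattern is "spray" (many logins tried) or "single-account".
    """
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    summary = defaultdict(lambda: {"failures": 0, "users": set(), "first": None, "last": None})
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, ts = ev["ip"], ev["ts"]
        s = summary[ip]
        s["failures"] += 1
        s["users"].add(ev["user"])
        s["first"] = s["first"] or ts
        s["last"] = ts
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerted.add(ip)
    return {
        ip: {
            "failures": summary[ip]["failures"],
            "users": sorted(summary[ip]["users"]),
            "first": summary[ip]["first"],
            "last": summary[ip]["last"],
            "pattern": "spray" if len(summary[ip]["users"]) > 1 else "single-account",
        }
        for ip in alerted
    }


def run_sample():
    """Run the detector over the constructed sample log and return the alerts."""
    return detect_bruteforce(parse_login_failures(SAMPLE_ERRORLOG.splitlines()))


if __name__ == "__main__":
    for ip, a in sorted(run_sample().items()):
        print(f"{ip}: {a['failures']} failures, {a['pattern']}, logins tried: {', '.join(a['users'])}, "
              f"{a['first']:%H:%M:%S} to {a['last']:%H:%M:%S}")
```

Run against a real ERRORLOG the script needs only the file's lines (`parse_login_failures(open(path, encoding="utf-16"))` on a default SQL Server install, since ERRORLOG is UTF-16). The two sample sources that trip the threshold are the ones a firewall rule or lockout policy should already be stopping; the isolated failures from 198.51.100.7 stay below it, which is the point of a windowed count rather than a raw total.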


Technical Details

Author
AlienVault
TLP
white
References
https://asec.ahnlab.com/en/90793/
Adversary
Trigona
Pulse ID
6901f17d5de87bf1b10b2e99
Threat Score
null

Indicators of Compromise

Hash

MD5
2e4d250ecae8635fa3698eba5772a3b9
3c21181c35d955f9e557417998c38942
44bca3e7da4c28be4f55af0370091931
4af4c15092110057cb0a97df626c4ef4
4d627c63fdd8442eaf7d9be7e50d1e46
60b30e194972f937b859d0075be69e2a

SHA-1
91b82d74d58a52d73a1b1fa1898462bb69f9622b
c941ebe1bef2dba55aa74b9d2ac4bdab94182223
fab4c587e52cf2ddeb1ac999dca45a24b6a49098

SHA-256
0cc363668c85f3ab916795839b94c328f612cefa820ce9ee7da18b9ac19389fe
cdfbd285104f3b1f2d79f01643df734920129c7e4af6ed7e0cd7b845558ee218
f9322aa6b0527098520f9a041c4f4b2be81e95e2739310baaab1926f4ef40d80

IP

179.43.159.186
198.55.98.133

Threat ID: 6901f6978cf71dc7fdc08496

Added to database: 10/29/2025, 11:12:23 AM

Last enriched: 10/29/2025, 11:21:40 AM

Last updated: 10/30/2025, 3:47:56 PM

Views: 17
