Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Unsecured Microsoft SQL, MySQL Servers Hit by Gh0stCringe Malware

Unsecured Microsoft SQL, MySQL Servers Hit by Gh0stCringe Malware

Hackers target poorly secured Microsoft SQL and MySQL database servers to deploy the Gh0stCringe remote access trojans on vulnerable devices.

Gh0stCringe, aka CirenegRAT, is a variant of Gh0st RAT malware that was most recently deployed in 2020 Chinese cyber-espionage operations but dates as far back as 2018.

In a new report today by cybersecurity firm AhnLab, researchers outline how the threat actors behind GhostCringe are targeting poorly secured database servers with weak account credentials and no oversight.

As you can see below, the threat actors are breaching the database servers and using the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes to write the malicious ‘mcsql.exe’ executable to disk.

Also Read: How does Do Not Call (DNC Registry) Affect Marketing 2020

MySQL and Microsoft SQL processes writing malware files to disk
MySQL and Microsoft SQL processes writing malware files to disk
Source: AhnLab

These attacks are similar to the Microsoft SQL server attacks we reported last February, which dropped Cobalt Strike beacons using the Microsoft SQL xp_cmdshell command.

In addition to Gh0stCringe, AhnLab’s report mentions the presence of multiple malware samples on the examined servers, indicating competing threat actors are breaching the same servers to drop payloads for their own campaigns.

Gh0stCringe on the server

Gh0stCringe RAT is a powerful malware that establishes a connection with the C2 server to receive custom commands or exfiltrate stolen information to the adversaries.

The malware can be configured during deployment with specific settings concerning its functions, as detailed below:

  • Self-copy [On/Off]: If turned on, it copies itself to a certain path depending on the mode.
  • Mode of execution [Mode]: Can have values of 0, 1, and 2.
  • File size change [Size]: In Mode #2, the malware copies itself to the path ‘%ProgramFiles%\Cccogae.exe’, and if there is a set value, it adds junk data of the designated size to the back of the file.
  • Analysis disruption technique [On/Off]: Obtains the PID of its parent process and the explorer.exe process. If it results in a value of 0, terminates itself.
  • Keylogger [On/Off]: If turned on, the keylogging thread operates.
  • Rundll32 process termination [On/Off] If turned on, executes ‘taskkill /f /im rundll32.exe’ command to terminate the rundll32 process that is running.
  • Self-copy file property [Attr]: Sets property to read-only, hidden, and system (FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM).
The RAT's settings data
The RAT’s settings data (ASEC)

Of the above, the keylogger is maybe the most aggressive component as this is what steals user inputs from the compromised system.

Also Read: Free Guide For Appointing A Data Protection Officer (2020)

The keylogging component uses the Windows Polling method (GetAsyncKeyState API) for querying the state of every key through an endless loop.

This otherwise reliable logging method introduces the risk of suspiciously high CPU usage, but in poorly managed servers, this is unlikely to cause problems to the threat actors.

The malware will also monitor the keypresses for the last three minutes and send them with basic system and network information to the malware’s command and control servers.

These logged keystrokes will allow the threat actors to steal login credentials and other sensitive information that logged-in users entered on the device.

Modes and commands

CirenegRAT supports four operational modes, namely 0, 1, 2, and a special Windows 10 mode, selected by the threat actor during deployment.

The modes configure how persistence is established via the modification of the Windows registry and the activation of the self-copy module. For example, Mode #0 is running without persistence, while Mode #2 establishes persistence and considers self-copy settings.

As for the remote commands supported by the RAT, these are summed up in the following:

  • Download additional payloads from the C2 and execute them.
  • Connect to a URL via IE
  • Destroy MBR (master boot record)
  • Keylogging (independent command)
  • Steal clipboard database
  • Collect Tencent-related information
  • Update
  • Uninstall
  • Register Run Key
  • Terminate host system
  • Reboot NIC
  • Scan for running processes
  • Display message pop-up

How to secure database servers

First, update your server software to apply the latest available security updates, which helps exclude a range of attacks that leverage known vulnerabilities.

It is also essential to use a strong admin password that is hard to guess or brute-force.

The most crucial step is to place the database server behind a firewall allowing only authorized devices to access the server.

Finally, monitor all actions to identify suspicious reconnaissance activity and use a data access controller for data transaction policy inspection.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us