Network Security, Cloud Security

MySQL servers under botnet attack, report

Threat actors are using the Ddostf malware botnet to enslave MySQL servers and rent them out to cyber criminals as a DDoS-as-a-Service platform, BleepingComputer reports. The AhnLab Security Emergency Response Center (ASEC) researchers who discovered the campaign said the perpetrators gain access either by brute-forcing weak administrator account credentials or by exploiting unpatched flaws in MySQL environments. On Windows MySQL servers, they also upload and register user-defined functions (UDFs) to execute commands. These attacker-created UDFs carry malicious capabilities such as downloading payloads, including the Ddostf bot, from a remote server, executing arbitrary system-level commands, and saving the command output to a file that is sent to the attackers. UDF abuse also opens the door to other malicious activity, such as installing additional malware, exfiltrating data, and creating backdoors for persistent access. According to ASEC, Ddostf has been in use in the wild for approximately seven years; threat actors favor it for its resistance to takedowns, since it can connect to new C2 addresses.
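The two intrusion steps described above, credential brute-forcing and registration of a malicious UDF, both leave traces a defender can look for. The script below is an added example written for this page; it is not code from the article or from ASEC's report. It runs three checks over constructed sample data: counting "Access denied" events per source host in the error log, spotting `CREATE FUNCTION ... SONAME` statements in the general query log, and comparing a snapshot of `mysql.func` against an approved set. The log line layouts approximate the MySQL 8.0 error log and general query log, the failure threshold of 5, and the names `cmd_runner`, `udf_helper.dll` and `udf_example` are all assumptions made for the example.

```python
"""Defender-side triage for the two MySQL intrusion steps the article describes:
credential brute-forcing and registration of malicious user-defined functions
(UDFs). All log lines and inventory rows below are CONSTRUCTED samples; the
line layouts approximate the MySQL 8.0 error log and general query log and are
assumptions, not output copied from any real server."""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample of a MySQL error log: one source host fails repeatedly
# against administrator accounts, another host fails once.
ERROR_LOG = """\
2023-11-20T10:14:51.000000Z 118 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-20T10:14:52.000000Z 119 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-20T10:14:53.000000Z 120 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-20T10:14:54.000000Z 121 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2023-11-20T10:14:55.000000Z 122 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-20T10:14:56.000000Z 123 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-20T10:16:00.000000Z 130 [Note] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.7' (using password: YES)
"""

# Constructed sample of the general query log (requires general_log=ON):
# a session that registers a UDF backed by a DLL, as on a Windows host.
GENERAL_LOG = """\
2023-11-20T10:15:01.000000Z\t  124 Connect\troot@203.0.113.5 on  using TCP/IP
2023-11-20T10:15:02.000000Z\t  124 Query\tSHOW VARIABLES LIKE 'version'
2023-11-20T10:15:04.000000Z\t  124 Query\tCREATE FUNCTION cmd_runner RETURNS STRING SONAME 'udf_helper.dll'
2023-11-20T10:15:06.000000Z\t  124 Query\tSELECT 1
"""

DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")
# Matches the documented MySQL syntax:
# CREATE [AGGREGATE] FUNCTION [IF NOT EXISTS] name RETURNS type SONAME 'lib'
CREATE_UDF_RE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?:IF\s+NOT\s+EXISTS\s+)?"
    r"`?(?P<name>\w+)`?\s+RETURNS\s+(?:STRING|INTEGER|INT|REAL|DECIMAL)\s+"
    r"SONAME\s+'(?P<lib>[^']+)'",
    re.IGNORECASE,
)


def failed_logins_by_host(error_log: str) -> Dict[str, int]:
    """Count 'Access denied' events per source host, whichever user was tried."""
    counts: Counter = Counter()
    for line in error_log.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def bruteforce_suspects(error_log: str, threshold: int = 5) -> List[str]:
    """Hosts whose failure count reaches the threshold (5 is an assumed value)."""
    return sorted(h for h, n in failed_logins_by_host(error_log).items() if n >= threshold)


def udf_registrations(general_log: str) -> List[Tuple[str, str]]:
    """(function_name, library) for every CREATE FUNCTION ... SONAME statement."""
    found = []
    for line in general_log.splitlines():
        m = CREATE_UDF_RE.search(line)
        if m:
            found.append((m.group("name"), m.group("lib")))
    return found


def audit_udf_inventory(rows: List[Tuple[str, str]],
                        allowlist: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Rows of `SELECT name, dl FROM mysql.func` that are not in the approved set.
    The check pairs name AND library: a familiar name bound to an unexpected
    library is as suspicious as an unknown name."""
    return [row for row in rows if row not in allowlist]


# Constructed snapshot of mysql.func and an assumed approved set.
FUNC_ROWS = [("cmd_runner", "udf_helper.dll"), ("udf_example", "udf_example.dll")]
APPROVED_UDFS = {("udf_example", "udf_example.dll")}

if __name__ == "__main__":
    print("brute-force suspects:", bruteforce_suspects(ERROR_LOG))
    print("UDF registrations seen:", udf_registrations(GENERAL_LOG))
    print("unapproved UDFs in mysql.func:", audit_udf_inventory(FUNC_ROWS, APPROVED_UDFS))
```

The `mysql.func` audit is the cheapest check to schedule, because it needs no extra logging and a UDF must stay registered there to remain callable; the general-log check only works where the general log or an audit plugin records statements. Since MySQL only loads UDF libraries from `plugin_dir`, a file-integrity baseline of that directory complements the inventory check.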
