In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and Babuk ransomware.

While other reports point to malware downloads as initial access, in this report the threat actors gained access via an MSSQL brute force attack. They then leveraged Cobalt Strike and Tor2Mine to perform post-exploitation activities. Within one hour of the threat actors accessing the network, they deployed BlueSky ransomware network wide.
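The initial access described above, a password brute force against an internet-exposed MSSQL instance, leaves a very recognisable trail in the SQL Server ERRORLOG: a run of "Login failed for user ..." lines (error 18456) from one client address, often cycling through several account names, and, if the attack worked, a "Login succeeded" line from that same address shortly afterwards. The following detector is an added example written for this post; it is not code from the DFIR Report or from the sysadmin community. The log lines it parses are constructed to mimic the standard ERRORLOG format, the IP addresses, users and threshold are assumptions, and a production version would read the live ERRORLOG (or the Windows Application log) rather than an embedded string.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not taken from the report): one external
# address hammering the instance, one internal address with a single mistyped
# password, then a successful 'sa' login from the noisy address.
SAMPLE_ERRORLOG = """\
2022-12-01 10:00:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2022-12-01 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-12-01 10:00:02.10 Logon       Error: 18456, Severity: 14, State: 8.
2022-12-01 10:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-12-01 10:00:03.44 Logon       Error: 18456, Severity: 14, State: 5.
2022-12-01 10:00:03.44 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2022-12-01 10:00:04.02 Logon       Error: 18456, Severity: 14, State: 8.
2022-12-01 10:00:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-12-01 10:00:05.71 Logon       Error: 18456, Severity: 14, State: 5.
2022-12-01 10:00:05.71 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2022-12-01 10:00:06.30 Logon       Error: 18456, Severity: 14, State: 8.
2022-12-01 10:00:06.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-12-01 10:00:09.80 Logon       Error: 18456, Severity: 14, State: 8.
2022-12-01 10:00:09.80 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.42]
2022-12-01 10:00:10.01 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
"""

# Matches the "Login failed/succeeded ... [CLIENT: x]" lines. The preceding
# "Error: 18456" line carries no client address, so it is deliberately skipped.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'\..*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_logon_events(errorlog_text):
    """Return (timestamp, outcome, user, client_ip) tuples in log order."""
    events = []
    for line in errorlog_text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["outcome"], m["user"], m["client"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag any client with >= `threshold` failed logins inside a sliding
    `window`. For a flagged client, keep counting failures, collect the account
    names tried, and record the first successful login seen afterwards, since
    "burst of failures, then a success" is the signature of a brute force that
    worked and should be triaged as a likely compromise, not just noise."""
    recent = defaultdict(deque)      # client -> timestamps of failures in window
    users_tried = defaultdict(set)   # client -> account names attempted
    alerts = {}
    for ts, outcome, user, client in events:
        if outcome == "failed":
            users_tried[client].add(user)
            if client in alerts:
                alerts[client]["failures"] += 1
                alerts[client]["users"].add(user)
                continue
            q = recent[client]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than window
                q.popleft()
            if len(q) >= threshold:
                alerts[client] = {
                    "first_seen": q[0],
                    "failures": len(q),
                    "users": set(users_tried[client]),
                    "success_after": None,
                }
        elif client in alerts and alerts[client]["success_after"] is None:
            alerts[client]["success_after"] = (ts, user)
    return alerts


if __name__ == "__main__":
    for client, info in detect_bruteforce(parse_logon_events(SAMPLE_ERRORLOG)).items():
        verdict = "LIKELY COMPROMISED" if info["success_after"] else "brute force in progress"
        print(f"{client}: {info['failures']} failures, users={sorted(info['users'])}, "
              f"success_after={info['success_after']} -> {verdict}")
```

On the constructed sample the internal address with one failure is ignored, while 203.0.113.5 is flagged after its fifth failure and escalated when the later successful 'sa' login from the same address is seen. Tuning the threshold and window against a baseline of normal application reconnects matters: the report notes ransomware deployment within an hour of access, so the alert has to fire on the burst itself rather than on a daily roll-up.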


Sysadmin

!sysadmin@kbin.social
