{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.",
  "feed_url": "https://feed.craftedsignal.io/products/microsoft-sql-server/feed.json",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["Remote Desktop Protocol", "Microsoft SQL Server", "SonicWall VPNs", "ScreenConnect", "TeamViewer", "Bomgar", "Chrome Remote Desktop", "AnyDesk"],
      "_cs_severities": ["high"],
      "_cs_tags": ["ransomware", "raas", "initial-access", "persistence"],
      "_cs_type": "threat",
      "_cs_vendors": ["Microsoft", "SonicWall"],
      "content_html": "\u003cp\u003eRansomware-as-a-service (RaaS) has become a prevalent model where ransomware operators manage the ransomware variant and infrastructure, while affiliates handle the intrusion, data theft, and deployment of the encryptor. This division of labor means that the ransomware family name does not reliably explain the intrusion\u0026rsquo;s origin or the actions taken by the attacker within the victim\u0026rsquo;s environment. Different affiliates employ diverse techniques for initial access, ranging from social engineering to exploiting exposed remote access services and leveraging pre-existing footholds acquired from initial access brokers (IABs). Notably, threat actors are increasingly abusing legitimate tools and pathways to blend in with normal activity. For instance, in 2025, threat actors targeted SonicWall VPNs before deploying Akira ransomware. The affiliate, and not the ransomware operator, often dictates the tradecraft, necessitating a broad defense strategy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access via RDP:\u003c/strong\u003e Threat actors gain initial access by exploiting weak or compromised Remote Desktop Protocol (RDP) credentials, enabling RDP via SMB protocol, or through Microsoft SQL Server (MSSQL).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation of Vulnerable Edge Appliances:\u003c/strong\u003e Attackers target vulnerable edge appliances, such as SonicWall VPNs, to gain network access, as observed in Akira ransomware deployments in 2025.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompromise of RMM Tools:\u003c/strong\u003e Rogue Remote Monitoring and Management (RMM) tools like ScreenConnect, TeamViewer, or Bomgar are compromised, providing a foothold in the victim\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence through New User Creation:\u003c/strong\u003e Threat actors create new user accounts on the compromised systems to ensure persistent access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Hiding:\u003c/strong\u003e Attackers hide newly created user accounts from the Welcome Screen visible via Terminal Services/RDP to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInstallation of Remote Access Tools:\u003c/strong\u003e Additional RMM tools like Chrome Remote Desktop and AnyDesk are installed post-compromise to retain remote access to the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e Threat actors attempt to evade detection by configuring Defender exclusions or employing more aggressive tactics like EDR and AV killers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Data is staged by consolidating and compressing it into encrypted archives using tools like 7-Zip before exfiltration from the compromised network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eRaaS attacks can lead to significant operational disruptions, data breaches, and financial losses for victim organizations. The exploitation of legitimate tools and pathways makes detection challenging, allowing attackers to move laterally within the network and exfiltrate sensitive data. In MSP-centric environments, a single compromised RMM instance can provide access to numerous downstream victims, as seen in the April 2026 incident involving a dental software company, impacting dozens of organizations. Successful ransomware deployment results in encrypted files, demanding ransom payments for decryption keys and potentially leading to data leaks if the ransom is not paid.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for suspicious RMM tool usage, such as \u003ccode\u003eScreenConnect.exe\u003c/code\u003e or \u003ccode\u003eTeamViewer.exe\u003c/code\u003e launching from unusual locations or with unusual command-line arguments, using the \u0026ldquo;Detect Suspicious RMM Tool Execution\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network connection monitoring to detect RDP connections originating from unexpected sources or using non-standard ports to identify potential RDP compromise (T1021.001).\u003c/li\u003e\n\u003cli\u003eEnable and review Windows Security Event Logs for Event ID 4720 (A user account was created) to detect unauthorized user account creation, a common persistence technique (T1547.001).\u003c/li\u003e\n\u003cli\u003eImplement host-based intrusion detection systems (HIDS) to detect unusual file compression activity using \u003ccode\u003e7-Zip\u003c/code\u003e, indicative of data staging for exfiltration.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-05-20T20:54:02Z",
      "date_published": "2026-05-20T20:54:02Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-05-raas-ecosystem/",
      "summary": "Ransomware-as-a-service (RaaS) attacks leverage affiliates for initial access, persistence, and exfiltration, using varied techniques like compromised RDP, vulnerable VPNs, and rogue RMM tools, impacting multiple organizations in a single campaign.",
      "title": "Ransomware-as-a-Service (RaaS) Ecosystem: Affiliate Tradecraft and Initial Access Vectors",
      "url": "https://feed.craftedsignal.io/briefs/2026-05-raas-ecosystem/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Microsoft SQL Server",
  "version": "https://jsonfeed.org/version/1.1"
}