Posted on May 19, 2022 at 4:49 PM
Tech giant Microsoft has warned about a brute-force attack that targets poorly secured and Internet-exposed Microsoft SQL Server (MSSQL) database servers with frail passwords.
This is not the first time Microsoft SQL servers have been targeted this year. However, the company stated that this time the hackers in this campaign are taking advantage of the legitimate sqlps.exe tool as a living-off-the-land binary (LOLBin).
The Attackers Spawn sqlps.exe Utility To Maintain Persistence
Microsoft’s security intelligence team also revealed that the threat actors achieve persistence by spawning the sqlps.exe utility. After running the recon commands, the hackers alter the start mode of the SQL service to LocalSystem to gain more ground on the system.
Additionally, they are also making use of sqlps.exe to create a new account they include in the sysadmin role. This allowed them to take complete control of the SQL server, gaining access to carry out other actions such as planting payloads on the affected system.
The hackers’ use of sqlps allows them to execute PowerShell commands that would otherwise log cmdlet operations to the Windows event log. The sqlps utility also has a Microsoft SQL Server that enables easy loading of the SQL Server cmdlets as a LoLBin.
Additionally, it enables the threat actors to maintain their cover by making sure they don’t have traces left behind while security researchers are analyzing their attacks. Microsoft says the attackers are using sqlps because it’s one of the most effective ways to bypass Script Block Logging, a PowerShell tool that usually logs cmdlet operations to the Windows event log.
A similar attack on the MSSQL servers was reported earlier this year when hackers deployed CirenegRAT remote access Trojans (RATs). The previous campaign in February this year saw hackers compromising the MSSQL servers by dropping Strike beacons using Microsoft SQL xp_cmdshell commands.
The MSSQL Attack Has Been Described As Highly Potent
MSSQL has been increasingly targeted in recent times, although the servers have always been a major target for hackers for several years. In the recent campaigns, the threat actors try to steal thousands of vulnerable servers to achieve different end goals.
In one of the major attacks that lasted nearly two years, the hackers gained backdoor access to close to 3,000 servers with RATs, following brute force attacks. The hackers also deployed Voller (VDS) and Monero *XRM) crytpominers on the compromised servers.
This type of attack has been classified as highly potent and tends to be fileless. That is because they use trusted software, which makes it very difficult to be flagged by antivirus software. Also, the threat actors are very careful and usually don’t leave any artifacts behind that can trace back to them. In most cases, the attacker tries to blend in with regular administrative tasks and normal network activity, while staying hidden for a long period. Microsoft noted that the use of LOLBin shows the importance of gaining full visibility of the runtime behavior of scripts to expose malicious codes.
Microsoft SQL Servers Keep Getting Exposed
As stated earlier, the MSSQL servers have been attacked more than once this year. In February, security researchers warned that vulnerable MISSQL Servers were being targeted by hackers as part of the campaign to deploy the Cobalt Strike tool on affected hosts.
“Attacks that target MS SQL servers include attacks to the environment where its vulnerability has not been patched, South Korean cybersecurity firm ASEC warned at the time.
The Cobalt Strike penetration testing framework enables threat actors to deploy an agent on the targeted system, giving them remote access to the affected system. An already cracked version of the software has been seen actively being used by several threat actors in the wild. According to ASEC, the intrusions involved scanning port 1433 to verify the exposed MSSQL server to carry out brute force attacks. In most cases, the hackers find it easier to compromise servers on the internet. Even those not accessible over the internet are also vulnerable, but they are less likely to be exposed.
How Admins Can Defend Their Servers
Microsoft has also provided a piece of advice to help admins defend against the attacks. They have been asked not to expose the servers to the internet to prevent making them targets of attacks. They should also place the server behind a firewall and use a strong admin password that cannot be brute-forced or guessed.
Also, Microsoft has advised the admins to apply the latest security updates to minimize the chance of an attack and prevent attacks that take advantage of known vulnerabilities. Admins should also enable login to monitor for unexpected or suspicious activity or a reoccurring attempt.