
New Wave of Brute-Force Attacks Target SQL Servers - Microsoft Warns

Microsoft has warned of brute-force attacks that target weak passwords on poorly secured, Internet-exposed Microsoft SQL Server (MSSQL) database servers.

The brute-force attacks

  • The attackers behind this campaign are abusing the legitimate sqlps[.]exe utility as a Living-Off-the-Land Binary (LOLBin).
  • They use sqlps[.]exe (a PowerShell wrapper for running SQL Server cmdlets) to execute reconnaissance commands and to change the start mode of the SQL service to LocalSystem.
  • The attackers then use sqlps[.]exe to create a new account and add it to the sysadmin role, giving them full control of the SQL server.

sqlps used to avoid detection

Using sqlps helps the attackers leave few traces for analysts to find.
  • The sqlps utility ships with Microsoft SQL Server and loads the SQL Server cmdlets, so it can be abused as a LOLBin to run PowerShell commands without dropping a file to disk, giving the attackers fileless persistence.
  • Moreover, running commands through sqlps bypasses Script Block Logging, the PowerShell feature that records cmdlet activity in the Windows event log, which further reduces the chance of detection.

Recent attacks

Such attacks on SQL Server are not new.
  • In the Kingminer botnet attack, attackers leveraged an SQL exploit to create an obfuscated PowerShell command.
  • In March, multiple attacks compromised MSSQL servers to deploy Gh0stCringe (aka CirenegRAT) malware.
  • In February, attackers compromised MSSQL servers to drop Cobalt Strike beacons with SQL xp_cmdshell command.

Protection

To protect MSSQL servers, admins are advised not to expose their servers to the internet, to use a strong admin password, and to place the server behind a firewall. It is also recommended to monitor for suspicious or unknown activity and for repeated login attempts.
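As an added example (not from the Cyware article or from Microsoft), the following Python implements the "repeated login attempts" monitoring recommended above: it reads the "Login failed for user" lines that SQL Server writes to its ERRORLOG (these carry the client address), counts failures per client in a sliding window, and flags clients that hit a threshold; the sample log lines, the threshold of 5 and the 1-minute window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample of SQL Server ERRORLOG lines (not a real capture).
SAMPLE_ERRORLOG = """\
2022-05-18 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2022-05-18 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 10:00:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 10:00:03.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 10:00:05.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 10:00:06.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 10:00:07.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2022-05-18 10:30:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 11:00:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.9]
2022-05-18 11:00:01.00 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.9]
2022-05-18 11:00:02.00 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.9]
2022-05-18 11:00:03.00 Logon       Login failed for user 'test'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.9]
2022-05-18 11:00:04.00 Logon       Login failed for user 'dev'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.9]
"""

# The failed-login line as ERRORLOG writes it; the "Error: 18456" line before it has no client address and is skipped.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logins(lines):
    """Yield (timestamp, user, client_ip) for each failed-login line; other lines are ignored."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("client")

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client: (peak_failures, distinct_users)} for clients reaching `threshold` failures inside `window`; distinct_users > 1 hints at password spraying."""
    recent = defaultdict(deque)  # client -> deque of (ts, user) still inside the window
    alerts = {}
    for ts, user, client in parse_failed_logins(lines):
        q = recent[client]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hit = (len(q), len({u for _, u in q}))
            alerts[client] = max(alerts.get(client, (0, 0)), hit)
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_ERRORLOG.splitlines()))
```

The lone failure from 198.51.100.7 and the isolated retry from 203.0.113.5 half an hour later are not flagged, while the 192.0.2.9 burst is reported with five distinct user names.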
Cyware Publisher
