Microsoft has warned of brute-force attacks that use weak passwords against Internet-exposed and poorly protected Microsoft SQL Server (MSSQL) database servers. MSSQL servers have been attacked before, but Redmond says the threat actors behind this campaign are abusing the legitimate sqlps.exe utility as a LOLBin (short for living-off-the-land binary).
“The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem,” revealed the Microsoft Security Intelligence team. “The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, enabling them to take full control of the SQL server. They then gain the ability to perform other actions, including deploying payloads like coin miners.”
By using sqlps, a utility shipped with Microsoft SQL Server that loads the SQL Server cmdlets, as a LOLBin, attackers can run PowerShell commands with less risk of defenders noticing their activity. Because sqlps is an effective way to evade Script Block Logging, the PowerShell feature that would otherwise record cmdlet activity in the Windows event log, it also helps the attackers avoid leaving traces for anyone later investigating the intrusion.
In March, similar attacks on MSSQL servers were detected delivering Gh0stCringe (aka CirenegRAT) remote access trojans (RATs). In an earlier campaign in February, threat actors used the Microsoft SQL xp_cmdshell command to compromise MSSQL servers and distribute Cobalt Strike beacons. In fact, MSSQL servers have been targeted for years in large-scale operations in which hostile actors try to take over thousands of vulnerable servers every day for a variety of purposes.
In one such string of attacks, dubbed Vollgar, which ran for more than two years, threat actors brute-forced publicly exposed servers and backdoored roughly 2,000 to 3,000 of them with RATs in order to deploy Monero (XMR) and Vollar (VDS) cryptominers.
To protect MSSQL servers from these attacks, administrators should not expose them to the Internet. They should also:
- Put the server behind a firewall and use a strong admin password that can’t be readily guessed or brute-forced.
- Enable logging to monitor for suspicious or unusual activity and repeated login attempts.
- Apply the most recent security updates to reduce the attack surface and prevent attacks that leverage known vulnerabilities.