New campaign to hack MS-SQL servers uncovered

Opinion by Rene Millman

Around 3,000 systems are being infected daily by a newly discovered campaign that plants data-stealing malware and Monero cryptomining code on Microsoft SQL servers.

A newly discovered campaign to infect Microsoft SQL servers with data-stealing malware and Monero cryptomining code is believed to have started as far back as 2018.

According to security researchers at Guardicore Labs, the campaign, called “Vollgar,” saw hackers use brute-force password attacks to breach MS-SQL hosts.

Hackers then deployed multiple backdoors and executed numerous malicious modules, such as multifunctional remote access tools (RATs) and cryptominers. Researchers said that the victims belonged to various industry sectors, including healthcare, aviation, IT & telecommunications and higher education.

Researchers added that the MS-SQL servers exposed to the internet had weak credentials, which might explain how the campaign has managed to infect around 3,000 machines daily.

Researchers traced the campaign back to over 120 IP addresses, the vast majority of which are in China. 

“These are most likely compromised machines, repurposed to scan and infect new victims. While some of them were short-lived and responsible for only several incidents, a couple of source IPs were active for over three months,” said researchers in a blog post.

Analysis of log files found that, with regard to infection period, the majority (60 percent) of infected machines remained infected for only a short time. Researchers also noted that almost one in five of all breached servers remained infected for more than a week, and even longer than two weeks.

“This proves how successful the attack is in hiding its tracks and bypassing mitigations such as antiviruses and EDR products. Alternatively, it is very likely that those do not exist on servers in the first place,” said researchers.

It was also found that 10 percent of the victims were reinfected by the malware: the system administrator may have removed the malware, only to be hit by it again.

Michael Barragry, operations lead at edgescan, told SC Media UK that there is no excuse for leaving any database service completely exposed on the public internet.

“There should be at least a firewall or IP-restriction in place to limit connection attempts to known and trusted sources,” he said.

“These services may have been accidentally exposed due to human error, or simply forgotten about during a test deployment. While it can be difficult to keep tabs on what ports and services are exposed to the internet, there are a number of tools and services that can be used to assist here, such as regular nmap sweeps. Knowing your external infrastructure is an integral part of security and it's a growing problem, especially for large enterprises that have perhaps acquired several smaller businesses and inherited their infrastructure.”

Chris Bates, VP for security strategy at SentinelOne, told SC Media UK that the increase in RAT activity means there is both a requirement to stop attacks dead at the initial stage, and “to have visibility over your entire network to detect any threats that might have escaped your first layer of security. Implementing firewall control and network traffic policies can help you monitor and block unwanted connections and ports that will help thwart attackers”.
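The article describes two things a defender can act on: the brute-force password attempts against exposed MS-SQL logins, and the advice to restrict connections to known, trusted sources and keep visibility over what reaches the server. The script below is an added example, not code from the article, from Guardicore or from the quoted vendors. It parses failed and successful login lines in the style of a SQL Server ERRORLOG (the sample lines, IP addresses, user names and the trusted-network allowlist are constructed for the example), flags sources that fail repeatedly inside a short window, raises the highest-priority alert when such a source later logs in successfully (a weak password has probably been guessed), and lists any connection attempt from outside the allowlist, which shows that an intended IP restriction is not actually in effect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of a SQL Server ERRORLOG; not real log data.
# 203.0.113.7 hammers 'sa' and then gets in; 10.0.5.20 is an internal service with one typo.
SAMPLE_LOG = """\
2020-04-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:00:01.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:00:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:00:02.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:00:03.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:00:09.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2020-04-01 10:05:00.00 Logon       Login failed for user 'backup_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.5.20]
2020-04-01 10:05:30.00 Logon       Login succeeded for user 'backup_svc'. Connection made using SQL Server authentication. [CLIENT: 10.0.5.20]
2020-04-01 11:00:00.00 Logon       Login succeeded for user 'reporting'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.9]
"""

# Constructed allowlist (assumption): the internal network plus one partner range.
TRUSTED_CIDRS = ["10.0.0.0/8", "198.51.100.0/24"]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_log(text):
    """Turn ERRORLOG-style login lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: first_failure_ts} for sources with >= threshold failures inside `window`.
    A sliding window over each source's sorted failure times keeps this linear per source."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failed":
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = times[start]
                break
    return flagged


def find_successful_guesses(events, bruteforce_sources):
    """Successful logins from a source already flagged for brute forcing, at or after the
    burst began: the alert to act on first, since a weak password was probably guessed."""
    return [(e["ip"], e["user"], e["ts"]) for e in events
            if e["result"] == "succeeded"
            and e["ip"] in bruteforce_sources
            and e["ts"] >= bruteforce_sources[e["ip"]]]


def find_untrusted_sources(events, trusted_cidrs):
    """Every source outside the allowlist that reached the login stage at all.
    If this list is non-empty, the firewall or IP restriction is not doing its job."""
    nets = [ip_network(c) for c in trusted_cidrs]
    untrusted = set()
    for e in events:
        addr = ip_address(e["ip"])
        if not any(addr in n for n in nets):
            untrusted.add(e["ip"])
    return sorted(untrusted)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    brute = find_bruteforce_sources(events)
    print("brute-force sources:", brute)
    print("successful logins from those sources:", find_successful_guesses(events, brute))
    print("attempts from outside the allowlist:", find_untrusted_sources(events, TRUSTED_CIDRS))
```

The threshold and window are deliberately conservative so that a service account with one mistyped password (10.0.5.20 above) is not flagged; tune them to the login volume of the server in question. The allowlist check is the cheaper half of the advice quoted above: a correctly configured firewall or IP restriction means no unknown source ever appears in these logs, so any entry in that list is a configuration finding as much as a threat indicator.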
