Attack campaign hits thousands of Microsoft SQL servers for two years
- 02 April, 2020 07:47
In December, security researchers noticed an uptick in brute-force attacks against publicly exposed Microsoft SQL servers.
It turns out the attacks go as far back as May 2018 and infect on average a couple thousand database servers every day with remote access Trojans (RATs) and cryptominers.
Researchers from Guardicore Labs have dubbed the ongoing campaign Vollgar and traced it back to China. The scans and attacks originate from Chinese IP addresses -- likely associated with infected and hijacked machines -- and the command-and-control (C&C) servers are also hosted in China and uses Chinese language for their web-based management interfaces.
The infected MS SQL servers belong to organisations from various sectors, including healthcare, aviation, IT, telecommunications and education, with many located in China, India, US, South Korea and Turkey.
"With regards to infection period, the majority (60 per cent) of infected machines remained such for only a short period of time," the researchers said in a report released today.
"However, almost 20 per cent of all breached servers remained infected for more than a week and even longer than two weeks. This proves how successful the attack is in hiding its tracks and bypassing mitigations such as anti-viruses and EDR products. Alternatively, it is very likely that those do not exist on servers in the first place."
Infection and reinfection
Guardicore has seen an infection rate of between 2,000 to 3,000 machines daily, which is significant given that there are only around half-a-million MS-SQL servers on the internet -- a small number compared to other types of database servers.
What's even more surprising is that 10 per cent of systems become reinfected, which suggests administrators tried to clean the malware but missed some components or failed to change the weak credentials that led to the compromise in the first place.
The infections resulting from this campaign are thorough and have multiple components. The attackers are also aggressive in removing malware belonging to other competitors from the machines.
Once they gain access to a database server, attackers make configuration changes to enable WMI scripting and command execution through MS-SQL, features that might have been disabled by the administrator. They also ensure that cmd.exe, ftp.exe and other important binaries are executable and they proceed to add backdoor administrative accounts to both the database and the operating system.
The infection process involves clearing several registry keys that could be used by pre-existing malware to start automatically on system reboot or to attach itself to legitimate executables.
The deployed payloads, named SQLAGENTIDC.exe or SQLAGENTVDC.exe, also scan the running processes for known malware and kill it. They then download multiple remote access modules and a cryptocurrency mining program based on XMRig.
The remote access modules contact the command-and-control domain on different ports, including 22251, 9383 and 3213. The researchers believe this is done for redundancy purposes in case one of the servers that make up the malware's infrastructure goes down.
"We found two C&C platforms used by the attacker," the researchers said. "These two platforms were developed by different vendors, but offer a similar variety of remote control capabilities to the attacker who controls them: downloading files, installing new Windows services, key-logging, screen capturing, running an interactive shell terminal, activating the camera and the microphone, initiating a DDoS attack, and more."
The cryptomining component uses the server's CPU resources to mine for Monero and another cryptocoin named VDS, or Vollar -- hence the name of the campaign. The CNC domain also uses the coin's name under a free TLD.
Mitigation for the Vollgar attack
Organisations should always assess whether their database servers -- or any servers -- really need to be exposed directly to the internet. If that can't be avoided, they should be protected with access control lists and strong access credentials that cannot be easily guessed. Enabling brute-force protection through rate limiting for failed authentication attempts is also recommended.
Guardicore Labs has published the indicators of compromise associated with this campaign on GitHub, as well as a PowerShell script that can be used to thoroughly scan a system for artefacts of a Vollgar infection.
The primary goal of this attack seems to be cryptocurrency mining, a method of abusing enterprise servers that has been increasingly popular and profitable over the past few years, but attackers also have the capability to do much more through the deployed RAT modules.
"What makes these database servers appealing for attackers apart from their valuable CPU power is the huge amount of data they hold," the researchers said. "These machines possibly store personal information such as usernames, passwords, credit card numbers, etc., which can fall into the attacker’s hands with only a simple brute-force."