16th May 2024
Latest:

ZEROTHCODE

zerothcode blog

Hackers News

WARNING: Hackers Install Secret Backdoor on Thousands of Microsoft SQL Servers

Jaivik Patel

hackers: mssql-hacking : Cybersecurity researchers today uncovered a sustained malicious campaign dating back to May 2018 that targets

Windows machines running MS-SQL servers to deploy backdoors and other kinds of malware,

including multi-functional remote access tools (RATs) and cryptominers. hackers

Named “Vollgar” after the Vollar cryptocurrency it mines and its offensive “vulgar” modus operandi, : mssql-hacking: hackers

researchers at Guardicore Labs said the attack employs password brute-force to breach Microsoft SQL servers with weak credentials exposed to the Internet.

Researchers claim the attackers managed to successfully infect nearly 2,000-3,000 database servers daily over the past few weeks,

with potential victims belonging to healthcare, aviation, IT & telecommunications, and higher education sectors across China, India, the US, South Korea, and Turkey.

hackers

Thankfully for those concerned, researchers have also released a script to let sysadmins detect

if any of their Windows MS-SQL servers have been compromised with this particular threat.

hackers:mssql-hacking : Vollgar Attack Chain: MS-SQL to System Malware

The Vollgar attack starts off with brute-force login attempts on MS-SQL servers, which, when successful, allows

the interloper to execute a number of configuration changes to run malicious MS-SQL commands and download malware binaries.

“Attackers [also] validate that certain COM classes are available – WbemScripting.SWbemLocator,

Microsoft.Jet.OLEDB.4.0 and Windows Script Host Object Model (wshom). :mssql-hacking

These classes support both WMI scripting and command execution through MS-SQL,

which will be later used to download the initial malware binary,” the researchers said.

hackers

Aside from ensuring that cmd.exe and ftp.exe executables have the necessary execute permissions,

the operator behind Vollgar also creates new backdoor users to the MS-SQL database as well as on the operating system with elevated privileges.

Upon completion of the initial setup, the attack proceeds to create downloader scripts (two VBScripts and one FTP script), hackers

which are executed “a couple of times,” each time with a different target location on the local file system to avert possible failures.

One of the initial payloads, named SQLAGENTIDC.exe or SQLAGENTVDC.exe, first proceeds to kill a long list of processes with

the goal of securing the maximum amount of system resources as well as eliminate other threat actors’

activity and remove their presence from the infected machine. :hackers

Furthermore, it acts as a dropper for different RATs and an XMRig-based crypto-miner

that mines Monero and an alt-coin called VDS or Vollar. :mssql-hacking

Attack Infrastructure Hosted On Compromised Systems

Guardicore said attackers held their entire infrastructure on compromised machines, :mssql-hacking

including its primary command-and-control server located in China, which, ironically,

was found compromised by more than one attack group.

“Among the files [on the C&C server] was the MS-SQL attack tool, responsible for scanning IP ranges,

brute-forcing the targeted database, and executing commands remotely,” the cybersecurity firm observed. :hackers

 

“In addition, we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS),

Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP.”

 

hackers

Once an infected Windows client pings the C2 server, the latter also receives a variety of details about the machine,

such as its public IP, location, operating system version, computer name, and CPU model.

Stating that the two C2 programs installed on the China-based server were developed by two different vendors, :mssql-hacking

Guardicore said there are similarities in their remote control capabilities — namely downloading files, installing new Windows services,

keylogging, screen capturing, activating the camera and microphone, and even initiating a Distributed Denial-of-Service (DDoS) attack.

Use Strong Passwords to Avoid Brute-Force Attacks

With about half-a-million machines running MS-SQL database service, : mssql-hacking

the campaign yet another indication that attackers going after poorly protected database servers in an attempt to siphon sensitive information.

“These machines possibly store personal information such as usernames, passwords, credit card numbers, etc.,

which can fall into the attacker’s hands with only a simple brute-force.”

 

You May Also like to read

http://zerothcode.com/blog/wi-fi-vulnerability-affects-billion/

http://zerothcode.com/blog/hacking-magecart-inject-skimmers/

Have something to say about this article? Comment below or share it with us on FacebookTwitter or our LinkedIn Group.

You May Also Like

QLKM Virus (.qlkm File) Ransomware — ✅Remove & Decrypt Files

Jaivik Patel
delegated-credentials-for-tls-website-security

Explained: How New ‘Delegated Credentials’ Boosts TLS Protocol Security

Jaivik Patel

Just An SMS Could Let Remote Attackers Access All Your Emails, Experts Warn

Jaivik Patel