{"id":778,"date":"2020-04-18T07:41:39","date_gmt":"2020-04-18T06:41:39","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=778"},"modified":"2020-04-18T07:48:11","modified_gmt":"2020-04-18T06:48:11","slug":"hackers-install-backdoor-mssql-hacking","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/hackers-install-backdoor-mssql-hacking\/","title":{"rendered":"WARNING: Hackers Install Secret Backdoor on Thousands of Microsoft SQL Servers"},"content":{"rendered":"

hackers: mssql-hacking : Cybersecurity researchers today uncovered a sustained malicious campaign dating back to May 2018 that targets<\/p>\n

Windows machines running MS-SQL servers to deploy backdoors and other kinds of malware,<\/p>\n

including multi-functional remote access tools (RATs) and cryptominers. hackers<\/p>\n

Named “Vollgar<\/b>” after the Vollar cryptocurrency it mines and its offensive “vulgar” modus operandi, : mssql-hacking: hackers<\/p>\n

researchers at\u00a0Guardicore Labs\u00a0said the attack employs password brute-force to breach Microsoft SQL servers with weak credentials exposed to the Internet.<\/p>\n

Researchers claim the attackers managed to successfully infect nearly 2,000-3,000 database servers daily over the past few weeks,<\/p>\n

with potential victims belonging to healthcare, aviation, IT & telecommunications, and higher education sectors across China, India, the US, South Korea, and Turkey.<\/p>\n

\"hackers\"<\/a><\/div>\n

Thankfully for those concerned, researchers have also\u00a0released a script\u00a0to let sysadmins detect<\/p>\n

if any of their Windows MS-SQL servers have been compromised with this particular threat.<\/p>\n

hackers:mssql-hacking : Vollgar Attack Chain: MS-SQL to System Malware<\/h4>\n

The Vollgar attack starts off with brute-force login attempts on\u00a0MS-SQL servers, which, when successful, allows<\/p>\n

the interloper to execute a number of configuration changes to run malicious MS-SQL commands and download malware binaries.<\/p>\n

“Attackers [also] validate that certain COM classes are available – WbemScripting.SWbemLocator,<\/p>\n

Microsoft.Jet.OLEDB.4.0 and Windows Script Host Object Model (wshom). :mssql-hacking<\/p>\n

These classes support both WMI scripting and command execution through MS-SQL,<\/p>\n

which will be later used to download the initial malware binary,” the researchers said.<\/p>\n

\"hackers\"<\/a><\/div>\n

Aside from ensuring that cmd.exe and ftp.exe executables have the necessary execute permissions,<\/p>\n

the operator behind Vollgar also creates new backdoor users to the MS-SQL database as well as on the operating system with elevated privileges.<\/p>\n

Upon completion of the initial setup, the attack proceeds to create downloader scripts (two VBScripts and one FTP script), hackers<\/p>\n

which are executed “a couple of times,” each time with a different target location on the local file system to avert possible failures.<\/p>\n

One of the initial payloads, named SQLAGENTIDC.exe or SQLAGENTVDC.exe, first proceeds to kill a long list of processes with<\/p>\n

the goal of securing the maximum amount of system resources as well as eliminate other threat actors’<\/p>\n

activity and remove their presence from the infected machine. :hackers<\/p>\n

Furthermore, it acts as a dropper for different RATs and an XMRig-based crypto-miner<\/p>\n

that mines Monero and an alt-coin called VDS or Vollar. :mssql-hacking<\/p>\n

Attack Infrastructure Hosted On Compromised Systems<\/h2>\n

Guardicore said attackers held their entire infrastructure on compromised machines, :mssql-hacking<\/p>\n

including its primary command-and-control server located in China, which, ironically,<\/p>\n

was found compromised by more than one attack group.<\/p>\n

“Among the files [on the C&C server] was the MS-SQL attack tool, responsible for scanning IP ranges,<\/p><\/blockquote>\n

brute-forcing the targeted database, and executing commands remotely,” the cybersecurity firm observed. :hackers<\/p><\/blockquote>\n

 <\/p>\n

“In addition, we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS),<\/p>\n

Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP.”<\/p><\/blockquote>\n

 <\/p>\n

\"hackers\"<\/a><\/div>\n

Once an infected Windows client pings the C2 server, the latter also receives a variety of details about the machine,<\/p>\n

such as its public IP, location, operating system version, computer name, and CPU model.<\/p>\n

Stating that the two C2 programs installed on the China-based server were developed by two different vendors, :mssql-hacking<\/p>\n

Guardicore said there are similarities in their remote control capabilities \u2014 namely downloading files, installing new Windows services,<\/p>\n

keylogging, screen capturing, activating the camera and microphone, and even initiating a Distributed Denial-of-Service (DDoS) attack.<\/p>\n

Use Strong Passwords to Avoid Brute-Force Attacks<\/h2>\n

With about half-a-million machines running MS-SQL database service, : mssql-hacking<\/p>\n

the campaign yet another indication that attackers going after poorly protected database servers in an attempt to siphon sensitive information.<\/p>\n

“These machines possibly store personal information such as usernames, passwords, credit card numbers, etc.,<\/p>\n

which can fall into the attacker’s hands with only a simple brute-force.”<\/p>\n

 <\/p>\n

You May Also like to read<\/p>\n

http:\/\/zerothcode.com\/blog\/wi-fi-vulnerability-affects-billion\/<\/a><\/p>\n

http:\/\/zerothcode.com\/blog\/hacking-magecart-inject-skimmers\/<\/a><\/p>\n

Have something to say about this article? Comment below or share it with us on\u00a0Facebook<\/a>,\u00a0Twitter<\/a>\u00a0or our\u00a0LinkedIn Group<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

hackers: mssql-hacking : Cybersecurity researchers today uncovered a sustained malicious campaign dating back to May 2018 that targets Windows machines<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[407,209,960,168,968,962,957,69,961,965,958,969,966,394,963,389,123,936,964,967],"class_list":["post-778","post","type-post","status-publish","format-standard","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/778","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=778"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/778\/revisions"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=778"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=778"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=778"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=778"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}