Brute-Force Hacking Campaign Targets Microsoft SQL Servers

April 02, 2020 - Hackers are brute-force attacking vulnerable Microsoft SQL (MSSQL) servers to deploy backdoors that install crytominers and remote access trojans (RATs), racking up thousands of servers each day, including those in the US health sector, according to new research from Guardicore Labs.

The attack method is not new, having first been spotted in the wild in May 2018. Researchers have dubbed the campaign Vollgar, due to its installation of the Vollar cryptocurrency it mines on victim machines and its “offensive, vulgar behavior.”

Guardicore’s Global Sensors Network (GGSN), a network of high-interaction honeypots, have tracked the campaign over the course of two years and found the attack flow has remained constant: well-planned, thorough, and noisy. The attack peaked again in December, which prompted researchers to more closely monitor the attacks to determine the impact.

The hacking campaign targets MS-SQL servers exposed to the internet that are secured with weak credentials. Guardicore explained that the campaign continues to infect about 2,000 to 3,000 database machines each day in a range of sectors.

Hackers begin by targeting MS-SQL with brute force login attempts. Guardicore explained that once an attacker gains access to the victims’ servers, they perform a series of configuration changes to the database to allow for future command execution.

READ MORE: Microsoft Shares Health Sector COVID-19 Ransomware Insights

After changing those settings, the hacker will perform a series of actions to “make the system as out-of-the-box as possible,” such as validating certain COM classes are available to support both WMI scripting and command execution through MS-SQL that are later used to download the first malware binary.

“Planning ahead, the attacker sets multiple backdoor users on the machine – both in the MS-SQL database context and in that of the operating system. In both cases, the users are added to the administrators group to ‘arm’ them with elevated privileges,” researchers explained.

“The Vollgar attack chain demonstrates the competitive nature of the attacker, who diligently and thoroughly kills other threat actors’ processes,” researchers wrote. “Being the only attacker on a machine is powerful – your malware gets the most resources, such as bandwidth and CPU power, and access is valid only through your backdoors.”

The hackers put in serious effort to both eliminate other threat actors’ activity and remove traces of them from the victims’ machines. The hackers also remove many values from the Image File Execution Options, typically used to attach a certain process like a debugger to other executables.

They also exploit this functionality in order to install malicious processes and system executables. And “by deleting these values, Vollgar ensures that no other malware is attached to legitimate processes, such as cmd.exe, ftp.exe, net.exe and Windows scripting hosts such as wscript.exe and cscript.exe.”

READ MORE: FBI Again Alerts to Kwampirs Malware Supply Chain Cyberattacks

Next, the attackers will write three separate downloader scripts – two VBScripts downloading over HTTP and one FTP script, an effort researchers said is designed to prepare for possible failures – “unusual among other attack groups, who often look for the fastest route to their goal.”

The campaign originated from more than 120 IP addresses, primarily from China.

“These are most likely compromised machines, repurposed to scan and infect new victims,” researchers explained. “While some of them were short-lived and responsible for only several incidents, a couple of source IPs were active for over three months, attacking the GGSN dozens of times.”

“By analyzing the attacker’s log files, we were able to obtain information on the compromised machines,” they continued. “With regards to infection period, the majority (60 percent) of infected machines remained such for only a short period of time. However, almost 20 percent of all breached servers remained infected for more than a week and even longer than two weeks.”

The data shows the success of the attack in hiding its presence and bypassing mitigations, including antivirus and endpoint detection tools. Researchers also mused that it could also be likely these victim servers aren't using these security tools in the first place.

READ MORE: COVID-19 Cyber Threats: Hackers Target DNS Routers, Remote Work

Further, 10 percent of these victims we re-infected by malware, where a system administrator potentially removed the initial malware and then was hit with another malicious infection. Researches explained this element has been seen in previous analyses, and “suggests that malware removal is often done in a partial manner, without an in-depth investigation into the root cause of the infection.”

Lastly, Guardicore noted the Vollgar infrastructure is based on abused domain names and shell companies and is used by the hackers to host malicious payloads and operate the campaign’s command-and-control bases.

“The attacker freely uses internet services which are ripe for abuse; the domain vollar.ga uses the .ga top-level domain (TLD), which can be registered for free,” researchers wrote. “Like many other free TLDs, .ga is wildly abused by malware providers.”

To mitigate the threat, researchers stressed that the threat actors are targeting internet-facing Windows machines. Guardicore has created an open source Powershell script to detect Vollgar’s tracks and indicators of compromise.

Further, IT teams should ensure database servers aren’t exposed to the internet, while establishing accessibility to specific machines within the enterprise using segmentation and whitelist access policies. Guardicore also recommended enabling logging in, which will allow for monitoring and alerts on suspicious, unexpected or recurring login attempts.

Lastly, outgoing communications to such destinations must be blocked. If an infection is detected, it should be immediately quarantined to prevent it from accessing other network assets. As always, strong credentials should be employed to prevent re-infection and other brute-force attacks.

“There are a vast number of attacks targeting MS-SQL servers. However, there are only about half-a-million machines running this database service,” researchers explained. “This relatively small number of potential victims triggers an inter-group competition over control and resources: these virtual fights can be seen in many of the recent mass-scale attacks.”

“Unfortunately, oblivious or negligent registrars and hosting companies are part of the problem, as they allow attackers to use IP addresses and domain names to host whole infrastructures,” they concluded. “If these providers continue to look the other way, mass-scale attacks will continue to prosper and operate under the radar for long periods of time.”