A newly discovered campaign that infects Microsoft SQL servers with data-stealing malware and Monero crypto-mining code is claimed to be infecting around 3,000 systems daily.
The newly discovered campaign to infect Microsoft SQL servers with data-stealing malware and Monero crypto mining code is believed to have started as far back as 2018.
Security researchers at Guardicore Labs outlined that the campaign, called “Vollgar,” saw hackers use ‘brute force’ password techniques to penetrate MS-SQL hosts.
Hackers then deployed multiple backdoors and executed numerous malicious modules, such as multi-functional remote access tools (RATs) and crypto miners. Researchers said that the victims belonged to various industry sectors, including healthcare, aviation, IT & telecommunications and higher education.
Researchers further added that the MS-SQL servers exposed to the internet had weak credentials, which might explain how this campaign has managed to infect around 3,000 machines daily.
Researchers traced the campaign back to over 120 IP addresses, the vast majority of which are in China.
“These are most likely compromised machines, repurposed to scan and infect new victims. While some of them were short-lived and responsible for only several incidents, a couple of source IPs were active for over three months,” added researchers.
Analysis of log files found that, with regard to infection period, the majority (60 percent) of infected machines remained infected for only a short period of time. It was also noted that almost one in five of all breached servers remained infected for more than a week and even longer than two weeks.
“This proves how successful the attack is in hiding its tracks and bypassing mitigations such as antiviruses and EDR products. Alternatively, it is very likely that those do not exist on servers in the first place,” it was claimed.
It was also found that 10 percent of the victims were re-infected by the malware; the system administrator may have removed the malware, and then got hit by it again.
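The brute-force entry the researchers describe leaves a trace on the server itself: with failed-login auditing enabled (the SQL Server default), every rejected attempt is written to the ERRORLOG as error 18456 with the client address. The script below is an added example, not part of the article or of Guardicore's research; it parses such lines and flags source addresses that rack up many failures in a short window. The log lines are constructed sample input, and the five-failures-per-minute threshold is an assumption to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG format (not taken from the article).
# 203.0.113.5 hammers 'sa' and 'admin' within two seconds; 192.168.1.20 is a single typo.
SAMPLE_LOG = """\
2020-04-01 10:00:01.20 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-01 10:00:01.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 10:00:01.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 10:00:01.70 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2020-04-01 10:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 10:00:02.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 10:03:00.00 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.20]
2020-04-01 10:04:00.00 Logon       Login succeeded for user 'app'. Connection made using SQL Server authentication. [CLIENT: 192.168.1.20]
"""

# Only the "Login failed" detail line carries the user and client IP; the
# preceding "Error: 18456" line and successful logins are deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, client_ip) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def find_bruteforce_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: (peak_failures_in_window, users_tried)} for IPs that reach
    `threshold` failures inside any sliding `window` (assumed values)."""
    events = defaultdict(list)
    for ts, user, ip in parse_failed_logins(text):
        events[ip].append((ts, user))
    flagged = {}
    for ip, items in events.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1          # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = (best, sorted({u for _, u in items}))
    return flagged
```

An address that trips the threshold is a candidate for the firewall or IP-restriction rule the experts quoted below recommend; the lone failure from the internal host is correctly left alone.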
Michael Barragry, operations lead at Edgescan, explained that there is no excuse for leaving any database service completely exposed on the public internet.
“There should be at least a firewall or IP-restriction in place to limit connection attempts to known and trusted sources,” he recommended.
“These services may have been accidentally exposed due to human error, or simply forgotten about during a test deployment. While it can be difficult to keep tabs on what ports and services are exposed to the internet, there are a number of tools and services that can be used to assist here, such as regular nmap sweeps. Knowing your external infrastructure is an integral part of security and it’s a growing problem, especially for large enterprises that have perhaps acquired several smaller businesses and inherited their infrastructure.”
Chris Bates, VP for security strategy at SentinelOne, commented that the increase in RAT activity means there is both a requirement to stop attacks dead at the initial stage, and “to have visibility over your entire network to detect any threats that might have escaped your first layer of security. Implementing firewall control and network traffic policies can help you monitor and block unwanted connections and ports that will help thwart attackers”.