
New Brute Force Attacks Against SQL Servers Use PowerShell Wrapper

Microsoft has warned organizations of a new wave of brute force cyberattacks that target SQL servers and use a rather uncommon living-off-the-land binary (LOLBin).

Specifically, the attackers rely on a legitimate utility called sqlps.exe to achieve fileless persistence on SQL servers that use weak or default passwords.

According to Microsoft, sqlps.exe, a PowerShell wrapper that supports the execution of SQL-built cmdlets, allows the attackers to run recon commands and to modify the start mode of the SQL service to LocalSystem.

The use of a legitimate tool also enables the attackers to keep their malicious activity hidden from detection tools, and it hinders forensic analysis.

“Defenders typically monitor the use of PowerShell in their environment. The sqlps.exe utility, which comes with all versions of SQL by default, has similar functionality and is equally worthy of increased scrutiny,” Microsoft Security Intelligence warned on Twitter.

As part of the observed attacks, sqlps.exe is also used to create a new account with sysadmin privileges, which is then used to take over the compromised SQL server.

“They then gain the ability to perform other actions, including deploying payloads like coin miners,” Microsoft said.

The tech giant also points out that the use of this uncommon LOLBin shows that keeping track of the runtime behavior of all scripts can help identify malicious code.

Organizations can mitigate the risks associated with brute force attacks by using strong and unique credentials, monitoring for compromised usernames and passwords, enabling logging, monitoring the environment for suspicious activity, implementing proper conditional access policies, employing enterprise detection tools, and keeping all software updated.
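The two monitoring points the article raises, repeated failed SQL logins from one source and any launch of sqlps.exe, can be checked with simple telemetry rules. The following is an added example, not code from the article or from Microsoft; the event records, the IP addresses and the sqlps.exe install path are constructed, and the threshold of five failures is an assumed value.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the article): SQL Server failed-login
# records (error 18456) and Windows process-creation records, one dict each.
SAMPLE_EVENTS = [
    {"kind": "sql_login_failed", "user": "sa", "src_ip": "203.0.113.7"},
    {"kind": "sql_login_failed", "user": "sa", "src_ip": "203.0.113.7"},
    {"kind": "sql_login_failed", "user": "admin", "src_ip": "203.0.113.7"},
    {"kind": "sql_login_failed", "user": "sa", "src_ip": "203.0.113.7"},
    {"kind": "sql_login_failed", "user": "sa", "src_ip": "203.0.113.7"},
    {"kind": "sql_login_failed", "user": "jdoe", "src_ip": "198.51.100.4"},
    {"kind": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c dir"},
    {"kind": "process_create",
     # install path is constructed; real location varies by SQL Server version
     "image": r"C:\Program Files\Microsoft SQL Server\150\Tools\Binn\sqlps.exe",
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "cmdline": "sqlps.exe -Command \"Invoke-Sqlcmd -Query "
                "'ALTER SERVER ROLE sysadmin ADD MEMBER backup_svc'\""},
]

# Matches sqlps.exe as the final path component, regardless of install directory.
SQLPS_NAME = re.compile(r"(^|\\)sqlps\.exe$", re.IGNORECASE)
# T-SQL fragments that grant the sysadmin role, the step the article describes.
PRIV_PATTERNS = re.compile(r"sp_addsrvrolemember|ALTER\s+SERVER\s+ROLE\s+sysadmin",
                           re.IGNORECASE)


def brute_force_sources(events, threshold=5):
    """Return {src_ip: failure_count} for sources at or above the threshold."""
    counts = Counter(e["src_ip"] for e in events if e["kind"] == "sql_login_failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def sqlps_alerts(events):
    """Flag every sqlps.exe launch; raise severity when the command line grants sysadmin."""
    alerts = []
    for e in events:
        if e["kind"] != "process_create" or not SQLPS_NAME.search(e["image"]):
            continue
        severity = "high" if PRIV_PATTERNS.search(e["cmdline"]) else "medium"
        alerts.append({"severity": severity, "parent": e["parent"], "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_EVENTS))
    for a in sqlps_alerts(SAMPLE_EVENTS):
        print(f"[{a['severity']}] sqlps.exe spawned by {a['parent']}: {a['cmdline']}")
```

Because the article notes that sqlps.exe ships with every SQL Server install, every launch is worth a medium alert even when the command line looks benign; the parent process is recorded so analysts can distinguish interactive DBA use from launches under the SQL service itself.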

Related: National Cybersecurity Agencies Describe Commonly Used Initial Access Techniques

Related: Gh0stCringe RAT Targeting Database Servers in Recent Attacks

Related: Vollgar Campaign Targets MS-SQL Servers With Backdoors, Crypto-Miners

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
