Microsoft has warned organizations of a new wave of brute force cyberattacks that target SQL servers and use a rather uncommon living-off-the-land binary (LOLBin).
Specifically, the attackers rely on a legitimate utility called sqlps.exe to achieve fileless persistence on SQL servers that use weak or default passwords.
According to Microsoft, sqlps.exe, a PowerShell wrapper that supports the execution of SQL-built cmdlets, allows the attackers to run recon commands and to modify the start mode of the SQL service to LocalSystem.
The use of a legitimate tool also enables the attackers to keep their malicious activity hidden from detection tools and it also hinders forensic analysis.
“Defenders typically monitor the use of PowerShell in their environment. The sqlps.exe utility, which comes with all versions of SQL by default, has similar functionality and is equally worthy of increased scrutiny,” Microsoft Security Intelligence warned on Twitter.
As part of the observed attacks, sqlps.exe is also used to create a new account with sysadmin privileges, which is then used to take over the compromised SQL server.
“They then gain the ability to perform other actions, including deploying payloads like coin miners,” Microsoft said.
The tech giant also points out that the use of this uncommon LOLBin shows that keeping track of the runtime behavior of all scripts can help identify malicious code.
Organizations can mitigate the risks associated with brute force attacks by using strong and unique credentials, monitoring for compromised usernames and passwords, enabling logging, monitoring the environment for suspicious activity, implementing proper conditional access policies, employing enterprise detection tools, and keeping all software updated.
Related: National Cybersecurity Agencies Describe Commonly Used Initial Access Techniques
Related: Gh0stCringe RAT Targeting Database Servers in Recent Attacks
Related: Vollgar Campaign Targets MS-SQL Servers With Backdoors, Crypto-Miners
More from Ionut Arghire
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
Latest News
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
