Unknown threat actors are using brute-force attacks to try and get into poorly secured, internet-exposed Microsoft SQL Server databases.
The Redmond software giant has issued a warning explaining how databases with weak passwords might get compromised:
"The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem," the Microsoft Security Intelligence team revealed.
Servers targeted
In other words, the attackers are using the sqlps.exe tool, which is a legitimate program, and not malware, as a Living Off The Land Binary (LOLBin).
"The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, enabling them to take full control of the SQL server. They then gain the ability to perform other actions, including deploying payloads like coin miners."
Sqlps is a tool that comes bundled with Microsoft SQL Server, and allows users to load SQL Server cmdlets. Bleeping Computer claims that by using the tool as a LOLBin, attackers can run PowerShell commands without being detected by antivirus programs or similar cybersecurity solutions.
What’s more, the tool leaves almost no traces, as it bypasses Script Block Logging.
System administrators can do a number of things to defend their premises from such attacks, first and foremost - by not exposing them to the internet. In case the database must be online, the second-best solution is a strong password that can’t be guessed, or brute-forced. That means, having a password with at least eight characters, both uppercase and lowercase, as well as numbers, and symbols.
Also, admins are advised to place the server behind a firewall.
Finally, they can enable logging and keep an eye out for suspicious or unexpected activity, or recurring login attempts.
Via: BleepingComputer