Brute-force attacks targeting MSSQL servers, Microsoft warns

Image of padlock against circuit board/cybersecurity background
(Image credit: Future)

Unknown threat actors are using brute-force attacks to try and get into poorly secured, internet-exposed Microsoft SQL Server databases.

The Redmond software giant has issued a warning explaining how databases with weak passwords might get compromised:

"The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem," the Microsoft Security Intelligence team revealed.

Image

<a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" target="_blank">Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the <a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" data-link-merchant="polls.futureplc.com"" target="_blank">end of this survey to get the bookazine, worth $10.99/£10.99.

Servers targeted

In other words, the attackers are using the sqlps.exe tool, which is a legitimate program, and not malware, as a Living Off The Land Binary (LOLBin).

"The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, enabling them to take full control of the SQL server. They then gain the ability to perform other actions, including deploying payloads like coin miners."

Sqlps is a tool that comes bundled with Microsoft SQL Server, and allows users to load SQL Server cmdlets. Bleeping Computer claims that by using the tool as a LOLBin, attackers can run PowerShell commands without being detected by antivirus programs or similar cybersecurity solutions. 

What’s more, the tool leaves almost no traces, as it bypasses Script Block Logging. 

System administrators can do a number of things to defend their premises from such attacks, first and foremost - by not exposing them to the internet. In case the database must be online, the second-best solution is a strong password that can’t be guessed, or brute-forced. That means, having a password with at least eight characters, both uppercase and lowercase, as well as numbers, and symbols. 

Also, admins are advised to place the server behind a firewall.

Finally, they can enable logging and keep an eye out for suspicious or unexpected activity, or recurring login attempts. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.