Brute-force attacks targeting MSSQL servers, Microsoft warns
Unknown threat actors are using brute-force attacks to try and get into poorly secured, internet-exposed Microsoft SQL Server databases.
The Redmond software giant has issued a warning explaining how databases with weak passwords might get compromised:
“The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem,” the Microsoft Security Intelligence team revealed.
Servers targeted
In other words, the attackers are using the sqlps.exe tool, which is a legitimate program, and not malware, as a Living Off The Land Binary (LOLBin).
“The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, enabling them to take full control of the SQL server. They then gain the ability to perform other actions, including deploying payloads like coin miners.”
Sqlps is a tool that comes bundled with Microsoft SQL Server, and allows users to load SQL Server cmdlets. Bleeping Computer claims that by using the tool as a LOLBin, attackers can run PowerShell commands without being detected by antivirus programs or similar cybersecurity solutions.
What’s more, the tool leaves almost no traces, as it bypasses Script Block Logging.
System administrators can do a number of things to defend their premises from such attacks, first and foremost – by not exposing them to the internet. In case the database must be online, the second-best solution is a strong password that can’t be guessed, or brute-forced. That means, having a password with at least eight characters, both uppercase and lowercase, as well as numbers, and symbols.
Also, admins are advised to place the server behind a firewall.
Finally, they can enable logging and keep an eye out for suspicious or unexpected activity, or recurring login attempts.
Via: BleepingComputer
Audio player loading… Unknown threat actors are using brute-force attacks to try and get into poorly secured, internet-exposed Microsoft SQL Server databases. The Redmond software giant has issued a warning explaining how databases with weak passwords might get compromised: “The attackers achieve fileless persistence by spawning the sqlps.exe utility, a…
Recent Posts
- Amazfit’s new low-cost wearable packs in a big display and 26 days of battery life
- As Questions Swirl Around Tesla’s Superchargers, the Race Is On to Fill the Power Gap
- Asus won’t say if the ROG Ally’s SD card reader will ever be truly fixed
- Quordle today – hints and answers for Thursday, May 2 (game #829)
- NYT Strands today — hints, answers and spangram for Thursday, May 2 (game #60)
Archives
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- December 2011