In December, security researchers noticed an uptick in brute-force attacks against publicly exposed Microsoft SQL servers. It turns out the attacks go as far back as May 2018 and infect on average a couple thousand database servers every day with remote access Trojans (RATs) and cryptominers.
Researchers from Guardicore Labs have dubbed the ongoing campaign Vollgar and traced it back to China. The scans and attacks originate from Chinese IP addresses -- likely associated with infected and hijacked machines -- and the command-and-control (C&C) servers are also hosted in China and use Chinese-language web-based management interfaces.
The infected MS SQL servers belong to organizations from various sectors, including healthcare, aviation, IT, telecommunications and education, with many located in China, India, the US, South Korea and Turkey.
"With regards to infection period, the majority (60%) of infected machines remained such for only a short period of time," the researchers said in a report released today. "However, almost 20% of all breached servers remained infected for more than a week and even longer than two weeks. This proves how successful the attack is in hiding its tracks and bypassing mitigations such as antiviruses and EDR products. Alternatively, it is very likely that those do not exist on servers in the first place."
Infection and reinfection
Guardicore has seen an infection rate of between 2,000 and 3,000 machines daily, which is significant given that there are only around half a million MS-SQL servers on the internet -- a small number compared to other types of database servers. What's even more surprising is that 10% of systems become reinfected, which suggests administrators tried to clean the malware but missed some components or failed to change the weak credentials that led to the compromise in the first place.
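Because the initial access is plain password guessing against the SQL login, the failed-login entries that SQL Server writes to its error log are the earliest signal a defender has. The following T-SQL is an added example, not part of Guardicore's report or tooling: it reads the current error log through the built-in xp_readerrorlog procedure, parses the login name and client address out of each "Login failed for user" line, and aggregates by source so that a guessing run against the exposed instance stands out. It assumes the default audit setting (failed logins are logged) and the standard message format; the threshold of 20 failures is an assumed starting point.

```sql
-- Added example (not from the Guardicore report): summarise failed logins from the
-- current SQL Server error log to spot password guessing against an exposed instance.
-- Assumes default login auditing and the standard
-- "Login failed for user '<name>'. ... [CLIENT: <addr>]" message text.
IF OBJECT_ID('tempdb..#errlog') IS NOT NULL DROP TABLE #errlog;
CREATE TABLE #errlog (LogDate DATETIME, ProcessInfo NVARCHAR(50), [Text] NVARCHAR(MAX));

-- xp_readerrorlog arguments: log number (0 = current), log type (1 = SQL Server), search string
INSERT INTO #errlog (LogDate, ProcessInfo, [Text])
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user';

;WITH parsed AS (
    SELECT LogDate,
           -- login name sits between the first pair of single quotes
           SUBSTRING([Text], CHARINDEX('''', [Text]) + 1,
                     CHARINDEX('''', [Text], CHARINDEX('''', [Text]) + 1)
                       - CHARINDEX('''', [Text]) - 1) AS LoginName,
           -- client address sits between "[CLIENT: " (9 characters) and the closing "]"
           SUBSTRING([Text], CHARINDEX('[CLIENT: ', [Text]) + 9,
                     CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                       - CHARINDEX('[CLIENT: ', [Text]) - 9) AS ClientAddr
    FROM #errlog
    WHERE [Text] LIKE '%[[]CLIENT: %'      -- skip lines without a client address
)
SELECT ClientAddr,
       LoginName,
       COUNT(*)     AS Failures,
       MIN(LogDate) AS FirstSeen,
       MAX(LogDate) AS LastSeen
FROM parsed
GROUP BY ClientAddr, LoginName
HAVING COUNT(*) >= 20                     -- assumed threshold; tune for the environment
ORDER BY Failures DESC;
```

A single external address hammering the sa login, or a handful of addresses cycling through many login names, is the pattern to alert on; pair the query with a firewall rule so that port 1433 is not reachable from the internet at all, which removes the precondition for this campaign entirely.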
The infections resulting from this campaign are thorough and have multiple components. The attackers are also aggressive in removing malware belonging to competing groups from the machines.
Once they gain access to a database server, attackers make configuration changes to enable WMI scripting and command execution through MS-SQL, features that might have been disabled by the administrator. They also ensure that cmd.exe, ftp.exe and other important binaries are executable and they proceed to add backdoor administrative accounts to both the database and the operating system.
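The configuration changes described above map onto a few server-level settings that an administrator can audit directly. The T-SQL below is an added example and not Guardicore's code: step 1 shows whether the command-execution features the attackers switch on (xp_cmdshell and the OLE Automation procedures used for WMI scripting) are currently enabled, step 2 lists every sysadmin member with its creation date so that a freshly added backdoor login is visible, and step 3 returns the instance to the hardened state. The login name in step 4 is a placeholder; the script assumes it is run by a sysadmin.

```sql
-- Added example (not from the Guardicore report): audit the surface area the campaign
-- enables and the sysadmin membership it extends, then restore the hardened settings.

-- 1. Current state of the OS-execution features. value_in_use = 1 for
--    xp_cmdshell or Ole Automation Procedures is the attacker-friendly state.
SELECT name, CAST(value_in_use AS INT) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 2. Every member of the sysadmin role, newest first. A SQL login created at the
--    time of the brute-force activity, and not by the DBA team, is a backdoor account.
SELECT m.name, m.type_desc, m.create_date, m.modify_date, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.create_date DESC;

-- 3. Hardened state: turn the OS-execution features off again.
--    'show advanced options' must be on to change them, and is switched back off after.
EXEC sp_configure 'show advanced options', 1;     RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;               RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;     RECONFIGURE;

-- 4. Remove an unrecognised sysadmin login found in step 2 (placeholder name).
-- ALTER SERVER ROLE sysadmin DROP MEMBER [unknown_login];
-- DROP LOGIN [unknown_login];
```

Re-run steps 1 and 2 after cleanup and on a schedule: the reinfection rate the researchers report is exactly what happens when the settings are reset but the added login, or the weak sa password that let the attacker in, is left in place.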
The infection process involves clearing several registry keys that could be used by pre-existing malware to start automatically on system reboot or to attach itself to legitimate executables. The deployed payloads, named SQLAGENTIDC.exe or SQLAGENTVDC.exe, also scan the running processes for known malware and kill it. They then download multiple remote access modules and a cryptocurrency mining program based on XMRig. The researchers have published indicators associated with this campaign on GitHub, as well as a PowerShell script that can be used to thoroughly scan a system for artefacts of a Vollgar infection.
The primary goal of this attack seems to be cryptocurrency mining, a method of abusing enterprise servers that has been increasingly popular and profitable over the past few years, but attackers also have the capability to do much more through the deployed RAT modules.
"What makes these database servers appealing for attackers apart from their valuable CPU power is the huge amount of data they hold," the researchers said. "These machines possibly store personal information such as usernames, passwords, credit card numbers, etc., which can fall into the attacker’s hands with only a simple brute-force."