Sunday, December 8, 2024
HomeCyber Security NewsNew Malware Compromised Hundreds of Microsoft SQL Servers

New Malware Compromised Hundreds of Microsoft SQL Servers

Published on

SIEM as a Service

There has been a discovery of a new type of malware by security researchers named, Maggie, which targets Microsoft SQL servers. Around the world, hundreds of computers have already become infected with the Maggie backdoor.

Maggie is controlled by SQL queries that are executed on the database. Microsoft SQL server admin logins can be hacked, and duplication can be done as a bridge with the network environment of the server.

Heatmap of Maggie

The cybersecurity analysts, Johann Aydinbas and Axel Wauer of the DCSO CyTec were responsible for discovering the backdoor. Maggie has been detected more frequently in the countries listed below, based on the telemetry data:-

- Advertisement - SIEM as a Service
  • South Korea
  • India
  • Vietnam
  • China
  • Russia
  • Thailand
  • Germany
  • The United States

In order for Maggie to operate successfully, it can masquerade itself as a DLL extension which sports an Extended Stored Procedure signature that is signed by a South Korean company, DEEPSoft Co. Ltd.

Commands used by Maggie

With an API, extended stored procedures can be enhanced to provide more functionality when running SQL queries. While this API accepts the:-

  • Remote user arguments
  • Responds with unstructured data

Through a series of 51 commands, remote access is possible to the backdoor. And here below in the image, you can see all those 51 commands:-

Maggie is capable of performing a wide range of actions with the help of commands, such as:-

  • Information about the system can be requested.
  • Run or execute programs.
  • Add a hardcoded backdoor operator account.
  • Files and folders can be accessed and interacted with.
  • Set up port forwarding.
  • Enables Remote Desktop Services.
  • Choose an administrator password.
  • The SOCKS5 proxy can be used to route all network packets and thus make the backdoor invisible, making it difficult to detect.

Maggie even offers usage instructions for some of these supported arguments, in the case where the attackers are able to append arguments to these commands.

A total of four Exploit commands are also included in the command list. It’s a clear indication that certain actions, such as adding a new user, may be reliant on known vulnerabilities to be performed by the attacker.

After specifying a password list file and a thread count, a brute force attack on admin passwords is conducted by executing the following commands:-

  • SqlScan
  • WinSockScan

Network Bridge

A TCP redirection feature is also provided by the malware. The infected MS-SQL server can thus be accessed remotely from any IP address accessible by the attacker. 

Maggie will redirect any incoming connections to the specified IP address and port if this feature is enabled in the system. Currently, there is some information that is not yet known, such as:-

  • The operators behind this attack
  • How Maggie is used after infection?
  • How it’s injected into servers?

What’s most significant is that the threat has already been identified by the researchers and IOCs have been shared. However, the cybersecurity experts have affirmed that they will continue their investigation to find the answers for the above mentioned questions.

Also Read: Download Secure Web Filtering – Free E-book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...