Thursday, December 7, 2023

Windows Running MS-SQL Servers Under Attack!! Hackers Installing 10 Secret Backdoors on Servers

Researchers uncovered a massive attack on Windows running Microsoft SQL servers by a group of hackers using the new wave of long-running attack campaign called Vollgar.

Microsoft SQL Server is a relational database management system developed by Microsoft with 3rd most used Popular Database Platforms deployed in various organization networks around the globe.

This massive long-running attack campaign observed back to 2018 via the honeypot system, since then it was continuously attacking thousand of internet-facing MS-SQL servers for the past two years.

Researchers observed that the Vollgar campaign originated in more than 120 IP addresses and the most of the hits comes from China. some of the attacks initiated from the IP’s that are short lived and the couple of IP’s are living more than 3 months.

Shockingly, this Vollgar campaign attacking nearly 3, 000 MS-SQL server daily, and the victims belong to various sectors such as healthcare, aviation, IT & telecommunications and higher education from India, U.S, Turkey, South Korea.

“Threat actors are attempting to various forms of attack including password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multi-functional remote access tools (RATs) and crypto miners”. researchers from Guardicore told GBHackers.

Another interesting fact of this campaign is that the 60% of infected machines remain a short-living period of time and the 20 % of an attack on MS-SQL server remain infected for a long period of a week or more than 2 weeks and 10% of victims are reinfected again and again even after the malware removed by the system admins.

Vulgar Campaign on MS-SQL Server Infection Flaw & Infrastructure

The campaign has started with the powerful brute force login attempts on MS-SQL servers, as the result of successful attempts will let them moved ahead to perform various alterations in the configuration that creates a possibility to execute arbitrary commands.

During the period of attack, actors added a feature that eliminates the other actors of the targeted system and ensuring their only presence and gets the most resources, such as bandwidth and CPU power.

To avoid the failed attempts, actors written two VB scripts including one FTP script that can be downloaded over HTTP and the downloaders are executed from a different location each time.

Researchers gathered multiple pieces of evidence that show the main CNC server originated from China and 10 different backdoor’s are used to access the system, read the files, performing the registry modification, download and execute the scripts.

According to Guardicore report ” we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS), Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP. “

Implanting Multiple RAT Modules in MS-SQL Server

There are two initial Droppers ( SQLAGENTIDC.exe or SQLAGENTVDC.exe ) that were used to kill the several long listing processes ( Rnaphin.exexmr.exe, and winxmr.exe ) using taskkill to gain the more computer resource by eliminates the competitors.

Attack Flaw (Source: Guardicore)

Later, the loader executes its copy that connects to the C2 server and checking the new process and queries Baidu Maps to obtain the victim’s IP and geolocation and send the collected details. 

Infection flaw drops the few more additional payloads that are RAT modules and an XMRig-based crypto miner on the victim’s machine.

RAT modules are using different ports including 222519383 and 3213 to connect the C2 Server to eliminates the redundancy and down.

Thus, Threat actors  mining both Monero and an alt-coin named VDS, or Vollar which is combining elements of Monero and Ethereum.

Network admins are encourage to not expose MS-SQL database servers to the internet and enabling logging in order to monitor and alert on suspicious, unexpected or recurring login attempts.

You can share your thoughts about the article via  Twitter,  Facebook and Linkedin page also get the Daily cyber security & hacking news updates.


Latest articles

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...

Hackers Deliver AsyncRAT Through Weaponized WSF Script Files

The AsyncRAT malware, which was previously distributed through files with the .chm extension, is now being...

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles