Researchers uncovered a massive attack on Windows running Microsoft SQL servers by a group of hackers using the new wave of long-running attack campaign called Vollgar.
Microsoft SQL Server is a relational database management system developed by Microsoft with 3rd most used Popular Database Platforms deployed in various organization networks around the globe.
This massive long-running attack campaign observed back to 2018 via the honeypot system, since then it was continuously attacking thousand of internet-facing MS-SQL servers for the past two years.
Researchers observed that the Vollgar campaign originated in more than 120 IP addresses and the most of the hits comes from China. some of the attacks initiated from the IP’s that are short lived and the couple of IP’s are living more than 3 months.
Shockingly, this Vollgar campaign attacking nearly 3, 000 MS-SQL server daily, and the victims belong to various sectors such as healthcare, aviation, IT & telecommunications and higher education from India, U.S, Turkey, South Korea.
“Threat actors are attempting to various forms of attack including password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multi-functional remote access tools (RATs) and crypto miners”. researchers from Guardicore told GBHackers.
Another interesting fact of this campaign is that the 60% of infected machines remain a short-living period of time and the 20 % of an attack on MS-SQL server remain infected for a long period of a week or more than 2 weeks and 10% of victims are reinfected again and again even after the malware removed by the system admins.
Vulgar Campaign on MS-SQL Server Infection Flaw & Infrastructure
The campaign has started with the powerful brute force login attempts on MS-SQL servers, as the result of successful attempts will let them moved ahead to perform various alterations in the configuration that creates a possibility to execute arbitrary commands.
During the period of attack, actors added a feature that eliminates the other actors of the targeted system and ensuring their only presence and gets the most resources, such as bandwidth and CPU power.
To avoid the failed attempts, actors written two VB scripts including one FTP script that can be downloaded over HTTP and the downloaders are executed from a different location each time.
Researchers gathered multiple pieces of evidence that show the main CNC server originated from China and 10 different backdoor’s are used to access the system, read the files, performing the registry modification, download and execute the scripts.
According to Guardicore report ” we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS), Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP. “
Implanting Multiple RAT Modules in MS-SQL Server
There are two initial Droppers ( SQLAGENTIDC.exe or SQLAGENTVDC.exe ) that were used to kill the several long listing processes ( Rnaphin.exe, xmr.exe, and winxmr.exe ) using taskkill to gain the more computer resource by eliminates the competitors.
Later, the loader executes its copy that connects to the C2 server and checking the new process and queries Baidu Maps to obtain the victim’s IP and geolocation and send the collected details.
Infection flaw drops the few more additional payloads that are RAT modules and an XMRig-based crypto miner on the victim’s machine.
RAT modules are using different ports including 22251, 9383 and 3213 to connect the C2 Server to eliminates the redundancy and down.
Network admins are encourage to not expose MS-SQL database servers to the internet and enabling logging in order to monitor and alert on suspicious, unexpected or recurring login attempts.