Friday, January 24, 2025
HomeWindowsWindows Running MS-SQL Servers Under Attack!! Hackers Installing 10 Secret Backdoors on...

Windows Running MS-SQL Servers Under Attack!! Hackers Installing 10 Secret Backdoors on Servers

Published on

SIEM as a Service

Follow Us on Google News

Researchers uncovered a massive attack on Windows running Microsoft SQL servers by a group of hackers using the new wave of long-running attack campaign called Vollgar.

Microsoft SQL Server is a relational database management system developed by Microsoft with 3rd most used Popular Database Platforms deployed in various organization networks around the globe.

This massive long-running attack campaign observed back to 2018 via the honeypot system, since then it was continuously attacking thousand of internet-facing MS-SQL servers for the past two years.

Researchers observed that the Vollgar campaign originated in more than 120 IP addresses and the most of the hits comes from China. some of the attacks initiated from the IP’s that are short lived and the couple of IP’s are living more than 3 months.

Shockingly, this Vollgar campaign attacking nearly 3, 000 MS-SQL server daily, and the victims belong to various sectors such as healthcare, aviation, IT & telecommunications and higher education from India, U.S, Turkey, South Korea.

“Threat actors are attempting to various forms of attack including password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multi-functional remote access tools (RATs) and crypto miners”. researchers from Guardicore told GBHackers.

Another interesting fact of this campaign is that the 60% of infected machines remain a short-living period of time and the 20 % of an attack on MS-SQL server remain infected for a long period of a week or more than 2 weeks and 10% of victims are reinfected again and again even after the malware removed by the system admins.

Vulgar Campaign on MS-SQL Server Infection Flaw & Infrastructure

The campaign has started with the powerful brute force login attempts on MS-SQL servers, as the result of successful attempts will let them moved ahead to perform various alterations in the configuration that creates a possibility to execute arbitrary commands.

During the period of attack, actors added a feature that eliminates the other actors of the targeted system and ensuring their only presence and gets the most resources, such as bandwidth and CPU power.

To avoid the failed attempts, actors written two VB scripts including one FTP script that can be downloaded over HTTP and the downloaders are executed from a different location each time.

Researchers gathered multiple pieces of evidence that show the main CNC server originated from China and 10 different backdoor’s are used to access the system, read the files, performing the registry modification, download and execute the scripts.

According to Guardicore report ” we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS), Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP. “

Implanting Multiple RAT Modules in MS-SQL Server

There are two initial Droppers ( SQLAGENTIDC.exe or SQLAGENTVDC.exe ) that were used to kill the several long listing processes ( Rnaphin.exexmr.exe, and winxmr.exe ) using taskkill to gain the more computer resource by eliminates the competitors.

Attack Flaw (Source: Guardicore)

Later, the loader executes its copy that connects to the C2 server and checking the new process and queries Baidu Maps to obtain the victim’s IP and geolocation and send the collected details. 

Infection flaw drops the few more additional payloads that are RAT modules and an XMRig-based crypto miner on the victim’s machine.

RAT modules are using different ports including 222519383 and 3213 to connect the C2 Server to eliminates the redundancy and down.

Thus, Threat actors  mining both Monero and an alt-coin named VDS, or Vollar which is combining elements of Monero and Ethereum.

Network admins are encourage to not expose MS-SQL database servers to the internet and enabling logging in order to monitor and alert on suspicious, unexpected or recurring login attempts.

You can share your thoughts about the article via  Twitter,  Facebook and Linkedin page also get the Daily cyber security & hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Nnice Ransomware Attacking Windows Systems With Advanced Encryption Techniques

CYFIRMA's Research and Advisory team has identified a new strain of ransomware labeled "Nnice,"...

Hackers Deliver Ransomware on Windows Via Microsoft Teams Voice Calls

Sophos X-Ops’ Managed Detection and Response (MDR) team has uncovered two highly active threat...

Microsoft Rolls Out New Administrator Protection Feature Under Windows Security

Microsoft has announced the release of Windows 11 Insider Preview Build 27774 to the...