Friday, March 29, 2024

Windows Running MS-SQL Servers Under Attack!! Hackers Installing 10 Secret Backdoors on Servers

Researchers uncovered a massive attack on Windows running Microsoft SQL servers by a group of hackers using the new wave of long-running attack campaign called Vollgar.

Microsoft SQL Server is a relational database management system developed by Microsoft with 3rd most used Popular Database Platforms deployed in various organization networks around the globe.

This massive long-running attack campaign observed back to 2018 via the honeypot system, since then it was continuously attacking thousand of internet-facing MS-SQL servers for the past two years.

Researchers observed that the Vollgar campaign originated in more than 120 IP addresses and the most of the hits comes from China. some of the attacks initiated from the IP’s that are short lived and the couple of IP’s are living more than 3 months.

Shockingly, this Vollgar campaign attacking nearly 3, 000 MS-SQL server daily, and the victims belong to various sectors such as healthcare, aviation, IT & telecommunications and higher education from India, U.S, Turkey, South Korea.

“Threat actors are attempting to various forms of attack including password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multi-functional remote access tools (RATs) and crypto miners”. researchers from Guardicore told GBHackers.

Another interesting fact of this campaign is that the 60% of infected machines remain a short-living period of time and the 20 % of an attack on MS-SQL server remain infected for a long period of a week or more than 2 weeks and 10% of victims are reinfected again and again even after the malware removed by the system admins.

Vulgar Campaign on MS-SQL Server Infection Flaw & Infrastructure

The campaign has started with the powerful brute force login attempts on MS-SQL servers, as the result of successful attempts will let them moved ahead to perform various alterations in the configuration that creates a possibility to execute arbitrary commands.

During the period of attack, actors added a feature that eliminates the other actors of the targeted system and ensuring their only presence and gets the most resources, such as bandwidth and CPU power.

To avoid the failed attempts, actors written two VB scripts including one FTP script that can be downloaded over HTTP and the downloaders are executed from a different location each time.

Researchers gathered multiple pieces of evidence that show the main CNC server originated from China and 10 different backdoor’s are used to access the system, read the files, performing the registry modification, download and execute the scripts.

According to Guardicore report ” we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS), Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP. “

Implanting Multiple RAT Modules in MS-SQL Server

There are two initial Droppers ( SQLAGENTIDC.exe or SQLAGENTVDC.exe ) that were used to kill the several long listing processes ( Rnaphin.exexmr.exe, and winxmr.exe ) using taskkill to gain the more computer resource by eliminates the competitors.

Attack Flaw (Source: Guardicore)

Later, the loader executes its copy that connects to the C2 server and checking the new process and queries Baidu Maps to obtain the victim’s IP and geolocation and send the collected details. 

Infection flaw drops the few more additional payloads that are RAT modules and an XMRig-based crypto miner on the victim’s machine.

RAT modules are using different ports including 222519383 and 3213 to connect the C2 Server to eliminates the redundancy and down.

Thus, Threat actors  mining both Monero and an alt-coin named VDS, or Vollar which is combining elements of Monero and Ethereum.

Network admins are encourage to not expose MS-SQL database servers to the internet and enabling logging in order to monitor and alert on suspicious, unexpected or recurring login attempts.

You can share your thoughts about the article via  Twitter,  Facebook and Linkedin page also get the Daily cyber security & hacking news updates.

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles