Posted on April 2, 2020 at 3:39 PM
Security researchers have discovered a cyber attack campaign that deploys backdoors on Windows machine running MS-SQL. The researchers also stated that there were other malware deployed, such as cryptominers and multifunctional remote access tools (RATs).
Compromised systems host attack infrastructure
According to Guardicore, those behind the attack hosted their complete infrastructure on compromised systems, which includes its main China-based command-and-control server.
Interestingly, the researchers found that the server has been compromised by other attack groups as well.
The research team also discovered two CNC systems with GUI in Chinese, which is used to modify hash values of files. Besides, there was an executable mstsc.exe, Serv-U FTP server, and a portable HTTP file server. The mstsc.exe is utilized by the attacker when connecting victims over RDP.
When the compromised Windows client communicates to the C2 server, it gets several details about the system, including the CPU model, computer name, version of the operating system, its location, and public IP name
Guardicore revealed that two different vendors were responsible for the development of the C2 programs planted on the China-based server.
But the research team said their remote control system work in a similar fashion, as both of them, download files, install new Windows services, capture screen, and activate both the microphone and the camera. The activities of the two vendors follow these lines, but not in a particular order, Guardicore stated.
More than 2,000 databases infected
The security researchers revealed that over 2,000 database servers have been infected already within the past few weeks. The affected victims are from different sectors, including higher education, IT & telecommunications, aviation, and healthcare across Turkey, South Korea, India, and China.
However, to quell the attack, the researchers released a script, which will enable sysadmins to find out whether the hackers have compromised any of its Windows MS-SQL servers.
The attack is known as “Vollgar”, which is named after the Voller cryptocurrency it mines. Vollgar begins with a forceful login attempt on the MS-SQL server. If the attack pulls through, it gives access to the execution of several configuration changes, which downloads malware binaries and runs malicious MS-SQL commands.
The actors behind the attack also make sure that ftp.exe and cmd.exe executables have the proper permissions.
The attackers also ensure that certain classes of COM are ready; Windows ScriptHost Object Model (wshom), Microsoft.Jet.OLEDB.4.0, and WbemScripting.SWbemLocator.
The classes support both command execution and WMI scripting via MS-SQL, which are utilized for downloading the initial malware binary.
New MS-SQL backdoor established by attackers
Apart from making sure the ftp.exe and cmd.exe have the required permissions, the actors pushing Vollgar also establishes a new backdoor to the MS-SQL database where they can come back later to exploit.
After the first arrangement is complete, the attack goes ahead to set up downloader scripts (one FTP script and two VBScripts). The two scripts are usually executed several times, but with a new target location each time it’s executed to prevent any failures.
During the attack, one of the payloads, known as SQLAGENTVDC.exe, goes on to terminate several processes to secure the right level of system resources. It also takes down activities from other threat actors and completely wipes out their presence from the infected system.
Additionally, the attack is disguised as a dropper for XMRig-based cryptocurrency miner that mines Monero as well as all the altcoin called Vollar or VDS.
Protection against Brute-force attacks
Since more than 500,000 systems are running MS-SQL database service, most of the attacks have proven that the hackers are more interested in database servers with less stringent security measures. At least, these vulnerable servers make things easier for them.
Guardcore has advised users and organizations to make sure their MS-SQL servers online are properly protected with strong passwords that would be difficult to crack.
According to the researchers,
“What makes these database servers appealing for attackers apart from their valuable CPU power is the huge amount of data they hold.”
It further said that the machines keep personal information like credit card numbers, passwords, as well as usernames. If these credentials are not completely protected with a password, a simple brute-force can leave them vulnerable to the attackers, the researchers concluded.