Unknown threat actors are using brute-force attacks to try and get into poorly secured, internet-exposed Microsoft SQL Server databases.
The Redmond software giant has issued a warning explaining how databases with weak passwords might get compromised:
"The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem," the Microsoft Security Intelligence team revealed (opens in new tab).
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
In other words, the attackers are using the sqlps.exe tool, which is a legitimate program, and not malware, as a Living Off The Land Binary (LOLBin).
"The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, enabling them to take full control of the SQL server (opens in new tab). They then gain the ability to perform other actions, including deploying payloads like coin miners."
Sqlps is a tool that comes bundled with Microsoft SQL Server, and allows users to load SQL Server cmdlets. Bleeping Computer claims that by using the tool as a LOLBin, attackers can run PowerShell commands without being detected by antivirus programs or similar cybersecurity solutions.
What’s more, the tool leaves almost no traces, as it bypasses Script Block Logging.
System administrators can do a number of things to defend their premises from such attacks, first and foremost - by not exposing them to the internet. In case the database (opens in new tab) must be online, the second-best solution is a strong password that can’t be guessed, or brute-forced. That means, having a password with at least eight characters, both uppercase and lowercase, as well as numbers, and symbols.
Also, admins are advised to place the server behind a firewall (opens in new tab).
Finally, they can enable logging and keep an eye out for suspicious or unexpected activity, or recurring login attempts.