SQL servers targeted by a new brute-force campaign

May 25, 2022
SQL Database Servers MSSQL Brute-Force Cyberattack Campaign SQLPS LOLBin

Microsoft published a security advisory about a brute-force campaign that targets internet-exposed and poorly secured SQL servers or MSSQL database servers. Based on the report provided by the company, the campaign has been targeting accounts with weak passwords to initiate attacks.

The threat actors operating this new brute-forcing campaign are abusing the legitimate sqlps[.]exe tool as a living-off-the-land binary (LOLBin). They also use the sqlps[.]exe utility to run reconnaissance commands and to change the start mode of the SQL service to LocalSystem.

The utility used by the threat actors is a PowerShell wrapper that runs SQL Server cmdlets. The adversaries also use it to create a new account in the sysadmin role, giving them full control of the SQL Server.

sqlps is also used to attack the SQL servers and to bypass security detections on the targeted devices.

Microsoft’s researchers also noted that using sqlps to attack SQL servers helps obfuscate the attacks. The tool lets the attackers leave no trace of the attack on the device, so security researchers have little to analyse when investigating the campaign.

The sqlps utility also lets the attackers load the SQL Server cmdlets and run PowerShell commands without being identified by security solutions. Some researchers describe this new threat as a form of fileless persistence.

Script Block Logging, a PowerShell feature that records cmdlet activity to the Windows event log, can also be bypassed by sqlps.

Numerous threats already target SQL servers, which shows that this new brute-forcing campaign is not new at all. Recently, the Kingminer botnet exploited an SQL flaw to run an obfuscated PowerShell command.

Last March, several campaigns compromised MSSQL servers to distribute the Gh0stCringe malware. This year, a similar attack also infected MSSQL servers to deploy Cobalt Strike beacons via the SQL xp_cmdshell command.

To protect MSSQL servers, Microsoft advises users not to expose them to the internet. Organisations should also set a strong admin password and place the server behind a firewall. Furthermore, it is always recommended to watch for unknown, suspicious, or repeated login attempts.
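A detection check of the kind the advice above implies, as an added example (not code from the article, from Microsoft, or from any vendor): it flags sources with bursts of failed MSSQL logins and any launch of sqlps.exe in constructed log records. The record format, addresses, user names and image path are assumptions; event IDs 18456 (MSSQL failed login) and 4688 (Windows process creation) are real.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed sample records (timestamp, event_id, detail); not real telemetry.
# Addresses, user names, the detail format and the image path are all made up.
SAMPLE_LOG = [
    ("2022-05-20 10:00:01", "18456", "user=sa src=203.0.113.7"),
    ("2022-05-20 10:00:02", "18456", "user=sa src=203.0.113.7"),
    ("2022-05-20 10:00:02", "18456", "user=admin src=203.0.113.7"),
    ("2022-05-20 10:00:03", "18456", "user=sa src=203.0.113.7"),
    ("2022-05-20 10:00:04", "18456", "user=sa src=203.0.113.7"),
    ("2022-05-20 10:30:00", "18456", "user=sa src=198.51.100.9"),  # one typo, benign
    ("2022-05-20 10:01:10", "4688", "image=C:\\Windows\\System32\\cmd.exe user=DBA"),
    ("2022-05-20 10:01:12", "4688", "image=C:\\SQLTools\\Binn\\sqlps.exe user=MSSQLSERVER"),
]

def parse_detail(detail):  # 'k=v k=v' -> dict (constructed detail format)
    return dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)

def login_failure_bursts(records, threshold=5, window=timedelta(minutes=1)):
    """Return {src: total failures} for sources with at least `threshold`
    failed logins (event 18456) inside any sliding window of `window` length."""
    by_src = defaultdict(list)
    for ts, event_id, detail in records:
        if event_id == "18456":
            by_src[parse_detail(detail)["src"]].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = len(times)
                break
    return hits

def sqlps_launches(records):
    """Return (timestamp, user) for each process-creation record whose image is
    sqlps.exe. Process auditing sees the launch even when Script Block Logging
    is sidestepped; SQL Agent jobs also launch it, so review hits, don't auto-block."""
    found = []
    for ts, event_id, detail in records:
        fields = parse_detail(detail)
        if event_id == "4688" and ntpath.basename(fields.get("image", "")).lower() == "sqlps.exe":
            found.append((ts, fields.get("user")))
    return found
```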
