Microsoft SQL Server 11 and 12 backdoor, accessible with 'magic password', linked to Chinese APT

ESET researchers attribute sophisticated MS SQL Server backdoor tool to China's Winnti Group, also known as APT17

Security researchers at ESET have warned of a new backdoor threat to Microsoft's SQL Server enterprise database that, they claim, makes the database accessible with a 'magic password' and ensures that the resulting connections are not logged.

ESET has attributed the attack threat to China's Winnti Group, which also variously goes by the names APT17, Axiom and Ke3chang. The researchers claim that the backdoor sample they discovered, called Skip-2.0, bears a number of similarities to previous attack tools linked to Winnti Group, including the PortReuse backdoor and the ShadowPad Trojan.

"Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain. In-game currency database manipulations by Winnti operators have already been reported," ESET researchers warned.

The company revealed the threat today following a new analysis of the Group [PDF].

"As in the case of 'PortReuse' and 'ShadowPad' [tools associated with Winnti], the launcher probably persists by exploiting a DLL hijacking vulnerability by being installed at 'C:\Windows\System32\TSVIPSrv.DLL'. This results in the DLL being loaded by the standard Windows SessionEnv service at system startup," ESET warns. This is how the backdoor maintains persistence across reboots.
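As an added example for defenders (it is not part of the ESET report or of this article), the following PowerShell hunt checks a Windows host for the persistence mechanism described above. It assumes the path quoted from ESET, assumes that the SessionEnv service is hosted by a svchost.exe process, and treats any file at that path that does not carry a valid Microsoft Authenticode signature as suspect; the "Microsoft" signer match is an assumption used as a heuristic. Run it from an elevated prompt so the service host's module list can be read.

```powershell
# Added hunt script, not ESET's or the article's code.
# Assumptions: the DLL path is the one ESET quotes; SessionEnv runs in a
# svchost.exe; a file at that path that is not validly Microsoft-signed is suspect.
$dllPath  = 'C:\Windows\System32\TSVIPSrv.DLL'
$findings = @()
$dllSuspect = $false

if (Test-Path -LiteralPath $dllPath) {
    $file   = Get-Item -LiteralPath $dllPath
    $sig    = Get-AuthenticodeSignature -LiteralPath $dllPath
    $hash   = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Heuristic (assumption): only a valid signature from a Microsoft subject clears the file.
    $dllSuspect = -not ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*')

    $findings += [pscustomobject]@{
        Check   = 'TSVIPSrv.DLL present in System32'
        Detail  = "size=$($file.Length) modifiedUtc=$($file.LastWriteTimeUtc.ToString('u')) sha256=$hash"
        Signer  = $signer
        Status  = $sig.Status
        Suspect = $dllSuspect
    }
} else {
    $findings += [pscustomobject]@{
        Check = 'TSVIPSrv.DLL present in System32'; Detail = 'not found'
        Signer = ''; Status = ''; Suspect = $false
    }
}

# Second check: is that DLL currently mapped into the process hosting SessionEnv?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SessionEnv'"
if ($svc -and $svc.ProcessId -gt 0) {
    $proc   = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
    $loaded = $null
    if ($proc) {
        $loaded = $proc.Modules | Where-Object { $_.ModuleName -ieq 'TSVIPSrv.DLL' }
    }
    $findings += [pscustomobject]@{
        Check   = 'TSVIPSrv.DLL loaded by SessionEnv host'
        Detail  = "pid=$($svc.ProcessId) state=$($svc.State) module=$(if ($loaded) { $loaded.FileName } else { 'not loaded' })"
        Signer  = ''
        Status  = ''
        # Loaded from the hijack path AND failing the signature heuristic is the actionable combination.
        Suspect = [bool]$loaded -and ($loaded.FileName -ieq $dllPath) -and $dllSuspect
    }
} else {
    $findings += [pscustomobject]@{
        Check = 'TSVIPSrv.DLL loaded by SessionEnv host'; Detail = 'SessionEnv not running'
        Signer = ''; Status = ''; Suspect = $false
    }
}

$findings | Format-Table -AutoSize -Wrap
```

The SHA-256 and timestamp are recorded so a flagged file can be preserved as evidence and compared against the indicators in ESET's report rather than judged on the signature heuristic alone.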

"Once decrypted the embedded payload is actually Winnti Group's custom packer… the packer configuration contains the decryption key of the packed binary as well as its original filename, its size and the execution type (EXE or DLL)."

Following an analysis of the tool sample, ESET researchers "tested skip-2.0 against multiple Microsoft SQL Server versions and found that we were able to log in successfully using the special password with MS SQL Server 11 and 12".

While SQL Server 12 was released in 2014 and has therefore been superseded by SQL Server 2017, the latest iteration of the popular enterprise database product, it remains the most commonly used version of SQL Server, according to Censys Technologies' data.

The PortReuse backdoor was found on the networks of compromised hardware and software vendors in South Asia earlier this year, while the ShadowPad Trojan was deployed against South Korean software company NetSarang when its network was breached in 2017.

The warning over the sophisticated 'Skip-2.0' SQL Server backdoor comes on the same day that Avast revealed details of a new attempted supply-chain attack.