Cyber campaign installing cryptominers and RATs on Microsoft SQL servers uncovered by security researchers

Hackers are infecting nearly 3,000 MS-SQL servers on a daily basis

Researchers at cyber security firm Guardicore Labs have uncovered a new attack campaign that specifically targets Microsoft SQL (MS-SQL) servers in an effort to install remote access Trojans (RATs) and cryptominers on them.

The campaign, named Vollgar, has been active since May 2018, according to the researchers. It brute-forces MS-SQL login passwords and, on a daily basis, infects between 2,000 and 3,000 MS-SQL servers with Monero and Vollar miners.
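As an added example, not code from the original article or from Guardicore: a short Python script that runs over constructed SQL Server ERRORLOG lines (the `Login failed for user ...` messages SQL Server writes as error 18456 when login auditing is enabled) and flags source addresses that fail logins repeatedly within a short window, which is what password brute-forcing of the kind described here looks like from the server side. The sample log text, the threshold and the window size are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format (not real captured data).
# SQL Server logs failed logins as error 18456; the "Error:" line precedes
# each "Login failed" line. The Error lines are shown only for the first two
# entries to keep the sample short.
SAMPLE_ERRORLOG = """\
2020-03-30 10:15:22.45 Logon       Error: 18456, Severity: 14, State: 8.
2020-03-30 10:15:22.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-30 10:15:23.10 Logon       Error: 18456, Severity: 14, State: 8.
2020-03-30 10:15:23.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-30 10:15:23.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-30 10:15:24.30 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2020-03-30 10:15:24.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-30 10:15:25.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-30 10:20:05.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2020-03-30 10:31:40.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2020-03-30 10:40:01.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

# Matches the "Login failed" line and pulls out timestamp, login name and client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]\s]+)\]"
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, login_name, client_ip) for each failed login."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failures per client address.

    Returns {client_ip: (max_failures_in_window, sorted_login_names)} for every
    client that reached `threshold` failed logins inside any `window`.
    Threshold and window are assumed values; tune them to the server's normal traffic.
    """
    by_client = defaultdict(list)
    for ts, user, client in events:
        by_client[client].append((ts, user))

    hits = {}
    for client, attempts in by_client.items():
        attempts.sort()
        best, users, start = 0, set(), 0
        for end, (ts, _) in enumerate(attempts):
            # Advance the window start until all attempts in [start, end] fit in `window`.
            while ts - attempts[start][0] > window:
                start += 1
            n = end - start + 1
            if n >= threshold:
                best = max(best, n)
                users.update(u for _, u in attempts[start:end + 1])
        if best:
            hits[client] = (best, sorted(users))
    return hits


if __name__ == "__main__":
    found = find_bruteforce_sources(parse_failed_logins(SAMPLE_ERRORLOG))
    for client, (count, users) in found.items():
        print(f"possible brute force from {client}: {count} failures in one minute, logins tried: {users}")
```

The two addresses with one or two scattered failures stay below the threshold; only the source that hammers the login in seconds is reported. Real ERRORLOG files should be read from the instance's log directory (or via `sp_readerrorlog`), and the flagged addresses compared against the segmentation allow-list the researchers recommend: any flagged client that is not an authorised application host is a sign the database port is reachable from where it should not be.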

"We dubbed the campaign Vollgar after the Vollar cryptocurrency it mines and its offensive, vulgar behaviour," Ophir Harpaz, a cyber security researcher at Guardicore, said in an online post.

According to Harpaz, the operators behind the Vollgar campaign initially used more than 120 IP addresses to launch attacks, with the majority of the IPs located in China. The researchers believe those IPs were most likely infected machines that the hackers repurposed to search for and infect new victims.

Throughout the campaign, the hackers were observed using two command-and-control (C&C) servers. These C&C servers enabled the threat group to download files, run keyloggers, use infected servers to launch distributed denial of service (DDoS) attacks and to carry out a variety of other malicious activities.

The main C&C server used by the group ran a MS-SQL database as well as a Tomcat web server. It was tracked to China and found to be compromised by more than one attack group.

Nearly 60 per cent of the compromised servers remained infected for only a short period of time (up to two days), Harpaz said, but 20 per cent of the breached machines stayed infected for more than a week.

The researcher also noted that about 10 per cent of all victims were reinfected with the malware. This happened because administrators failed to remove all of the malware's modules during cleanup, leaving the door open for the hackers to reinstall it.

The industries specifically targeted by Vollgar group included aviation, IT, telecommunications, healthcare, and higher education organisations, mostly based in the US, India, South Korea, Turkey and China.

The researchers advise organisations not to expose their database servers to the internet.

"Instead, they need to be accessible to specific machines within the organisation through segmentation and whitelist access policies," the researchers explained.

"If infected, we highly recommend immediately quarantining the infected machine and preventing it from accessing other assets in the network. It is also important to change all your MS-SQL user account passwords to strong passwords, to avoid being reinfected by this or other brute force attacks."