SQL Server vulnerability - hackers using legitimate utility for fileless persistence

Hackers leverage legitimate utility to achieve fileless persistence on targeted SQL Servers


The cyber actors behind the campaign are using brute force attacks for initial breach, according to Microsoft

Microsoft researchers have discovered a malicious campaign targeting Microsoft SQL (MSSQL) Server that exploits a built-in PowerShell utility to achieve persistence on compromised machines.

The cyber actors behind the campaign are using brute force attacks for the initial breach and then weaponising the built-in sqlps.exe module to seize full control of the SQL Server instance, the Microsoft Security Intelligence team said in a series of tweets, without naming the attackers.

The sqlps.exe tool, which ships with every SQL Server version, lets SQL Server Agent run job steps through the PowerShell subsystem.

"The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem," the Microsoft researchers noted.

In addition, the attackers have been seen using the same utility to create a new account with the administrator role, which gives them complete control of the SQL Server instance. From there they can carry out further activity, such as delivering payloads like cryptocurrency miners.
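The behaviours described above (sqlps.exe launching reconnaissance tools, reconfiguring the SQL service, and creating a privileged login) can be triaged from process-creation telemetry. The following is an added detection example, not code from the article or from Microsoft: the events are constructed, the field names loosely follow Sysmon event ID 1 but are an assumption, and the keyword lists are a starting point that a real deployment would tune against its own baseline, since legitimate Agent jobs also spawn sqlps.exe.

```python
"""Triage process-creation events for suspicious sqlps.exe activity.

Added example, not code from the article or from Microsoft. The events below
are constructed for illustration; the field names (image, parent_image,
command_line) loosely follow Sysmon event ID 1 but are an assumption, as are
the keyword lists.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the process that spawned it
    command_line: str


# Built-in enumeration tools that a scheduled Agent job rarely needs to launch
# from its PowerShell host (assumed list).
RECON_BINARIES = {
    "whoami.exe", "net.exe", "net1.exe", "ipconfig.exe",
    "systeminfo.exe", "tasklist.exe", "nltest.exe", "hostname.exe",
}

# Command-line patterns for the two actions the article attributes to the
# campaign: reconfiguring the SQL service and creating a privileged login.
SUSPICIOUS_CMDLINE = [
    (re.compile(r"\bsc(?:\.exe)?\s+config\b.*\b(?:start|obj)=", re.I), "service-config-change"),
    (re.compile(r"\bSet-Service\b.*-Start(?:upType|Mode)\b", re.I), "service-config-change"),
    (re.compile(r"\bCREATE\s+LOGIN\b", re.I), "new-login"),
    (re.compile(r"sp_addsrvrolemember|ALTER\s+SERVER\s+ROLE\s+sysadmin", re.I), "sysadmin-grant"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> List[str]:
    """Return the finding tags for one event; an empty list means nothing notable."""
    findings: List[str] = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if parent == "sqlps.exe" and image in RECON_BINARIES:
        findings.append("recon-from-sqlps")
    if "sqlps.exe" in (image, parent):
        for pattern, tag in SUSPICIOUS_CMDLINE:
            if pattern.search(ev.command_line):
                findings.append(tag)
    return findings


def scan(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Pair each event index with its findings, keeping only events that hit."""
    hits = []
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed paths for the SQL Server binaries (assumed default install layout).
BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"
SQLPS = BINN + r"\sqlps.exe"

# Constructed telemetry: a benign Agent job step, then the three behaviours.
SAMPLE_EVENTS = [
    ProcessEvent(SQLPS, BINN + r"\sqlservr.exe",
                 'sqlps.exe -NoLogo -NoProfile -Command "Invoke-Sqlcmd -Query \'EXEC dbo.usp_nightly_maintenance\'"'),
    ProcessEvent(r"C:\Windows\System32\whoami.exe", SQLPS, "whoami /all"),
    ProcessEvent(r"C:\Windows\System32\sc.exe", SQLPS,
                 "sc config MSSQLSERVER obj= LocalSystem start= auto"),
    ProcessEvent(SQLPS, BINN + r"\sqlservr.exe",
                 "sqlps.exe -Command \"Invoke-Sqlcmd -Query 'CREATE LOGIN svc_maint WITH PASSWORD=''<placeholder>''; "
                 "ALTER SERVER ROLE sysadmin ADD MEMBER svc_maint'\""),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(tags)}")
```

The first sample event deliberately produces no finding: sqlservr.exe spawning sqlps.exe is what a normal Agent PowerShell job step looks like, so alerting on the wrapper alone would be noisy. The signal is in what the wrapper goes on to do.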

Microsoft is tracking the malware under the name "SuspSQLUsage."

"The use of this uncommon living-off-the-land binary (LOLBin) highlights the importance of gaining full visibility into the runtime behaviour of scripts in order to expose malicious code," Microsoft said.

Hackers often use legitimate applications as vectors for attacks. The strategy has the benefit of leaving no traces on the targeted machine and being less likely to be discovered by anti-malware scanners, because the software is trusted.

In March, similar attacks against MS SQL Server were detected in which attackers tried to deploy the Gh0stCringe (aka CirenegRAT) remote access trojan.

In order to protect their MS SQL Server instances against such attacks, it is recommended that administrators do not expose the machines to the Internet, use a strong administrator password that cannot be easily guessed or brute-forced, and put the server behind a firewall.

SQL Server has been targeted for years as part of large-scale campaigns in which malicious actors use the database as a way in.

In February, researchers at AhnLab Security Emergency Response Center (ASEC) warned that hackers were trying to deploy the Cobalt Strike adversary simulation tool on vulnerable internet-facing SQL Server instances in efforts to steal confidential information from compromised machines.

The researchers said that the attackers looking to hack SQL Server typically scan port 1433 to check for instances that are publicly available. Then they attempt to log in using brute force or dictionary attacks against the admin account.
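The brute-force and dictionary attacks described above leave a trail in the SQL Server error log, which records each failed login (error 18456) together with the client address. The following is an added detection example, not code from the article or from ASEC: the log lines are constructed to imitate that format, and the threshold and time window are assumed values to tune for a given environment.

```python
"""Spot password guessing against a SQL Server instance from its error log.

Added example, not code from the article or from ASEC. The log lines below are
constructed; they imitate the "Login failed for user" entries SQL Server
writes for error 18456, and the threshold and window are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, Tuple

# Matches the message line SQL Server writes for a failed login. The preceding
# "Error: 18456, Severity: 14, State: ..." line carries no client address and
# is skipped by this pattern.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failures(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, login name, client address) for each failed login."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"], m["ip"]


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Return, per client address that reached `threshold` failures inside any
    `window`, the peak failure count observed and the login names it tried."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)      # ip -> login names attempted
    flagged: Dict[str, dict] = {}
    for ts, user, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(ip, {}).get("peak", 0))
            flagged[ip] = {"peak": peak, "users": sorted(tried[ip])}
    return flagged


def _failed_login(ts: str, user: str, ip: str) -> str:
    """Build one constructed error-log line in the 18456 message format."""
    return (f"{ts} Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {ip}]")


# Constructed error-log excerpt: one source hammering 'sa' (plus one guess at
# 'admin') within a few seconds, and one unrelated single failure.
SAMPLE_LOG = [
    "2022-05-17 10:00:00.50 Server      SQL Server is now ready for client connections.",
    "2022-05-17 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.",
    _failed_login("2022-05-17 10:00:01.10", "sa", "203.0.113.5"),
    _failed_login("2022-05-17 10:00:03.42", "sa", "203.0.113.5"),
    _failed_login("2022-05-17 10:00:05.07", "sa", "203.0.113.5"),
    _failed_login("2022-05-17 10:00:07.88", "admin", "203.0.113.5"),
    _failed_login("2022-05-17 10:00:09.13", "sa", "203.0.113.5"),
    _failed_login("2022-05-17 10:00:11.60", "sa", "203.0.113.5"),
    _failed_login("2022-05-17 10:00:30.00", "backup_svc", "198.51.100.7"),
    "2022-05-17 10:00:40.00 spid52      Starting up database 'tempdb'.",
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak']} failures in window, logins tried: {info['users']}")
```

A sliding window is used rather than a simple count so that a handful of genuine mistypes spread over a day do not trip the rule, while a burst from one address does. Feeding the output into a firewall block list or an alert is the natural next step; this block stops at producing the finding.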
