Microsoft researchers have discovered a malicious campaign targeting Microsoft SQL (MSSQL) servers that abuses the built-in PowerShell utility sqlps.exe to achieve fileless persistence on compromised machines.
The actors behind the campaign used brute-force attacks for the initial compromise and then weaponized the sqlps.exe utility to take full control of the SQL Server instance, the Microsoft Security Intelligence team said in a series of tweets, without naming the attackers.
The sqlps.exe tool, which ships with all versions of SQL Server, allows the SQL Server Agent to run jobs using the PowerShell subsystem.
“Attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem,” said Microsoft researchers.
In addition, attackers were observed using the same utility to create a new administrator account, giving them full control over the SQL Server instance. From there they can carry out further actions, such as delivering payloads like coin miners.
Microsoft recently observed a campaign targeting SQL servers that, like many attacks, uses brute-force methods for initial compromise. What sets this campaign apart is the use of the built-in sqlps.exe utility.
– Microsoft Security Intelligence (@MsftSecIntel) May 17, 2022
Microsoft tracks the malware under the name “SuspSQLUsage”.
Attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem. pic.twitter.com/Tro0NfMD0j
– Microsoft Security Intelligence (@MsftSecIntel) May 17, 2022
“The use of this uncommon living-off-the-land binary (LOLBin) highlights the importance of gaining full visibility into script behavior at runtime to detect malicious code,” said Microsoft.
Attackers often use legitimate applications as attack vectors. The strategy has the advantage of leaving no traces on the target machine and is less likely to be flagged by anti-malware scanners, since the software is trusted.
Similar attacks were launched against MS SQL Server in March, in which attackers attempted to implant the Gh0stCringe remote access trojan (also known as CirenegRAT).
To protect MS SQL Server instances from such attacks, administrators are advised not to expose the machines to the Internet, to use a strong administrator password that cannot be easily guessed or brute-forced, and to place the server behind a firewall.
SQL Server has been targeted for years in large-scale campaigns in which threat actors use the database server as an entry point.
In February, researchers at the AhnLab Security Emergency Response Center (ASEC) warned that attackers were attempting to deploy the Cobalt Strike adversary simulation tool on vulnerable Internet-facing SQL Server instances in an effort to steal sensitive information from compromised machines.
Researchers said attackers seeking to compromise SQL Server typically scan port 1433 for publicly reachable instances. They then attempt to log in using brute-force or dictionary attacks against the administrator account.
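The behaviors Microsoft describes (sqlps.exe spawned by the SQL Server process, recon commands, a service start-mode change, and a new local administrator account) are all visible in ordinary process-creation telemetry such as Sysmon Event ID 1 or Windows event 4688. The following detection logic is an added example written for this article, not Microsoft's detection or anything from the campaign; the event records, host names, file paths and command lines are constructed to illustrate the pattern, and the field names (`parent`, `image`, `cmdline`) are an assumed normalized schema rather than any product's native format. A lone sqlps.exe launch is treated as weak evidence, since legitimate Agent jobs use it too; a host is only flagged when several independent indicators line up.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample events (not real captures) in a normalized process-creation shape.
SQL_BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"
SQLPS = r"C:\Program Files\Microsoft SQL Server\150\Tools\Binn\sqlps.exe"
SAMPLE_EVENTS = [
    # db01: recon, start-mode change, then account creation, all chained off sqlps.exe
    {"ts": "2022-05-17T10:01:03Z", "host": "db01", "parent": SQL_BINN + r"\sqlservr.exe",
     "image": SQLPS, "cmdline": 'sqlps.exe -NoLogo -Command "whoami; hostname; Get-Service MSSQLSERVER"'},
    {"ts": "2022-05-17T10:01:09Z", "host": "db01", "parent": SQL_BINN + r"\sqlservr.exe",
     "image": SQLPS, "cmdline": 'sqlps.exe -Command "Set-Service -Name MSSQLSERVER -StartupType Automatic"'},
    {"ts": "2022-05-17T10:01:15Z", "host": "db01", "parent": SQLPS,
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user svc_bak <constructed-password> /add"},
    {"ts": "2022-05-17T10:01:16Z", "host": "db01", "parent": SQLPS,
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup administrators svc_bak /add"},
    # db02: a routine Agent job that also runs through sqlps.exe (benign)
    {"ts": "2022-05-17T11:30:00Z", "host": "db02", "parent": SQL_BINN + r"\SQLAGENT.EXE",
     "image": SQLPS, "cmdline": "sqlps.exe -Command \"Invoke-Sqlcmd -Query 'BACKUP DATABASE sales TO DISK = N''E:\\bak\\sales.bak'''\""},
]

SQL_PARENTS = {"sqlservr.exe", "sqlagent.exe"}
RECON_RE = re.compile(r"\b(whoami|hostname|systeminfo|ipconfig|net\s+view|Get-Service)\b", re.I)
STARTMODE_RE = re.compile(r"(Set-Service\b.*-StartupType|sc(\.exe)?\s+config\b.*\bstart=)", re.I)
ACCOUNT_ADD_RE = re.compile(r"\bnet(1)?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)
ADMIN_ADD_RE = re.compile(r"\bnet(1)?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> Set[str]:
    """Return the set of indicator names a single process-creation event triggers."""
    hits: Set[str] = set()
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    if img == "sqlps.exe" and parent in SQL_PARENTS:
        hits.add("sqlps_spawned_by_sql")          # weak on its own: Agent jobs do this
        if RECON_RE.search(cmd):
            hits.add("recon_via_sqlps")
        if STARTMODE_RE.search(cmd):
            hits.add("service_startmode_change")
    if parent == "sqlps.exe":                     # children of the PowerShell wrapper
        if ACCOUNT_ADD_RE.search(cmd):
            hits.add("local_account_created")
        if ADMIN_ADD_RE.search(cmd):
            hits.add("added_to_administrators")
    return hits


def score_hosts(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Union of indicators observed per host."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return dict(per_host)


def suspicious_hosts(events: Iterable[dict], min_indicators: int = 2) -> List[str]:
    """Hosts with at least `min_indicators` strong indicators beyond the bare sqlps.exe launch."""
    return sorted(host for host, inds in score_hosts(events).items()
                  if len(inds - {"sqlps_spawned_by_sql"}) >= min_indicators)


if __name__ == "__main__":
    for host, inds in score_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(inds))
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

The threshold of two strong indicators is a tuning choice: on db02 the Agent backup job only produces the weak `sqlps_spawned_by_sql` signal and is left alone, while db01 trips recon, start-mode change and account creation in the same minute. In a real pipeline the same classifier would be fed by the SIEM's process-creation stream and the per-host union would be bounded by a time window rather than the whole batch.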
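Because every campaign described here starts with password guessing against an exposed instance, the SQL Server error log is the first place a defender can see it: each failed login is written as an `Error: 18456` pair of lines that names the login and the client address. The script below is an added example, not part of the article or any vendor tooling; the log lines are constructed in the standard ERRORLOG layout, and the one-minute window and threshold of five failures are assumed tuning values. It groups failures by client IP, measures the peak number of failures inside a sliding window, and distinguishes hammering a single account from cycling through many logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed ERRORLOG excerpt (not a real capture). One noisy client guesses 'sa'
# eight times in 15 seconds; an admin at 10.0.0.5 mistypes a password twice, 20 minutes apart.
SAMPLE_ERRORLOG = """\
2022-05-17 09:41:12.00 Logon       Error: 18456, Severity: 14, State: 8.
2022-05-17 09:41:12.00 Logon       Login failed for user 'dba'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2022-05-17 10:00:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2022-05-17 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-05-17 10:00:03.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-05-17 10:00:05.47 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-05-17 10:00:07.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-05-17 10:00:09.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-05-17 10:00:11.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-05-17 10:00:13.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-05-17 10:00:15.99 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2022-05-17 10:02:30.55 Logon       Login failed for user 'dba'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2022-05-17 10:02:41.00 spid52      Starting up database 'sales'.
""".splitlines()

LOGIN_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]\s]+)\]")


def parse_failures(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, client_ip, login_name) from 'Login failed' lines; other lines are ignored."""
    out = []
    for line in lines:
        m = LOGIN_FAIL_RE.search(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["ip"], m["user"]))
    return out


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> Dict[str, dict]:
    """Flag client IPs whose failed logins reach `threshold` inside any `window`-long span."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    alerts: Dict[str, dict] = {}
    for ip, rows in by_ip.items():
        rows.sort()
        recent: deque = deque()   # timestamps inside the current sliding window
        peak = 0
        for ts, _ in rows:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            users = sorted({u for _, u in rows})
            alerts[ip] = {
                "failures": len(rows),
                "peak_in_window": peak,
                "users": users,
                # many distinct logins from one client looks like a dictionary/spray run
                "pattern": "dictionary attack (many logins)" if len(users) > 1 else "single-account brute force",
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(ip, info)
```

Running it against the constructed excerpt reports only 198.51.100.23 (eight failures, all against `sa`); the two spaced-out admin mistakes from 10.0.0.5 never reach the threshold. The same per-IP result feeds naturally into the mitigations the article lists: a firewall rule or fail2ban-style block for the offending address, and a review of whether the instance needed to be reachable on 1433 from that network at all.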
https://www.computing.co.uk/news/4049946/sql-server-vulnerability-hackers-legitimate-utility-fileless-persistence