Microsoft warns of brute force attacks targeting Internet-exposed and poorly secured Microsoft SQL Server (MSSQL) database servers using weak passwords.

The attackers are using the legitimate sqlps[.]exe tool as a Living-Off-the-Land Binary (LOLBin). Through sqlps[.]exe (a PowerShell wrapper for running SQL Server cmdlets) they execute reconnaissance commands and change the SQL service’s start mode to LocalSystem. To gain full control of the SQL server, the attackers then use sqlps[.]exe to create a new account with the sysadmin role.

The SQLPS tool ships with Microsoft SQL Server and loads the SQL Server cmdlets; used as a LOLBin, it lets the attacker run PowerShell commands without being detected, enabling fileless persistence. SQLPS also helps evade detection by bypassing Script Block Logging, the PowerShell feature that records cmdlet operations to the Windows event log.

Recommendations

  • Use a strong admin password that cannot be guessed or brute-forced easily, and place the server behind a firewall.
  • Enable logging to monitor for suspicious or unexpected activity and for recurring login attempts.
  • Apply the latest security updates to reduce the attack surface and block attacks that exploit known vulnerabilities.
  • Monitor the network for beaconing traffic to detect data exfiltration by malware or threat actors (TAs).

Administrators must not expose their MSSQL servers to the Internet, use a strong admin password that cannot be guessed or brute-forced, and place the server behind a firewall to protect against such attacks.
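The "enable logging" recommendation above only helps if someone actually looks for the recurring login failures that precede a sysadmin takeover. The script below is an added example, not code from the original post or from Microsoft: it parses constructed lines in the style of SQL Server's ERRORLOG login-audit entries (the same text that reaches the Windows Application log as event 18456), flags any client address that produces a burst of failed logins inside a sliding window, and marks the stronger signal of a successful login from that same source afterwards. The threshold, window and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resembling SQL Server ERRORLOG login-audit lines.
# Addresses come from documentation ranges; nothing here is real data.
SAMPLE_LOG = """\
2024-05-01 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2024-05-01 10:00:01.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2024-05-01 10:00:02.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.10]
2024-05-01 10:00:03.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2024-05-01 10:00:03.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2024-05-01 10:00:04.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2024-05-01 10:00:05.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.10]
2024-05-01 10:02:15.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.5]
2024-05-01 10:09:00.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon +Login "
    r"(?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse(log_text):
    """Yield (timestamp, client, user, outcome) for each recognised login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["client"], m["user"], m["outcome"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client: {"failures": n, "success_after_failures": bool}} for every
    client that reaches `threshold` failed logins within a sliding `window`.
    Counting per client (not per user) also catches password spraying."""
    recent = defaultdict(list)   # client -> failure timestamps still inside the window
    alerts = {}
    for ts, client, user, outcome in parse(log_text):
        if outcome == "failed":
            q = recent[client]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that aged out
                q.pop(0)
            if len(q) >= threshold:
                a = alerts.setdefault(client, {"failures": 0, "success_after_failures": False})
                a["failures"] = max(a["failures"], len(q))
        elif client in alerts:
            # A success from a source already flagged means a guessed password worked.
            alerts[client]["success_after_failures"] = True
    return alerts
```

A flagged client with `success_after_failures` set should be treated as a probable compromise and checked for new sysadmin-role logins and sqlps.exe activity, not just blocked at the firewall.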

Reference: https://www.bleepingcomputer.com/news/security/microsoft-warns-of-brute-force-attacks-targeting-mssql-servers/
