Microsoft warns of brute-force attacks targeting Internet-exposed, poorly secured Microsoft SQL Server (MSSQL) database servers that use weak passwords.
The attackers use the legitimate sqlps[.]exe tool as a Living-Off-the-Land Binary (LOLBin). With this utility (a PowerShell wrapper for running SQL Server cmdlets) they execute reconnaissance commands and change the SQL service's start mode to LocalSystem. To gain full control of the SQL Server, the attackers then use sqlps[.]exe to create a new account with the sysadmin role.
The SQLPS tool ships with Microsoft SQL Server and loads the SQL Server cmdlets. Abused as a LOLBin, it lets the attackers run PowerShell commands without being detected, giving them fileless persistence. Furthermore, SQLPS can evade detection by bypassing Script Block Logging, the PowerShell feature that records cmdlet operations in the Windows event log.
Recommendations
- Use a strong admin password that cannot be guessed or brute-forced easily, and place the server behind a firewall
- Enable logging to monitor for suspicious or unexpected activity and for recurring login attempts
- Apply the latest security updates to decrease the attack surface and block attacks that leverage exploits for known vulnerabilities
- Monitor for beaconing at the network level to prevent data exfiltration by malware or threat actors (TAs)
Administrators should not expose their MSSQL servers to the Internet; they should use a strong admin password that cannot be guessed or brute-forced and place the server behind a firewall to protect against such attacks.
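The logging recommendation above is only useful if someone reads the logs. The following added example (not from Microsoft's advisory or any vendor tool) parses lines in the style of the SQL Server ERRORLOG, counts failed logins per client address in a sliding window, and flags a client that crosses a threshold and then logs in successfully, which is the pattern a successful password guess leaves behind. The sample lines, the one-minute window and the threshold of five are constructed assumptions; tune them to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of SQL Server's ERRORLOG (not real data).
SAMPLE_ERRORLOG = """\
2022-05-17 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-17 10:15:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-17 10:15:01.58 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2022-05-17 10:15:01.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-17 10:15:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-17 10:15:02.20 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2022-05-17 10:20:44.10 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+Login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_logon_events(text):
    """Return (timestamp, result, user, client) for every Logon line that matches."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["result"], m["user"], m["client"]))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with `threshold` or more failed logins inside `window`.

    Also records whether the same client later logged in successfully,
    which suggests the guessed password worked."""
    failures = defaultdict(list)  # client -> timestamps of recent failures
    alerts = {}
    for ts, result, user, client in events:
        if result == "failed":
            recent = failures[client]
            recent.append(ts)
            while recent and ts - recent[0] > window:  # slide the window forward
                recent.pop(0)
            if len(recent) >= threshold:
                entry = alerts.setdefault(client, {"failed": 0, "success_after": False})
                entry["failed"] = max(entry["failed"], len(recent))
        elif client in alerts:
            alerts[client]["success_after"] = True
    return alerts
```

On a live system feed the same parser with the current ERRORLOG (or the Application log entries for event 18456) and treat a client that trips the threshold and then succeeds as an incident, not just a noisy address.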