Unidentified threat actors are using brute-force attacks to break into poorly protected Microsoft SQL Server databases that are exposed to the Internet.
The Redmond software giant has issued a warning explaining how databases with weak passwords are being compromised:
“Attackers achieve fileless persistence by spawning sqlps.exe, a PowerShell wrapper for running built-in SQL cmdlets, to run reconnaissance commands and to change the start mode of the SQL service to LocalSystem,” the Microsoft Security Intelligence team said.
In other words, attackers are using sqlps.exe, a legitimate program rather than malware, as a Living Off The Land binary (LOLBin).
“Attackers also use sqlps.exe to create a new account, which they add to the system administrator role, allowing them to take full control of the SQL server. They are then able to perform other activities, including deploying payloads such as coin miners.”
Sqlps is a utility bundled with Microsoft SQL Server that lets users load the SQL Server cmdlets. It is reported that by using the tool as a LOLBin, attackers can run PowerShell commands without being detected by antivirus programs or similar security solutions.
Moreover, the tool leaves almost no traces, because it bypasses script block logging.
System administrators can do a number of things to protect their environments from such attacks, first and foremost by not exposing the database online. If the database must be reachable from the Internet, the next best defence is a strong password that cannot be guessed or brute-forced. That means a password of at least eight characters, mixing uppercase and lowercase letters, numbers and symbols.
In addition, administrators are encouraged to host the server behind a firewall.
Finally, they should enable logging and monitor for suspicious or unexpected activity, including repeated failed login attempts.
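As an added illustration of that last recommendation (this code is not from the Microsoft advisory or the original article), the Python script below parses logon lines in the SQL Server ERRORLOG format and flags any client that racks up repeated failures in a short window, and in particular a client whose burst of failures is followed by a successful login. The sample lines, the threshold of three failures and the 60-second window are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of the SQL Server ERRORLOG (not a real capture).
# 203.0.113.5 hammers 'sa' and finally gets in; 10.0.0.8 is a single mistyped password.
SAMPLE_ERRORLOG = """\
2022-05-18 10:00:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 10:00:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 10:00:03.57 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 10:00:05.88 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2022-05-18 10:07:12.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_events(text):
    """Parse ERRORLOG text into a time-ordered list of logon events (other lines are ignored)."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "ok": m["result"] == "succeeded",
                "user": m["user"],
                "client": m["client"],
            })
    return sorted(events, key=lambda e: e["ts"])

def detect_brute_force(events, threshold=3, window=timedelta(seconds=60)):
    """Return (bursting, succeeded_after_burst): clients with >= threshold failures inside a
    sliding window (mapped to the peak count), and the subset that then logged in successfully."""
    recent = defaultdict(list)           # client -> timestamps of failures still inside the window
    bursting, succeeded_after_burst = {}, set()
    for ev in events:
        fails = [t for t in recent[ev["client"]] if ev["ts"] - t <= window]
        if ev["ok"]:
            if len(fails) >= threshold:  # a guessed password is the likeliest explanation
                succeeded_after_burst.add(ev["client"])
        else:
            fails.append(ev["ts"])
            if len(fails) >= threshold:
                bursting[ev["client"]] = max(bursting.get(ev["client"], 0), len(fails))
        recent[ev["client"]] = fails
    return bursting, succeeded_after_burst
```

Running `detect_brute_force(parse_logon_events(SAMPLE_ERRORLOG))` on the sample flags 203.0.113.5 as both a brute-force source and a successful login after the burst, while the single failure from 10.0.0.8 stays below the threshold.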