Unknown malicious actors use brute force attacks to attempt to gain access to poorly secured Microsoft SQL Server databases exposed to the Internet.
The Redmond software giant issued a warning explaining how databases with weak passwords could be compromised:
“Attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper to run SQL cmdlets, to run reconnaissance commands, and to change the SQL service startup mode to LocalSystem,” Microsoft Security Intelligence said.
In other words, attackers use sqlps.exe, a legitimate program rather than malware, as a Living Off The Land Binary (LOLBin).
“Attackers also use sqlps.exe to create a new account which they add to the sysadmin role, allowing them to take full control of the SQL server. They then gain the ability to perform other actions, including deploying payloads like coin miners.”
Sqlps is a tool included with Microsoft SQL Server that allows users to load SQL Server cmdlets. BleepingComputer reports that by using the tool as a LOLBin, attackers can execute PowerShell commands without being detected by antivirus programs or similar security solutions.
Moreover, the tool leaves almost no trace, as it bypasses script block logging.
System administrators can do a number of things to defend their servers against such attacks, first and foremost by not exposing them to the Internet. If the database must be reachable online, the next best defence is a strong password that cannot be guessed or brute-forced: at least eight characters, mixing upper and lower case letters, numbers and symbols.
Additionally, administrators are advised to place the server behind a firewall.
Finally, they can enable logging and monitor for suspicious or unexpected activity, such as repeated login attempts.