
Cybersecurity Threat Advisory 0026-20: Hackers Targeting Microsoft SQL Servers

Advisory Overview

A new brute-force hacking campaign called “Vollgar” targets Microsoft SQL Servers that have weak passwords. The campaign installs a malicious payload that steals information, gives the attackers remote control of the host, and hides its own activity. SKOUT has provided a link to a script that companies can use to check whether they are infected in the recommendations section below. SKOUT also recommends implementing strong passwords and multi-factor authentication.

Technical detail and additional information

What is the threat?

A malware campaign targeting Windows machines running MS-SQL servers has been uncovered, and according to researchers has been ongoing for almost two years.

The campaign, called “Vollgar”, has targeted insecure SQL servers with weak credentials using brute-force attacks. After gaining access to these insecure SQL servers, the malicious actors create several unauthorized users with elevated privileges on the underlying operating system. Once this is done, the attackers create three downloader scripts (one FTP script and two VBS scripts) that carry out the rest of the process, each executed multiple times from different locations on the file system. At this point, one of the initial payloads kills a long list of processes to free up system resources and eliminate other threat actors’ activity, as well as to mask the attackers’ own presence on the system. This payload also acts as a dropper for several remote access trojans (RATs) and crypto miners, including VDS or Vollar, the namesake of the campaign.
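The brute-force stage described above leaves a characteristic trace on the victim: a burst of failed logins (SQL Server error 18456) from one client address, sometimes followed by a successful login from the same address once a weak password has been guessed. The following detector is an added example written for this advisory; it is not SKOUT's or Guardicore's code and is unrelated to the compromise-check script linked below. It assumes the default SQL Server ERRORLOG text layout (timestamp, source column, message, with a trailing `[CLIENT: <ip>]` tag on login messages) and uses constructed sample lines; the threshold and window values are illustrative choices.

```python
"""Flag password-guessing bursts against SQL Server from ERRORLOG lines.

Added example, not code from the advisory. Assumes the default ERRORLOG
format: "<timestamp> Logon  Login failed for user '<name>'. ... [CLIENT: <ip>]".
The sample log below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches both failed and successful login messages on the Logon source.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample: six failures for 'sa' from one client in a few seconds,
# then a success from that client; one unrelated failure from another host.
SAMPLE_LOG = """\
2020-04-01 08:00:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-01 08:00:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-04-01 08:00:01.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-04-01 08:00:02.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-04-01 08:00:02.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-04-01 08:00:03.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-04-01 08:00:04.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-04-01 08:00:05.80 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.10]
2020-04-01 09:15:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2020-04-01 09:30:00.00 spid52      Using 'dbghelp.dll' version '4.0.5'
"""


def parse_login_events(text):
    """Return a list of login events (timestamp, outcome, user, client)."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # "Error: 18456" header lines and non-logon lines are skipped
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ok": m["result"] == "succeeded",
            "user": m["user"],
            "client": m["client"],
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {client: finding} for clients with >= threshold failed logins
    inside any sliding window, noting whether a success followed the burst."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    findings = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        start, burst_end = 0, None
        for i, e in enumerate(fails):
            # Slide the window start forward until it spans at most `window`.
            while e["ts"] - fails[start]["ts"] > window:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = e["ts"]
                break
        if burst_end is None:
            continue
        findings[client] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            # A success after the burst is the strongest sign a guess landed.
            "success_after_burst": any(e["ok"] and e["ts"] >= burst_end for e in evs),
        }
    return findings


if __name__ == "__main__":
    for client, info in find_bruteforce(parse_login_events(SAMPLE_LOG)).items():
        print(client, info)
```

On a real host the function would be fed the ERRORLOG file (or the equivalent events from the Windows Application log); a client that both exceeds the failure threshold and then succeeds is the case to treat as a likely compromise rather than just noise, and is the point at which the compromise-check script linked in the recommendations should be run.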

Why is this noteworthy?

MS-SQL servers are used by organizations of all sizes for a wide variety of purposes. This campaign affects SQL servers with weak passwords that can easily be brute forced, which is a particular concern for smaller businesses, which tend to have weaker security configurations. Microsoft SQL servers can contain massive amounts of valuable and confidential information, and unauthorized access to these databases could do a tremendous amount of damage to a company and its internal network. If a threat actor gains access to one of these servers and is able to avoid detection, they will likely be able to maintain persistence on the network for an extended period of time. Compromised SQL servers can result in data corruption, unauthorized data exfiltration, and remote access capabilities for malicious actors.

What is the exposure or risk?

Researchers have stated that the Vollgar campaign has managed to infect around 2,000-3,000 vulnerable SQL servers per day in the past few weeks. Servers belonging to organizations of all sizes, regardless of industry, have been affected by this campaign. Successful infection of a server grants multiple remote-control capabilities to the threat actors, including screen capturing, keylogging, DDoS (Distributed Denial of Service) attacks, camera and microphone access, and remote file download/execution.

What are the recommendations?

A script has been released that allows users to detect whether their SQL servers have been compromised by this attack (link provided below). Additionally, SQL servers should be protected by strong authentication. Servers should enforce strong passwords (at least 12 characters, including lower-case and upper-case letters, numbers, and special symbols) and use multi-factor authentication where possible.

Script to Check for Compromise: https://github.com/guardicore/labs_campaigns/tree/master/Vollgar

References:

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.