Brute-force attacks targeting MSSQL servers, Microsoft warns
Internet-facing servers under assault
Unknown threat actors are using brute-force attacks to try to get into poorly secured, internet-exposed Microsoft SQL Server databases.
The Redmond software giant has issued a warning explaining how databases with weak passwords might get compromised:
“The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem,” the Microsoft Security Intelligence team revealed.
Servers targeted
In other words, the attackers are using the sqlps.exe tool, which is a legitimate program, and not malware, as a Living Off The Land Binary (LOLBin).
“The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, enabling them to take full control of the SQL server. They then gain the ability to perform other actions, including deploying payloads like coin miners.”
Sqlps is a tool that comes bundled with Microsoft SQL Server, and allows users to load SQL Server cmdlets. Bleeping Computer claims that by using the tool as a LOLBin, attackers can run PowerShell commands without being detected by antivirus programs or similar cybersecurity solutions.
What’s more, the tool leaves almost no traces, as it bypasses Script Block Logging.
System administrators can do a number of things to defend their premises from such attacks, first and foremost by not exposing the servers to the internet. If the database must be online, the second-best solution is a strong password that can’t be guessed or brute-forced. That means a password with at least eight characters, with both uppercase and lowercase letters, as well as numbers and symbols.
Also, admins are advised to place the server behind a firewall.
Finally, they can enable logging and keep an eye out for suspicious or unexpected activity, or recurring login attempts.
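A sketch of the "recurring login attempts" check, added here as an illustration and not taken from Microsoft or the original article: it scans SQL Server error log text for bursts of failed logins from one client and notes a success that follows. The sample lines are constructed, the threshold and window are assumed values, and success lines appear only when login auditing records both failed and successful logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server error log layout (documentation-range IPs).
SAMPLE_LOG = """\
2022-05-18 10:15:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2022-05-18 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 10:15:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 10:15:03.48 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2022-05-18 10:15:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 10:15:05.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-05-18 10:15:09.13 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2022-05-18 10:20:00.00 Logon       Login failed for user 'report'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2022-05-18 10:31:00.00 Logon       Login succeeded for user 'report'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins inside window; record a later success."""
    failures = defaultdict(deque)  # client -> timestamps of failures still inside the window
    tried = defaultdict(set)       # client -> every login name it attempted
    alerts = {}                    # client -> alert record, in order of first detection
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # e.g. the "Error: 18456" line that precedes each failure
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        client = m["client"]
        if m["result"] == "failed":
            q = failures[client]
            q.append(ts)
            tried[client].add(m["user"])
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and client not in alerts:
                alerts[client] = {"client": client, "users": tried[client], "success_after": None}
        elif client in alerts and alerts[client]["success_after"] is None:
            # A success from a client already flagged for guessing: treat as likely compromise.
            alerts[client]["success_after"] = (m["user"], ts.isoformat(sep=" "))
    return list(alerts.values())
```

A non-empty `success_after` is the case to escalate first, since it means the guessing was followed by a working login from the same address.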
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.