Hackers infects thousands of MS SQL servers with backdoors

[German]Unknown hackers are running a campaign (running since May 2018) against Microsoft SQL-Server. The group succeeds in providing thousands of these SQL servers with a backdoor every day. There seems to be a whole botnet of infected SQL servers running Remote Access Trojans and Crypto-Miner.


I became aware of this topic through the following tweet from Bleeping Computer, their article and this post from The Hacker News.

The hackers use brute force methods to compromise Microsoft SQL (MSSQL) servers and then install Crypto-Miner Remote Access Trojans (RATs). The Guardicore Security Researchers has detected the campaign, which has been running since May 2018, in December 2019. 

Currently 2,000 to 3,000 infections daily

Currently, between 2,000 and 3,000 MSSQL servers are still being infected and back-doored daily. "Having MS-SQL servers with weak permissions on the Internet is not the best approach," security researcher Ophir Harpaz of Guardicore says in a report. "This could explain how this campaign managed to infect about 3k database machines every day."

Vollgar campaign: Attacks from China?

The attacks of the Vollgar campaign come from about 120 IP addresses, mostly from China. These are most likely previously compromised MS SQL servers that are used as part of a botnet to search for and infect new potential targets.


While some of these bots only remain active for a very short time, security researchers have been observing dozens of attempted attacks on Guardicore's Global Sensors Network (GGSN) for more than three months.

The Guardicore security researchers have published a script that allows administrators to determine if any of their Windows MS-SQL servers are affected by this particular threat. More details can be found at Guardicore and in the linked articles.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *