[German]Unknown hackers are running a campaign (running since May 2018) against Microsoft SQL-Server. The group succeeds in providing thousands of these SQL servers with a backdoor every day. There seems to be a whole botnet of infected SQL servers running Remote Access Trojans and Crypto-Miner.
— BleepingComputer (@BleepinComputer) April 1, 2020
The hackers use brute force methods to compromise Microsoft SQL (MSSQL) servers and then install Crypto-Miner Remote Access Trojans (RATs). The Guardicore Security Researchers has detected the campaign, which has been running since May 2018, in December 2019.
Currently 2,000 to 3,000 infections daily
Currently, between 2,000 and 3,000 MSSQL servers are still being infected and back-doored daily. “Having MS-SQL servers with weak permissions on the Internet is not the best approach,” security researcher Ophir Harpaz of Guardicore says in a report. “This could explain how this campaign managed to infect about 3k database machines every day.”
Vollgar campaign: Attacks from China?
The attacks of the Vollgar campaign come from about 120 IP addresses, mostly from China. These are most likely previously compromised MS SQL servers that are used as part of a botnet to search for and infect new potential targets.
While some of these bots only remain active for a very short time, security researchers have been observing dozens of attempted attacks on Guardicore’s Global Sensors Network (GGSN) for more than three months.
The Guardicore security researchers have published a script that allows administrators to determine if any of their Windows MS-SQL servers are affected by this particular threat. More details can be found at Guardicore and in the linked articles.