The Microsoft security team is currently warning about a campaign in which unknown attackers are targeting Microsoft SQL databases. Access to the databases is obtained by brute force; what is new is that the campaign uses the sqlps.exe tool in conjunction with PowerShell scripts.
Description of the campaign
The information can be found in a series of tweets published by Microsoft Security Intelligence in recent days. According to the tweets, Microsoft's security team recently observed a campaign that specifically targets Microsoft SQL Server.
A brute force approach is used to crack password-protected access to the SQL database. This is nothing new; the approach has been used for years. What is new, according to Microsoft, is the use of the sqlps.exe tool, which ships with SQL Server, in conjunction with PowerShell scripts. sqlps.exe is a utility that starts a Windows PowerShell session with the SQL Server PowerShell provider and cmdlets loaded and registered. Users can enter PowerShell commands or scripts that use the SQL Server PowerShell components to work with instances of SQL Server and their objects.
Microsoft writes here that this feature will be removed in a future release of Microsoft SQL Server and that it should not be used in new development work.
Microsoft also gives the reason for using this utility. The attackers achieve so-called "fileless persistence" by launching sqlps.exe, a PowerShell wrapper for executing SQL cmdlets. They then issue commands to explore the database and try to change the SQL service startup mode to LocalSystem. The attackers also use sqlps.exe to create a new sysadmin account, which gives them full control over the SQL Server. This allows them to perform further actions, such as delivering payloads like crypto miners.
Monitor your PowerShell scripts
Microsoft writes that Defender normally monitors the use of PowerShell in a given environment. The sqlps.exe utility, which ships with all SQL Server versions, offers similar functionality for invoking a PowerShell session. With the technique outlined above, however, the attack leaves no trace, because Script Block Logging, which writes to the Windows Event Log, is bypassed.
According to Microsoft, the use of this unusual living-off-the-land binary (LOLBin) demonstrates the need to fully understand the runtime behavior of scripts in order to detect malicious code. Script execution via sqlps.exe should therefore also be monitored.
This runtime behavior of scripts can be analyzed via the Antimalware Scan Interface (AMSI), an open interface that allows applications to request a synchronous scan of a memory buffer by an antimalware product at runtime. Microsoft Defender Antivirus integrates with AMSI and detects this threat as Trojan:PowerShell/SuspSQLUsage.A.
Securing a SQL Server
In this article, the colleagues from Bleeping Computer give some more hints on what administrators can do to secure an SQL server.
In addition to the advice not to expose the SQL Server to the Internet, one should use a strong administrator password that cannot be cracked easily by brute force. The SQL Server should also be placed behind a firewall, and logging should be enabled to monitor suspicious or unexpected activity and repeated login attempts. It goes without saying that the SQL Server must be kept up to date with the latest patches.
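As an added example (not code from the article, from Microsoft or from Bleeping Computer), the following Python script shows the two monitoring points the text raises: repeated failed logins from one client address, which is the brute-force stage, and launches of sqlps.exe recorded as process-creation events, which is the script execution the article says should be monitored. The log lines are constructed for the example and only loosely modelled on SQL Server error-log "Login failed" entries and on Windows Security event 4688 rendered as one line each; the field names, file paths, threshold and time window are assumptions, not values from the article.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article). Each line is a timestamp followed
# by either a SQL Server style "Login failed" message with the client address, or a
# one-line rendering of a Windows Security 4688 process-creation event. Real logs
# are multi-line or XML; the parser below handles only this simplified shape.
SAMPLE_LOG = r"""
2022-05-17 10:00:01 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2022-05-17 10:00:04 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2022-05-17 10:00:09 Logon Login failed for user 'admin'. [CLIENT: 203.0.113.7]
2022-05-17 10:00:15 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2022-05-17 10:00:22 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2022-05-17 10:00:31 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2022-05-17 10:02:45 Logon Login failed for user 'report_user'. [CLIENT: 198.51.100.9]
2022-05-17 10:03:10 Security 4688 NewProcessName="C:\Program Files\Microsoft SQL Server\150\Tools\Binn\sqlps.exe" ParentProcessName="C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
2022-05-17 10:05:00 Security 4688 NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentProcessName="C:\Windows\explorer.exe"
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
LOGIN_RE = re.compile(
    TS + r" Logon Login failed for user '(?P<user>[^']*)'\. \[CLIENT: (?P<client>[^\]]+)\]"
)
PROC_RE = re.compile(
    TS + r' Security 4688 NewProcessName="(?P<image>[^"]+)" ParentProcessName="(?P<parent>[^"]+)"'
)


def parse_events(text):
    """Turn the simplified log text into a list of event dicts (assumed format)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOGIN_RE.match(line)
        if m:
            events.append({
                "kind": "failed_login",
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "user": m["user"],
                "client": m["client"],
            })
            continue
        m = PROC_RE.match(line)
        if m:
            events.append({
                "kind": "process",
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "image": m["image"],
                "parent": m["parent"],
            })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {client: total_failed_logins} for every client address that produced
    at least `threshold` failed logins inside any `window`-long period.
    Threshold and window are assumed tuning values, not from the article."""
    by_client = defaultdict(list)
    for e in events:
        if e["kind"] == "failed_login":
            by_client[e["client"]].append(e["ts"])
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        # Sliding window: if attempt i and attempt i+threshold-1 are within `window`,
        # the client made `threshold` attempts in that period.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[client] = len(times)
                break
    return flagged


def find_sqlps_launches(events):
    """Return the process-creation events whose image is sqlps.exe. The article's
    point is that this launch bypasses Script Block Logging, so the process
    creation event itself is the trace worth reviewing; the parent process is
    kept for context."""
    return [
        e for e in events
        if e["kind"] == "process" and ntpath.basename(e["image"]).lower() == "sqlps.exe"
    ]


def analyze(text):
    """Run both checks over a log text and return the findings."""
    events = parse_events(text)
    return {
        "bruteforce": find_bruteforce(events),
        "sqlps_launches": [
            (e["ts"].isoformat(), e["parent"]) for e in find_sqlps_launches(events)
        ],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample, 203.0.113.7 is reported for six failed logins within about thirty seconds while the single failure from 198.51.100.9 is not, and the one sqlps.exe launch is listed together with its parent process. In a real deployment the input would come from the SQL Server error log (or the Windows Application log) and from Security event 4688 or an equivalent EDR process-creation feed, and the threshold would be tuned to the environment.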
Gh0stCringe malware targets unsecured Microsoft SQL and MySQL servers
Windows 11 may brick MSSQL server instances; no longer executable
Hackers infect thousands of MS SQL servers with backdoors