{"id":13930,"date":"2020-04-02T19:11:18","date_gmt":"2020-04-02T17:11:18","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=13930"},"modified":"2022-08-03T20:57:04","modified_gmt":"2022-08-03T18:57:04","slug":"hackers-infects-thousands-of-ms-sql-servers-with-backdoors","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/04\/02\/hackers-infects-thousands-of-ms-sql-servers-with-backdoors\/","title":{"rendered":"Hackers infect thousands of MS SQL servers with backdoors"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/04\/02\/hacker-infizieren-tausende-ms-sql-server-mit-backdoor\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>] Unknown hackers have been running a campaign against Microsoft SQL Server since May 2018. The group manages to backdoor thousands of these SQL servers every day. There seems to be a whole botnet of infected SQL servers running remote access trojans and crypto-miners. <\/p>\n<p><!--more--><\/p>\n<p>I became aware of this topic through the following tweet from Bleeping Computer, their <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hacker-group-backdoors-thousands-of-microsoft-sql-servers-daily\/\" target=\"_blank\" rel=\"noopener noreferrer\">article<\/a> and <a href=\"https:\/\/thehackernews.com\/2020\/04\/backdoor-.html\" target=\"_blank\" rel=\"noopener noreferrer\">this post<\/a> from The Hacker News. 
<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Hacker Group Backdoors Thousands of Microsoft SQL Servers Daily &#8211; by <a href=\"https:\/\/twitter.com\/serghei?ref_src=twsrc%5Etfw\">@serghei<\/a><a href=\"https:\/\/t.co\/wPXfFteqj7\">https:\/\/t.co\/wPXfFteqj7<\/a><\/p>\n<p>\u2014 BleepingComputer (@BleepinComputer) <a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1245400236475940873?ref_src=twsrc%5Etfw\">April 1, 2020<\/a><\/p><\/blockquote>\n<p>The hackers use brute-force attacks to compromise Microsoft SQL (MSSQL) servers and then install crypto-miners and Remote Access Trojans (RATs). Security researchers at <a href=\"https:\/\/web.archive.org\/web\/20210201183655\/https:\/\/www.guardicore.com\/2020\/04\/vollgar-ms-sql-servers-under-attack\/\" target=\"_blank\" rel=\"noopener noreferrer\">Guardicore<\/a> detected the campaign, which has been running since May 2018, in December 2019. <\/p>\n<h2>Currently 2,000 to 3,000 infections daily<\/h2>\n<p>Currently, between 2,000 and 3,000 MSSQL servers are still being infected and backdoored daily. \"Having MS-SQL servers with weak permissions on the Internet is not the best approach,\" security researcher Ophir Harpaz of Guardicore says in a <a href=\"https:\/\/web.archive.org\/web\/20210201183655\/https:\/\/www.guardicore.com\/2020\/04\/vollgar-ms-sql-servers-under-attack\/\" target=\"_blank\" rel=\"noopener noreferrer\">report<\/a>. \"This could explain how this campaign managed to infect about 3k database machines every day.\" <\/p>\n<h2>Vollgar campaign: Attacks from China?<\/h2>\n<p>The attacks of the Vollgar campaign come from about 120 IP addresses, mostly located in China. 
These are most likely previously compromised MS SQL servers that are used as part of a botnet to search for and infect new potential targets.<\/p>\n<p>While some of these bots only remain active for a very short time, security researchers have been observing dozens of attempted attacks on Guardicore's Global Sensors Network (GGSN) for more than three months.<\/p>\n<p>The Guardicore security researchers have <a href=\"https:\/\/github.com\/guardicore\/labs_campaigns\/tree\/master\/Vollgar\" target=\"_blank\" rel=\"noopener noreferrer\">published a script<\/a> that allows administrators to determine whether any of their Windows MS-SQL servers are affected by this particular threat. More details can be found at <a href=\"https:\/\/web.archive.org\/web\/20210201183655\/https:\/\/www.guardicore.com\/2020\/04\/vollgar-ms-sql-servers-under-attack\/\" target=\"_blank\" rel=\"noopener noreferrer\">Guardicore<\/a> and in the linked articles.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] Unknown hackers have been running a campaign against Microsoft SQL Server since May 2018. The group manages to backdoor thousands of these SQL servers every day. 
There seems to be a whole botnet of infected SQL servers running &hellip; <a href=\"https:\/\/borncity.com\/win\/2020\/04\/02\/hackers-infects-thousands-of-ms-sql-servers-with-backdoors\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547],"tags":[69,636],"class_list":["post-13930","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-security","tag-sql-server"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13930","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=13930"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13930\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=13930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=13930"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=13930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}