For the last two years or so, attackers have been infecting and reinfecting poorly secured MS SQL servers, booting other criminals’ malware from them and exploiting their compute power to mine Vollar and Monero cryptocurrency.
61.5 percent of the infected machines get cleaned up by administrators and IT security teams within two days, and the rest within three to 14 days. But, according to Guardicore Labs researchers, 10 percent of the victims end up reinfected, likely because “malware removal is often done in a partial manner, without an in-depth investigation into the root cause of the infection.”
About the campaign and the MS SQL servers botnet
This campaign, dubbed Vollgar by the researchers, has been going on since at least May 2018. The attackers manage to compromise around 3,000 database machines daily, belonging to companies in various industry sectors and located all around the world.
The attackers gain access by brute-forcing the targeted databases. Once access is achieved, they:
- Make configuration changes to the database to allow future command execution and downloading of malware binaries
- Set multiple backdoor users on the machine (both in the MS SQL database context and in that of the operating system) and elevate their privileges
- Eliminate other threat actors’ activity and traces of that activity from the machine (delete keys used for persistence, remove values that allow malware to attach itself to legitimate processes, etc.)
- Write several downloader scripts
- Download multiple RAT modules and an XMRig-based cryptominer
The RAT modules phone home to the command and control servers and deliver information about the system (location data, system data), while the cryptominer starts mining Monero and the Vollar alt-coin.
Attack detection, prevention and mitigation
Microsoft SQL Server is a relational database management system that can run on any of the most popular operating systems (Windows, Linux, macOS).
The attackers target internet-facing Windows machines running poorly secured MS SQL servers.
Using strong and unique MS SQL user account passwords is a must, and the researchers advise against exposing database servers to the internet.
“Instead, they need to be accessible to specific machines within the organization through segmentation and whitelist access policies. We recommend enabling logging in order to monitor and alert on suspicious, unexpected or recurring login attempts,” they noted.
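A minimal version of the monitoring the researchers recommend, as an added example (not Guardicore's detection script): it parses constructed SQL Server ERRORLOG lines, counts failed logins per client address in a sliding window and flags a client that reaches the threshold, plus any successful login from that client while it is still over the threshold. The log line format is SQL Server's own; the threshold, window and sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG format (not real telemetry).
SAMPLE_LOG = """\
2020-04-01 10:15:32.45 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-01 10:15:32.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:15:33.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:15:33.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:15:34.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:15:35.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:15:36.27 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2020-04-01 10:20:01.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
2020-04-01 10:20:05.00 Logon       Login succeeded for user 'app_user'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.25]
"""
# Matches the "Login failed/succeeded" lines; the "Error: 18456" lines carry no client and are skipped.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_events(text):
    """Return logon events (timestamp, result, user, client) in log order."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append({"ts": ts, "result": m["result"], "user": m["user"], "client": m["client"]})
    return events

def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a client once it reaches `threshold` failures inside `window`, and any success
    from a client still over the threshold (visible only if successful logins are audited)."""
    failures = defaultdict(list)  # client -> timestamps of recent failures
    alerts = []
    for ev in events:
        recent = failures[ev["client"]]
        recent[:] = [t for t in recent if ev["ts"] - t <= window]  # slide the window
        if ev["result"] == "failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # alert once per burst, not on every failure
                alerts.append(("brute_force", ev["client"], ev["user"]))
        elif len(recent) >= threshold:
            alerts.append(("success_after_failures", ev["client"], ev["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_brute_force(parse_logon_events(SAMPLE_LOG)):
        print(alert)
```

The second alert type depends on the instance's login auditing being set to record successful as well as failed logins; with the default (failed only) you still get the first alert.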
For those who are not sure whether their installations have been compromised, the researchers have provided a list of IoCs and a detection script they can use to check.
“If infected, we highly recommend immediately quarantining the infected machine and preventing it from accessing other assets in the network. It is also important to change all your MS SQL user account passwords to strong passwords, to avoid being reinfected by this or other brute force attacks,” they concluded.