Guardicore Labs exposes brute force MS-SQL attack campaign

02 Apr 2020

Guardicore Labs, a company specialising in cloud and data centre security, has today disclosed a long-running attack campaign that infects Windows machines running Microsoft SQL Server (MS-SQL).

The campaign, which Guardicore has named Vollgar, dates back to May 2018. It breaches victim machines by brute-forcing passwords, deploys multiple backdoors and runs a range of malicious modules, including multifunctional remote access tools (RATs) and cryptominers.

Guardicore says the combination of weak credentials and MS-SQL servers exposed directly to the internet makes these machines a dangerously attractive target.

The company says these two characteristics are what lead to the infection of around 3,000 database machines a day.
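The attack pattern described above, a password brute force against an internet-exposed SQL Server, leaves a characteristic trail in the server's own ERRORLOG: a burst of error 18456 "Login failed for user" entries from one client address, followed by a "Login succeeded" entry from that same address once a password lands. The following detector is an added example written for this article, not Guardicore's tooling or data. It parses constructed sample ERRORLOG lines (the 203.0.113.7 and 10.0.0.42 addresses and the timestamps are invented), groups logon events by client address, flags any client with five or more failures inside a one-minute sliding window, and reports whether a successful login from that client followed the burst. It assumes the instance's login auditing is set to log both failed and successful logins; with the default (failed only), the success check never fires and only the burst is reported.

```python
"""Detect SQL Server password brute force (and likely compromise) from ERRORLOG lines.

Added example for this article; the log excerpt below is constructed, not real data.
Assumes login auditing is configured to record both failed and successful logins.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt in the standard SQL Server logon-message format.
SAMPLE_ERRORLOG = """\
2019-12-03 02:14:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2019-12-03 02:14:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-12-03 02:14:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-12-03 02:14:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-12-03 02:14:01.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-12-03 02:14:02.04 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-12-03 02:14:02.29 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-12-03 02:14:02.55 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2019-12-03 08:30:11.00 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.42]
2019-12-03 08:30:40.00 Logon       Login succeeded for user 'reportsvc'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.42]
"""

# Matches the human-readable logon line; the preceding "Error: 18456 ..." line is ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Return a list of (timestamp, client_ip, login_name, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m["client"], m["user"], m["outcome"] == "succeeded"))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failures inside any `window`.

    Returns {client_ip: {"failures": n, "users": [...], "success_after_burst": bool}}.
    success_after_burst is True when the same client logged in successfully at or
    after the end of the last flagged burst, i.e. the brute force probably worked.
    """
    by_client = defaultdict(list)
    for ev in sorted(events):
        by_client[ev[1]].append(ev)

    findings = {}
    for client, evs in by_client.items():
        failures = [e for e in evs if not e[3]]
        burst_end = None
        start = 0
        # Sliding window over failure timestamps (already sorted by time).
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end][0]
        if burst_end is None:
            continue
        success_after = any(e[3] and e[0] >= burst_end for e in evs)
        findings[client] = {
            "failures": len(failures),
            "users": sorted({e[2] for e in failures}),
            "success_after_burst": success_after,
        }
    return findings


def scan(text, threshold=5, window=timedelta(minutes=1)):
    """Convenience wrapper: parse ERRORLOG text and return the findings dict."""
    return detect_bruteforce(parse_logon_events(text), threshold, window)


if __name__ == "__main__":
    for client, info in scan(SAMPLE_ERRORLOG).items():
        verdict = "LIKELY COMPROMISED" if info["success_after_burst"] else "brute force"
        print(f"{client}: {verdict}, {info['failures']} failures, logins {info['users']}")
```

On the sample, only 203.0.113.7 is reported, and it is reported as a likely compromise because the 'sa' success follows six failures inside 1.2 seconds; the lone 'reportsvc' failure from 10.0.0.42 stays below the threshold. In production, feed the detector the live ERRORLOG (or the equivalent events forwarded to a SIEM) and tune `threshold` and `window` to the instance's normal authentication noise.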

Victims belonged to various industry sectors, including healthcare, aviation, IT & telecommunications and higher education.

The first incident of this campaign appeared in May 2018 in Guardicore’s Global Sensors Network (GGSN), a network of high-interaction honeypots. 

During its two years of activity, the campaign’s attack flow has remained similar – thorough, well-planned and noisy. Guardicore says a peak in the number of incidents last December led the company to monitor the campaign and its impact more closely.

Overall, Vollgar attacks originated from more than 120 IP addresses, the vast majority of them in China. These are most likely compromised machines, repurposed to scan for and infect new victims. 

While some of them were short-lived and responsible for only several incidents, a couple of source IPs were active for over three months, attacking the GGSN dozens of times.

By analysing the attacker’s log files, Guardicore was able to obtain information on the compromised machines. 

The majority (60%) of infected machines were infected only for a short period of time. 
However, almost 20% of all breached servers remained infected for more than a week, and some for longer than two weeks. 

Guardicore says this shows how effective the attack is at hiding its tracks and evading mitigations such as antivirus and EDR products. 

Alternatively, it is very likely that such controls are not present on those servers in the first place.

“We have noticed that 10% of the victims were reinfected by the malware; the system administrator may have removed the malware, and then got hit by it again,” says Guardicore Labs security researcher Ophir Harpaz. 

“This reinfection pattern has been seen by Guardicore Labs before in the analysis of the Smominru campaign, and suggests that malware removal is often done in a partial manner, without an in-depth investigation into the root cause of the infection.”
