Two sentences: Turkish hackers have targeted MSSQL servers exposed to the Internet, using brute-force attempts and MSSQL-based tools to gain access and move laterally. Huntress observations show attackers creating local user accounts, deploying AnyDesk for remote access, and exfiltrating data via MSSQL Bulk Copy (bcp), underscoring the need for solid asset management and attack-surface reduction. #TurkishHackers #MSSQL

Keypoints

  • SQL servers exposed to the public Internet face brute-force login attempts and credential abuse.
  • On compromised MSSQL servers, a successful login may be revealed by changes to the xp_cmdshell configuration and by anomalous child processes of sqlservr.exe.
  • The incident demonstrated use of the native MSSQL bulk copy utility (bcp) to extract data and files from the database.
  • Scripts in the incident created new local user accounts and installed remote-access tools (AnyDesk) to facilitate persistence and tunneling.
  • PowerShell and batch files (user.ps1, user.bat, kur.bat) show attackers’ use of multiple Windows primitives to add users, modify groups, and disable defenses.
  • Evidence included registry modification and targeted use of commands like net user, net use, and bcp, with some alerts triggered by endpoint protection.
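As an added detection example (not code from the Huntress post or its tooling), the check below walks constructed process-creation events and flags the behaviours listed above: a shell or bcp.exe spawned by sqlservr.exe, a bcp `queryout` export, local account creation, and the WDigest registry change. The event field names and all sample values are assumptions.

```python
import re

# Child images that sqlservr.exe has little reason to spawn on a healthy server.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "bcp.exe", "net.exe", "net1.exe", "reg.exe"}

# Command-line patterns drawn from the activity summarised on this page.
PATTERNS = {
    "bcp_export": re.compile(r"\bbcp\b.*\bqueryout\b", re.I),
    "local_user_add": re.compile(r"\bnet\s+user\b.*/add\b", re.I),
    "admin_group_add": re.compile(r"\bnet\s+localgroup\s+administrators\b.*/add\b", re.I),
    "wdigest_cleartext": re.compile(r"wdigest.*UseLogonCredential", re.I),
}

def analyse(events):
    """Return one finding per suspicious event as (event_id, [rule names], cmdline)."""
    findings = []
    for ev in events:
        # Command-line rules apply to any process; the parent rule only to sqlservr.exe children.
        hits = [name for name, rx in PATTERNS.items() if rx.search(ev["cmdline"])]
        if ev["parent"].lower() == "sqlservr.exe" and ev["image"].lower() in SUSPICIOUS_CHILDREN:
            hits.insert(0, "unexpected_sqlservr_child")
        if hits:
            findings.append((ev["id"], hits, ev["cmdline"]))
    return findings

# Constructed sample telemetry (assumed schema); values mimic, but are not copied from, the incident.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "sqlservr.exe", "image": "cmd.exe",
     "cmdline": 'cmd /c bcp "select binaryTable from PLACEHOLDER_TABLE" queryout C:\\Windows\\Temp\\4.exe -T'},
    {"id": 2, "parent": "sqlservr.exe", "image": "cmd.exe",
     "cmdline": "cmd /c net user windows123 PLACEHOLDER_PASSWORD /add"},
    {"id": 3, "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": 'REG ADD "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" /v UseLogonCredential /t REG_DWORD /d 1'},
    {"id": 4, "parent": "services.exe", "image": "sqlservr.exe", "cmdline": "sqlservr.exe -sMSSQLSERVER"},
    {"id": 5, "parent": "sqlservr.exe", "image": "conhost.exe", "cmdline": "conhost.exe 0x4"},  # benign child
]

if __name__ == "__main__":
    for event_id, rules, cmd in analyse(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(rules)} :: {cmd}")
```

Events 1 to 3 are reported; the service start (4) and the conhost child (5) are not, which is the noise floor a real rule must tolerate.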

MITRE Techniques

  • [T1059.001] PowerShell – Script uses PowerShell to create a local user and modify privileges. Quote: [Set-ExecutionPolicy RemoteSigned -Scope CurrentUser] … [New-LocalUser -Name $ad -Password $sifre -FullName $isim -Description "New user account created."]
  • [T1059.003] Windows Command Shell – Use of cmd.exe and related commands to perform data export and account actions. Quote: [cmd /c bcp "select binaryTable from uGnzBdZbsi" queryout …] and [net user windows123 @@@Win123.. /add]
  • [T1136.001] Create Local Account – Creation of a new local user account via script. Quote: [New-LocalUser -Name $ad -Password $sifre -FullName $isim -Description "New user account created."]
  • [T1098] Account Manipulation – Adding the new user to administrator groups. Quote: [Add-LocalGroupMember -SID $grupSID -Member $ad] and [net localgroup Administrators windows123 /add]
  • [T1112] Modify Registry – Registry modification to the WDigest UseLogonCredential setting, which changes how logon credentials are cached. Quote: [REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\wdigest" /v UseLogonCredential /t REG_DWORD /d 0x00000001]
  • [T1021] Remote Services – Deployment/use of AnyDesk RMM tool for remote access. Quote: “a copy of the AnyDesk RMM tool”
  • [T1070.004] File Deletion – Deletion of script files after execution to cover tracks. Quote: [Remove-Item -Path $MyInvocation.MyCommand.Path -Force]

Indicators of Compromise

  • [IP Address] – 2.57.149.x range observed; used in failed login attempts and as a threat-actor-controlled endpoint in related activity
  • [IP Address] – 2.57.149.230a (example from logs) associated with actor-controlled infrastructure
  • [File] – 4.exe – quarantined/alerted by MAV detection
  • [File] – user.ps1 – script creating a local user and modifying settings
  • [File] – user.bat – batch file adding user and privilege changes
  • [File] – kur.bat – script to launch tunneling tool and AnyDesk
  • [File] – bcp.exe – observed in process detections as part of data export
  • [Process] – sqlservr.exe with unusual child processes

Read more: https://www.huntress.com/blog/attacking-mssql-servers