URL: https://www.csoonline.com/article/3700568/why-you-should-review-the-security-of-your-mssql-servers.html
News Analysis


WHY YOU SHOULD REVIEW THE SECURITY OF YOUR MSSQL SERVERS


MS SQL SERVER IS BY FAR THE MOST COMMON DBMS THAT ATTACKERS TARGET, PROBABLY DUE
TO ITS TIGHT INTEGRATION WITH WINDOWS.


By Lucian Constantin

CSO Senior Writer, CSO | 21 June 2023 20:29


Brute-force credential guessing attacks against database servers are ramping up
with MSSQL being at the top of the target list. That's because attackers can
leverage the many extensibility features that Microsoft's database server
provides to integrate with other Windows components and features to elevate
their privileges and gain full control of the underlying servers.

Last week, researchers from security firm Trustwave released data collected over
four months from their global honeypot project, a network of sensors distributed
around the world to mimic vulnerable systems and record information about
attacks. In this exercise, the honeypots were configured to act as popular
database management systems (DBMS) running on their default ports: MS SQL Server
(MSSQL), MySQL, Redis, MongoDB, PostgreSQL, Oracle DB, IBM DB2, Cassandra and
Couchbase.

"It quickly became clear that the activity of MSSQL has been much higher than
other databases," the researchers said. "The disproportion is so large (>93%)
that comparing it to the other DBMSs was sometimes difficult."



The researchers found that attacks happen in waves and have peaks, but the
intensity of MSSQL brute-force attacks dwarfed those against any other database.
For example, the second-most targeted database servers, MySQL and Redis,
registered attack peaks of around 150,000 login attempts. By comparison, attacks
against MSSQL honeypot sensors had peaks of over 3 million login attempts.

Another interesting finding is that even though Trustwave had MSSQL sensors
deployed in different countries, attackers clearly displayed regional
preferences in their attacks. For example, the sensors located in the UK were
the most targeted ones, registering a slightly higher number of attacks than
those in China, even though China has a much higher number of MSSQL servers
exposed to the internet. The US was in sixth place after countries like
Ukraine, Russia, and Poland.

According to Shodan, more than 450,000 MSSQL instances are available on the
internet, with more than 133,000 instances located in China. One would expect
China to top the list for the number of attacks.

WHY DO ATTACKERS TARGET MSSQL?

While MSSQL is certainly one of the most widely used database servers, it's
never been the most popular or most widely deployed because it's only used on
Windows servers. MySQL, Oracle, and PostgreSQL always top the popularity
rankings. So why are MSSQL servers a more interesting target for attackers?


One could argue it's because Windows is a more popular target than Linux and
attackers are more likely to have malware tools developed for Windows. So, if
the database server is the entry point into compromising the underlying server,
then it makes sense more attackers would go for MSSQL. While that might be part
of it, MSSQL also has deep and powerful integrations with the Windows servers it
runs on, as shown by Trustwave's analysis of the observed attacks.


HOW ATTACKERS EXPLOIT MSSQL ACCESS

In a new report, the researchers go over some of the actions and post-intrusion
techniques they saw attackers use after gaining access to MSSQL servers via weak
credentials. First, the most commonly targeted account name in the brute-force
attempts was "sa". This is a special superuser account that stands for "server
authentication" and is normally disabled in most scenarios.

"The sa account is a well-known SQL Server account and it is often targeted by
malicious users," the Microsoft documentation says. "Don't enable the sa account
unless your application requires it. It's important that you use a strong
password for the sa login."

The researchers observed two payload delivery methods once attackers gained
access to an MSSQL account, both of which display deep knowledge of the platform
and use interesting features that allow the server to integrate other
technologies. One of them is the .NET Framework Common Language Runtime (CLR)
Integration, which allows MSSQL users to execute .NET code directly within the
database engine to extend SQL Server's functionality.

"When the bot is authenticated, it executes a SQL script to change the MSSQL
config to be able to install a backdoor CLR assembly," the Trustwave researchers
said.


First, the attackers set the TRUSTWORTHY property on the database where their
assembly code will be hosted and then enable the CLR feature so that their
malicious code is able to run. The attackers then use the malicious CLR code
to download and execute four malicious executable files on the underlying
Windows server through the command line (cmd.exe).

Another observed payload delivery technique involved the abuse of the Object
Linking and Embedding (OLE) automation procedure present in MSSQL Server that
allows users to create Automation objects.

"Users can create and manipulate Automation objects in T-SQL code, which enables
the integration of the SQL Server with other components of the Windows system,
called Component Object Model (COM), which is a binary-interface standard for
software components," the researchers said.

Attackers were seen enabling OLE Automation Procedures as well as other server
configuration options, and then using existing features to delete, add and
modify various registry keys in preparation for a privilege escalation attack.
They then started creating OLE objects.


"Exploits utilize the IDataInitialize, referred to by its class identifier
(CLSID {00000566-0000-0010-8000-00AA006D2EA4}) provided by Microsoft's OLE DB
Service Component, to create and manage connections," the researchers said.
"Then, the bot creates the file F**kGothin.inf and writes hexadecimal binary
content. F**kGothin.inf is a text file. These types of files are used to provide
information to the system about how to install, configure, and manage software,
drivers, or hardware components."

After changing descriptors for various files and completing the privilege
escalation process, the malicious process starts creating objects using
"ADODB.Stream", a COM object provided by Microsoft's ActiveX Data Objects (ADO)
library that allows writing binary or text data in memory. This is used to write
several executables to disk including privilege escalation tools such as Potato
(BadPotato, JuicyPotato, SweetPotato, EFSPotato) and PoC (CVE-2018-8639,
CVE-2019-1458). The final goal is to deploy various Trojan programs on the
system along with a cryptocurrency mining tool.

"The OLE Automation and CLR assembly are immensely powerful features, which
makes them extremely dangerous," the researchers said. "If you are not using OLE
Automation and the CLR assembly, they need to be disabled. Disabling unnecessary
features inside the database will reduce the attack surface, but as we
illustrated, it will not eliminate it."

Even if disabled, attackers can re-enable these features if they have
administrative privileges on the database server, so changing the default
administrative accounts such as "sa" and enforcing strong password policies for
them is very important.
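The settings the researchers describe attackers flipping (CLR integration, OLE Automation Procedures, the TRUSTWORTHY database property and the "sa" login) can all be audited and reverted from T-SQL. The following script is an added illustration, not code from the article or from Trustwave's report; it assumes sysadmin rights, and the database name [AppDb] and the replacement administrator login name are placeholders.

```sql
-- Added example, not from the CSO article or Trustwave's report.
-- Audit the MSSQL settings the observed bots changed, then revert them.
-- Requires sysadmin; [AppDb] and [replace_with_new_admin_name] are placeholders.

-- 1. Server-wide features the bots enabled: 'clr enabled' and
--    'Ole Automation Procedures'. Both should read 0 unless an application
--    needs them. 'clr strict security' (SQL Server 2017 and later) should
--    read 1 so that TRUSTWORTHY alone cannot make an unsigned assembly loadable.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'Ole Automation Procedures', 'clr strict security');

-- 2. Databases with TRUSTWORTHY on: the property set before the backdoor
--    CLR assembly was installed.
SELECT name AS database_name, is_trustworthy_on
FROM sys.databases
WHERE is_trustworthy_on = 1;

-- 3. User-defined CLR assemblies in the current database. Anything here with
--    EXTERNAL_ACCESS or UNSAFE permissions that no application owns is suspect.
SELECT name, permission_set_desc, create_date, modify_date
FROM sys.assemblies
WHERE is_user_defined = 1;

-- 4. State of the sa login. Its SID is fixed at 0x01, so it is found even
--    if it has already been renamed.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- 5. Remediation, once steps 1 to 3 confirm the features are unused.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'clr enabled', 0;
RECONFIGURE;

-- Repeat for every database returned by step 2.
ALTER DATABASE [AppDb] SET TRUSTWORTHY OFF;

-- Rename and disable sa; administer through a separate, non-default login and
-- keep password policy enforcement (CHECK_POLICY) on for every SQL login.
ALTER LOGIN sa WITH NAME = [replace_with_new_admin_name];
ALTER LOGIN [replace_with_new_admin_name] DISABLE;
```

Re-running steps 1 to 4 after the change, and alerting on any later change to these values, catches the re-enabling the article warns about.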

Lucian Constantin is a senior writer at CSO, covering information security,
privacy, and data protection.

Copyright © 2023 IDG Communications, Inc.
