
Guardicore Labs exposes brute force MS-SQL attack campaign

02 Apr 2020

Guardicore Labs, a company specialising in cloud and data centre security, has today revealed its efforts to uncover a long-running attack campaign that infects Windows machines running Microsoft SQL Server (MS-SQL).

The cyber attack campaign, named Vollgar by Guardicore, dates back to May 2018 and uses password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multifunctional remote access tools (RATs) and cryptominers. 

Guardicore says the combination of weak credentials and having MS-SQL servers exposed to the internet made for a dangerously attractive lure for cyber attackers.

The company says these two factors led to around 3,000 database machines being infected daily.
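The brute-force stage the article describes leaves a recognisable trace on the victim: the SQL Server ERRORLOG records each rejected login as error 18456, so a source IP producing a burst of failures, followed by a success, is the pattern to hunt for. The following Python script is an added example, not part of the article or of Guardicore's research. It parses a constructed ERRORLOG excerpt, counts failures per client IP in a sliding window, and flags any client whose burst reaches a threshold, upgrading the finding when that same client then logs in successfully. The threshold and window are illustrative choices, and successful logins only appear in the ERRORLOG when login auditing is set to record both failed and successful logins (the default records failures only).

```python
"""Flag brute-force logins against SQL Server from ERRORLOG lines."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt for illustration (not taken from the report).
# Each failed login is two lines: the 18456 error record, then the reason line.
# 203.0.113.5 hammers 'sa' and then gets in; 10.0.0.12 is one mistyped password.
SAMPLE_ERRORLOG = """\
2020-04-02 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-02 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:03.41 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-02 10:15:03.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:05.02 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-02 10:15:05.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:06.77 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-02 10:15:06.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:08.10 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-02 10:15:08.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:09.55 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2020-04-02 10:20:30.00 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-02 10:20:30.00 Logon       Login failed for user 'report_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
2020-04-02 10:20:41.88 Logon       Login succeeded for user 'report_ro'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.12]
"""

# Matches only the "Login failed/succeeded" reason lines; the preceding
# "Error: 18456" line carries no user or client and is skipped.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


@dataclass
class LogonEvent:
    ts: datetime
    outcome: str  # "failed" or "succeeded"
    user: str
    client: str


def parse_logon_events(text: str) -> list:
    """Extract logon events from ERRORLOG text, ignoring unrelated lines."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        events.append(LogonEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            outcome=m["outcome"], user=m["user"], client=m["client"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {client: finding} for clients with >= threshold failures inside window.

    A finding records the peak number of failures seen inside one window, the
    set of usernames tried, and the user of any later successful login from
    the same client (None if it never got in). Threshold/window are illustrative.
    """
    recent = defaultdict(deque)   # client -> failure timestamps inside the window
    targeted = defaultdict(set)   # client -> usernames it has tried
    findings = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.outcome == "failed":
            targeted[ev.client].add(ev.user)
            q = recent[ev.client]
            q.append(ev.ts)
            while ev.ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ev.client, {
                    "peak_failures": 0, "users": targeted[ev.client],
                    "success_after": None})
                f["peak_failures"] = max(f["peak_failures"], len(q))
        elif ev.client in findings:
            # A success from a source that was just brute-forcing is the
            # highest-priority signal: treat that account as compromised.
            findings[ev.client]["success_after"] = ev.user
    return findings


if __name__ == "__main__":
    for client, f in detect_bruteforce(parse_logon_events(SAMPLE_ERRORLOG)).items():
        status = f"LOGGED IN as '{f['success_after']}'" if f["success_after"] else "no success seen"
        print(f"{client}: {f['peak_failures']} failures in window, "
              f"users tried {sorted(f['users'])}, {status}")
```

Running it against the sample reports 203.0.113.5 with five failures against 'sa' in a few seconds and a successful 'sa' login afterwards, while the single mistyped 'report_ro' password from 10.0.0.12 stays below the threshold. On a production host the same logic applies to the live ERRORLOG (or to the Windows Application log, where the same 18456 events are written), and a hit on 'sa' from an internet address is exactly the exposure the article describes.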

Victims belonged to various industry sectors, including healthcare, aviation, IT & telecommunications and higher education.

The first incident of this campaign appeared in May 2018 in Guardicore’s Global Sensors Network (GGSN), a network of high-interaction honeypots. 

During its two years of activity, the campaign’s attack flow has remained similar – thorough, well-planned and noisy. Guardicore says a peak in the number of incidents last December drew the company to monitor the campaign and its impact more closely.

Overall, Vollgar attacks originated in more than 120 IP addresses, the vast majority of which were in China. These are most likely compromised machines, repurposed to scan and infect new victims. 

While some of them were short-lived and responsible for only a handful of incidents, a couple of source IPs were active for over three months, attacking the GGSN dozens of times.

By analysing the attacker’s log files, Guardicore was able to obtain information on the compromised machines. 

The majority (60%) of infected machines were infected for only a short period of time.
However, almost 20% of all breached servers remained infected for more than a week, and some for longer than two weeks.

Guardicore says this shows how successful the attack is at hiding its tracks and evading mitigations such as antivirus and EDR products.

Alternatively, it is very likely that such protections do not exist on those servers in the first place.

“We have noticed that 10% of the victims were reinfected by the malware; the system administrator may have removed the malware, and then got hit by it again,” says Guardicore Labs security researcher Ophir Harpaz. 

“This reinfection pattern has been seen by Guardicore Labs before in the analysis of the Smominru campaign, and suggests that malware removal is often done in a partial manner, without an in-depth investigation into the root cause of the infection.”
