Guardicore Labs exposes brute force MS-SQL attack campaign

02 Apr 2020

Guardicore Labs, a company specialising in cloud and data centre security, has today revealed its efforts to uncover a long-running attack campaign which aims to infect Windows machines running Microsoft SQL (MS-SQL) servers. 

The cyber attack campaign, named Vollgar by Guardicore, dates back to May 2018 and uses password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multifunctional remote access tools (RATs) and cryptominers. 

Guardicore says the combination of weak credentials and having MS-SQL servers exposed to the internet made for a dangerously attractive lure for cyber attackers.
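The article describes Vollgar's initial access as password brute force against MS-SQL servers reachable from the internet. As an added defender-side illustration (this is not Guardicore's or the article's code), the Python below parses login events in the layout of the SQL Server ERRORLOG, flags a source address that produces a burst of failed logins inside a sliding window, and upgrades the alert when the same address later logs in successfully. The sample log lines, the IP addresses, the user names, the five-failures-per-minute threshold and the function names are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the layout of the SQL Server ERRORLOG file.
# Addresses, times and user names are hypothetical; the first line shows the
# "Error: 18456" record that precedes a failed login and is skipped by the parser.
SAMPLE_ERRORLOG = """\
2020-04-02 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-02 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:01.60 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:01.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:02.30 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2020-04-02 10:20:15.00 Logon       Login failed for user 'report_user'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2020-04-02 11:45:00.00 Logon       Login failed for user 'report_user'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
"""

# One regex for both "Login failed" and "Login succeeded" records; the
# originating address is in the trailing "[CLIENT: x.x.x.x]" field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_logon_events(text):
    """Return login events as dicts; lines that are not logon records are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "ok": m["outcome"] == "succeeded",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding window of failed logins per source IP.

    An alert is raised the first time `threshold` failures from one IP fall
    inside `window_seconds`. A later successful login from an IP that is
    already flagged is recorded in `succeeded_after`, which is the pattern a
    responder most wants to see: a password-guessing burst that ended in access.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    users = defaultdict(set)      # ip -> distinct user names tried
    alerts = {}                   # ip -> alert dict (one per IP)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["ok"]:
            if ip in alerts:
                alerts[ip]["succeeded_after"] = ev["user"]
            continue
        q = recent[ip]
        q.append(ev["ts"])
        users[ip].add(ev["user"])
        # Drop failures that have aged out of the window.
        while q and (ev["ts"] - q[0]) > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {
                "ip": ip,
                "failures": len(q),
                "users": sorted(users[ip]),
                "first": q[0],
                "last": ev["ts"],
                "succeeded_after": None,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_logon_events(SAMPLE_ERRORLOG)):
        print(alert)
```

On the constructed sample the first address is flagged after five failures within a second and then marked as having succeeded as `sa`; the second address, with two failures an hour and a half apart, stays below the threshold. Failed logins only appear in the ERRORLOG when login auditing is enabled on the instance, so the check is only as good as that setting.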

The company says these characteristics have led to around 3,000 database machines being infected daily. 

Victims belonged to various industry sectors, including healthcare, aviation, IT & telecommunications and higher education.

The first incident of this campaign appeared in May 2018 in Guardicore’s Global Sensors Network (GGSN), a network of high-interaction honeypots. 

During its two years of activity, the campaign’s attack flow has remained similar – thorough, well-planned and noisy. Guardicore says a peak in the number of incidents last December drew the company to closely monitor the campaign and its impact.

Overall, Vollgar attacks originated from more than 120 IP addresses, the vast majority of which were in China. These are most likely compromised machines, repurposed to scan and infect new victims. 

While some of them were short-lived and responsible for only several incidents, a couple of source IPs were active for over three months, attacking the GGSN dozens of times.

By analysing the attacker’s log files, Guardicore was able to obtain information on the compromised machines. 

The majority (60%) of infected machines were infected for only a short period of time. 
However, almost 20% of all breached servers remained infected for more than a week, and some for even longer than two weeks. 

This proves how successful the attack is at hiding its tracks and evading mitigations such as antivirus and EDR products, says Guardicore. 

Alternatively, it is very likely that such protections are simply absent from those servers in the first place.

“We have noticed that 10% of the victims were reinfected by the malware; the system administrator may have removed the malware, and then got hit by it again,” says Guardicore Labs security researcher Ophir Harpaz. 

“This reinfection pattern has been seen by Guardicore Labs before in the analysis of the Smominru campaign, and suggests that malware removal is often done in a partial manner, without an in-depth investigation into the root cause of the infection.”
