SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Guardicore Labs exposes brute force MS-SQL attack campaign
Thu, 2nd Apr 2020

Guardicore Labs, a company specialising in cloud and data center security, has today revealed its efforts to uncover a long-running attack campaign which aims to infect Windows machines running Microsoft SQL (MS-SQL) servers.

The cyber attack campaign, named Vollgar by Guardicore, dates back to May 2018 and uses password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multifunctional remote access tools (RATs) and cryptominers.

Guardicore says the combination of weak credentials and having MS-SQL servers exposed to the internet made for a dangerously attractive lure for cyber attackers.

The company says these are the characteristics leading to the infection of around 3,000 database machines daily.

Victims belonged to various industry sectors, including healthcare, aviation, IT and telecommunications, and higher education.

The first incident of this campaign appeared in May 2018 in Guardicore's Global Sensors Network (GGSN), a network of high-interaction honeypots.

During its two years of activity, the campaign's attack flow has remained similar – thorough, well-planned and noisy. Guardicore says a peak in the number of incidents last December prompted the company to closely monitor the campaign and its impact.

Overall, Vollgar attacks originated from more than 120 IP addresses, the vast majority of which were in China. These are most likely compromised machines, repurposed to scan and infect new victims.

While some of them were short-lived and responsible for only several incidents, a couple of source IPs were active for over three months, attacking the GGSN dozens of times.

By analysing the attacker's log files, Guardicore was able to obtain information on the compromised machines.

The majority (60%) of infected machines were infected for only a short period of time. However, almost 20% of all breached servers remained infected for more than a week and even longer than two weeks.

This proves how successful the attack is in hiding its tracks and bypassing mitigations such as antiviruses and EDR products, says Guardicore.

Alternatively, it is very likely that those do not exist on servers in the first place.

“We have noticed that 10% of the victims were reinfected by the malware; the system administrator may have removed the malware, and then got hit by it again,” says Guardicore Labs security researcher Ophir Harpaz.

“This reinfection pattern has been seen by Guardicore Labs before in the analysis of the Smominru campaign, and suggests that malware removal is often done in a partial manner, without an in-depth investigation into the root cause of the infection.