Guardicore Labs exposes brute force MS-SQL attack campaign

02 Apr 2020

Guardicore Labs, a company specialising in cloud and data centre security, has today published research uncovering a long-running attack campaign that aims to infect Windows machines running Microsoft SQL (MS-SQL) servers.

The campaign, which Guardicore has named Vollgar, dates back to May 2018. It breaches victim machines by brute-forcing passwords, deploys multiple backdoors and executes numerous malicious modules, such as multifunctional remote access tools (RATs) and cryptominers.

Guardicore says the combination of weak credentials and MS-SQL servers exposed directly to the internet made these machines a dangerously attractive lure for attackers.
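As an added illustration of the brute-force pattern described above (example code, not part of Guardicore's research), the Python below scans constructed SQL Server ERRORLOG lines for failed logins, the "Login failed for user" entries SQL Server writes for error 18456, and flags any client address that reaches five failures within sixty seconds. The sample lines, addresses, user names and threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the layout of a SQL Server ERRORLOG.
# Timestamps, user names and client addresses are invented for this example.
SAMPLE_ERRORLOG = """\
2020-03-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-01 10:00:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-01 10:00:03.52 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2020-03-01 10:00:04.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-01 10:00:06.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-01 10:00:07.25 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-01 10:05:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]
"""

# Captures: timestamp, login name, client address of a failed login line.
LOGIN_FAILED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]"
)


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: (total_failures, sorted_user_names)} for every
    source that produced at least `threshold` failed logins inside any
    span of length `window`; a single mistyped password is never flagged."""
    events = defaultdict(list)  # client ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        m = LOGIN_FAILED_RE.match(line)
        if not m:
            continue  # not a failed-login line (or a layout we do not parse)
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        events[m.group(3)].append((ts, m.group(2)))

    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window so hits[start..end] all fall within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(hits), sorted({user for _, user in hits}))
                break
    return flagged
```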

According to the company, these characteristics lead to the infection of around 3,000 database machines daily.

Victims belonged to various industry sectors, including healthcare, aviation, IT & telecommunications and higher education.

The first incident of this campaign appeared in May 2018 in Guardicore’s Global Sensors Network (GGSN), a network of high-interaction honeypots. 

During its two years of activity, the campaign's attack flow has remained similar: thorough, well-planned and noisy. Guardicore says a peak in the number of incidents last December led the company to monitor the campaign and its impact closely.

Overall, Vollgar attacks originated in more than 120 IP addresses, the vast majority of which were in China. These are most likely compromised machines, repurposed to scan and infect new victims. 

While some of them were short-lived and responsible for only several incidents, a couple of source IPs were active for over three months, attacking the GGSN dozens of times.

By analysing the attacker’s log files, Guardicore was able to obtain information on the compromised machines. 

The majority (60%) of infected machines were infected for only a short period of time.
However, almost 20% of all breached servers remained infected for more than a week, and some for longer than two weeks.

This shows how successful the attack is at hiding its tracks and bypassing mitigations such as antivirus and EDR products, says Guardicore.

Alternatively, it is very likely that such protections are absent from those servers in the first place.

“We have noticed that 10% of the victims were reinfected by the malware; the system administrator may have removed the malware, and then got hit by it again,” says Guardicore Labs security researcher Ophir Harpaz. 

“This reinfection pattern has been seen by Guardicore Labs before in the analysis of the Smominru campaign, and suggests that malware removal is often done in a partial manner, without an in-depth investigation into the root cause of the infection.”
