ALERT: Hackers Deploy Hidden Backdoor on Thousands of Microsoft SQL Servers

Malicious Campaign Targeting MS-SQL Servers Discovered by Researchers

Cybersecurity experts have identified a prolonged malicious campaign that has been active since May 2018, focusing on Windows machines equipped with MS-SQL servers. The campaign, named “Vollgar” after the Vollar cryptocurrency it mines, is aimed at deploying backdoors and diverse malware, including multifunctional remote access tools (RATs) and cryptominers. Researchers from Guardicore Labs have uncovered that the attackers are employing password brute-force techniques to breach Microsoft SQL servers harboring weak credentials exposed to the Internet.

Recent analyses indicate that the attackers have successfully compromised approximately 2,000 to 3,000 database servers daily, primarily impacting sectors such as healthcare, aviation, IT and telecommunications, and education. Notably, the targets span multiple countries, including China, India, the United States, South Korea, and Turkey. The campaign exemplifies a growing trend of attacks aimed at exploiting vulnerabilities in poorly protected database servers to exfiltrate sensitive information.

To assist stakeholders in mitigating this threat, Guardicore researchers have released a detection script that system administrators can utilize to check if their MS-SQL servers have been compromised.

The Vollgar attack chain initiates with brute-force login attempts on MS-SQL servers. Upon successful penetration, attackers execute configuration changes that enable malicious MS-SQL commands and the downloading of malware binaries. During this phase, attackers also verify the availability of certain COM classes—specifically WbemScripting.SWbemLocator, Microsoft.Jet.OLEDB.4.0, and the Windows Script Host Object Model (Wshom)—which facilitate WMI scripting and command execution through MS-SQL, laying the groundwork for downloading the initial malware payload.

Further along the attack path, operators ensure that essential executables, such as cmd.exe and ftp.exe, have the requisite execute permissions. Additionally, new backdoor users are created both within the MS-SQL database and the operating system, granting elevated privileges. Initial setup efforts culminate in the deployment of downloader scripts, executed multiple times with varied target locations on the local filesystem to mitigate potential failures.
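The attack chain described above (brute-forced logins, server options flipped to allow command execution and downloads, extra logins added) can be checked for from the defender's side. The following T-SQL is an added example written for this article; it is not Guardicore's detection script, and it assumes that the "configuration changes" in question are the standard sp_configure options that expose OS command execution and COM automation from T-SQL (xp_cmdshell, Ole Automation Procedures, Ad Hoc Distributed Queries), since the article does not name them.

```sql
-- Added audit queries (not the vendor's script). Run as a sysadmin on the
-- MS-SQL instance to be checked. Assumption: the options below are the ones
-- an attacker would enable to run commands and fetch files through T-SQL.

-- 1. Server options that should normally be 0 on a production instance.
--    Any row returned here deserves an explanation from the DBA.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries')
  AND value_in_use = 1;

-- 2. Logins created or modified recently, flagging sysadmin membership.
--    A new SQL login with sysadmin rights on an Internet-exposed server is the
--    kind of "backdoor user" the article describes.
SELECT p.name,
       p.type_desc,
       p.create_date,
       p.modify_date,
       CASE WHEN IS_SRVROLEMEMBER('sysadmin', p.name) = 1
            THEN 'sysadmin' ELSE '' END AS role_note
FROM sys.server_principals AS p
WHERE p.type IN ('S', 'U', 'G')          -- SQL login, Windows login, Windows group
  AND p.is_disabled = 0
  AND (p.create_date > DATEADD(day, -30, GETDATE())
       OR p.modify_date > DATEADD(day, -30, GETDATE()))
ORDER BY p.modify_date DESC;

-- 3. Failed-login volume in the current error log, the footprint of a
--    password brute-force. Failed-login auditing is on by default; a large
--    number of hits from a single source IP is the signal to look for.
EXEC xp_readerrorlog 0, 1, N'Login failed for user';

-- 4. Remediation for finding (1): disable the options again.
--    'show advanced options' must be on for these names to be settable.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE;
```

Pair these checks with the obvious network control: an MS-SQL listener (TCP 1433) should not be reachable from the Internet at all, and the `sa` account should be disabled or renamed with a strong password.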

One of the initial payloads, identified as SQLAGENTIDC.exe or SQLAGENTVDC.exe, systematically terminates a list of processes to free up system resources while erasing the traces of other threat actors. This payload serves as a dropper for various RATs and an XMRig-based crypto-miner that targets Monero, as well as the Vollar alt-coin.

Guardicore noted that attackers have established their infrastructure on compromised systems, including a principal command-and-control server located in China, which has faced numerous attacks from multiple threat groups. The C2 server contains the MS-SQL attack tool responsible for scanning IP ranges, performing brute-force attacks on targeted databases, and executing commands remotely.

Upon communication with the infected Windows client, the C2 server gathers critical machine details such as the public IP, geographical location, operating system version, and CPU model. Guardicore emphasized that the C2 software operated by different vendors shares similar capabilities for remote control, including file downloads, installation of new Windows services, keylogging, and even executing Distributed Denial-of-Service (DDoS) attacks.

In light of the significant number of machines running MS-SQL database services—estimates suggest around half a million—this campaign serves as a stark reminder of the imperative need for robust cybersecurity measures. Weakly credentialed MS-SQL servers provide a tempting target for attackers, who are drawn not only by the valuable computational power but also by the extensive troves of data these machines hold, including sensitive personal information. Businesses are urged to implement strong password policies and other security measures to protect against such brute-force attacks.

This incident underscores the importance of continuous vigilance and the necessity for organizations to adopt comprehensive security practices in the face of evolving cyber threats. The MITRE ATT&CK framework highlights tactics such as initial access through brute-force attacks and persistence through the establishment of backdoor users, elucidating methods that attackers may employ in future campaigns.
