[MART] - Daily Diary #513 - New Attacks Targeting MSSQL Servers

CTAS-MAT ctas-mat at appgate.com
Wed May 18 22:20:55 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

05/18/2022 - Diary entry #513:

A new series of attacks targeting Microsoft SQL servers was recently discovered. After gaining initial access by brute force, the attackers rely on a LOLBin (living-off-the-land binary) utility.

The binary, sqlps.exe, is present on all MSSQL servers: it is a PowerShell wrapper for running the SQL Server cmdlets. Attackers use SqlPs to run reconnaissance commands and to create a new account with sysadmin privileges, which lets them take over the server. From there they can carry out further malicious activity, such as deploying additional payloads like cryptocurrency miners. The attackers also invoke sqlps.exe in a fileless manner (i.e. without writing any data to disk) to evade security solutions.

We covered the use of legitimate Windows binaries (LOLBins) by threat actors in earlier Daily Diaries (#56, #175, and #405). They are widely used to stay undetected, since the same tools are commonly used by system administrators as well. The use of uncommon LOLBins like sqlps.exe shows that system administrators and security solutions should monitor not only rogue applications but also uncommon behavior of trusted software.
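As an added illustration of that last point (not part of the diary), a small detector over constructed process-creation records that flags sqlps.exe when it is launched by an unexpected parent, handed its script inline rather than from a file, or passed T-SQL that creates a login or grants sysadmin. The expected-parent set and the T-SQL patterns are assumptions to tune per environment.

```python
"""Flag anomalous sqlps.exe process-creation events (added example, not from the diary)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


# Assumption: SQL Server Agent runs PowerShell job steps through sqlps.exe, so it is the
# one parent treated as normal here; extend this set from your own baseline.
EXPECTED_PARENTS = {"sqlagent.exe"}

# T-SQL that creates a login or grants the sysadmin role: the step the diary reports
# attackers performing through sqlps.exe to take over the server.
PRIV_PATTERNS = [
    re.compile(r"sp_addsrvrolemember", re.I),
    re.compile(r"alter\s+server\s+role\s+sysadmin\s+add\s+member", re.I),
    re.compile(r"create\s+login\b", re.I),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(ev):
    """Return the reasons an event is suspicious; an empty list means nothing to report."""
    if _basename(ev.image) != "sqlps.exe":
        return []
    reasons = []
    if _basename(ev.parent_image) not in EXPECTED_PARENTS:
        reasons.append("parent:" + _basename(ev.parent_image))
    # Script passed on the command line instead of a .ps1 file: nothing touches disk,
    # so command-line telemetry is the only place the activity shows up.
    if re.search(r"(?:^|\s)-(?:c|command|e|enc|encodedcommand)\b", ev.command_line, re.I):
        reasons.append("inline-script")
    if any(p.search(ev.command_line) for p in PRIV_PATTERNS):
        reasons.append("sysadmin-grant")
    return reasons


def scan(events):
    """Map event index -> reasons for every event with at least one reason."""
    return {i: analyze(ev) for i, ev in enumerate(events) if analyze(ev)}


# Constructed sample events (not real telemetry): a scheduled Agent job, a sysadmin
# grant launched from the SQL Server process, and inline reconnaissance from cmd.exe.
SQLPS = r"C:\Program Files\Microsoft SQL Server\110\Tools\Binn\sqlps.exe"
SAMPLE_EVENTS = [
    ProcEvent(SQLPS, r"C:\...\MSSQL\Binn\SQLAGENT.EXE",
              r"sqlps.exe -NoLogo -NonInteractive -File C:\jobs\nightly_backup.ps1"),
    ProcEvent(SQLPS, r"C:\...\MSSQL\Binn\sqlservr.exe",
              'sqlps.exe -c "Invoke-Sqlcmd -Query \'CREATE LOGIN svc; '
              'ALTER SERVER ROLE sysadmin ADD MEMBER svc\'"'),
    ProcEvent(SQLPS, r"C:\Windows\System32\cmd.exe",
              'sqlps.exe -NoProfile -Command "whoami; ipconfig /all"'),
]
```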

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>

