Surge in malware attacks on MSSQL server up 84%

Devesh Beri

Over the past six months, there has been a significant increase in malware attacks targeting Microsoft SQL (MSSQL) Server as an intrusion method. Security experts have observed a shift in hacker tactics, moving away from previously blocked techniques.

Just yesterday, Microsoft addressed the malicious exploitation of certified Windows drivers.

According to the report from ESET, a cybersecurity firm, the number of MSSQL attacks has risen by 84% between the second half of 2022 and the first half of 2023.

This surge in attacks exploiting MSSQL as a vector can be attributed to Microsoft’s decision to block Visual Basic for Applications (VBA) macros in Office documents by default last year. For years, cybersecurity professionals had advocated for stricter default controls on VBA macros, and Microsoft finally implemented these changes.

Historically, cybercriminals frequently used VBA macros in Office documents to embed malware distributed through phishing campaigns. However, after Microsoft blocked this attack avenue, researchers observed a clear increase in attacks utilizing OneNote as an alternative vector. Malicious actors behind malware like Emotet started exploiting .one files to deceive users into executing malicious scripts, moving away from their previous reliance on VBA macros.

ESET’s report highlights that Microsoft’s actions to block VBA macros and enhance OneNote’s security have led cybercriminals to explore other intrusion vectors, particularly MSSQL, for future attacks. MSSQL is a widely used relational database management system. When MSSQL servers are exposed to the internet, they become attractive targets for hackers. These servers can be accessed via port 1433, which exposes them to brute-force password-guessing attempts by threat actors.

ESET emphasizes that organizations with weak passwords or improperly managed servers are especially vulnerable. They reference an AhnLab report from April, which examined a case of ransomware installed on MSSQL servers due to easily guessable credentials.

Telemetry data reveals a staggering 1.7 billion failed password-guessing attempts against MSSQL from December 2022 to May 2023.

While attacks on MSSQL have increased, there has been a decline in brute-force attempts on other commonly targeted attack vectors. For instance, attacks on Remote Desktop Protocol (RDP), often exploited for malware like RDStealer, dropped by 22% from 17.9 billion to 15.8 billion during the same period.

Brute-force attacks are among the preferred password-cracking techniques employed by hackers. They rely on weak password strategies, such as password reuse or the absence of complexity controls within organizations.

Ladislav Janko, a senior detection engineer at ESET, advises database administrators to consider the security advantages of Windows Authentication mode when setting up the database engine. In this mode, SQL Server Authentication is disabled, and users must connect through their Windows user account, which can be protected with an account lockout policy to halt brute-force attacks effectively.

If using mixed mode is unavoidable, organizations should ensure strong passwords and place the database behind a firewall or VPN, if feasible.

via ITPro