“Microsoft warned of brute-forcing attacks targeting Internet-exposed and poorly secured Microsoft SQL Server (MSSQL) database servers using weak passwords. While this isn't necessarily the first time MSSQL servers have been targeted in such attacks, Microsoft says that the threat actors behind this recently observed campaign are using the legitimate sqlps.exe tool as a LOLBin (short for living-off-the-land binary)” (Bleeping Computer, 2022).
The threat actors use the sqlps[.]exe utility to achieve fileless persistence. The executable is a PowerShell host that ships with SQL Server and loads the SQL Server cmdlets, so an attacker who has already brute-forced a login can run PowerShell through it without launching powershell.exe. They use it to create a new login in the sysadmin server role, which gives them full control of the SQL Server instance; from there they perform further actions and deploy additional payloads such as ransomware or cryptominers.
Most alarming, using sqlps lets the threat actors hide their PowerShell commands from detection tools that rely on PowerShell logging. The researchers say that sqlps is an effective way to bypass Script Block Logging, the PowerShell capability that records the contents of executed script blocks in the Windows event log (Microsoft-Windows-PowerShell/Operational, Event ID 4104), so commands run through sqlps leave none of the usual PowerShell audit trail.
This is not the first time attacks like these have been reported. In March 2022, MSSQL servers were targeted by a remote access trojan called Gh0stCringe (CirenegRAT), and threat actors have also compromised MSSQL servers to drop Cobalt Strike beacons.
To defend against MSSQL server attacks, admins should:
- Never expose MSSQL servers directly to the Internet; place them behind a firewall and allow the SQL Server port (1433 by default) only from hosts that need it
- Use strong, unique passwords for sa and other admin logins that can't be guessed or brute-forced
- Enable login auditing and monitor the logs for suspicious or unexpected activity, including repeated failed login attempts and new members of the sysadmin role
- Apply the latest security updates promptly, which closes the known vulnerabilities that the most recent exploits target
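The brute-force activity described at the top of this post and the monitoring recommendation above both come down to the same check: repeated failed logins from one client, followed by a success. SQL Server writes these as "Login failed for user" (error 18456) and "Login succeeded for user" messages in the ERRORLOG with the client address appended. The following is an added example, not code from the original article or from Microsoft: a small Python detector that parses such lines and flags a client that exceeds a failure threshold inside a time window, and separately flags a later successful login from that client. The log lines, client addresses, user names and thresholds are all constructed for the example.

```python
"""Brute-force detection over SQL Server ERRORLOG logon lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Logon messages SQL Server writes to ERRORLOG, e.g.
#   2022-05-18 10:15:02.12 Logon  Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.7]
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*?"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample log: one client hammers 'sa' (plus a guessed 'admin' login)
# and then succeeds; a second client has a single benign typo-style failure.
SAMPLE_LOG = """\
2022-05-18 10:14:58.01 spid12s     Server is listening on [ 'any' <ipv4> 1433].
2022-05-18 10:15:02.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-05-18 10:15:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-05-18 10:15:05.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2022-05-18 10:15:06.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-05-18 10:15:08.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-05-18 10:15:09.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-05-18 10:15:11.03 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2022-05-18 10:20:15.60 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.5]
2022-05-18 10:22:30.90 Logon       Login succeeded for user 'reports'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.5]
""".splitlines()


def parse_logon(line):
    """Return a dict for a Logon line, or None for any other ERRORLOG line."""
    m = LOGON_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
        "outcome": m.group("outcome"),
        "user": m.group("user"),
        "client": m.group("client"),
    }


def detect_brute_force(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins inside `window`, and any
    later successful login from a flagged client (a likely compromised login)."""
    recent_failures = defaultdict(deque)   # client -> timestamps of failures in window
    targeted_users = defaultdict(set)      # client -> user names it tried
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_logon(line)
        if ev is None:
            continue
        client = ev["client"]
        if ev["outcome"] == "failed":
            q = recent_failures[client]
            q.append(ev["ts"])
            targeted_users[client].add(ev["user"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append({"type": "brute_force", "client": client,
                               "count": len(q), "users": sorted(targeted_users[client]),
                               "ts": ev["ts"]})
        elif client in flagged:
            alerts.append({"type": "success_after_brute_force", "client": client,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

Two caveats a practitioner will hit immediately. The "Login succeeded" lines only appear if the instance's login auditing is set to log both failed and successful logins (the default logs failures only), so the success-after-failures correlation needs that setting changed first. And keying on the client address alone misses a spray spread across many source addresses; a second counter keyed on the target login (for example the sa account) catches that case with the same sliding-window logic.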