Botnet targets Microsoft hackers digging with MSSQL database for nearly two years

Microsoft recently announced that it had destroyed Necurs, one of the world’s largest botnets, in 35 countries, and recently targeted it for nearly two years by the botnet Vollgar. Botnet Vollgar has hacked Microsoft for nearly two years, attacking nearly 3,000 databases a day

Recently, the Guardicore Labs team released an analysis of a long-term attack activity that focused on Windows systems running MS-SQL services. The analysis reports that the attack began at least in May 2018 and has been known as “Vollgar” for nearly two years.

The Vollgar attack was the first to attempt a brute force login on an MS-SQL server, allowing the attacker to make many configuration changes to run malicious MS-SQL commands and download malware binaries.

Botnet targets Microsoft hackers digging with MSSQL database for nearly two years

Once the malware has successfully taken control of brute force, it uses these databases to mine cryptocurrencies. Currently, the cryptocurrencies being mined are V-Dimension and Monero.

In addition, the attacker behind Vollgar created new backdoor accounts for the MS-SQL database and the operating system with higher privileges.

Once the initial setup is complete, the attack continues to create downloader scripts (two VBScripts and one FTP script) that will be executed “multiple times” each time using a different target location on the local file system to avoid discovery.

One of these initial payloads, called SQLAGENTIDC.exe/SQLAGENTVDC.exe, first kills a long list of processes, with the goal of ensuring the maximum number of system resources, eliminating the activity of other threat participants, and removing their presence from infected computers.

It is worth noting that 61% of computers are infected for only 2 days or less, and 21% are infected for 7-14 days or more, with 17.1% of the computers being repeatedly infected. The latter scenario may be due to a lack of proper security measures that prevent the malware from being completely eliminated the first time the server is infected.

The report says 2-3,000 databases are captured every day in Vollgar attacks, including in countries such as China, India, South Korea, Turkey and the United States, affecting industries ranging from healthcare, aviation, IT, telecommunications, and education.

Botnet targets Microsoft hackers digging with MSSQL database for nearly two years

In addition to consuming CPU resources to mine, these database servers attract attackers because of the amount of data they have. These machines may store personal information, such as user names, passwords, credit card numbers, etc., which can fall into the hands of attackers with simple violence.

It’s a little scary.

How do I check myself?

So is there any way to defend against such an attack ahead of time?

To help infected people, Guardicore Labs also offers PowerShell self-check script Script – detect_vollgar.ps1, self-check script detect_vollgar.ps1 for local attack trace detection as follows:

1. Malicious payload in the file system;

2. The name of the task of the malicious service process;

3. Backdoor username.

With script download link:

https://github.com/guardicore/labs_campaigns/tree/master/Vollgar

The library also provides script ingendpage guidelines and recommendations for action, including:

Immediately isolate infected computers and prevent them from accessing other assets in the network.

Change all MS-SQL user account passwords to strong passwords to avoid being re-infected by this or other brute force attack.

Turn off the database account login method, log on to the database as a windows authentication, and set the password strength in the windows policy.

Strengthen the prevention and management of network boundary intrusion, set up firewall and other network security equipment at the network entrance and exit, and block unnecessary communication.

Secure troubleshooting of network devices, servers, operating systems, and application systems exposed to the Internet, including, but not limited to vulnerability scanning, Trojan monitoring, configuration verification, WEB vulnerability detection, website penetration testing, etc.

Strengthen security management, establish network security emergency disposal mechanism, enable network and operation log audit, arrange network watch, do a good job of monitoring measures, timely detection of attack risk, timely treatment.

Reference source:

https://www.guardicore.com/2020/04/vollgar-ms-sql-servers-under-attack/

https://github.com/guardicore/labs_campaigns/tree/master/Vollgar