GotoHTTP: A New Weapon in the Arsenal of Cybercriminals

Another legitimate tool becomes the key to your data.

Researchers at the AhnLab Security Intelligence Center (ASEC) have identified a new wave of attacks on MS-SQL servers that target poorly managed accounts with weak passwords. In this campaign the attackers deployed GotoHTTP, a legitimate remote-control tool that had rarely been seen in such operations before.

Attackers far more often reach for tools such as AnyDesk, TeamViewer or Ammyy Admin. Those are likewise built for legitimate remote administration, but nothing prevents criminals from using them for their own ends.

In this MS-SQL campaign the attackers first installed a CLR SqlShell, the SQL Server counterpart of a WebShell on a web server: a malicious .NET assembly loaded into the database engine through CLR integration that lets the attacker run operating-system commands from a stored procedure. With it they collected host and network information using commands such as "whoami.exe", "systeminfo.exe" and "netstat.exe".
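A CLR SqlShell leaves artifacts in the server catalog that defenders can query directly. The T-SQL below is an added example written for this post; it is not code from the ASEC report or from the attackers' tooling. It assumes only the standard SQL Server catalog views (sys.configurations, sys.assemblies, sys.assembly_files, sys.assembly_modules, sys.trusted_assemblies) and the VIEW DEFINITION / VIEW SERVER STATE permissions needed to read them; run the database-scoped parts in each user database.

```sql
-- Added example (not from the ASEC report): hunt for CLR SqlShell artifacts.

-- 1. Is CLR integration on at all?  A SqlShell cannot load without it.
--    xp_cmdshell is listed too, because the same campaigns often enable it.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security', 'xp_cmdshell');

-- 2. Assemblies that SQL Server was told to trust despite 'clr strict security'.
--    Attackers register their shell here with sp_add_trusted_assembly; an
--    administrator will usually recognise every legitimate entry by name.
SELECT hash, description, create_date, created_by
FROM sys.trusted_assemblies
ORDER BY create_date DESC;

-- 3. User-defined assemblies in the current database, most dangerous first.
--    UNSAFE_ACCESS permits arbitrary Win32 and process calls, which is what a
--    shell needs to spawn whoami.exe / systeminfo.exe / netstat.exe.
SELECT a.name                 AS assembly_name,
       a.permission_set_desc,
       a.create_date,
       a.modify_date,
       DATALENGTH(af.content) AS assembly_bytes,
       p.name                 AS owner_principal
FROM sys.assemblies AS a
JOIN sys.assembly_files AS af
  ON af.assembly_id = a.assembly_id
LEFT JOIN sys.database_principals AS p
  ON p.principal_id = a.principal_id
WHERE a.is_user_defined = 1
ORDER BY CASE a.permission_set_desc
           WHEN 'UNSAFE_ACCESS'   THEN 0
           WHEN 'EXTERNAL_ACCESS' THEN 1
           ELSE 2
         END,
         a.create_date DESC;

-- 4. The T-SQL entry points (CLR procedures/functions) that expose those
--    assemblies.  A SqlShell is typically one procedure bound to one class
--    method; the assembly_class / assembly_method names are worth recording
--    as indicators.
SELECT o.name            AS object_name,
       o.type_desc,
       a.name            AS assembly_name,
       am.assembly_class,
       am.assembly_method,
       o.create_date
FROM sys.assembly_modules AS am
JOIN sys.objects    AS o ON o.object_id   = am.object_id
JOIN sys.assemblies AS a ON a.assembly_id = am.assembly_id
WHERE a.is_user_defined = 1
ORDER BY o.create_date DESC;
```

Any UNSAFE_ACCESS assembly that nobody can account for, especially one created at the same time as an unexpected trusted-assembly entry or an 'xp_cmdshell' change, is the starting point of the investigation; capturing the assembly bytes from sys.assembly_files before dropping it preserves the sample for analysis.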

The next stage was the introduction of privilege-escalation tools such as PetitPotato, SweetPotato and others from the "Potato" family. These abuse the impersonation privileges that a Windows service account, including the one MS-SQL runs under, normally holds in order to obtain SYSTEM-level access, lifting the attacker past the restrictions of the low-privileged database context. The attackers also created new accounts with passwords of their own choosing so that they could return to the system later.

Alongside this, the attackers installed GotoHTTP to control the server remotely. When it is launched it automatically generates a configuration file containing a "Computer ID" and an "Access Code"; anyone holding these two values can connect to the infected host and take full control of it through a graphical session.

The case illustrates a continuing trend: criminals reuse existing legitimate utilities rather than writing their own malware from scratch or renting it under the Malware-as-a-Service (MaaS) model. Legitimate software also helps attackers evade security controls, since antivirus products do not flag the likes of AnyDesk, which administrators routinely use for legitimate remote management. Detection therefore has to rest on context (who installed the tool, from which account and parent process, and whether it is on the organisation's approved list) rather than on file signatures.

The main targets of such attacks on MS-SQL servers are systems with weak passwords, which is what allows brute-force or dictionary attacks to succeed. Experts recommend strong passwords that are changed periodically and keeping antivirus solutions up to date. Restricting access to the servers with firewalls and other security controls (for example, not exposing the default MS-SQL port, TCP 1433, to the internet) adds a further layer of protection.
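Before an attacker runs a dictionary against your SQL logins, you can run one yourself. The T-SQL below is an added example written for this post, not code from the ASEC report; it uses the documented PWDCOMPARE() function against sys.sql_logins, which requires CONTROL SERVER permission. The candidate password list is a constructed, illustrative sample and should be replaced with the wordlist that your own brute-force attempts actually contain (the failed-login entries in the SQL Server error log are a good source).

```sql
-- Added example (not from the ASEC report): audit SQL-authenticated logins for
-- the passwords a brute-force campaign tries first.  Requires CONTROL SERVER.

-- Constructed sample wordlist; extend with what your attackers really try.
DECLARE @candidates TABLE (pwd NVARCHAR(128) NOT NULL);
INSERT INTO @candidates (pwd)
VALUES (N''), (N'sa'), (N'password'), (N'Password1'), (N'P@ssw0rd'),
       (N'Passw0rd'), (N'123456'), (N'admin'), (N'sql'), (N'sa123');

-- 1. Logins whose password matches a wordlist entry.
SELECT l.name,
       c.pwd AS guessed_password,
       l.is_disabled,
       l.is_policy_checked,
       l.is_expiration_checked
FROM sys.sql_logins AS l
JOIN @candidates   AS c
  ON PWDCOMPARE(c.pwd, l.password_hash) = 1
ORDER BY l.name;

-- 2. Logins whose password is simply their own name (extremely common).
SELECT l.name
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(l.name, l.password_hash) = 1;

-- 3. Logins that opted out of the Windows password policy or expiry;
--    these are the ones to fix next even if no guess above succeeded.
SELECT name, is_policy_checked, is_expiration_checked, modify_date
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 4. Server principals created recently.  Attackers in this campaign added
--    accounts for later re-entry; anything here that was not provisioned by
--    an administrator deserves a look.  (Local Windows accounts they created
--    must be checked on the host itself, not in the catalog.)
SELECT name, type_desc, create_date
FROM sys.server_principals
WHERE create_date >= DATEADD(DAY, -30, SYSUTCDATETIME())
  AND name NOT LIKE '##%'
ORDER BY create_date DESC;

-- 5. Remediation sketch (uncomment and adapt per login):
-- ALTER LOGIN [sa] DISABLE;
-- ALTER LOGIN [app_user] WITH PASSWORD = N'<new strong password>',
--       CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

PWDCOMPARE() evaluates the guess against the stored hash on the server, so the audit never reveals passwords it did not already guess; keep the output restricted all the same, since a positive hit is a working credential. Disabling or renaming the sa login and enforcing CHECK_POLICY removes the easiest targets that this campaign relies on.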

Given the rise in attacks on vulnerable MS-SQL servers, administrators are advised to monitor the security of their systems closely and apply every available measure to strengthen their defences.
