Attacks against Microsoft SQL have seen a huge increase

As threat actors seek to gain access to enterprise infrastructure, they are increasingly turning to Microsoft SQL Server as their preferred entry point, warns a new report from Kaspersky.

Their research indicates that attacks using Microsoft SQL Server increased by more than half (56%) in September 2022 compared to the same period last year, with the number of compromised servers reaching more than 3,000 endpoints in that month alone.

With the exception of July and August, the number of such attacks has risen steadily over the past year, Kaspersky added, and has remained above 3,000 since April 2022.

Sloppy defense

“Despite the popularity of Microsoft SQL Server, organizations may not give high priority to protecting against threats associated with the software. Attacks using malicious SQL Server tasks have been known for a long time, but perpetrators still use them to gain access to a company's infrastructure,” said Sergey Soldatov, Head of Kaspersky's Security Operations Center.

There have been several recent incidents where Microsoft SQL servers have been abused by threat actors, with the latest occurring just over a month ago. In late September 2022, cybersecurity researchers from AhnLab Security Emergency Response Center reported an ongoing campaign distributing FARGO ransomware to MS-SQL servers. In this incident, the attackers opted for endpoints that were either unprotected or protected with weak, easily hackable passwords.

In April, threat actors were observed installing Cobalt Strike beacons on such devices. News of attacks against MS-SQL also appeared in May, June and October of this year.

In most cases, hackers scan the Internet for endpoints with an open TCP port 1433 and then carry out brute-force attacks against them until they guess the password.
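On the defender's side, the password guessing described above appears in the SQL Server error log as bursts of "Login failed" entries (error 18456) from a single client. The following detector is an added example, not code from Kaspersky, AhnLab or the original article; the threshold, the window, the helper names and the sample log lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Text line SQL Server writes to its error log for a failed login (error 18456).
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {client: sorted logins it tried} for each client with at least
    `threshold` failed logins inside any `window_s`-second span.
    Both defaults are assumed values to tune per environment."""
    recent = defaultdict(deque)  # client -> failure times still inside the window
    tried = defaultdict(set)     # client -> every login name it attempted
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # e.g. the "Error: 18456, Severity: 14" header line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        client = m["ip"].strip()
        tried[client].add(m["user"])
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged.add(client)
    return {c: sorted(tried[c]) for c in flagged}

def _line(ts, user, client):
    return (f"{ts} Logon       Login failed for user '{user}'. Reason: Password "
            f"did not match that for the login provided. [CLIENT: {client}]")

# Constructed sample: six guesses within a few seconds from one address, plus a
# legitimate user who mistyped a password twice, five minutes apart.
SAMPLE_LOG = (
    ["2022-09-21 03:14:00.10 Logon       Error: 18456, Severity: 14, State: 8."]
    + [_line(f"2022-09-21 03:14:0{i}.10", user, "203.0.113.7")
       for i, user in enumerate(["sa", "sa", "admin", "sa", "sqladmin", "sa"])]
    + [_line("2022-09-21 09:00:00.00", "reports", "198.51.100.20"),
       _line("2022-09-21 09:05:00.00", "reports", "198.51.100.20")]
)

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

A client that cycles through several login names, as the constructed 203.0.113.7 does, is a stronger signal than one user repeating a single mistyped password.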