SQL Server, botnet and Cryptomining... is your SQL SERVER safe?
Hi Guys,
Welcome back!
Today we talk about security!
Lately infact also SQL Server is used to execute malware and so
exploiting their compute power to mine cryptocurrency!
Are you ready to know if your SQL Server is safe?
Introduction
Yeah, this time attackers have sniffed the businnes: use Server in order to mine cryptocurrency such as Vollar and Monero!But How they do it?
Anatomy of an attack!
How they do it?Usually attackers gain the access to the targeted SQL Server databases by brute force method.
(And so use wear password for the system administrator user is not a good idea...)
Once attackers achieved the access with the sa user they apply changes to the database in order to allow command execution.
Then simply download malware binaries and open multiple backdoor.
Then remove traces of the malware activity and finally execute malware that execute the cryptomining procedure.
The whole process told in this way seems simple enough and in fact it is!
So first of all remember to set a not weak password! And remember to do not set se same password for all you server....
But how to find if your server is infected?
How to detect if your server is infected.
First of all take a look if your CPU usage is unusually high.
This is pretty simple and should make you suspicious!
Here i report a procedure to detect if your system is infected by a malware used to mining Vollgar.
You should use the powershell in order to execute the script below that you can find at https://github.com/guardicore/labs_campaigns/blob/master/Vollgar/detect_vollgar.ps1
# Script to detect the existence of Vollgar IoCs on an infected machine
#
#Requires -Version 2.0
$ErrorActionPreference = "silentlycontinue"
$VollgarFound = $false
# IoCs
$SERVICE_NAME = "SQLAGENT MSSQL SQLIOSIMSA"
$USER_NAME = "IUER_SERVER"
$ADMIN_TEMP = "C:\Users\Administrator\AppData\Local\Temp"
$FILE_PATHS = "C:\ProgramData\wget.vbs", "C:\ProgramData\SQLAGENTIDC.exe", "C:\RECYCLER\SQLAGENTIDC.exe", "C:\SQLAGENTIDC.exe", "C:\RECYCLER\wget.vbs", "C:\RECYCLER\SQLAGENTIDC.exe", "C:\ProgramData\SQLAGENTIDC.exe", "C:\SQLAGENTIDC.exe", "C:\ProgramData\emsda.vbs", "C:\RECYCLER\emsda.vbs", "$ENV:TEMP\SQLAGENTSWA.exe", "$ENV:TEMP\SQLIOMDSD.exe", "$ENV:TEMP\SQLSernsf.exe", "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe", "startas.bat", "C:\Users\MSSQL~1\AppData\Local\Temp\startas.bat", "C:\Users\MSSQLSERVER\AppData\Local\Temp\startas.bat", "C:\Windows\Temp\startas.bat", "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\startas.bat", "$ADMIN_TEMP\startas.bat", "$ADMIN_TEMP\1\startas.bat", "$ADMIN_TEMP\2\startas.bat", "$ADMIN_TEMP\3\startas.bat", "$ADMIN_TEMP\4\startas.bat", "$ADMIN_TEMP\5\startas.bat", "startae.bat", "C:\Users\MSSQL~1\AppData\Local\Temp\startae.bat", "C:\Users\MSSQLSERVER\AppData\Local\Temp\startae.bat", "C:\Windows\Temp\startae.bat", "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\startae.bat", "$ADMIN_TEMP\startae.bat", "$ADMIN_TEMP\1\startae.bat", "$ADMIN_TEMP\2\startae.bat", "$ADMIN_TEMP\3\startae.bat", "$ADMIN_TEMP\4\startae.bat", "$ADMIN_TEMP\5\startae.bat"
$SCHEDULED_TASKS_NAMES = ".NET Framework NGEN v0.2.212294", ".NET Framework NGEN v0.2.212294 64", ".NET Framework NGEN v0.2.213394", ".NET Framework NGEN v0.2.213394 64", ".NET Framework NGEN v0.2.214294", ".NET Framework NGEN v0.2.214294 64", ".NET Framework NGEN v0.2.215394", ".NET Framework NGEN v0.2.215394 64"
Write-Output "Vollgar Campaign Detection Tool"
Write-Output "Written By Guardicore Labs"
Write-Output "Contact us at: labs@guardicore.com`n"
# Detect service
$serviceFound = Get-Service -Name $SERVICE_NAME
if ($serviceFound) {
$VollgarFound = $true
Write-Output "[X] Service $SERVICE_NAME was found on this host."
}
else {
Write-Output "[V] Vollgar's malicious service $SERVICE_NAME was not found on this host."
}
# Detect Added Local User
$userFound = Get-WmiObject -Class Win32_UserAccount -Filter "Name='$USER_NAME'"
if ($userFound) {
$VollgarFound = $true
Write-Output "[X] User $USER_NAME was found on this host."
}
else {
Write-Output "[V] Vollgar's local user $USER_NAME was not found on this host."
}
# Detect Dropped Payloads
$payloadsFound = $false
foreach ($pn in $FILE_PATHS) {
if ([System.IO.File]::Exists($pn)) {
$VollgarFound = $payloadsFound = $true
Write-Output "[X] A malicious payload was found in $pn."
}
}
if (!$payloadsFound) {
Write-Output "[V] No malicious payloads were found."
}
# Check scheduled tasks created by u.exe
$schedtaskFound = $false
foreach ($tn in $SCHEDULED_TASKS_NAMES) {
$taskObj = schtasks.exe /Query /TN $tn 2>$null
if ($taskObj) {
$VollgarFound = $schedtaskFound = $true
Write-Output "[X] A malicious scheduled task '$tn' was found on this host."
}
}
if (!$schedtaskFound) {
Write-Output "[V] No malicious scheduled tasks were found."
}
# Summary
if ($VollgarFound) {
Write-Output "`n[X] Evidence for the Vollgar campaign has been found on this host."
}
else {
Write-Output "`n[V] No evidence for the Vollgar campaign has been found on this host."
}
#
If you found that your sistem is infected please contact a valid an SQL Server Expert!
That's all for today!
See you soon and don't forget please to subscribe to this blog if you want receive a notification when a new post is published!
Luca
Luca Biondi @ SQLServerPerformance blog 2020!
Previous post: SQL Server: About the for triggers and the After triggers
A to a great degree brilliant blog passage. We are really grateful for your blog passage. fight, law usage You will find an extensive measure of techniques in the wake of heading off to your post. I was absolutely examining for. An obligation of appreciation is all together for such post and please keep it up. Mind blowing work. how to invest in bitcoin cash online
ReplyDeleteHi there,
ReplyDeleteThank you so much for the post you do and also I like your post, Are you looking for Buy best cryptocurrency mining hardware; Buy bitcoin mining calculator; best mining calculator; Buy crypto mining calculator; mining profitability calculator online; cryptocurrency mining hardware online; Buy bitcoin mining hardware; used crypto mining equipment; bitcoin miner software; free bitcoin mining software; best bitcoin mining hardware; bitcoin mining machine; is bitcoin mining profitable; how to mine bitcoin; Buy bitcoin mining calculator; best cryptocurrency mining shop; reliable bitcoin mining hardware; Online coin mining; Dash mining hardware online; best dash miner with the well price and our services are very fast.
Click here for MORE DETAILS......
CONTACT INFORMATION
Email: info@elitesolutionminers.com
WhatsApp: +1 (409) 777 1153
Emergency Text or call: +1 (409) 777 1153
Hi there,
ReplyDeleteThank you so much for the post you do and also I like your post, Are you looking for Buy best cryptocurrency miner online; Buy bitcoin mining calculator; best mining calculator; Buy crypto mining calculator; mining profitability calculator online; cryptocurrency mining hardware online; Buy bitcoin mining hardware; used crypto mining equipment; bitcoin miner software; free bitcoin mining software; best bitcoin mining hardware; bitcoin mining machine; is bitcoin mining profitable; how to mine bitcoin; Buy bitcoin mining calculator; best cryptocurrency mining shop; reliable bitcoin mining hardware; Online coin mining; Dash mining hardware online; best dash miner with the well price and our services are very fast.
Click here for MORE DETAILS......
CONTACT INFORMATION
Email: info@elitesolutionminers.com
WhatsApp: +1 (409) 777 1153
Emergency Text or call: +1 (409) 777 1153