lconstantin
CSO Senior Writer

Why you should review the security of your MSSQL servers

News Analysis
27 Jun 2023 | 6 mins
Cyberattacks | Data and Information Security

MS SQL Server is by far the most common DBMS that attackers target, probably due to its tight integration with Windows.


Brute-force credential guessing attacks against database servers are ramping up with MSSQL being at the top of the target list. That’s because attackers can leverage the many extensibility features that Microsoft’s database server provides to integrate with other Windows components and features to elevate their privileges and gain full control of the underlying servers.

Last week, researchers from security firm Trustwave released data collected over four months from their global honeypot project, a network of sensors distributed around the world to mimic vulnerable systems and record information about attacks. In this exercise, the honeypots were configured to act as popular database management systems (DBMS) running on their default ports: MS SQL Server (MSSQL), MySQL, Redis, MongoDB, PostgreSQL, Oracle DB, IBM DB2, Cassandra and Couchbase.

“It quickly became clear that the activity of MSSQL has been much higher than other databases,” the researchers said. “The disproportion is so large (>93%) that comparing it to the other DBMSs was sometimes difficult.”

The researchers found that attacks happen in waves and have peaks, but the intensity of MSSQL brute-force attacks dwarfed those against any other database. For example, the second-most targeted database servers, MySQL and Redis, registered attack peaks of around 150,000 login attempts. By comparison, attacks against MSSQL honeypot sensors had peaks of over 3 million login attempts.

Another interesting finding is that even though Trustwave had MSSQL sensors deployed in different countries, attackers clearly displayed regional preferences in their attacks. For example, the sensors located in the UK were the most targeted ones, registering a slightly higher number of attacks than those in China, even though China has a much higher number of MSSQL servers exposed to the internet. The US was in sixth place, after countries like Ukraine, Russia, and Poland.

According to Shodan, more than 450,000 MSSQL instances are reachable from the internet, with more than 133,000 of them located in China. One would therefore expect China to top the list for the number of attacks.

Why do attackers target MSSQL?

While MSSQL is certainly one of the most widely used database servers, it’s never been the most popular or most widely deployed because it’s only used on Windows servers. MySQL, Oracle, and PostgreSQL always top the popularity rankings. So why are MSSQL servers a more interesting target for attackers?

One could argue it’s because Windows is a more popular target than Linux and attackers are more likely to have malware tools developed for Windows. So, if the database server is the entry point into compromising the underlying server, then it makes sense more attackers would go for MSSQL. While that might be part of it, MSSQL also has deep and powerful integrations with the Windows servers it runs on, as shown by Trustwave’s analysis of the observed attacks.

How attackers exploit MSSQL access

In a new report, the researchers go over some of the actions and post-intrusion techniques they saw attackers use after gaining access to MSSQL servers via weak credentials. First, the most commonly targeted account name in the brute-force attempts was “sa”. This is a special superuser account that stands for “server authentication” and is normally disabled in most scenarios.

“The sa account is a well-known SQL Server account and it is often targeted by malicious users,” the Microsoft documentation says. “Don’t enable the sa account unless your application requires it. It’s important that you use a strong password for the sa login.”

The researchers observed two payload delivery methods once attackers gained access to an MSSQL account, both of which display deep knowledge of the platform and use features that allow the server to integrate with other technologies. One of them is the .NET Framework Common Language Runtime (CLR) Integration, which allows MSSQL users to execute .NET code directly within the database engine to extend SQL Server's functionality.

“When the bot is authenticated, it executes a SQL script to change the MSSQL config to be able to install a backdoor CLR assembly,” the Trustwave researchers said.

First, the attackers set the TRUSTWORTHY property on the database where their assembly code will be hosted and then enable the CLR feature so that their malicious code can run. The attackers then use the malicious CLR code to download and execute four malicious executable files on the underlying Windows server through the command line (cmd.exe).

Another observed payload delivery technique involved the abuse of the Object Linking and Embedding (OLE) automation procedure present in MSSQL Server that allows users to create Automation objects.

“Users can create and manipulate Automation objects in T-SQL code, which enables the integration of the SQL Server with other components of the Windows system, called Component Object Model (COM), which is a binary-interface standard for software components,” the researchers said.

Attackers were seen enabling OLE Automation Procedures as well as other server configuration options, then using existing features to delete, add, and modify various registry keys in preparation for a privilege escalation attack. They then start creating OLE objects.

“Exploits utilize the IDataInitialize, referred to by its class identifier (CLSID {00000566-0000-0010-8000-00AA006D2EA4}) provided by Microsoft’s OLE DB Service Component, to create and manage connections,” the researchers said. “Then, the bot creates the file F**kGothin.inf and writes hexadecimal binary content. F**kGothin.inf is a text file. These types of files are used to provide information to the system about how to install, configure, and manage software, drivers, or hardware components.”

After changing descriptors for various files and completing the privilege escalation process, the malicious process starts creating objects using “ADODB.Stream”, a COM object provided by Microsoft’s ActiveX Data Objects (ADO) library that allows writing binary or text data in memory. This is used to write several executables to disk including privilege escalation tools such as Potato (BadPotato, JuicyPotato, SweetPotato, EFSPotato) and PoC (CVE-2018-8639, CVE-2019-1458). The final goal is to deploy various Trojan programs on the system along with a cryptocurrency mining tool.

“The OLE Automation and CLR assembly are immensely powerful features, which makes them extremely dangerous,” the researchers said. “If you are not using OLE Automation and the CLR assembly, they need to be disabled. Disabling unnecessary features inside the database will reduce the attack surface, but as we illustrated, it will not eliminate it.”

Even if disabled, attackers can re-enable these features if they have administrative privileges to the database server, so changing the default administrative accounts such as “sa” and having strong password policies for them is very important.
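The following T-SQL audit, added here as an example and not part of the Trustwave report or CSO's article, checks an instance for the configuration states the article describes (CLR Integration and OLE Automation Procedures enabled, databases marked TRUSTWORTHY, user-defined CLR assemblies, and an enabled "sa" login) and shows the corrective statements beside each check. It assumes sysadmin rights on the instance; `AppDb` is a placeholder database name.

```sql
-- Added audit/hardening script (example, not from the report). Run as sysadmin.

-- 1. Server-wide features the observed bots switched on. Expect value_in_use = 0
--    unless an application genuinely needs them. 'clr strict security' (SQL Server
--    2017+) should stay 1 so unsigned assemblies need a TRUSTWORTHY database to load.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'Ole Automation Procedures',
               'xp_cmdshell', 'clr strict security');

-- 2. Databases flagged TRUSTWORTHY: the step the attackers took before loading their
--    backdoor assembly. Only msdb is expected to be ON by default.
SELECT name, is_trustworthy_on, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE is_trustworthy_on = 1 AND name <> 'msdb';

-- 3. The sa login (SID 0x01 even if renamed): should be disabled, with a recent strong password.
SELECT name, is_disabled,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE sid = 0x01;

-- 4. User-defined CLR assemblies in every online database. UNSAFE permission sets can
--    run arbitrary native code, i.e. launch cmd.exe as the article describes.
CREATE TABLE #asm (db sysname, assembly_name sysname, permission_set nvarchar(60), created datetime);
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'INSERT #asm SELECT N''' + REPLACE(name, '''', '''''') + N''', a.name, '
             + N'a.permission_set_desc, a.create_date FROM ' + QUOTENAME(name)
             + N'.sys.assemblies a WHERE a.is_user_defined = 1;' + CHAR(10)
FROM sys.databases
WHERE state_desc = 'ONLINE';
EXEC sys.sp_executesql @sql;
SELECT * FROM #asm ORDER BY created DESC;
DROP TABLE #asm;

-- 5. Remediation when the features are not needed (the report's own advice).
--    Disabling a feature only raises the bar: a sysadmin-level login can re-enable it,
--    so the sa login and its password policy are part of the same fix.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'clr enabled', 0;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
ALTER LOGIN sa DISABLE;                       -- or ALTER LOGIN sa WITH NAME = [<new_name>];
ALTER DATABASE [AppDb] SET TRUSTWORTHY OFF;   -- AppDb is a placeholder; repeat per flagged database
```

Check 4 uses dynamic SQL because `sys.assemblies` is a per-database view; re-run the whole script after remediation so the first three checks confirm the new state.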