01.04.2020

Microsoft SQL Servers under attack

Guardicore Labs uncovered a long-running attack campaign which aims to infect Windows machines running MS-SQL servers. Dating back to May 2018, the campaign uses password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multifunctional remote access tools (RATs) and cryptominers. Guardicore dubbed the campaign Vollgar after the Vollar cryptocurrency it mines and its offensive, vulgar behaviour.

Having MS-SQL servers exposed to the internet with weak credentials is not the best of practices. This might explain how this campaign has managed to infect around 3k database machines daily. Victims belong to various industry sectors, including healthcare, aviation, IT & telecommunications and higher education.
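A defender-side illustration, added here and not part of the Guardicore post or its detection script: a small Python check that parses SQL Server ERRORLOG "Login failed" lines (SQL Server records failed logins there by default) and flags source addresses that produce bursts of failures, the trace a password brute-force against an exposed MS-SQL instance leaves behind. The log lines are constructed samples using documentation IP ranges; the threshold and time window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not from the original post). The
# "Error: 18456" lines carry no client address and are skipped; the
# "Login failed" lines that follow them do. Addresses are documentation ranges.
SAMPLE_ERRORLOG = """\
2020-04-01 03:12:01.45 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-01 03:12:01.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 03:12:01.61 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-01 03:12:01.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 03:12:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 03:12:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 03:12:03.12 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2020-04-01 03:12:04.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 03:15:44.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(text):
    """Yield (timestamp, user, client_ip) for every 'Login failed' line."""
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("client")


def brute_force_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: peak failures inside `window`} for sources whose
    peak reaches `threshold`. Many failures from one address in a short
    span, regardless of which login they target, is the guessing pattern."""
    per_client = defaultdict(list)
    for ts, _, client in parse_failures(text):
        per_client[client].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged
```

Running it over the sample flags 203.0.113.5 with six failures in under a minute and leaves the single failure from 192.0.2.10 alone; in practice the same check belongs on the aggregated logs of every MS-SQL host, not only the one being investigated.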

A full list of IOCs (Indicators of Compromise) as well as a detection script can be found in the Guardicore Labs Campaigns repository.