Microsoft warns of attacks targeting MSSQL servers using the tool sqlps

Microsoft warns of brute-forcing attacks targeting Microsoft SQL Server (MSSQL) database servers exposed online.

Microsoft warns of a new hacking campaign aimed at MSSQL servers, threat actors are launching brute-forcing attacks against poorly protected instances. The attacks are using the legitimate tool sqlps.exe, a sort of SQL Server PowerShell file, as a LOLBin (short for living-off-the-land binary).

Microsoft warned of the attacks in a series of tweets, it doesn’t attribute them to a specific threat actor.

The sqlps.exe utility is described by Microsoft as a PowerShell wrapper for running SQL-built cmdlets.

The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem. pic.twitter.com/Tro0NfMD0j

— Microsoft Security Intelligence (@MsftSecIntel) May 17, 2022

The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, enabling them to take full control of the SQL server. They then gain the ability to perform other actions, including deploying payloads like coin miners. pic.twitter.com/stXJMDMevc

— Microsoft Security Intelligence (@MsftSecIntel) May 17, 2022

Threat actors also use sqlps.exe to create a new account that they add to the sysadmin role, allowing them to take full control of the SQL server instance. Then the attackers are able to perform other malicious actions, such as deploying malware.

The attack is fileless and do not leave traces on the targeted systems bypassing antimalware solutions.

Defenders typically monitor the use of PowerShell in their environment. The sqlps.exe utility, which comes with all versions of SQL by default, has similar functionality and is equally worthy of increased scrutiny.

— Microsoft Security Intelligence (@MsftSecIntel) May 17, 2022

Experts pointed out that the use of the sqlps tool allows to bypass Script Blocmdletck Logging, used to record the content of all script blocks that it processes.

The use of this uncommon living-off-the-land binary (LOLBin) highlights the importance of gaining full visibility into the runtime behavior of scripts in order to expose malicious code.

— Microsoft Security Intelligence (@MsftSecIntel) May 17, 2022

Experts recommend to not expose MSSQL servers online, secure them with string admin credentials, apply the latest security updates, enable logging to monitor for potentially attack patters.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, MSSQL servers)

The post Microsoft warns of attacks targeting MSSQL servers using the tool sqlps appeared first on Security Affairs.