MSSQL databases are the target of a new and damaging attack campaign. This time the threat is a piece of malware called MrbMiner, devised by an experienced hacking group; at this moment there is no information available about the identity of the criminals behind it. The malware was named after one of the domain names registered to spread it. The attacks use a botnet approach: numerous compromised computers and hacked hosts are tasked with automatically identifying accessible database servers on a given network. If one is found, an automated script is invoked that attempts to leverage various security exploits. The main technique is brute force, using dictionary- or algorithm-generated lists of usernames and passwords for the administrative accounts.

A new malware gang has made a name for itself over the past few months by hacking into Microsoft SQL Servers (MSSQL) and installing a crypto-miner.
Thousands of MSSQL databases have been infected so far, according to the cybersecurity arm of Chinese tech giant Tencent. In a report published earlier this month, Tencent Security named this new malware gang MrbMiner, after one of the domains used by the group to host their malware. The Chinese company says the botnet has exclusively spread by scanning the internet for MSSQL servers and then performing brute-force attacks by repeatedly trying the admin account with various weak passwords.
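The password guessing described above leaves a clear trace on the server side: SQL Server writes every failed login to its ERRORLOG as an error 18456 entry that names the login and the client address, so a burst of failures from one address against the administrative account stands out. The script below is an added example, not code from the article or from Tencent's report. The ERRORLOG line shape it parses is the real one; the sample log lines, the five-failures-per-minute threshold and the address values are constructed assumptions.

```python
"""Flag SQL Server password brute-forcing from ERRORLOG lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape SQL Server uses for error 18456 in ERRORLOG: a timestamp with two
# fractional digits, the "Logon" process column, the login name in quotes and
# the client address in a trailing [CLIENT: ...] suffix. The reason text varies.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]$"
)

# Constructed sample (not real log data): six rapid failures against 'sa' from
# one external address, plus one stray failure from an internal application host.
SAMPLE_LOG = [
    "2020-09-01 10:00:00.00 Logon       Error: 18456, Severity: 14, State: 8.",
    "2020-09-01 10:00:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]",
    "2020-09-01 10:00:05.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]",
    "2020-09-01 10:00:10.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]",
    "2020-09-01 10:00:15.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]",
    "2020-09-01 10:00:20.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]",
    "2020-09-01 10:00:25.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]",
    "2020-09-01 10:30:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]",
]


def parse_failed_logins(lines):
    """Extract (timestamp, login name, client address) from failed-login lines."""
    events = []
    for line in lines:
        m = LOGIN_FAILED.match(line.rstrip())
        if not m:
            continue  # severity/state lines, startup banners and other noise
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group("user"), m.group("client").strip()))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failures per client address.

    Returns {client: {"attempts": total failures, "users": logins tried}} for
    every client that produced at least `threshold` failures inside `window`.
    """
    stamps = defaultdict(list)
    users = defaultdict(set)
    for ts, user, client in events:
        stamps[client].append(ts)
        users[client].add(user)
    hits = {}
    for client, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                hits[client] = {"attempts": len(times), "users": sorted(users[client])}
                break
    return hits


def report(lines, threshold=5, window=timedelta(minutes=1)):
    """Parse raw ERRORLOG lines and return the brute-force findings."""
    return find_bruteforce(parse_failed_logins(lines), threshold, window)


if __name__ == "__main__":
    for client, info in report(SAMPLE_LOG).items():
        print(f"{client}: {info['attempts']} failed logins, accounts tried: {', '.join(info['users'])}")
```

On a real instance, feed it the contents of the current ERRORLOG (or the output of `xp_readerrorlog`) instead of `SAMPLE_LOG`; the internal host with a single failure is deliberately left below the threshold so that ordinary mistyped passwords do not page anyone.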
Once the attackers gain a foothold on a system, they download an initial assm.exe file, which establishes a (re)boot persistence mechanism and adds a backdoor account for future access. Tencent says this account uses the username “Default” and a password of “@fg125kjnhn987.”
The last step of the infection process is to connect to the command and control server and download a Trojan module that mines the Monero (XMR) cryptocurrency, abusing local server resources to generate XMR coins into accounts controlled by the attackers. The Trojan keeps a connection open to the hacker-controlled server, which lets the attackers take over control of the systems and steal files and data from the hacked hosts. Database servers are usually built on enterprise-grade, performance-optimized hardware, which is why the hackers behind the ongoing campaign have added another damaging action: deploying a cryptocurrency miner. The miner is a script configured to download multiple performance-intensive tasks onto the infected servers. These run automatically and have a crippling effect on the usability of the systems. For every reported and completed job, the hackers receive cryptocurrency assets as a reward.
The attacks will probably change in the near future; footholds like these are particularly useful for spreading dangerous malware such as the Qbot Trojan.
LINUX AND ARM VARIANTS ALSO DISCOVERED
The MrbMiner C&C server also contained versions of the group’s malware written to target Linux servers and ARM-based systems.
The Monero wallet used for the MrbMiner version deployed on MSSQL servers stored 7 XMR (~$630). While the two sums are small, crypto-mining gangs are known to use multiple wallets for their operations, and the group has most likely generated much larger profits.
For now, what system administrators need to do is to scan their MSSQL servers for the presence of the Default/@fg125kjnhn987 backdoor account. In case they find systems with this account configured, full network audits are recommended.
A T-SQL query that will collect the data for you (run it on each instance; a result of 1 means the backdoor login is present with the reported password):
-- Look up the MrbMiner backdoor login by name and compare its stored hash with the reported password
SELECT COUNT(*)
FROM sys.sql_logins AS s
WHERE s.[name] = 'Default'
AND PWDCOMPARE('@fg125kjnhn987.', s.password_hash) = 1