An attack group operating from China has been compromising MS-SQL database servers by the thousands for nearly two years, installing multiple backdoors and remote access trojans on the machines, and eventually mining multiple cryptocurrencies.
The campaign has been ongoing since about May 2018 and has affected organizations in a number of industries in the United States, China, South Korea, India, and Turkey, and some of the servers have been infected multiple times over the course of the campaign. Researchers at Guardicore Labs discovered the campaign and found that while the initial infection vector is quite simple, it has been highly effective for an extended period of time thanks to the large number of MS-SQL Server instances exposed to the Internet with weak credentials.
"This attack campaign, like many others of its kind, is opportunistic - it scans the internet for machines with MS-SQL port (1433) open, and breaches these machines using brute-force. We have not seen any evidence of specific targeting. However, once infected - compromised servers send identifying information to the attacker’s command-and-control server, informing them with the machine’s public IP, geolocation, computer name and CPU model. This data will be used when the attacker sells access to these machines on the dark web," Ophir Harpaz of Guardicore said in an email.
The attackers, named Vollgar by the Guardicore researchers, scan the Internet for those exposed machines, often using servers they have already compromised and drafted into the scanning effort, and then try to brute-force the passwords. The next step is making a few changes to the configuration of the compromised server to make it easier to use for future tasks.
“Following these settings changes, the attacker performs a series of steps to make the system as out-of-the-box as possible. For example, the attacker validates that certain COM classes are available – WbemScripting.SWbemLocator, Microsoft.Jet.OLEDB.4.0 and Windows Script Host Object Model (wshom). These classes support both WMI scripting and command execution through MS-SQL, which will be later used to download the initial malware binary. The Vollgar attacker also ensures that strategic files such as cmd.exe and ftp.exe have execution permissions,” Harpaz wrote in an analysis of the attacks.
“Planning ahead, the attacker sets multiple backdoor users on the machine – both in the MS-SQL database context and in that of the operating system. In both cases, the users are added to the administrators group to ‘arm’ them with elevated privileges.”
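The two preceding paragraphs describe the configuration the attackers rely on (COM classes reachable from inside MS-SQL for command execution) and the backdoor logins they add to the administrators group. The following T-SQL audit is an added example for defenders and is not part of the article or of Guardicore's analysis. It assumes SQL Server 2008 or later, and it assumes that the COM-class checks are performed through the OLE Automation stored procedures and that Microsoft.Jet.OLEDB.4.0 is reached through ad hoc distributed queries; the article states neither mechanism.

```sql
-- Added example (not from the article): audit the MS-SQL surface the Vollgar
-- campaign depends on. Run as a member of sysadmin on the instance being checked.

-- 1. Server options that let T-SQL instantiate COM objects or run OS commands.
--    ASSUMPTION: WbemScripting.SWbemLocator / wshom are created via sp_OACreate
--    ('Ole Automation Procedures'); Jet OLEDB via OPENROWSET ('Ad Hoc Distributed
--    Queries'); 'xp_cmdshell' is the other common command-execution path.
SELECT name,
       CAST(value_in_use AS int) AS enabled_now,
       CASE WHEN CAST(value_in_use AS int) = 1
            THEN 'REVIEW: disable unless a documented application needs it'
            ELSE 'ok' END AS finding
FROM sys.configurations
WHERE name IN (N'Ole Automation Procedures',
               N'xp_cmdshell',
               N'Ad Hoc Distributed Queries');

-- 2. Every login that holds sysadmin, newest first, so a freshly added
--    backdoor login stands out against the expected administrative accounts.
SELECT p.name        AS login_name,
       p.type_desc   AS login_type,
       p.is_disabled,
       p.create_date,
       p.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.create_date DESC;

-- 3. Brute-force evidence: failed logins in the current SQL Server error log
--    (arguments: 0 = current log, 1 = SQL Server log, then a substring filter).
--    A burst of these from one source IP on port 1433 matches the scanning
--    behaviour the article describes.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- 4. Remediation once the options are confirmed unused ('show advanced options'
--    must be on before the other two can be changed).
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

Pair the query in step 2 with a known-good list of administrative logins; the article notes the attackers also add OS-level administrators, which this instance-scoped audit does not cover.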
With all of that done, the attackers then hunt for any other malware on a newly compromised server and remove it. The Vollgar attackers also remove a number of registry values that are used by attackers to attach malware to legitimate executables, and then install three separate scripts in different places on the machine to be used as downloaders. In a somewhat unusual twist, the attackers are not using a dedicated attack infrastructure, but instead are running their operations from a machine in China that has been compromised by several other attackers. The Guardicore researchers discovered numerous individual backdoors on the machine. Many of the domains involved in the campaign are registered on freely available top-level domains, and the attackers use a web of shell companies and hosting providers to prop up their efforts.
“The attacker held their entire infrastructure on the compromised machine. Among the files was the MS-SQL attack tool, responsible for scanning IP ranges, brute-forcing the targeted database and executing commands remotely. In addition, we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS), Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP,” Harpaz said.
Eventually, the attackers get around to installing the cryptominers after installing multiple RATs and various other modules.
“Each RAT module attempts to connect to the CNC server on a different port. Ports we’ve seen include 22251, 9383 and 3213. It is fair to assume that the simultaneous connections are for redundancy in case one of the CNCs is down. The communication between the client and server starts with an initial report of information, then continues with periodic heartbeats once every ten seconds,” Harpaz said.
“The attacker is mining both Monero and an alt-coin named VDS, or Vollar. This is an unusual cryptocurrency, combining elements of Monero (full privacy) and Ethereum (smart contracts), pegged relatively close to the dollar.”
Harpaz said that the Vollgar attackers have infected as many as 3,000 servers a day.