As threat actors seek to gain access to corporate infrastructure, they’re increasingly turning to Microsoft SQL Server as their entry point of preference, a new report from Kaspersky has warned.
Its research claims attacks using Microsoft SQL Server rose by more than half (56%) in September 2022 compared to the same period last year, as during that month alone, the number of compromised servers grew to more than 3,000 endpoints.
With July and August being the exception, the number of such attacks has been gradually increasing over the past year, Kaspersky added, and kept above 3,000 since April 2022.
“Despite Microsoft SQL Server’s popularity, companies may not be giving sufficient priority to protect against threats associated with the software. Attacks using malicious SQL Server jobs have been known for a long time, but it is still used by perpetrators to gain access to a company’s infrastructure,” said Sergey Soldatov, Head of Security Operations Center at Kaspersky.
There had been multiple recent incidents where Microsoft SQL Servers has been abused by threat actors, with the latest coming just over a month ago. In late September 2022, cybersecurity researchers from AhnLab Security Emergency Response Center reported of an ongoing campaign distributing the FARGO ransomware to MS-SQL servers. In this incident, the attackers went for unprotected endpoints (opens in new tab), or those guarded by weak and easily cracked passwords.
In April, on the other hand, threat actors were observed installing Cobalt Strike beacons on such devices. News of attacks against MS-SQL has also popped up in May, June, as well as October, this year.
In most instances, threat actors would scan the internet for endpoints with an open TCP port 1433, and then conduct brute-force attacks against them, until they guess the password.