
Why reviewing the security of your MSSQL servers is essential


Brute-force credential guessing attacks against database servers are on the rise, with MSSQL being the most targeted. Attackers are taking advantage of the extensibility features provided by Microsoft’s database server to gain control of underlying servers and elevate their privileges.

Security firm Trustwave recently released data from their global honeypot project, which collects information about attacks by mimicking vulnerable systems. The honeypots were configured to act as popular database management systems (DBMS), including MS SQL Server (MSSQL). The data showed that MSSQL was targeted much more frequently than other databases, with over 93% of all attacks focused on MSSQL.

The researchers found that attacks occurred in waves and had peaks, but the intensity of MSSQL brute-force attacks far surpassed those against any other database. While MySQL and Redis, the second-most targeted databases, experienced attack peaks of around 150,000 login attempts, MSSQL honeypot sensors had peaks of over 3 million login attempts.

Interestingly, attackers displayed regional preferences in their attacks. Trustwave deployed MSSQL sensors in different countries and found that the UK was the most targeted, followed by China, despite China having a significantly higher number of exposed MSSQL servers. The US ranked sixth on the list, behind countries like Ukraine, Russia, and Poland.

Shodan, a search engine for internet-connected devices, reported that there are over 450,000 MSSQL instances available on the internet, with over 133,000 located in China. Given these numbers, one would expect China to be at the top of the list for the number of attacks.

But why do attackers target MSSQL in particular? While it may not be the most popular or widely deployed database server, MSSQL stands out because it is primarily used on Windows servers. This makes it a more attractive target because attackers are more likely to have malware tools developed for Windows. Additionally, MSSQL has deep integrations with Windows servers, providing attackers with opportunities to leverage those features and gain control.

Trustwave’s researchers detailed some of the post-intrusion techniques that attackers use after gaining access to MSSQL servers via weak credentials. The most commonly targeted account in brute-force attempts was the “sa” account, a special superuser account that is typically disabled. Attackers exploit the TRUSTWORTHY property and the .NET Framework Common Language Runtime (CLR) Integration to execute malicious code within the database engine and download and execute malicious files on the underlying Windows server.

Another technique abuses the Object Linking and Embedding (OLE) Automation procedures in SQL Server. Attackers manipulate Automation objects and use existing features to delete, add, and modify registry keys in preparation for a privilege escalation attack.

The researchers emphasized that disabling unnecessary features like OLE Automation and CLR integration can reduce the attack surface, but it will not eliminate it completely. Attackers with administrative privileges can re-enable these features, highlighting the importance of changing default administrative accounts like “sa” and implementing strong password policies.
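As an added example (not from the article or from Trustwave's research), the T-SQL below audits one SQL Server instance for the three settings the article names as abused after a successful brute-force login: CLR integration, OLE Automation procedures, and the TRUSTWORTHY property, plus the state of the built-in "sa" login. The database name and renamed login in the remediation comments are placeholders.

```sql
-- Added audit script (not the article's or Trustwave's code). Run with a
-- sysadmin-equivalent login; each query reports a setting, its current
-- state and whether it needs review.

-- 1. Instance-wide extensibility features the article describes as abused.
--    Both are "advanced options"; sys.configurations still lists them.
SELECT  c.name          AS setting,
        c.value_in_use  AS current_value,
        0               AS expected_value,
        CASE WHEN c.value_in_use = 0 THEN 'OK' ELSE 'REVIEW' END AS status
FROM    sys.configurations AS c
WHERE   c.name IN ('clr enabled', 'Ole Automation Procedures');

-- 2. Databases with TRUSTWORTHY ON. Only the system database msdb ships
--    with the flag set; any user database with it on needs a justification,
--    especially when its owner is a high-privilege login.
SELECT  d.name                    AS database_name,
        SUSER_SNAME(d.owner_sid)  AS owner_login,
        d.is_trustworthy_on,
        CASE WHEN d.name <> 'msdb' THEN 'REVIEW' ELSE 'OK' END AS status
FROM    sys.databases AS d
WHERE   d.is_trustworthy_on = 1;

-- 3. The built-in "sa" login, located by its fixed SID 0x01 so that a
--    rename does not hide it. Expected: disabled and renamed, with the
--    Windows password policy enforced on it.
SELECT  p.name,
        p.is_disabled,
        l.is_policy_checked,
        l.is_expiration_checked,
        CASE WHEN p.is_disabled = 1 AND p.name <> 'sa' THEN 'OK'
             ELSE 'REVIEW' END AS status
FROM    sys.server_principals AS p
JOIN    sys.sql_logins        AS l ON l.principal_id = p.principal_id
WHERE   p.sid = 0x01;

-- 4. Remediation for findings from the queries above. Apply one change at
--    a time after confirming no legitimate workload depends on the feature.
-- EXEC sp_configure 'show advanced options', 1;       RECONFIGURE;
-- EXEC sp_configure 'Ole Automation Procedures', 0;   RECONFIGURE;
-- EXEC sp_configure 'clr enabled', 0;                 RECONFIGURE;
-- ALTER DATABASE [SomeUserDb] SET TRUSTWORTHY OFF;    -- placeholder db name
-- ALTER LOGIN [sa] DISABLE;
-- ALTER LOGIN [sa] WITH NAME = [RenamedAdminLogin];   -- placeholder name
```

As the article notes, a login that already holds sysadmin can reverse every change in section 4, so the audit is a complement to credential hygiene on privileged logins, not a substitute for it.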

In conclusion, MSSQL database servers are a prime target for brute-force credential guessing attacks due to their integrations with Windows servers and the popularity of the Windows platform among attackers. MSSQL’s extensibility features enable attackers to execute malicious code and perform privilege escalation attacks, making it critical for organizations to secure their MSSQL deployments and implement strong credential management practices.
