Responses: 2
SGT Unit Supply Specialist
PO1 William "Chip" Nagel
...""The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem," the Microsoft Security Intelligence team revealed.

"The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, enabling them to take full control of the SQL server. They then gain the ability to perform other actions, including deploying payloads like coin miners."

Using SQLPS, a utility included with the Microsoft SQL Server installation that allows loading SQL Server PowerShell cmdlets, as a LOLBin enables the attackers to execute PowerShell commands without worrying about defenders detecting their malicious actions.

It also helps ensure that they don't leave any traces to be found while analyzing their attacks since using SQLPS is an effective way to bypass Script Block Logging, a PowerShell capability that would otherwise log cmdlet operations to the Windows event log."...
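Because the quoted article says sqlps.exe sidesteps Script Block Logging, the PowerShell event logs will not show these commands, so the place to look is process-creation telemetry. The following is an added example, not code from the post or the article it quotes: a Python scorer for Sysmon-style Event ID 1 records that flags sqlservr.exe spawning sqlps.exe and sqlps.exe command lines that touch the sysadmin role or service configuration. The sample records, install paths and login names are constructed, and the check on other script hosts (powershell.exe, pwsh.exe, cmd.exe) generalises beyond the sqlps.exe case the article describes.

```python
import re
from typing import Dict, List

# Script hosts the database engine has no reason to launch itself (generalised
# beyond sqlps.exe, the case the article describes).
SCRIPT_HOSTS = {"sqlps.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line fragments matching the follow-on steps the article describes.
RISKY_PATTERNS = [
    ("sysadmin role change", re.compile(r"\bsysadmin\b", re.I)),
    ("sp_addsrvrolemember call", re.compile(r"\bsp_addsrvrolemember\b", re.I)),
    ("service configuration change", re.compile(r"\bSet-Service\b", re.I)),
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so folder and case differences do not matter."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Verdict for one Sysmon-style process-creation (Event ID 1) record."""
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    reasons: List[str] = []
    if parent == "sqlservr.exe" and child in SCRIPT_HOSTS:
        reasons.append(f"sqlservr.exe spawned script host {child}")
    hits = [name for name, rx in RISKY_PATTERNS if rx.search(event.get("CommandLine", ""))]
    if child == "sqlps.exe" and hits:
        reasons.append("sqlps.exe command line shows " + ", ".join(hits))
    # Parent anomaly plus a risky command line is the article's full chain: rate it high.
    severity = {0: "none", 1: "medium"}.get(len(reasons), "high")
    return {"severity": severity, "reasons": reasons}

def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only events with a verdict, with the verdict fields merged in."""
    scored = [(e, score_event(e)) for e in events]
    return [{**e, **v} for e, v in scored if v["severity"] != "none"]

# Constructed sample records, not real telemetry; paths only look like install defaults.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SQLPS = r"C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe"
EXPLORER = r"C:\Windows\explorer.exe"
ROLE_CMD = "SQLPS.exe -Command \"Invoke-Sqlcmd -Query 'ALTER SERVER ROLE sysadmin ADD MEMBER [{}]'\""
SAMPLE_EVENTS = [
    {"ParentImage": SQLSERVR, "Image": SQLPS, "CommandLine": ROLE_CMD.format("newlogin")},  # full chain
    {"ParentImage": SQLSERVR, "Image": SQLPS, "CommandLine": r"SQLPS.exe -Command Get-ChildItem SQLSERVER:\SQL"},
    {"ParentImage": EXPLORER, "Image": SQLPS, "CommandLine": r"SQLPS.exe -File C:\scripts\nightly_backup.ps1"},
    {"ParentImage": EXPLORER, "Image": SQLPS, "CommandLine": ROLE_CMD.format("dba2")},  # DBA at a console: review
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["severity"].upper(), "|", "; ".join(hit["reasons"]))
```

A "medium" verdict on a console-launched sqlps.exe that changes sysadmin membership is expected DBA activity worth a ticket, while the "high" verdict is the engine itself launching the script host, which the article's attack chain requires.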
Maj Owner/Partner
Why people put databases directly on the internet still baffles me. Databases should be at the innermost point of your layered defense. We suck at cybersecurity because people are too lazy or cheap to do things correctly, not because of any technical reasons.