As threat actors try to access corporate infrastructure, they are increasingly turning to Microsoft SQL Server as their entry point, a new report from Kaspersky warns.
Research claims attacks involving Microsoft SQL Server increased by more than half (56%) in September 2022 compared to the same period last year, as the number of compromised servers grew to more than 3,000 endpoints in that month alone.
With the exception of July and August, the number of such attacks has gradually increased over the past year, Kaspersky added, and has remained above 3,000 since April 2022.
“Despite the popularity of Microsoft SQL Server, companies may not give sufficient priority to protecting against threats associated with the software. Attacks involving malicious SQL Server jobs have been known for a long time, but they are still used by perpetrators to gain access to a company’s infrastructure,” said Sergey Soldatov, head of the Security Operations Center at Kaspersky.
There have been multiple recent incidents of Microsoft SQL Servers being misused by threat actors, with the last one just over a month ago. In late September 2022, cybersecurity researchers at the AhnLab Security Emergency Response Center reported an ongoing campaign distributing the FARGO ransomware to MS-SQL servers. In this incident, the attackers went looking for endpoints that are unprotected or guarded by weak and easily cracked passwords.
In contrast, in April, threat actors were observed installing Cobalt Strike beacons on such devices. News of attacks on MS-SQL also appeared in May, June and October of this year.
In most cases, threat actors would scan the Internet for endpoints with an open TCP port 1433, then launch brute-force attacks against them until they guess the password.