Microsoft SQL password-guessing attacks rising as hackers pivot from OneNote vectors
Database admins are advised to enforce better controls as attacks ending in ransomware are being observed


Malware attacks using Microsoft SQL (MSSQL) Server as an intrusion vector have risen sharply in the last six months, as experts report hackers moving away from blocked methods.
Researchers at cyber security firm ESET revealed the absolute count of MSSQL attacks increased by 84% between H2 2022 and H1 2023.
The rise in attacks utilizing the vector was linked to Microsoft’s landmark move to block Visual Basic for Applications (VBA) macros in Office documents by default last year.
Cyber security professionals had been calling for stricter default controls for VBA macros for years before Microsoft finally implemented the changes.
Exploiting VBA macros in Office documents was historically one of the most popular methods of embedding malware in seemingly innocuous files which were downloaded as part of phishing campaigns.
Shortly after this avenue of attack was blocked off, researchers recorded a clear rise in the number of attacks using OneNote as a vector instead.
Cyber criminals behind malware such as Emotet exploited .one files to trick users into running malicious scripts, moving on from their own abuse of VBA macros.
In its report, ESET said Microsoft’s blocking of VBA macros and its efforts to shore up the security of OneNote mean that “cyber criminals may be looking at MSSQL and other intrusion vectors more closely” for the future.
MSSQL is a widely-used solution for relational database management, and when exposed to the internet can be a tempting target for hackers.
Internet-accessible MSSQL servers can be accessed via port 1433, which leaves the door open for ‘brute force’ password-guessing attempts by threat actors.
ESET noted that firms with weak passwords or improperly-managed servers are at particular risk, and cited an AhnLab report from April which examined a case of ransomware installed on MSSQL servers as a result of easily-guessed credentials.
In all, telemetry data showed 1.7 billion failed password-guessing attempts against MSSQL between December 2022 and May 2023.
Even as threat actors have increased attacks against MSSQL, researchers noted reduced brute-force attempts on other commonly-used attack vectors.
Attacks on Remote Desktop Protocol (RDP), which allows users to view and control desktops remotely and has been exploited for malware such as RDStealer, fell 22% from 17.9 billion to 15.8 billion across the period.
Brute-force attacks are among the top password-cracking techniques hackers use, and rely on businesses employing poor strategies around their credentials, such as allowing employees to re-use passwords or not enforcing complexity controls.
“With the rise of brute-force attacks against MSSQL, database admins should be reminded of the security benefits of Windows Authentication mode over mixed mode when setting up the database engine,” said Ladislav Janko, senior detection engineer at ESET.
“In Windows Authentication mode, SQL Server Authentication is disabled, compelling database users to connect through their Windows user account, which can be protected with an account lockout policy that effectively stops brute force attacks from progressing.
“If you can’t avoid using mixed mode, make sure passwords are strong and put the database behind a firewall or VPN, if possible.”
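
The settings Janko describes can be reviewed with a read-only T-SQL audit. The queries below are an added example, not part of the ESET report or the original article, and assume a login with sysadmin rights on the instance being reviewed.

```sql
-- Added example: read-only audit of authentication mode and SQL logins.

-- 1. Authentication mode: 1 = Windows Authentication only, 0 = mixed mode.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN 'Windows Authentication mode'
           ELSE 'Mixed mode (SQL Server Authentication enabled)'
       END AS authentication_mode;

-- 2. SQL Server Authentication logins, which are only usable in mixed mode.
--    is_policy_checked = 0 means the Windows password policy (complexity
--    and account lockout) is NOT applied to that login.
SELECT name,
       CASE WHEN sid = 0x01 THEN 1 ELSE 0 END            AS is_sa,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       -- Trivially guessable passwords: blank, or identical to the login name.
       CASE WHEN PWDCOMPARE('', password_hash) = 1
            THEN 1 ELSE 0 END                            AS blank_password,
       CASE WHEN PWDCOMPARE(name, password_hash) = 1
            THEN 1 ELSE 0 END                            AS password_equals_name,
       -- Recent failed-password activity recorded against the login.
       LOGINPROPERTY(name, 'BadPasswordCount')           AS bad_password_count,
       LOGINPROPERTY(name, 'BadPasswordTime')            AS last_bad_password,
       LOGINPROPERTY(name, 'IsLocked')                   AS is_locked
FROM sys.sql_logins
WHERE name NOT LIKE '##%'   -- skip internal certificate-mapped logins
ORDER BY is_disabled, is_policy_checked, name;
```

Any enabled login with `is_policy_checked = 0`, a blank password, or a password equal to its name is a candidate for disabling or resetting before the instance is reachable from untrusted networks.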

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.