Malware attacks using Microsoft SQL (MSSQL) Server as an intrusion vector have risen sharply in the last six months, as experts report hackers moving away from blocked methods.
Researchers at cyber security firm ESET revealed the absolute count of MSSQL attacks increased by 84% between H2 2022 and H1 2023.
The rise in attacks utilizing the vector was linked to Microsoft’s landmark move to block Virtual Basic for Applications (VBA) macros in Office documents by default last year.
Cyber security professionals had been calling for stricter default controls for VBA macros for years before Microsoft finally implemented the changes.
Exploiting VBA macros in Office documents was historically one of the most popular methods of embedding malware in seemingly innocuous files which were downloaded as part of phishing campaigns.
Shortly after this avenue of attack was blocked off, researchers recorded a clear rise in the number of attacks using OneNote as a vector instead.
Cyber criminals behind malware such as Emotet exploited .one files to trick users into running malicious scripts, moving on from their own abuse of VBA macros.
In its report, ESET said Microsoft’s blocking of VBA macros and its efforts to shore up the security of OneNote means that “cyber criminals may be looking at MSSQL and other intrusion vectors more closely” for the future.
MSSQL is a widely-used solution for regional database management, and when exposed to the internet can be a tempting target for hackers.
The board's evolving perceptions of cyber risk
78 global CISOs share their advice on how to communicate cyber risk as business risk to C-suite peers and their board.
Internet-accessible MSSQL servers can be accessed via port 1433, which leaves the door open for ‘brute force’ password-guessing attempts by threat actors.
ESET noted that firms with weak passwords or improperly-managed servers are at particular risk, and cited an AhnLab report from April which examined a case of ransomware installed on MSSQL servers as a result of easily-guessed credentials.
In all, telemetry data showed 1.7 billion failed password-guessing attempts against MSSQL between December 2022 and May 2023.
Even as threat actors have increased attacks against MSSQL, researchers noted reduced brute-force attempts on other commonly-used attack vectors.
Attacks on Remote Desktop Protocol (RDP), which allows users to view and control desktops remotely and has been exploited for malware such as RDStealer, fell 22% from 17.9 billion to 15.8 billion across the period.
Brute-force attacks are among the top password-cracking techniques hackers use, and rely on businesses to employ poor strategies around their credentials such as allowing employees to re-use passwords or not enforcing complexity controls.
“With the rise of brute-force attacks against MSSQL, database admins should be reminded of the security benefits of Windows Authentication mode over mixed mode when setting up the database engine,” said Ladislav Janko, senior detection engineer at ESET.
“In Windows Authentication mode, SQL Server Authentication is disabled, compelling database users to connect through their Windows user account, which can be protected with an account lockout policy that effectively stops brute force attacks from progressing.
“If you can’t avoid using mixed mode, make sure passwords are strong and put the database behind a firewall or VPN, if possible.”
