Microsoft warned that a malicious campaign targeting SQL Servers is using an “uncommon living-off-the-land binary” that to achieve persistence on compromised systems — saying that defenders need to pay increased attention to abuse of the sqlps.exe which ships with SQL Server as standard.
Without naming the attackers or providing other detail, Microsoft Security Intelligence said that they were using brute force attacks for initial compromise, but then weaponising the legitimate binary to take full control of the SQL Server in a fileless attack less likely to be flagged by antivirus software.
The utility lets a SQL Agent run jobs using the PowerShell subsystem and ships on all versions of SQL Server, the world’s third most widely used database management system. (Chinese hackers appear to have been sharing techniques for abusing sqlps.exe since March on a number of forums.)
“The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem. The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, enabling them to take full control of the SQL server. They then gain the ability to perform other actions, including deploying payloads like coin miners. The use of this uncommon living-off-the-land binary (LOLBin) highlights the importance of gaining full visibility into the runtime behavior of scripts in order to expose malicious code,” Microsoft said.
The security team recommended in a series of Tweets on May 18 that those potentially affected make use of Antimalware Scan Interface (AMSI), Microsoft’s endpoint protection standard.
This vendor-agnostic interface lets users integrate “common malware scanning and protection techniques provided by today’s antimalware products” into applications. It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques.
Users can, of course, minimise the risk of bruteforcing by mandating minimum password complexity requirements and strictly enforcing multi-factor authentication (MFA).