UPDATED 23:46 EDT / APRIL 01 2020

SECURITY

Microsoft SQL servers targeted in newly discovered ‘Vollgar’ hacking campaign

A newly reported hacking campaign that’s believed to date back to 2018 is targeting Microsoft SQL servers with data-stealing malware and Monero cryptomining code.

Discovered and publicized Wednesday by security researchers at Guardicore Labs, the hacking campaign, dubbed “Vollgar,” involves brute-force password attacks against targeted MS-SQL hosts. Once access is gained, those behind the campaign install multiple backdoors and execute numerous malicious modules, such as multifunctional remote access tools and cryptominers.

Infected MS-SQL servers are said to be in the thousands daily with victims across various industry sectors, including healthcare, aviation, information technology and telecommunications, and higher education.

Most infections on targeted machines (60%) were found to last only a short time, indicating that some level of security response follows the compromise. However, the researchers noted that almost 20% of breached servers remained infected for more than a week, and in some cases for longer than two weeks.

“This proves how successful the attack is in hiding its tracks and bypassing mitigations such as antiviruses and endpoint detection and response products,” the researchers said. “Alternatively, it is very likely that those do not exist on servers in the first place.”

Even where the malware was detected and removed, 10% of victims were found to be reinfected by Vollgar. It’s believed that the reinfection rate indicates the malware was removed without any in-depth investigation into the root cause of the infection.

The researchers traced 120 IP addresses used by the attackers, the vast majority of them hosted in China. The researchers note that these were most likely compromised machines repurposed to scan for and infect new victims. The main command-and-control server used by those behind Vollgar was also found to be hosted in China.

“What makes these database servers appealing for attackers apart from their valuable CPU power is the huge amount of data they hold,” the researchers concluded. “These machines possibly store personal information such as usernames, passwords, credit card numbers, etc., which can fall into the attacker’s hands with only a simple brute-force [attack].”

Photo: Pxhere
