As a new report from Kaspersky has warned, cybercriminals seeking access to corporate infrastructure are increasingly turning to Microsoft SQL Server as their preferred entry point.
Its research showed that attacks using Microsoft SQL Server rose by more than half (56%) in September 2022 compared to the same period last year, with the number of attacked servers increasing to over 3,000 endpoints in that month alone.
With the exception of July and August, the number of such attacks has steadily increased over the past year and has remained above 3,000 since April 2022.
Poor defense
“Despite the popularity of Microsoft SQL Server, companies may not prioritize protection against threats related to this software. Attacks using malicious SQL Server tasks have been known for a long time, but they are still used by perpetrators to gain access to company infrastructure,” said Sergey Soldatov, Head of Security Operations Center, Kaspersky.
There have been a number of recent incidents in which Microsoft SQL servers were abused by cybercriminals, the most recent just over a month ago. In late September 2022, cybersecurity researchers from the AhnLab Security Emergency Response Center reported on an ongoing campaign to distribute FARGO ransomware to MS-SQL servers. In this incident, the attackers chose insecure endpoints or those protected by weak and easily cracked passwords.
In April, meanwhile, cybercriminals were observed installing Cobalt Strike beacons on such devices. Reports of attacks on MS-SQL also appeared in May, June and October this year.
In most cases, cybercriminals scan the Internet for endpoints with TCP port 1433 open and then brute-force them until they guess the password.
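The password-guessing pattern described above leaves a trail of failed logins that a defender can detect. The following is an added example, not code from Kaspersky, AhnLab or the original article: it scans SQL Server ERRORLOG-style "Login failed" lines and flags client addresses that exceed a failure threshold inside a sliding window. It assumes failed-login auditing is enabled; the sample lines are constructed, and the threshold and window values are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ts, user, ip):
    """Build one constructed line in the ERRORLOG 'Login failed' format."""
    return (f"{ts} Logon       Login failed for user '{user}'. Reason: Password "
            f"did not match that for the login provided. [CLIENT: {ip}]")

# Constructed sample: a burst from one address, two spaced-out typos from another.
SAMPLE_LOG = "\n".join(
    [_line(f"2022-09-14 03:12:{s:02d}.10", u, "203.0.113.7")
     for s, u in [(1, "sa"), (3, "sa"), (5, "admin"), (7, "sa"), (9, "sa"), (11, "admin")]]
    + [_line("2022-09-14 09:00:00.00", "report_svc", "198.51.100.20"),
       _line("2022-09-14 09:05:00.00", "report_svc", "198.51.100.20"),
       "2022-09-14 09:05:01.00 Server      Constructed non-logon line, ignored."]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_failures(text):
    """Yield (timestamp, login, client_ip) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]

def find_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: sorted logins tried} for clients that reach
    `threshold` failures within any `window`-long span."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    logins = defaultdict(set)     # per-client set of login names attempted
    flagged = set()
    for ts, user, ip in sorted(parse_failures(text)):
        q = recent[ip]
        q.append(ts)
        logins[ip].add(user)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: sorted(logins[ip]) for ip in flagged}

if __name__ == "__main__":
    for ip, tried in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}, logins tried: {tried}")
```

Flagged addresses are candidates for firewall blocking; servers that have no need to be reachable from the Internet on TCP port 1433 should not be exposed at all.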