Microsoft SQL Password-guessing attacks rising as hackers pivot from OneNote vectors

Cyber Security Threat Summary:
“Malware attacks using Microsoft SQL (MSSQL) Server as an intrusion vector have risen sharply in the last six months, as experts report hackers moving away from blocked methods. Researchers at cyber security firm ESET revealed the absolute count of MSSQL attacks increased by 84% between H2 2022 and H1 2023.

The rise in attacks utilizing the vector was linked to Microsoft’s landmark move to block Visual Basic for Applications (VBA) macros in Office documents by default last year. Cyber security professionals had been calling for stricter default controls for VBA macros for years before Microsoft finally implemented the changes. Exploiting VBA macros in Office documents was historically one of the most popular methods of embedding malware in seemingly innocuous files which were downloaded as part of phishing campaigns.

Shortly after this avenue of attack was blocked off, researchers recorded a clear rise in the number of attacks using OneNote as a vector instead. Cyber criminals behind malware such as Emotet exploited .one files to trick users into running malicious scripts, moving on from their own abuse of VBA macros” (ITPro, 2023).

Security Officer Comments:
MSSQL servers exposed to the internet listen on TCP port 1433 by default, which leaves the door open for ‘brute force’ password-guessing attempts by threat actors. ESET noted that firms with weak passwords or improperly managed servers are at particular risk, and cited an AhnLab report from April which examined a case of ransomware installed on MSSQL servers as a result of easily guessed credentials. In all, telemetry data showed 1.7 billion failed password-guessing attempts against MSSQL between December 2022 and May 2023. Even as threat actors have increased attacks against MSSQL, researchers noted reduced brute-force attempts on other commonly used attack vectors. Attacks on Remote Desktop Protocol (RDP), which allows users to view and control desktops remotely and has been exploited for malware such as RDStealer, fell 22% from 17.9 billion to 15.8 billion across the period.

Suggested Correction(s):
The rise of brute-force attacks against MSSQL has reminded database admins of the security benefits of Windows Authentication mode over mixed mode. In Windows Authentication mode, SQL Server Authentication (SQL logins such as ‘sa’) is disabled, so every connection must come through a Windows user account. Those accounts can be protected with a Windows account lockout policy, which effectively stops a brute-force attempt from progressing after a handful of wrong guesses. If mixed mode must be used, strong passwords should be enforced for every SQL login, and the database should be placed behind a firewall or VPN rather than exposing port 1433 to the internet, if possible.
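Whichever authentication mode is in use, the failed logins that a password-guessing campaign produces show up in the SQL Server error log as “Login failed for user” entries, and a simple per-client sliding window over them catches the burst pattern long before 1.7 billion attempts accumulate. The following is an added example written for this summary, not code from ESET, AhnLab or ITPro; the log lines are constructed in the shape of SQL Server ERRORLOG entries (the client addresses, user names and timestamps are made up), and the threshold of five failures in sixty seconds is an assumed tuning value, not a vendor recommendation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, shaped like SQL Server ERRORLOG "Login failed" entries.
# Client 198.51.100.7 hammers several logins within seconds (a guessing burst);
# client 10.0.0.25 has two widely spaced typos from a legitimate user.
SAMPLE_LOG = """\
2023-05-10 12:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-05-10 12:00:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-05-10 12:00:02.05 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]
2023-05-10 12:00:02.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-05-10 12:00:03.31 Logon       Login failed for user 'sqladmin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]
2023-05-10 12:00:03.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-05-10 12:30:15.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
2023-05-10 13:45:15.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
"""

# Timestamp, login name, failure reason and source address of one failed login.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.\s+Reason: (?P<reason>.*?)\s+"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(text):
    """Return the failed-login events found in an error-log excerpt, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if not m:
            continue  # not a login failure (startup banners, backups, etc.)
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"],
            "reason": m["reason"],
            "client": m["client"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding window per client address: one alert for the first window holding
    at least `threshold` failures. Distinct user names in the window are kept,
    because 'Could not find a login' failures reveal username guessing too."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "client": client,
                    "failures": end - start + 1,
                    "users": sorted({e["user"] for e in evs[start:end + 1]}),
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                })
                break  # one alert per client is enough for a first triage
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(parse_failures(SAMPLE_LOG)):
        print(f"{alert['client']}: {alert['failures']} failures between "
              f"{alert['first']} and {alert['last']}, logins tried {alert['users']}")
```

On the sample above only the bursting client is reported, with the list of logins it cycled through; the two spaced-out failures from the internal address stay below the threshold. In production the same logic would read the real ERRORLOG (or the Windows Application log, where these entries are mirrored as event 18456), and an alert is a prompt to confirm the server’s exposure and authentication mode rather than to act on the address alone.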

Link(s):
https://www.itpro.com/security/