In the latest, the IT security researchers at Guadricore have revealed that a botnet called “Vollgar” has been attacking Microsoft SQL (MSSQL) databases from 120+ IP addresses with the majority of them originating from China – The attack has been going on since May 2018.
Done through brute-forcing techniques; the malware aims to mine cryptocurrencies using these databases once it has succeeded in gaining control. Currently, the cryptocurrencies being mined are the V-Dimension (Vollar) and Monero, the latter being a very popular choice in this space due to its widely known anonymity features.
Elaborating further on the statistics, 61% of machines remained infected for only 2 days or less, 21.8% for more than 7-14 days with 17.1% of them being affected repeatedly. The lattermost case may happen because of a lack of security measures in place which would fail to eradicate the malware completely the first time it infected the server.
Countries most infected include China, India, the US, South Korea, and Turkey.
As a result of these attacks, critical information can be stolen as detailed by the researchers who state:
What makes these database servers appealing for attackers apart from their valuable CPU power is the huge amount of data they hold. These machines possibly store personal information such as usernames, passwords, credit card numbers, etc., which can fall into the attacker’s hands with only a simple brute-force.
Nonetheless, to aid those infected, Guardicore has put up a Github repository with a range of attributes for identifying the malware comprising of:
1 – Names of binary files and script dropped as part of the attack
2- Connect-back servers’ domains and IP addresses
3- Names of scheduled tasks and services set by the attacker
4- Backdoor credentials created by the attacker
5- A Powershell script made by Guardicore to detect residues of the Vollgar campaign on a Windows machine
Instructions are also available on running the script in conjunction with actions to be taken if Vollgar is detected. A few of these have been also cited in the report along the lines of the need to,
Immediately quarantine the infected machine and prevent it from accessing other assets in the network. It is also important to change all your MS-SQL user account passwords to strong passwords, to avoid being reinfected by this or other brute force attacks.
Concerning, the resources that made these attacks possible in the first place, they boil down to the use of malicious hosting companies and freely available domain names. For example, the domain name used by Vollgar belongs to the .ga top-level domain (TLD) which is available for free registration and hence can be easily abused.
On the other hand, various ranges of the autonomous system number (ASN) used by the botnet’s C2 servers are shared by a hosting company called CloudInnovation Infrastructure which is, in essence, a shell company owning malicious domains. This alone sheds light on the harmful network which the botnet utilizes.
Concluding, certain pre-emptive measures can also be taken to secure one’s database. These include not making these databases internet-facing which will limit outside access, implementing complex access based control mechanisms that involve whitelisting only those IP addresses that need to contact the specific server and limiting the number of failed login attempts to prevent brute-forcing.