Microsoft SQL Server attacks rise by 56% in 2022

Cybersecurity company Kaspersky says rising attacks by cybercriminals on Microsoft SQL servers mean organizations should adopt a managed detection and response approach.

Attacks using Microsoft SQL Servers increased by 56% in September 2022 compared to the same period last year. Perpetrators are still using a long-known technique that employs SQL Server to attempt to gain access to corporate infrastructures. The technical details of one of these incidents are analyzed in Kaspersky’s new Managed Detection and Response report.

Microsoft SQL Servers are used worldwide by corporations and by small and medium-sized businesses for database management. In September 2022 Kaspersky researchers found that the number of SQL servers hit amounted to more than 3,000 units, growing by 56% compared to the same period last year. These attacks were successfully detected by Kaspersky Endpoint Security for Business and Managed Detection and Response.

The number of these attacks has been increasing gradually over the past year and has stayed above 3,000 since April 2022, except for a slight decrease in July and August.

Sergey Soldatov, Head of Security Operations Center at Kaspersky says: "Despite Microsoft SQL Server’s popularity, companies may not be giving sufficient priority to protect against threats associated with the software. Attacks using malicious SQL Server jobs have been known for a long time, but it is still used by perpetrators to gain access to a company’s infrastructure."

A peculiar incident: PowerShell scripts and .PNG files

In the new report, devoted to the most interesting Managed Detection and Response incidents, Kaspersky experts describe an attack employing Microsoft SQL Server jobs – a sequence of commands executed by the server agent.

“Attackers attempted to modify the server configuration to gain access to the shell to run malware via PowerShell. The compromised SQL Server was trying to run malicious PowerShell scripts that generated a connection to external IP addresses. This PowerShell script runs the malware disguised as .png files from that external IP address using the "MsiMake" attribute, which is very similar to the behavior of PurpleFox malware”, explained Soldatov.
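The incident above hinges on two things a defender can audit directly: whether the server configuration allows T-SQL to reach an operating-system shell, and whether any SQL Server Agent job steps run PowerShell or OS commands. The T-SQL below is an added example written for this article, not a query from Kaspersky's report; it assumes the "server configuration" change Soldatov refers to is the xp_cmdshell setting (the article does not name the setting), and it reads only the standard msdb catalog tables and sys.configurations.

```sql
-- Added audit query (not from Kaspersky's report). Run it as a sysadmin or
-- a login with SELECT on msdb; it changes nothing on the server.
-- Assumption: the "server configuration" the article mentions is the
-- xp_cmdshell option; the article itself does not name it.

-- 1. Is the operating-system shell reachable from T-SQL? (value_in_use 0 = disabled)
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 2. Agent job steps that run PowerShell or OS commands directly, or that
--    shell out from T-SQL via xp_cmdshell. Owner and modification dates help
--    spot a job that was created or changed outside normal change control.
SELECT j.name                    AS job_name,
       j.enabled,
       SUSER_SNAME(j.owner_sid)  AS job_owner,
       j.date_created,
       j.date_modified,
       s.step_id,
       s.step_name,
       s.subsystem,                       -- 'TSQL', 'CmdExec', 'PowerShell', ...
       LEFT(s.command, 200)      AS command_preview
FROM   msdb.dbo.sysjobs      AS j
JOIN   msdb.dbo.sysjobsteps  AS s ON s.job_id = j.job_id
WHERE  s.subsystem IN ('PowerShell', 'CmdExec')
   OR  s.command LIKE '%xp_cmdshell%'
   OR  s.command LIKE '%powershell%'
   OR  s.command LIKE '%EncodedCommand%'
ORDER  BY j.date_modified DESC;

-- 3. Recent step executions, so a suspicious job can be tied to when it
--    actually ran (run_date is an int in YYYYMMDD form, run_time HHMMSS).
SELECT TOP (50)
       j.name                AS job_name,
       h.step_id,
       h.run_date,
       h.run_time,
       h.run_status,         -- 1 = succeeded, 0 = failed
       LEFT(h.message, 200)  AS message_preview
FROM   msdb.dbo.sysjobhistory AS h
JOIN   msdb.dbo.sysjobs       AS j ON j.job_id = h.job_id
WHERE  h.step_id > 0
ORDER  BY h.run_date DESC, h.run_time DESC;
```

In a healthy environment the first query returns 0 for both options and the second returns only job steps an administrator recognizes; any hit in the second query whose command reaches out to an external address, as in the incident described, is worth an immediate look, and the third query shows when it ran.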

To protect against threats targeting businesses, Kaspersky researchers recommend implementing the following measures:

  • Always keep software updated on all the devices you use to prevent attackers from infiltrating your network by exploiting vulnerabilities. Install patches for new vulnerabilities as soon as possible. Once the patch is installed, threat actors can no longer abuse that vulnerability.
  • Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors.
  • Choose a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is equipped with behavior-based detection and anomaly control capabilities for effective protection against known and unknown threats.
  • Dedicated services can help combat high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop intrusions in their early stages, before the perpetrators achieve their goals. If you encounter an incident, the Kaspersky Incident Response service will help you respond and minimize the consequences, in particular by identifying compromised nodes and protecting the infrastructure from similar attacks in the future.
