"Microsoft Has Issued Warning About Brute-Force Attacks on MSSQL Servers"

Microsoft has issued a warning about brute-force attacks on Internet-exposed and inadequately protected Microsoft SQL Server (MSSQL) database servers that use weak passwords. Although this is not the first time MSSQL servers have been attacked, Redmond says the threat actors are using the legitimate sqlps.exe program as a LOLBin (living-off-the-land binary). The Microsoft Security Intelligence team said that the attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and alter the start mode of the SQL service to LocalSystem. The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, giving them complete control of the SQL server. From there, they can perform other actions, such as deploying payloads like coin miners. The sqlps utility ships with Microsoft SQL Server and loads SQL Server cmdlets, which is what lets it serve as a LOLBin. Using sqlps, attackers can run PowerShell commands without worrying about defenders noticing their actions. Because sqlps is an effective way to avoid Script Block Logging, a PowerShell feature that would otherwise report cmdlet activities to the Windows event log, it also ensures that the threat actors leave no traces for the investigation of their attacks. This article continues to discuss Microsoft's warning pertaining to brute-force attacks on MSSQL servers.

CyberIntelMag reports "Microsoft Has Issued Warning About Brute-Force Attacks on MSSQL Servers"
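Since Script Block Logging does not record this activity, process-creation telemetry is one place a defender can still see sqlps.exe start. The following is an added example, not code from Microsoft or the article: it correlates a burst of SQL Server failed logins (event 18456) with a later sqlps.exe launch on the same host. It assumes Sysmon process-creation events (ID 1) are collected; the event schema, file paths, threshold and time window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

FAILED_LOGIN_ID = 18456          # SQL Server "Login failed" event
PROCESS_CREATE_ID = 1            # Sysmon process-creation event
THRESHOLD = 5                    # assumed: failures that count as a burst
WINDOW = timedelta(minutes=10)   # assumed: look-back before sqlps.exe starts

# Constructed sample events; field names are this example's own schema.
EVENTS = (
    [{"time": f"2022-05-18T10:00:0{i}", "host": "db01", "id": 18456} for i in range(6)]
    + [{"time": f"2022-05-18T12:00:0{i}", "host": "db03", "id": 18456} for i in range(6)]
    + [
        {"time": "2022-05-18T10:03:00", "host": "db01", "id": 1,
         "image": r"C:\SQL\Tools\Binn\SQLPS.exe"},
        {"time": "2022-05-18T11:00:00", "host": "db02", "id": 1,
         "image": r"C:\SQL\Tools\Binn\sqlps.exe"},
        {"time": "2022-05-18T12:01:00", "host": "db03", "id": 1,
         "image": r"C:\SQL\Tools\Binn\sqlcmd.exe"},
    ]
)


def find_sqlps_after_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return one finding per sqlps.exe launch, rated by preceding login failures."""
    failures = defaultdict(list)   # host -> timestamps of failed logins
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == FAILED_LOGIN_ID:
            failures[ev["host"]].append(ts)
        elif (ev["id"] == PROCESS_CREATE_ID
              and basename(ev["image"]).lower() == "sqlps.exe"):
            recent = [t for t in failures[ev["host"]] if ts - t <= window]
            findings.append({
                "host": ev["host"],
                "time": ev["time"],
                "failed_logins": len(recent),
                # A launch with no failure burst may be routine admin work.
                "severity": "high" if len(recent) >= threshold else "review",
            })
    return findings


if __name__ == "__main__":
    for finding in find_sqlps_after_bruteforce(EVENTS):
        print(finding)
```

On the sample data, db01 is rated high (six failed logins before the launch), db02 is left for review, and db03 produces no finding because the process started there is not sqlps.exe.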

Submitted by Anonymous on