Microsoft has issued a warning about ongoing brute-force attacks targeting Microsoft SQL Server databases. The threat actors behind this campaign are currently unknown, but they are constantly scanning for databases with weak passwords to break into.
Fileless persistence through legitimate tools
To achieve persistence, the attackers use the sqlps.exe utility, which gives them fileless persistence. sqlps.exe is a PowerShell wrapper for running the SQL Server cmdlets; the attackers use it to run reconnaissance commands and to change the start mode of the SQL service to LocalSystem. They also use the same utility to create a new account in the sysadmin role, which gives them full control of the SQL server.
sqlps.exe ships with Microsoft SQL Server. It is not a “hacking” tool in itself; it is the part of MSSQL that loads the SQL Server cmdlets. Because the attackers use this legitimate binary as a LOLBin (Living Off the Land Binary), they can run their commands without being detected. The tool leaves no traces either, because it also bypasses PowerShell Script Block Logging.
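The logging gap just described is why detection has to lean on process-creation telemetry rather than on PowerShell script logs. The following Python is added here as an example and is not part of the original report or of any Microsoft tooling: it flags sqlps.exe launches in constructed Sysmon-style records (the field names, the SQLAGENT.EXE parent allow-list and all paths and users are assumptions) and lists SQL services whose log-on account is LocalSystem, the setting the attackers are reported to switch the service to.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1-style process-creation records (field names
# follow Sysmon; paths, users and command lines are made up for the example).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice", "CommandLine": "cmd.exe /c dir"},
    {"Image": r"C:\SQL\Tools\Binn\SQLPS.exe",
     "ParentImage": r"C:\SQL\MSSQL\Binn\SQLAGENT.EXE",
     "User": r"NT SERVICE\SQLSERVERAGENT", "CommandLine": "SQLPS.exe -NoLogo"},
    {"Image": r"C:\SQL\Tools\Binn\SQLPS.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"NT SERVICE\MSSQLSERVER", "CommandLine": "SQLPS.exe -NoLogo"},
]

# Parents from which sqlps.exe is expected to launch. Assumption: SQL Server
# Agent PowerShell job steps; tune this allow-list to your environment.
EXPECTED_PARENTS = {"sqlagent.exe"}


def classify_event(event):
    """Return a finding for a sqlps.exe launch, or None for any other process."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image != "sqlps.exe":
        return None
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    # Script Block Logging will not record what ran inside sqlps.exe, so the
    # launch itself is the signal; an unexpected parent raises the severity.
    severity = "info" if parent in EXPECTED_PARENTS else "high"
    return {"severity": severity, "parent": parent, "user": event["User"],
            "command_line": event["CommandLine"]}


def detect_sqlps(events):
    """Run classify_event over a stream of records and keep the findings."""
    return [hit for hit in map(classify_event, events) if hit is not None]


# Constructed service inventory in the shape of Win32_Service rows
# (Name, StartName = log-on account, StartMode).
SAMPLE_SERVICES = [
    {"Name": "MSSQLSERVER", "StartName": r"NT Service\MSSQLSERVER", "StartMode": "Auto"},
    {"Name": "SQLSERVERAGENT", "StartName": "LocalSystem", "StartMode": "Auto"},
]


def services_running_as_localsystem(services):
    """List services whose log-on account is LocalSystem."""
    return [s["Name"] for s in services if s["StartName"].lower() == "localsystem"]
```

On a live host the same two functions can be fed from Sysmon event exports and from `Get-CimInstance Win32_Service` output converted to JSON.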
Security researchers advise against exposing databases to the internet. If a database has to be reachable online, setting strong passwords will do the trick.