Malware Trio Attacking SQL Servers

A new trio of malware with remote access trojan (RAT), cryptocurrency mining, information-stealing, backdoor and botnet capabilities has been observed targeting Microsoft SQL and MySQL servers. Attacks have been seen mainly in China on Amazon Web Services (AWS) and Azure IP ranges.

Threat ID:: CC-1885
Category:
Threat Severity:: Medium
Threat Vector:
Published:: 29 December 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft SQL Server

SQL Servers (Microsoft & Linux)

Threat details

Attacks have been seen mainly in China on Amazon Web Services (AWS) and Azure IP ranges.

Hex, Hanako and Taylor all perform different functions but are deployed together to maximise their impact. Hex uses file servers to install keyloggers and cryptocurrency miners as well as capture software for file images.

Hanako attempts to create a backdoor on the system before enrolling it in a botnet for use in performing distributed denial-of-service (DDoS) attacks. The nature of of the enrolled devices would mean any DDoS attacks would be quite severe.

Taylor also creates a backdoor but is used to maintain persistence on a system; terminating processes and deleting antivirus software before downloading a keylogger. This keylogger is hidden within an image of the singer Taylor Swift, hence it's name.

Compromised systems are then used to deploy the variants and are able to scan for potential devices using a number of services, including HTTP and ElasticSearch, alongside SQL services. Once identified, attackers will attempt to brute-force the new devices before a series of SQL commands are executed to escalate their privileges

Remediation advice

To prevent and detect a trojan infection, ensure that:

Remediation steps

Type	Step
	Ensure SQL Servers aren't unnecessarily or unintentionally exposed directly to the internet. If SQL Servers are required to be exposed to the internet ensure servers are appropriately hardened. Links to guides on SQL hardening MySQL and Microsoft SQL Server. A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, antivirus and other security products are kept up to date. All day to day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place and password reuse is discouraged. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from infected machines should be reset on a clean computer.

Type

Step

Ensure SQL Servers aren't unnecessarily or unintentionally exposed directly to the internet.
If SQL Servers are required to be exposed to the internet ensure servers are appropriately hardened. Links to guides on SQL hardening MySQL and Microsoft SQL Server.
A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, antivirus and other security products are kept up to date.
All day to day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place and password reuse is discouraged.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from infected machines should be reset on a clean computer.

Last edited: 17 February 2020 11:34 am