Hackers Targeting Microsoft’s MS SQL Servers Extensively – New Study

The rapid rise of digital and technological advances brought several innovative improvements.

Still, besides this, the security of databases has also become extremely important, as with digital advancements, security threats are also growing rapidly.

A honeypot can be a practical resource for identifying and examining possible risks.

Trustwave has strategically deployed a network of honeypots across different countries worldwide to understand global attacks better.

Sensor Locations & Databases

According to the report shared with Cyber Security News, Trustwave placed honeypot servers as sensors in major regions worldwide at the beginning of December 2022.

But, apart from this, the security analysts mainly focused on the tense situation associated with Central Europe.

Here below, we have mentioned all the major regions:-

• Russia
• Ukraine
• Poland
• UK
• China
• The United States

Here the cybersecurity researchers opted for nine popular database systems, and here they are mentioned below:-

• MS SQL Server (MSSQL)
• MySQL
• Redis
• MongoDB
• PostgreSQL
• Oracle DB
• IBM DB2 (Unix/Win)
• Cassandra
• Couchbase

The ‘database servers’ used the default TCP ports to listen for incoming connections.

It seems that MSSQL has exhibited significantly higher activity levels when compared to other databases.

The difference is significant, with a majority exceeding 93%, making it challenging at times to compare it to other DBMSs.

The hidden values within MySQL reveal the complete tally of login attempts, covering MariaDB, Percona for MySQL, and other DBMS versions that follow the MySQL standard protocol.

MS SQL Extensively Targeted

To prevent overlap, the experts deployed two sensors in each country, carefully selecting country-range IP addresses that were as far apart as possible from the first sensor.

The sensors experience a high frequency and varying intensity of attacks, which fluctuate over time.

A remarkable component was the significant variation in attack occurrence among the sensors.

A few weeks before December 06, 2022, all the sensors were in place and functioning smoothly.

Redis, unexpectedly, turned out to be the second most targeted database following MySQL in terms of attacks.

However, the intensity of the attacks targeting MSSQL instances was extremely high.

Moreover, the total number of MySQL instances that can be accessed has reached over 3.6 million.

This project aimed to validate the occurrence of botnet activity during MySQL attacks as one of its goals.

However, MySQL remains one of the most luring targets for the threat actors. In contrast to MSSQL and the ‘sa’ (username for the main tested account) account, MySQL presents a different scenario.

The level of intensity in the attacks varied across different databases. Unlike Oracle or IBM DB2, most unauthorized access attempts were experienced by MSSQL and MySQL.

Recommendations

Here below, we have mentioned all the provided recommendations:-

• Make sure to use strong and unique passwords.
• Always opt for unusual usernames.
• Make sure to use a strong and secure authentication method.
• The default accounts must be disabled.
• Always keep enabling the MFA mechanism. 
• Make sure to monitor who is trying to access the system and other activities.
• Limit elevated privileges for other users,
• Make sure to keep the system and software updated.
• Always conduct security audits frequently.

Source: https://cybersecuritynews.com/hackers-targeting-ms-sql-servers/