According to a Tencent report, hackers used MrbMiner malware to break into several Microsoft SQL Servers (MSSQL) with lackluster security measures. As per the report from earlier this month, hackers mostly targeted databases with weak passwords and installed a coin miner.
Hackers target several Microsoft SQL Servers
The cybersecurity arm of Chinese technology firm Tencent recently came across a crypto-mining malware family called MrbMiner, which allows hackers to break into Microsoft SQL Servers with weak passwords by means of brute-forcing. It then installs a coin miner to carry out unauthorized cryptocurrency mining activities.
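The entry technique described above, brute-forcing MSSQL logins with weak passwords, leaves a very visible trail in the SQL Server ERRORLOG when login auditing is enabled: a burst of "Login failed" lines from one client, often followed by a "Login succeeded" line from the same client. The following is an added detection example, not code from Tencent or from the article; the log lines are constructed for this example (the timestamps and client IPs are made up), and the threshold and window are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server ERRORLOG style, with login auditing set to
# log both failed and successful logins. Timestamps and client addresses are made up.
SAMPLE_LOG = """\
2020-09-10 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-10 10:15:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-10 10:15:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-10 10:15:01.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-10 10:15:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-10 10:15:02.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-10 10:15:04.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2020-09-10 10:20:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Matches the logon audit lines; other ERRORLOG lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Extract (timestamp, outcome, user, client) records from ERRORLOG text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "outcome": m["outcome"],
            "user": m["user"],
            "client": m["client"],
        })
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins inside a sliding window,
    and separately flag a successful login from a client already flagged
    (the pattern a weak password falling to a password-guessing run produces).
    Returns a list of (kind, client, user, failures_in_window) tuples."""
    findings = []
    failures = defaultdict(list)  # client -> timestamps of recent failed logins
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        client = ev["client"]
        # Drop failures that fell out of the window for this client.
        recent = [t for t in failures[client] if ev["ts"] - t <= window]
        failures[client] = recent
        if ev["outcome"] == "failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and client not in flagged:
                flagged.add(client)
                findings.append(("brute_force", client, ev["user"], len(recent)))
        elif client in flagged:
            findings.append(("success_after_burst", client, ev["user"], len(recent)))
    return findings


if __name__ == "__main__":
    for kind, client, user, count in detect_brute_force(parse_logon_events(SAMPLE_LOG)):
        print(f"{kind}: client={client} user={user} failures_in_window={count}")
```

The "success_after_burst" finding is the one worth paging on: a burst of failures alone may be a misconfigured application, but a success right after it from the same client is the point at which the coin miner described in the report would be dropped.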
Once inside one of these ‘weak’ systems, the hackers extract a ZIP file containing the malware in question. MrbMiner malware can be persistent, because the hackers install two additional downloaders – installerservice.exe and PowerShellInstaller.exe.
These downloaders make sure the malware runs persistently as a system service. Furthermore, it collects crucial system information such as the CPU model, CPU count, .NET version information, etc. What’s more, it also shuts down Windows update services and retains complete control of the system.
Making matters worse, the malware can also hide. As a result, it can be extremely difficult for IT administrators and security teams to discover suspicious activities that may be taking place on database servers.
“Hackers perform shellcode downloads of assm.exe to the server location and launch assm.exe by bulk scanning and blasting the SQL Server service. Assm.exe is written in C#, which kills the existing mining process and deletes the file first after execution,” Tencent said in its blog post.
As per security experts, the MrbMiner malware could be capable of cross-platform attacks. According to experts, MrbMiner’s FTP server also contains mining trojan files built for Linux and ARM systems. Researchers say the MrbMiner mining trojan has taken control of thousands of server networks.
In related news, data center company Equinix recently reported a ransomware incident in which attackers reportedly demanded a $4.5 million ransom. Equinix said the attack has had no impact on the data center operations of most of its customers.