Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
June 2, 2023
Severity High Analysis Summary Shuckworm APT – aka Actinium, Armageddon, Primitive Bear, Gamaredon, and Trident Ursa – is a Russia-backed advanced persistent threat (APT) that has […]June 2, 2023Severity High Analysis Summary StormKitty information stealer is designed to compromise sensitive data from infected systems, such as login credentials, passwords, cryptocurrency wallets, and other valuable […]June 2, 2023Severity High Analysis Summary Tofsee malware has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
June 2, 2023Severity High Analysis Summary Shuckworm APT – aka Actinium, Armageddon, Primitive Bear, Gamaredon, and Trident Ursa – is a Russia-backed advanced persistent threat (APT) that has […]June 2, 2023Severity High Analysis Summary StormKitty information stealer is designed to compromise sensitive data from infected systems, such as login credentials, passwords, cryptocurrency wallets, and other valuable […]June 2, 2023Severity High Analysis Summary Tofsee malware has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Multiple NVIDIA GPU Display Driver for Windows and Linux Vulnerabilities
May 19, 2022Rewterz Threat Advisory – Multiple Cisco Common Services Platform Collector (CSPC) Software Vulnerabilities
May 19, 2022
Severity
High
Analysis Summary
Recently, Microsoft has issued a warning on a new hacking campaign targeting MSSQL servers, in which threat actors are initiating brute-force attacks against vulnerable instances. The attacks employ the legitimate tool sqlps.exe, a SQL Server PowerShell program, as a LOLBin (short for living-off-the-land binary).
In a series of tweets, Microsoft warned about the attacks:
The attackers accomplish fileless persistence by using the sqlps.exe tool, which is a PowerShell wrapper for running SQL-built cmdlets, to perform recon commands and change the SQL service’s start mode to LocalSystem. The attackers also utilize sqlps.exe to establish a new account and assign it to the sysadmin role, giving them complete access over the SQL server. They then gain the authority to perform other operations, such as deploying payloads like coin miners.
Using sqlps, a utility available with Microsoft SQL Server that allows the loading of SQL Server cmdlets as a LOLBin, allows attackers to run PowerShell commands without fear of defenders detecting their nefarious activity. It also ensures that they leave no traces while analyzing their attacks because sqlps is an excellent approach to bypass Script Block Logging, a PowerShell functionality that would normally report cmdlet activities to the Windows event log.
MSSQL servers have been targeted for years as part of massive campaigns in which threat actors seek to take control of thousands of vulnerable servers every day for various purposes. Therefore, administrators should not expose their MSSQL servers to the Internet, use a strong admin password that cannot be guessed or brute-forced, and put the server behind a firewall to protect it from such attacks.
Impact
- Information Theft
- Exfiltration Of Data
Remediation
- Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
- Apply the latest security updates to decrease the attack surface and block attacks leveraging exploits that target known vulnerabilities