Microsoft warns of a new hacking campaign aimed at MSSQL servers, threat actors are launching brute-forcing attacks against poorly protected instances. The attacks are using the legitimate tool sqlps.exe, a sort of SQL Server PowerShell file, as a LOLBin (short for living-off-the-land binary).
Microsoft warned of the attacks in a series of tweets, it doesn’t attribute them to a specific threat actor.
The sqlps.exe utility is described by Microsoft as a PowerShell wrapper for running SQL-built cmdlets.
Threat actors also use sqlps.exe to create a new account that they add to the sysadmin role, allowing them to take full control of the SQL server instance. Then the attackers are able to perform other malicious actions, such as deploying malware.
The attack is fileless and do not leave traces on the targeted systems bypassing antimalware solutions.
Experts pointed out that the use of the sqlps tool allows to bypass Script Blocmdletck Logging, used to record the content of all script blocks that it processes.
Experts recommend to not expose MSSQL servers online, secure them with string admin credentials, apply the latest security updates, enable logging to monitor for potentially attack patters.
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, MSSQL servers)
[adrotate banner=”5″]
[adrotate banner=”13″]
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…
Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…
Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including…
Fortinet fixed a critical remote code execution zero-day vulnerability actively exploited in attacks targeting FortiVoice…
Interlock Ransomware 's attack on a defense contractor exposed global defense supply chain details, risking…
Marks and Spencer (M&S) confirms that threat actors stole customer data in the ransomware attack…
This website uses cookies.
