Microsoft Warns of Fileless Attacks on SQL Servers

The Microsoft Security Intelligence team issued warnings of brute force attacks targeting SQL servers through the company’s built-in sqlps.exe utility, a default SQL tool that comes with all SQL versions. Through a series of tweets, Microsoft explained how attackers achieved fileless malware “to run RECON commands and change the start mode of the SQL service to Local System.” Attackers have also used the sqlps.exe utility to take full control of the SQL server by creating a new account that is then added to the sysadmin role, authorizing them to take direct control of the SQL server. By doing so, they were able to perform other actions such as deploying payloads like coin miners.

Fileless attacks are tricky to detect, and the identity of the Microsoft attackers is still unknown. The common wisdom on how to shield yourself against malicious attacks still holds; be wary of all emails, even those coming from within your organization. Below is a reminder list of Microsoft’s top security precautions.

Email Attachments

This basic recommendation is still one of the most overlooked, perhaps because most of us have limited mental imagery of what malicious emails might look like. In a recent attack, a malicious email was disguised as a support ticket containing a link, which tricked a Customer Support staff member to forward the email to a fellow employee, which clicked and opened the link. In this scenario, the final recipient had a false sense of security since the sender is a trustworthy member of the organization. This is one of the many ways an email can trick even the savviest among us.

An easier-to-spot malicious email may include a variety of red flags such as broken grammar and spelling or contain unfamiliar domain names. This isn’t to say that all emails that seem to be coming from legitimate senders are all safe. Most are not, even when they include legitimate signatures. If you know you have sensitive data in your environment, treat every email as a possible attack, until verified otherwise.

Malicious Office Macros

Microsoft Office includes a scripting language that allows you to create advanced tools to increase productivity. Unfortunately, attackers can exploit this feature to unleash malware upon you. If a security warning pops up, DO NOT enable it unless you know exactly where it came from.

Attachment to other software

Another basic security concept worth a reminder is to verify the source of the software you download from third-party websites. The same rules apply to file-sharing. You can avoid installing malware or potentially unwanted software this way by making sure to only download software from trustworthy websites and to read exactly what you are installing.