Botnet Targets Devices Running Microsoft SQL Server: Report
Researchers Say 'Vollgar' Botnet Installs Cryptominers
Researchers at security firm Guardicore Labs are tracking a botnet they call Vollgar that's targeting devices running vulnerable Microsoft SQL Server databases with brute-force attacks and planting cryptominers in the infected databases.
The Vollgar botnet has been active since at least May 2018, the researchers say. Its operators use a combination of remote access tools and brute-force methods to infect vulnerable Microsoft SQL Server databases with malware, according to their new report. The botnet can infect up to 3,000 SQL Server databases each day.
Guardicore researchers found the botnet usually infects vulnerable databases with malware used to mine two cryptocurrencies - vollar and monero (see: Malware Most Foul: Emotet, Trickbot, Cryptocurrency Miners).
The #Vollgar attack campaign has been operating under the radar for ~2 years, brute forcing MS-SQL servers on the internet. With 2-3k servers infected daily, the attacker deploys powerful RATs and mines two cryptocurrencies. More in @Guardicore Labs blog: https://t.co/ZkmIAYPBy2
— Ophir Harpaz (@OphirHarpaz) April 1, 2020
The Vollgar botnet has targeted organizations in several sectors, including healthcare, aviation, IT, telecommunications and higher education, over the last two years, says Ophir Harpaz, a cybersecurity researcher at Guardicore Labs. Attacks have occurred in the U.S., China, India, South Korea and Turkey, he adds.
And while the botnet's activity peaked in December 2019, it remains active. When the botnet is removed from a SQL Server database, its operators find new databases to infect due to the large-scale brute-force attack methods used to guess usernames and passwords, Harpaz says.
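The brute-force guessing described above leaves a trail in the SQL Server error log, where each rejected login is recorded with the user name and the client address. The following script is an added example for defenders and is not code from the Guardicore report or from the article; it parses constructed log lines modeled on SQL Server's "Login failed for user" messages (the exact field layout is an assumption), flags any client address that racks up many failures inside a short window, and then checks whether a flagged address later logged in successfully, which is the case an administrator most needs to see.

```python
"""Flag password-guessing bursts against SQL Server from its error log.

Added example, not from the Guardicore report or the article. The log
lines below are constructed and modeled on the "Login failed for user"
messages SQL Server writes to its error log; the field layout is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six failures from one address in two seconds,
# one stray failure from another, then a success from the first address.
SAMPLE_LOG = """\
2020-04-01 03:14:07.11 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-01 03:14:07.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-04-01 03:14:07.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-04-01 03:14:08.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-04-01 03:14:08.41 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.10]
2020-04-01 03:14:08.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-04-01 03:14:09.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-04-01 03:20:00.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2020-04-01 03:21:00.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.10]
"""

# Timestamp, outcome, login name and client address; other log lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_events(text):
    """Return login outcome events as dicts; non-login lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "outcome": m["outcome"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag client IPs with >= threshold failed logins inside any sliding window.

    Returns {ip: {"failures": n, "users": set, "first": ts, "last": ts}}.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "failed":
            by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(fails):
            # Slide the window's left edge forward until it spans <= window.
            while ev["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(fails),
                    "users": {e["user"] for e in fails},
                    "first": fails[0]["ts"],
                    "last": fails[-1]["ts"],
                }
                break
    return alerts


def successes_after_bruteforce(events, alerts):
    """(ip, user) pairs where a flagged address later logged in successfully."""
    hits = []
    for ev in events:
        if (ev["outcome"] == "succeeded" and ev["ip"] in alerts
                and ev["ts"] >= alerts[ev["ip"]]["first"]):
            hits.append((ev["ip"], ev["user"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    found = detect_bruteforce(evs)
    for ip, info in found.items():
        print(f"{ip}: {info['failures']} failures, users={sorted(info['users'])}")
    for ip, user in successes_after_bruteforce(evs, found):
        print(f"successful login for '{user}' from flagged address {ip}")
```

Run against a real error log, the script only sees failed logins if failed-login auditing is enabled on the instance, and successful logins only if auditing covers those too; the threshold and window should be tuned to the instance's normal traffic so that a single mistyped password does not raise an alert.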
In addition to seeking out the valuable CPU power that the devices running Microsoft SQL Server databases offer, Harpaz believes the operators of Vollgar are seeking valuable content in databases, such as usernames, passwords and credit card numbers.
"A botnet like Vollgar can be very profitable," Harpaz tells Information Security Media Group. "First of all, it targets [Microsoft] SQL database servers, which may hold valuable data that other attack groups are interested in. In addition, access to data center networks can be worth a lot, depending on the victim's network and domain."
In their report, the Guardicore researchers note that after the Vollgar botnet has infected a Microsoft SQL Server database through a brute-force attack, it attempts to install backdoors within the database. The report also notes that these backdoors are used to plant the cryptominers as well as install remote access tools.
These malicious tools then give the botnet operators full control of the server, which then allows them to exfiltrate data, run an interactive terminal and install malicious Windows services as well as key-logging and other functions, the report notes.
These botnet infections, however, are short-lived. In about 60 percent of the cases, the attack only lasts for about two days, according to the report. But some attacks can last one to two weeks, which could mean Vollgar disguises itself to hide from anti-virus software or the database owner does not have proper security features in place, the report notes.
In about 10 percent of cases, Guardicore observed, Vollgar managed to re-infect a SQL Server database after it had been removed.
The botnet also attempts to eliminate other competing malware from infected servers, the researchers determined.
"There is a vast number of attacks targeting MS-SQL Servers. However, there are only about half-a-million machines running this database service," Harpaz says. "This relatively small number of potential victims triggers an inter-group competition over control and resources; these virtual fights can be seen in many of the recent mass-scale attacks."
Origins in China?
While it's not clear where the operators of Vollgar reside, the Guardicore report notes that these attacks originate from more than 120 IP addresses, the majority of which are located in China.
Vollgar's main command-and-control server is located in a SQL database housed in China, the researchers say. This server has also been infected with backdoors and other malware from other attack groups. "Nevertheless, the machine was 'business as usual,' running the database service as well as benign background processes," according to the report.
Guardicore created a GitHub repository to help database administrators determine if their Microsoft SQL Server databases have been infected with Vollgar.