

When we think of ransomware and brute force password guessing attacks, we normally think of RDP, but recent research from Securonix reminds us that anything secured with a password and exposed to the internet is of interest to cybercriminals.

Microsoft's Remote Desktop Protocol (RDP) has been a favourite point of entry for ransomware gangs for several years now. Cybercriminals seek out machines with RDP exposed to the internet and attempt to guess their passwords, hoping to gain entry. They like RDP because it gives them exactly the same access as sitting in a chair in front of the computer, and because there are millions of targets to choose from.

But other systems can be abused to gain entry in a similar way, and the Securonix Threat Research team reports that it has spotted attackers targeting exposed Microsoft SQL Server (MSSQL) services using brute force attacks.

In an attack described by Securonix, attackers brute forced an MSSQL password and then used the database's xp_cmdshell feature to run commands on the host machine the database was running on. Securonix notes that, having discovered that the xp_cmdshell stored procedure was enabled, the attackers began running shell commands on the host; the procedure allows operating system command execution and should not normally be enabled unless it is required.

The attackers used this ability to run commands on the host machine to try to give themselves RDP access. When that failed, they used AnyDesk remote access software instead. From there they explored the network the server was running on, before ultimately running FreeWorld ransomware. Securonix provides a detailed breakdown of the precise steps taken by the attackers, and its article is well worth reading.

The attack is a timely reminder of an old security adage, one that's at least as old as the 25 years or so I've been messing around with databases: Never expose your databases to the internet.

Typically, databases contain sensitive information. They belong at the centre of your network, not the periphery, and should only be accessible to internal systems. Where data needs to be accessed from the internet it should be made available via an application or API. Although the situation is much improved now, historically some databases made things worse by shipping with default passwords, or even no authentication at all.

As I mentioned before, one of the things that attracts attackers to RDP is the large number of available targets, so I wondered how many databases I could find via Shodan, the search engine that finds internet-connected computers. For comparison, every time I've looked in the last five years or so, there have been around two or three million computers running RDP accessible via Shodan, meaning that attackers have two to three million targets to choose from.

The first database I looked up was MSSQL, the target in the attack spotted by Securonix. A simple search on Shodan found almost 90,000 potential targets. Although there are seemingly far fewer internet-exposed computers running MSSQL than RDP, a server running MSSQL is likely to be a far higher value target than a desktop running RDP. Anything connected to the internet should expect to be the subject of relentless password guessing, and these are no exception.
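Two things in the account above are checkable on your own servers: whether the xp_cmdshell stored procedure that the attackers relied on is enabled, and whether the instance is reachable from outside your network and already being password guessed. The following T-SQL is an added example, not code from the article or from the Securonix report. It assumes you are connected as a sysadmin and uses only built-in catalog views and system procedures; the hypothetical 'whoami' command in the comment is there only to show what attacker use of the feature looks like.

```sql
-- Added example: checks for the conditions the MSSQL attack relied on.
-- Assumes a sysadmin connection to the instance being reviewed.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means any sysadmin login
--    (for example a brute-forced 'sa') can run OS commands as the SQL Server
--    service account. sys.configurations can be read without first turning
--    on 'show advanced options'.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- What attacker use of the feature looks like (hypothetical command, do not
-- run on a production server):
--   EXEC master..xp_cmdshell N'whoami';
-- Note that a sysadmin login can re-enable the option itself with
-- sp_configure, so disabling it raises the bar but does not remove the
-- risk of a stolen sysadmin password; the password and exposure matter more.

-- 2. Disable xp_cmdshell. It is an advanced option, so advanced options
--    must be visible before it can be changed, then hidden again.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 3. Take the obvious brute-force target off the table: disable the
--    built-in 'sa' login and use named, least-privilege logins (or Windows
--    authentication) instead.
ALTER LOGIN sa DISABLE;

-- 4. Evidence of password guessing: SQL Server records failed logins in its
--    error log by default. Log 0 is the current log, type 1 is the SQL
--    Server log (not the Agent log); the third argument is a search filter.
--    Bursts of entries from one client address are the signature of a
--    brute force attempt.
EXEC xp_readerrorlog 0, 1, N'Login failed';

-- 5. Which address and port is this session served on? A non-loopback
--    address means the listener is reachable over the network; confirm
--    with host firewall or cloud security group rules that it is not
--    reachable from the internet.
SELECT local_net_address, local_tcp_port, client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

Step 5 only tells you what the database itself sees; the authoritative check is from outside, and the article's Shodan figures are a reminder that tens of thousands of instances fail it. Steps 2 and 3 are cheap hardening, but neither substitutes for keeping the listener off the internet in the first place, since a sysadmin credential obtained by brute force can undo both.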
