Microsoft warns of attacks targeting MSSQL servers using the tool sqlps

Pierluigi Paganini May 18, 2022

Microsoft warns of brute-forcing attacks targeting Microsoft SQL Server (MSSQL) database servers exposed online.

Microsoft warns of a new hacking campaign aimed at MSSQL servers, threat actors are launching brute-forcing attacks against poorly protected instances. The attacks are using the legitimate tool sqlps.exe, a sort of SQL Server PowerShell file, as a LOLBin (short for living-off-the-land binary).

Microsoft warned of the attacks in a series of tweets, it doesn’t attribute them to a specific threat actor.

The sqlps.exe utility is described by Microsoft as a PowerShell wrapper for running SQL-built cmdlets.

Threat actors also use sqlps.exe to create a new account that they add to the sysadmin role, allowing them to take full control of the SQL server instance. Then the attackers are able to perform other malicious actions, such as deploying malware.

The attack is fileless and do not leave traces on the targeted systems bypassing antimalware solutions.

Experts pointed out that the use of the sqlps tool allows to bypass Script Blocmdletck Logging, used to record the content of all script blocks that it processes.

Experts recommend to not expose MSSQL servers online, secure them with string admin credentials, apply the latest security updates, enable logging to monitor for potentially attack patters.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MSSQL servers)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment