Brute force attack on Microsoft SQL
Credit to Author: Ankita Ashesh| Date: Thu, 04 May 2017 06:16:42 +0000
In recent events, we have been observing that hackers have started targeting Microsoft SQL(MSSQL) servers using its open TCP port. The database is configured with weak password, despite administrators agreeing to the importance of it.
The reasons could be ease of use to the operator, lack of security awareness or simply underestimating risk factors.
By default, Microsoft SQL runs on TCP ports 1433/1434 with ‘SA’ as an administrator user.
Microsoft SQL Brute Force Attack Flow:
- The attacker uses port scanning techniques to identify the open ports on target system
- Once the attacker found port 1433/1434 in open state, it starts brute forcing the SA login which is a default administrator account
- The attacker usually holds a dictionary with the most common passwords used by database administrators, thus making the attack faster and successful in most cases
- Once the attacker has access to the ‘SA’ user, he gets the complete access of the database. Attacker may further exploit the system if Microsoft SQL server has vulnerabilities allowing the attacker to gain complete access of the operating system
Indicator of Infection:
- Microsoft SQL ‘SA’ user password changed unknowingly
- Multiple failed attempts to access ‘SA’ user
How much damage this attack can cause:
- Hacker can get the administrative access of database which is an integral part of any organization further which may result in loss of data and/or data getting stolen
How you can safeguard your system from this attack:
- Set complex password for database user like ‘SA’ user
- Disable the default user ‘SA’ and create another user with same privileges
- Change default TCP port i.e. 1433 to random port so that attacker cannot guess it easily
- Disable the Microsoft SQL(MSSQL) service if not used.
Ensuring above actions are in place is the primary prevention to stay away from these type of attacks. We also recommend customizing ‘Quick Heal Firewall’ which allows users to set the firewall rules to suit individual needs. If properly configured, Quick Heal Firewall can protect against these intrusion attacks by bottlenecking the network traffic to safeguard your network infrastructure. We have discussed similar ‘Firewall configuration’ in our previous blog about RDP brute force attacks.
Also, use Quick Heal Vulnerability Scanner available in enterprise suite (EPS) to identify vulnerabilities and further patch/fix them to avoid getting exploited by such miscreants.
ACKNOWLEDGMENT
Subject Matter Expert
• Shantanu Vichare
– Threat Research and Response Team
The post Brute force attack on Microsoft SQL appeared first on Quick Heal Technologies Security Blog | Latest computer security news, tips, and advice.
http://blogs.quickheal.com/feed/