Tencent Security reports that thousands of Microsoft SQL servers have been compromised. Researchers from the security division of the Chinese tech giant say they call the previously unknown hacking group MrbMiner, after a domain the group uses in some of its attacks. MrbMiner has grown its botnet by finding Microsoft SQL servers exposed online and hitting them with brute-force attacks, bombarding admin accounts with password guesses in the hope that some servers use weak passwords. Judging by the rate of infection, the method is working. Once the attackers gain access to a server, they download an assm.exe file, which sets up boot persistence and creates a backdoor account that lets them return later. With that access in place, the malware downloads a mining application for the Monero (XMR) cryptocurrency, which consumes the compromised server's resources to mine coins and send them to the attackers.

Attacks

Tencent Security notes that, while the infections have been observed on MSSQL servers, MrbMiner malware was also found on Linux servers and ARM systems. Looking at the Linux variant of the malware, the company found a Monero wallet. While these attacks are obviously problematic, there are a couple of things MSSQL administrators can do. First, protecting the server with a genuinely strong password will likely thwart MrbMiner's brute-force attempts. To check whether a system is already compromised, scan the server for the Default/@fg125kjnhn987 backdoor account (login name Default, password @fg125kjnhn987). If it is found, a full network audit is necessary to stop the infection.
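As an added example (not code from the article or from Tencent Security), the following T-SQL triage script covers both checks discussed above on a single SQL Server instance: it counts recent failed logins per client address in the error log, which is what the brute-force phase looks like from the server side, and it hunts for the backdoor login by name, by the known password, and more generally for any recently created sysadmin login. The login name and password are the ones the article reports; the 20-attempt threshold, the 30-day window and the temporary table name are my own assumptions.

```sql
-- Added example, not from the article or Tencent Security: a T-SQL triage
-- script for one SQL Server instance. Part 1 counts failed logins per client
-- address (brute-force evidence). Part 2 looks for the MrbMiner backdoor login.
-- The 20-attempt threshold, 30-day window and temp-table name are assumptions.
SET NOCOUNT ON;

-- Part 1: failed logins from the current error log.
-- xp_readerrorlog(0 = current file, 1 = SQL Server log, search string) returns
-- LogDate, ProcessInfo, Text. Failed logins are written only when login
-- auditing is "Failed logins only" (the default) or "Both".
IF OBJECT_ID('tempdb..#errlog') IS NOT NULL DROP TABLE #errlog;
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(64), [Text] nvarchar(max));
INSERT INTO #errlog (LogDate, ProcessInfo, [Text])
    EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- Each entry ends with "[CLIENT: <address>]"; extract the address and count.
SELECT client,
       attempts   = COUNT(*),
       first_seen = MIN(LogDate),
       last_seen  = MAX(LogDate)
FROM (
    SELECT e.LogDate,
           client = SUBSTRING(e.[Text], x.p + 9,
                              CASE WHEN y.q > x.p + 9 THEN y.q - x.p - 9 ELSE 0 END)
    FROM #errlog AS e
    CROSS APPLY (SELECT p = CHARINDEX('[CLIENT: ', e.[Text]))      AS x  -- '[CLIENT: ' is 9 chars
    CROSS APPLY (SELECT q = CHARINDEX(']', e.[Text], x.p + 1))     AS y
    WHERE x.p > 0 AND y.q > x.p + 9                                   -- skip malformed lines
) AS f
GROUP BY client
HAVING COUNT(*) >= 20            -- assumed threshold; tune to your environment
ORDER BY attempts DESC;

-- Part 2a: the login MrbMiner creates. sys.server_principals lists instance-level
-- logins; IS_SRVROLEMEMBER reports whether the named login holds sysadmin.
SELECT name, type_desc, create_date, modify_date, is_disabled,
       is_sysadmin = IS_SRVROLEMEMBER('sysadmin', name)
FROM sys.server_principals
WHERE name = N'Default';

-- Part 2b: the login may have been renamed, so also match the known password.
-- PWDCOMPARE checks a clear-text password against the stored hash and
-- requires CONTROL SERVER permission.
SELECT name, create_date
FROM sys.sql_logins
WHERE PWDCOMPARE(N'@fg125kjnhn987', password_hash) = 1;

-- Part 2c: any sysadmin login created recently that an administrator did not add.
SELECT name, type_desc, create_date
FROM sys.server_principals
WHERE type IN ('S', 'U')                         -- SQL login, Windows login
  AND IS_SRVROLEMEMBER('sysadmin', name) = 1
  AND create_date > DATEADD(day, -30, GETDATE())
ORDER BY create_date DESC;
```

Run it as a sysadmin on the instance itself. A hit in Part 2a or 2b is a confirmed indicator from the article; Part 1 and Part 2c are broader hunts whose thresholds should be tuned to the environment, and a positive result warrants the full audit the article recommends rather than just dropping the login.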
