Brute-force credential guessing attacks against database servers are ramping up with MSSQL being at the top of the target list. That’s because attackers can leverage the many extensibility features that Microsoft’s database server provides to integrate with other Windows components and features to elevate their privileges and gain full control of the underlying servers.
Last week, researchers from security firm Trustwave released data collected over four months from their global honeypot project, a network of sensors distributed around the world to mimic vulnerable systems and record information about attacks. In this exercise, the honeypots were configured to act as popular database management systems (DBMS) running on their default ports: MS SQL Server (MSSQL), MySQL, Redis, MongoDB, PostgreSQL, Oracle DB, IBM DB2, Cassandra and Couchbase.
“It quickly became clear that the activity of MSSQL has been much higher than other databases,” the researchers said. “The disproportion is so large (>93%) that comparing it to the other DBMSs was sometimes difficult.”
The researchers found that attacks happen in waves and have peaks, but the intensity of MSSQL brute-force attacks dwarfed those against any other database. For example, the second-most targeted database servers, MySQL and Redis, registered attack peaks of around 150,000 login attempts. By comparison, attacks against MSSQL honeypot sensors had peaks of over 3 million login attempts.
Another interesting finding is that even though Trustwave had MSSQL sensors deployed in different countries, attackers clearly displayed regional preferences in their attacks. For example, the sensors located in the UK were the most targeted ones with a bit higher number of attacks registered than those in China, even though China has a much higher number of MSSQL servers exposed to the internet. The US was in sixth place after countries like Ukraine, Russia, and Poland.
According to Shodan, more than 450,000 MSSQL instances are available on the internet with more than 133,000 instances located in China. One would expect China to top of the list for the number of attacks.