Blogs on Information Technology, Network & Cybersecurity | Seqrite Blog
Brute force attack on Microsoft SQL
04 May 2017


Written by Ankita Ashesh

Recently, we have observed attackers targeting Microsoft SQL (MSSQL) servers through their open TCP port. In these cases the database is configured with a weak password, even though administrators agree that strong passwords are important. The reasons could be ease of use for the operator, lack of security awareness, or simply underestimating the risk.

By default, Microsoft SQL runs on TCP ports 1433/1434 with ‘SA’ as an administrator user.

Microsoft SQL Brute Force Attack Flow:

  1. The attacker uses port scanning techniques to identify open ports on the target system.
  2. Once the attacker finds port 1433/1434 open, they start brute forcing the SA login, which is the default administrator account.
  3. The attacker usually holds a dictionary of the most common passwords used by database administrators, which makes the attack faster and successful in most cases.
  4. Once the attacker has access to the ‘SA’ user, they have complete access to the database. The attacker may further exploit the system if the Microsoft SQL server has vulnerabilities that allow complete access to the operating system.

Indicator of Infection:

  1. The Microsoft SQL ‘SA’ user password has been changed without the administrator's knowledge
  2. Multiple failed attempts to log in as the ‘SA’ user
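A defender-side check for the second indicator, added here as an example (not code from the original post): it scans SQL Server ERRORLOG-style login messages for bursts of failed ‘SA’ logins from one client and for a successful ‘SA’ login that follows such a burst. The sample lines are constructed, the threshold and window are illustrative assumptions, and the second alert assumes login auditing records successful logins as well as failed ones.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server ERRORLOG layout (not real data).
FAIL = "Login failed for user 'sa'. Reason: Password did not match that for the login provided."
OK = "Login succeeded for user 'sa'. Connection made using SQL Server authentication."

def _line(ts, msg, client):
    return f"2024-01-15 {ts} Logon       {msg} [CLIENT: {client}]"

SAMPLE_LOG = "\n".join(
    [_line(f"02:13:{s:02d}.10", FAIL, "203.0.113.45") for s in (1, 3, 5, 7, 9)]
    + [_line("02:13:12.40", OK, "203.0.113.45"),
       _line("09:30:00.00", FAIL, "198.51.100.7")]  # single typo, not an attack
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_events(text):
    """Yield (timestamp, result, user, client) for each login message."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["result"], m["user"].lower(), m["client"]

def detect_sa_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Alert on clients with >= threshold 'sa' failures inside the window,
    and on any later 'sa' success from a client that tripped the threshold."""
    recent = defaultdict(deque)      # client -> timestamps of recent failures
    flagged, alerts = set(), []
    for ts, result, user, client in parse_events(text):
        if user != "sa":
            continue
        if result == "failed":
            q = recent[client]
            q.append(ts)
            while ts - q[0] > window:    # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append(("BRUTE_FORCE", client, ts))
        elif client in flagged:          # success after a flagged burst
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", client, ts))
    return alerts
```

A `SUCCESS_AFTER_BRUTE_FORCE` alert is the one to escalate first, since it suggests the password was guessed.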

How much damage this attack can cause:

  1. The attacker can gain administrative access to the database, which is an integral part of any organization. This may result in data being lost and/or stolen.

How you can safeguard your system from this attack:

  1. Set a complex password for database users such as the ‘SA’ user.
  2. Disable the default ‘SA’ user and create another user with the same privileges.
  3. Change the default TCP port, i.e. 1433, to a random port so that an attacker cannot guess it easily.
  4. Disable the Microsoft SQL (MSSQL) service if it is not used.

Ensuring the above actions are in place is the primary way to prevent these types of attacks. We also recommend customizing ‘Quick Heal Firewall’, which allows users to set firewall rules to suit individual needs. If properly configured, Quick Heal Firewall can protect against these intrusion attacks by bottlenecking the network traffic to safeguard your network infrastructure. We have discussed similar ‘Firewall configuration’ in our previous blog about RDP brute force attacks.

Also, use Quick Heal Vulnerability Scanner to identify vulnerabilities and then patch/fix them to avoid getting exploited by such miscreants.

ACKNOWLEDGMENT

Subject Matter Expert
• Shantanu Vichare
– Threat Research and Response Team
