Thousands of MSSQL Databases infected by new MrbMiner malware

Once again it turns out that good security is not a luxury. A worldwide alert has just gone out about malware that exploits weak passwords on SQL Server. Using a brute-force attack, the attackers try to guess the password of the sysadmin (sa) account and then install software that mines cryptocurrency. Not only Windows servers are targeted: the code also contains variants that attack Linux and ARM systems.

The malware installs, among other things, a login called “Default” with the password “@ fg125kjnhn987”. It is therefore recommended to scan all SQL Servers for this login with the script below. If this login is present, a full audit of the affected systems is recommended.

-- Flags the "Default" login that the malware creates (case-insensitive match)
IF EXISTS (SELECT name FROM sys.server_principals WHERE UPPER(name) = 'DEFAULT')
    PRINT 'Potential malware detected on server [' + @@SERVERNAME + ']';

In light of this attack, we would like to emphasize once again the importance of a sound security policy for SQL Server (see also our article “Protecting your data against unauthorised reads on SQL Server”):

  • Only activate SQL authentication if it is really necessary.
  • Encourage suppliers of external software to release a version that can work with NT authentication.
  • Provide the “sa” account with a random password and then deactivate this account.
  • If a SQL account is really needed, provide it with a strong password. At least enable the option “Enforce password policy”.
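The following T-SQL audit script is an added example, not part of the original post: it combines the “Default” login check above with checks for each of the recommendations in the list (authentication mode, the sa login, password policy enforcement, and trivially guessable SQL passwords). It only reads server metadata and assumes it is run by a sysadmin; the login name in the remediation comments is a placeholder.

```sql
-- Added audit script (not the original post's code). Reads metadata only.

-- 1. The "Default" login that MrbMiner creates (case-insensitive match)
SELECT 'Suspicious login present' AS finding, name, create_date
FROM sys.server_principals
WHERE UPPER(name) = 'DEFAULT';

-- 2. Authentication mode: 1 = Windows-only, 0 = mixed mode (SQL logins allowed)
SELECT 'Mixed-mode (SQL) authentication enabled' AS finding
WHERE SERVERPROPERTY('IsIntegratedSecurityOnly') = 0;

-- 3. The built-in sa login (principal_id 1, even when renamed) still enabled
SELECT 'sa login still enabled' AS finding, name
FROM sys.server_principals
WHERE principal_id = 1 AND is_disabled = 0;

-- 4. Enabled SQL logins without "Enforce password policy"
SELECT 'Password policy not enforced' AS finding, name
FROM sys.sql_logins
WHERE is_policy_checked = 0 AND is_disabled = 0;

-- 5. Enabled SQL logins whose password is blank or equal to the login name
--    (PWDCOMPARE checks a candidate against the stored hash on the server)
SELECT 'Trivial password' AS finding, name
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (PWDCOMPARE('', password_hash) = 1
       OR PWDCOMPARE(name, password_hash) = 1);

-- Remediation matching points 3 and 4 above (replace the placeholder name):
-- ALTER LOGIN sa WITH PASSWORD = '<long random password>';
-- ALTER LOGIN sa DISABLE;
-- ALTER LOGIN [app_login_placeholder] WITH CHECK_POLICY = ON;
```

Each SELECT returns rows only when a finding applies, so an empty result set for all five queries means the instance passes these checks.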

Whenever needed, the Monin Microsoft SQL Server experts can help you find the SQL accounts with easy-to-guess passwords. This can easily be done using a few scripts.

Interested? Just ask us for help via phone: +32 3 450 67 89 or via e-mail: info@monin-it.be