Sophos: Botnet Uses Brute-Force Attacks Targeting Vulnerable Databases
The operators behind the Kingminer botnet have recently started targeting vulnerable Microsoft SQL Server databases using brute-force methods in order to mine cryptocurrency, according to research released this week from security firm Sophos.
The Kingminer botnet, which has been active since 2018, is also now targeting unpatched SQL Server databases in an effort to exploit both the BlueKeep and EternalBlue vulnerabilities, according to Sophos.
In addition to exploiting known vulnerabilities, the operators behind the botnet are using malware such as the Gh0st remote access Trojan, the Gates backdoor and the Mimikatz password stealer in order to infect the SQL Server databases and inject the cryptominer, the report notes.
Once a SQL Server database is infected, the botnet installs a cryptominer called XMRig that mines for monero cryptocurrency, according to the report written by Sophos researchers Gabor Szappanos and Vikas Singh.
It is unclear how many systems this botnet has infected. Because of the malware’s use of publicly available exploitation tools, the researchers believe that the Kingminer operators are likely to expand the size of their operation.
“Kingminer is one of the many medium-sized criminal enterprises who are more creative than the groups who simply use builders purchased from underground marketplaces,” the report says. “As long as the sources of new tools and exploits are published, groups like Kingminer can and will continue to implement them into their arsenal, accelerating the adoption of the exploits and exploit techniques in the lower level tiers of criminality.”
Targeting SQL Servers
Kingminer botnet establishes an initial foothold in a SQL Server database using brute-force methods to guess the right combination of username and password, according to Sophos. The botnet then downloads various malware components from two separate servers controlled by its operators.
The first is a domain generation algorithm server, essentially a command and control server, that delivers the malicious content. The second is a public GitHub repository that hosts non-malicious tools such as the XMRig miner, reflective loader scripts and the Mimikatz password stealer, the report says.
Sophos researchers believe the botnet uses these tools to help evade detection. While DGA server names are dynamically generated and keep changing with time – which makes detection more difficult – the researchers note that the GithHub repository helps the botnet operators move to new accounts as the old ones are identified and shut down.
In the case of GitHub, operators use 20 separate accounts, according to Sophos.
In the next stage, the malware script is downloaded in a plain VBScript variation as well as a Scriptlet version, which will determine if the SQL Server is running a 32-bit or 64-bit operating system. Once the type of operating system is known, the botnet deploys custom payloads, the report notes.
The operators of Kingminer may also attempt to exploit a vulnerability listed as CVE-2019-0803, which can escalate privileges.
The last stage sees the botnet proceed to download the main cryptomining payload in three ways. This include running the malware through side loading, executing as a PowerShell script or by disguising the malware as a control panel program to prevent any detection, the report notes.
Once the XMRig is downloaded, the botnet begins mining for monero, according to Sophos.
Exploiting EternalBlue and BlueKeep
In addition to downloading the payload, the malware can also scan a SQL Server to determine if it has been patched for the EternalBlue vulnerability. The Sophos researchers note, however, the botnet operators are only in the early stages of experimenting with EternalBlue and have not successfully exploited it so far.
“The EternalBlue exploitation by Kingminer is still in early stage, and we have not seen successful infections with it,” Szappanos tells Information Security Media Group. “It is not unusual to use this exploit. Just like in the case of SQL attacks, once the tools become available, criminal groups happily take it and use it.”
The Sophos researchers also found that Kingminer will look to see if the infected SQL Server is vulnerable to the BlueKeep vulnerability. If it is, the operators will attempt to disable the remote desktop protocol access to prevent other cybercriminals and botnets from exploiting the same vulnerability.
Botnets and SQL Servers
Over the past several months, other security researchers have found several botnets that are also taking advantage of vulnerable SQL Server databases for illegal cryptomining.
In April, researchers at the security firm Guardicore Labs discovered a botnet called Vollagar that exploits vulnerable SQL Servers for cryptomining. The botnet itself appears to have originated in China (see: Botnet Targets Devices Running Microsoft SQL Server: Report).
“The reason why we see so many attacks targeting SQL Servers is that methods and tools for attacking these servers are generally available in underground sites and forums,” Szappanos tells ISMG. “It’s a typical pattern with cybercriminal tactics that once the information becomes available, many criminal groups will jump on the opportunity and use it for attacks.”
Managing Editor Scott Ferguson contributed to this report.