Security researchers have traced the "MrbMiner" attacks on SQL Server to a source allegedly tied to an Iranian software firm.
Cybersecurity firm Sophos recently discovered MrbMiner, a malware that targets internet-facing SQL database servers and then downloads and installs a cryptominer. Sophos alleges that MrbMiner is tied to a small Iran-based software development company.
Cybercriminals have long targeted database servers, hijacking their processing capacity for cryptomining.
“SophosLabs found that the attackers used multiple routes to install the malicious mining software on a targeted server, with the cryptominer payload and configuration files packed into deliberately mis-named zip archive files,” Sophos wrote in the blog post.
According to Gabor Szappanos, threat research director of SophosLabs, the malware authors hard-coded into the miner's configuration file domains and IP addresses that tie back to a small software company based in Iran.
“Cryptojacking is a silent and invisible threat that is easy to implement and very difficult to detect. Further, once a system has been compromised it presents an open door for other threats, such as ransomware. It is therefore important to stop cryptojacking in its tracks,” Szappanos explained.
A cryptominer is not subtle about CPU: system administrators should alert on unexplained, sustained CPU saturation on the database host and the accompanying drop in SQL Server query throughput, and should treat unfamiliar processes or scheduled tasks on that host as something to investigate rather than tune around.
This also raises the question: why would organizations allow SQL Servers (or any database servers, for that matter) to be connected directly to the internet, making them such easy targets for attackers?
As we wrote in a previous post, 'Top 3 AWS security configuration mistakes,' organizations need to make sure their security group policies restrict traffic to only the necessary source and destination addresses and ports.
In conclusion, a database server should accept connections only from trusted sources: the approved web/app servers in front of it and the jump servers used for remote administrative access. In AWS, that means a database security group whose inbound rules reference the app tier's security group and the jump hosts' address range rather than 0.0.0.0/0.
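To make the security-group advice concrete, here is an added example (not code from the original post or from Sophos) that audits security groups for database ports open to the whole internet and shows the restricted rule that should replace such an entry. It assumes the input has the shape returned by boto3's ec2.describe_security_groups(); the three security groups and all of their IDs below are constructed for the example, and the script runs offline against that sample data.

```python
"""Audit EC2 security groups for database ports reachable from the whole internet.

Assumption: each entry looks like an item of the "SecurityGroups" list returned by
boto3's ec2.describe_security_groups(). The sample data below is constructed.
"""
import ipaddress

# Well-known database listener ports to flag when exposed to 0.0.0.0/0 or ::/0.
DB_PORTS = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 1521: "Oracle"}


def cidr_is_world(cidr: str) -> bool:
    """True when the CIDR admits every address, i.e. its prefix length is 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm: dict) -> tuple[int, int]:
    """Port range covered by one IpPermissions entry; protocol '-1' means all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_exposed_db_rules(security_groups: list) -> list:
    """Return (group_id, port, service, cidr) for every DB port open to the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("tcp", "-1"):
                continue  # UDP/ICMP rules cannot reach a TCP database listener
            lo, hi = rule_ports(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if cidr_is_world(c)]
            if not world:
                continue  # rules that only reference other SGs or private ranges are fine
            for port, service in DB_PORTS.items():
                if lo <= port <= hi:
                    findings.extend((sg["GroupId"], port, service, c) for c in world)
    return findings


def restricted_ingress_rule(port: int, app_sg_id: str, jump_cidr: str) -> dict:
    """The corrected rule: allow `port` only from the app tier's SG and the jump-host subnet.

    Shape matches the IpPermissions argument of ec2.authorize_security_group_ingress().
    """
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": jump_cidr, "Description": "jump hosts"}],
        "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": app_sg_id, "Description": "app tier"}],
    }


# Constructed sample: two exposed groups and one hardened group. IDs are made up.
SAMPLE_SECURITY_GROUPS = [
    {   # exposed: SQL Server port open to every IPv4 address
        "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "db-sqlserver-bad",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                           "Ipv6Ranges": [], "UserIdGroupPairs": []}],
    },
    {   # exposed: all protocols and ports from every IPv6 address
        "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db-mysql-allow-all",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                           "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}],
    },
    {   # hardened: only the app tier's SG and the jump-host subnet may reach 1433
        "GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "db-sqlserver-good",
        "IpPermissions": [restricted_ingress_rule(1433, "sg-0a1b2c3d4e5f6aaaa", "10.0.100.0/24")],
    },
]

if __name__ == "__main__":
    for group_id, port, service, cidr in find_exposed_db_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: {service} port {port} reachable from {cidr}")
```

Run against a live account, replace SAMPLE_SECURITY_GROUPS with the "SecurityGroups" list from describe_security_groups(); the all-protocols (`-1`) case matters because a lazy "allow all" rule exposes every database port without mentioning any of them.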