
Attack campaign hits thousands of MS-SQL servers for two years

In December, security researchers noticed an uptick in brute-force attacks against publicly exposed Microsoft SQL servers. It turns out the attacks go as far back as May 2018 and infect on average a couple thousand database servers every day with remote access Trojans (RATs) and cryptominers.

Researchers from Guardicore Labs have dubbed the ongoing campaign Vollgar and traced it back to China. The scans and attacks originate from Chinese IP addresses -- likely associated with infected and hijacked machines -- and the command-and-control (C&C) servers are also hosted in China and use Chinese in their web-based management interfaces.

The infected MS-SQL servers belong to organizations from various sectors, including healthcare, aviation, IT, telecommunications and education, with many located in China, India, the US, South Korea and Turkey.

"With regards to infection period, the majority (60%) of infected machines remained such for only a short period of time," the researchers said in a report released today. "However, almost 20% of all breached servers remained infected for more than a week and even longer than two weeks. This proves how successful the attack is in hiding its tracks and bypassing mitigations such as antiviruses and EDR products. Alternatively, it is very likely that those do not exist on servers in the first place."

Infection and reinfection

Guardicore has seen an infection rate of between 2,000 and 3,000 machines daily, which is significant given that there are only around half a million MS-SQL servers on the internet -- a small number compared to other types of database servers. What's even more surprising is that 10% of systems become reinfected, which suggests administrators tried to clean the malware but missed some components or failed to change the weak credentials that led to the compromise in the first place.

The infections resulting from this campaign are thorough and have multiple components. The attackers are also aggressive in removing malware belonging to other competitors from the machines.

Once they gain access to a database server, the attackers make configuration changes to enable WMI scripting and command execution through MS-SQL, features that the administrator may have disabled. They also ensure that cmd.exe, ftp.exe and other important binaries are executable, and they then add backdoor administrative accounts to both the database and the operating system.

The infection process involves clearing several registry keys that could be used by pre-existing malware to start automatically on system reboot or to attach itself to legitimate executables. The deployed payloads, named SQLAGENTIDC.exe or SQLAGENTVDC.exe, also scan the running processes for known malware and kill it. They then download multiple remote access modules and a cryptocurrency mining program based on XMRig.

The remote access modules contact the command-and-control domain on different ports, including 22251, 9383 and 3213. The researchers believe this is done for redundancy purposes in case one of the servers that make up the malware's infrastructure goes down.

"We found two C&C platforms used by the attacker," the researchers said. "These two platforms were developed by different vendors, but offer a similar variety of remote control capabilities to the attacker who controls them: downloading files, installing new Windows services, keylogging, screen capturing, running an interactive shell terminal, activating the camera and the microphone, initiating a DDoS attack, and more."

The cryptomining component uses the server's CPU resources to mine Monero and another cryptocoin named VDS, or Vollar -- hence the name of the campaign. The C&C domain also uses the coin's name under a free TLD.

Mitigation for the Vollgar attack

Organizations should always assess whether their database servers -- or any servers -- really need to be exposed directly to the internet. If that can't be avoided, they should be protected with access control lists and strong access credentials that cannot be easily guessed. Enabling brute-force protection through rate limiting for failed authentication attempts is also recommended.
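As an added example (not code from the article or from Guardicore), the following Python snippet shows the kind of failed-login rate signal the paragraph above recommends acting on: it parses SQL Server error-log lines, counts failures per client address in a sliding window, and reports addresses that cross a threshold together with the logins they tried. The log lines are constructed for the example, modelled on the "Login failed for user" message SQL Server writes for error 18456; the threshold and window size are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# SQL Server logs each failed authentication (error 18456) as a "Login failed for user"
# line that includes the client address; this pattern assumes that format.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Constructed sample log: one client hammering 'sa' and 'admin' within seconds,
# another with two isolated failures minutes apart, plus unrelated lines.
SAMPLE_LOG = """\
2020-06-05 10:00:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2020-06-05 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-05 10:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-05 10:00:02.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-05 10:00:03.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2020-06-05 10:00:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-05 10:00:05.11 spid53      Starting up database 'tempdb'.
2020-06-05 10:09:30.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]
2020-06-05 10:15:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]
"""

def parse_failures(lines):
    """Return (timestamp, user, client_ip) for each failed-login line; other lines are skipped."""
    out = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"], m["ip"]))
    return out

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Map client IP -> logins it targeted, for clients producing at least `threshold`
    failures inside any sliding window of `window_seconds` (threshold/window are assumed)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    targeted = defaultdict(set)   # ip -> login names tried from that address
    flagged = {}
    for ts, user, ip in sorted(parse_failures(lines)):
        q = recent[ip]
        q.append(ts)
        targeted[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire entries older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = targeted[ip]
    return flagged
```

The same sliding-window count can feed a firewall rule or a SIEM alert; the isolated failures from the second address stay below the threshold and are not reported.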

Guardicore Labs has published the indicators of compromise associated with this campaign on GitHub, as well as a PowerShell script that can be used to thoroughly scan a system for artefacts of a Vollgar infection.

The primary goal of this attack seems to be cryptocurrency mining, a method of abusing enterprise servers that has been increasingly popular and profitable over the past few years, but attackers also have the capability to do much more through the deployed RAT modules.

"What makes these database servers appealing for attackers apart from their valuable CPU power is the huge amount of data they hold," the researchers said. "These machines possibly store personal information such as usernames, passwords, credit card numbers, etc., which can fall into the attacker's hands with only a simple brute-force."

This story, "Attack campaign hits thousands of MS-SQL servers for two years" was originally published by CSO.