CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware

May 15, 2023, by Ravi Lakshmanan. Data Security / Cryptocurrency


Poorly managed Microsoft SQL (MS SQL) servers are being targeted with malware called CLR SqlShell, which ultimately facilitates the deployment of cryptocurrency miners and ransomware.

“Similar to a web shell that can be installed on a web server, SqlShell, once installed on an MS SQL server, is a malware strain that supports various functions such as executing commands from threat actors and performing all kinds of malicious actions,” the AhnLab Security Emergency Response Center (ASEC) said in a report released last week.

A stored procedure is a subroutine containing a series of Structured Query Language (SQL) statements that can be shared by multiple programs in a relational database management system (RDBMS).

CLR (short for Common Language Runtime) stored procedures, available since SQL Server 2005, are stored procedures written in a .NET language such as C# or Visual Basic and loaded into the server as assemblies.


The attack technique discovered by the South Korean cybersecurity firm uses CLR stored procedures to install malware on MS SQL servers, with the xp_cmdshell extended stored procedure doing the actual execution. xp_cmdshell launches a Windows command shell and passes the supplied string to it as a command to run.


Threat actors such as those behind LemonDuck, MyKings (a.k.a. DarkCloud or Smominru), and Vollgar have previously compromised Internet-exposed MS SQL servers via brute-force and dictionary attacks, and then used xp_cmdshell commands and OLE Automation stored procedures to run their malware.
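Every path described above (xp_cmdshell, OLE Automation procedures, and CLR assemblies loaded as stored procedures) depends on a server-level option being enabled and on an object the attacker had to create. The T-SQL audit below is an added example, not code from the article or from the ASEC report. It assumes a login with sysadmin rights on SQL Server 2008 or later; the 'clr strict security' option only exists on SQL Server 2017 and later and simply returns no row on older versions. It lists the relevant configuration values, enumerates every user-defined CLR assembly in every online database together with the procedures bound to it, and shows who currently holds sysadmin, which is the privilege these tools are used to obtain.

```sql
-- Added example (not from the article or the ASEC report): audit query for the
-- settings and objects that SqlShell-style abuse of MS SQL depends on.
-- Assumption: run as a sysadmin-level login on SQL Server 2008 or later.

-- 1. Server options that must be enabled for these techniques to work.
--    On a hardened server value_in_use is 0 for xp_cmdshell, 'clr enabled' and
--    'Ole Automation Procedures'; 'clr strict security' (2017+) should be 1.
SELECT name, value_in_use, value AS configured_value
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled',
               'Ole Automation Procedures', 'clr strict security')
ORDER BY name;

-- 2. User-defined CLR assemblies in every online database, with permission set,
--    timestamps and the stored procedures/functions bound to them. Assemblies you
--    did not deploy, or ones marked UNSAFE / EXTERNAL_ACCESS, deserve a closer look.
--    Each database has its own sys.assemblies, so one statement per database is
--    built and the results are joined with UNION ALL.
DECLARE @sql nvarchar(max) = N'';

SELECT @sql = @sql
    + N'SELECT N' + QUOTENAME(d.name, '''') + N' AS database_name, '
    + N'a.name AS assembly_name, a.permission_set_desc, a.is_visible, '
    + N'a.create_date, a.modify_date, o.name AS bound_object, o.type_desc '
    + N'FROM ' + QUOTENAME(d.name) + N'.sys.assemblies AS a '
    + N'LEFT JOIN ' + QUOTENAME(d.name) + N'.sys.assembly_modules AS m '
    + N'       ON m.assembly_id = a.assembly_id '
    + N'LEFT JOIN ' + QUOTENAME(d.name) + N'.sys.objects AS o '
    + N'       ON o.object_id = m.object_id '
    + N'WHERE a.is_user_defined = 1 UNION ALL '
FROM sys.databases AS d
WHERE d.state_desc = 'ONLINE';

IF LEN(@sql) > 0
BEGIN
    -- drop the trailing 'UNION ALL' (LEN ignores the trailing space) and run
    SET @sql = LEFT(@sql, LEN(@sql) - LEN(N'UNION ALL'));
    EXEC sp_executesql @sql;
END;

-- 3. Who holds sysadmin right now. Unexpected members are the usual result of
--    the privilege-escalation step these tools perform.
SELECT m.name AS member_login, m.type_desc, m.create_date, m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.create_date DESC;

-- Remediation once the findings are reviewed (left commented out on purpose):
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;                RECONFIGURE;
-- EXEC sp_configure 'Ole Automation Procedures', 0;  RECONFIGURE;
-- EXEC sp_configure 'clr enabled', 0;                RECONFIGURE;
```

Removing a rogue assembly requires dropping the procedures that reference it first (DROP PROCEDURE, then DROP ASSEMBLY); the second result set gives you that dependency list. Disabling 'clr enabled' stops any remaining CLR procedures from executing even before the cleanup is complete, which is why it is listed among the remediation steps rather than left to the assembly drop alone.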

The use of CLR stored procedures is the latest addition to this list, with attackers leveraging SqlShell routines to download and deliver next-stage payloads such as Metasploit and cryptocurrency miners such as MrbMiner, MyKings, and LoveMiner.


Additionally, SqlShell variants named SqlHelper, CLRSQL, and CLR_module have been used by various adversaries to elevate privileges on compromised servers, launch ransomware and proxyware, and perform reconnaissance on targeted networks.

“SqlShell may install additional malware such as backdoors, coinminers, proxyware, or execute malicious commands received from threat actors in a manner similar to WebShell,” ASEC said.
