We have recently observed attackers targeting Microsoft SQL (MSSQL) servers through their Internet-exposed TCP port. These databases are frequently configured with weak passwords, even though administrators agree that strong passwords matter. The reasons could be convenience for the operator, a lack of security awareness, or simply underestimating the risk.
By default, a SQL Server default instance listens on TCP port 1433 and the SQL Server Browser service on UDP port 1434, and the built-in ‘sa’ login is the administrator (sysadmin) account, which makes it the first login an attacker guesses against.
Microsoft SQL Brute Force Attack Flow:
Indicator of Infection:
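The telltale sign in the SQL Server ERRORLOG is a burst of error 18456 (“Login failed for user 'sa'”) from one client address, followed, if the guess lands, by a “Login succeeded” line from the same address. The script below is an added example, not code from the original post or a Quick Heal tool: it parses constructed ERRORLOG lines in the default log format, counts failures per client inside a sliding window, and flags a success that follows a flagged burst. The threshold and window values are assumptions to tune for your environment; the IP addresses and timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (not a real capture).
# Each failed login normally produces an 'Error: 18456' line plus a
# 'Login failed' line carrying the client IP; the companion lines are
# shown only for the burst to keep the sample short.
SAMPLE_ERRORLOG = """\
2024-03-01 01:00:00.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.8]
2024-03-01 02:15:01.11 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 02:15:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-01 02:15:01.37 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 02:15:01.37 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-01 02:15:02.02 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 02:15:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-01 02:15:02.48 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 02:15:02.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-01 02:15:03.15 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 02:15:03.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-01 02:15:03.90 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 02:15:03.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-01 02:15:09.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2024-03-01 03:00:00.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.8]
2024-03-01 05:00:00.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.8]
2024-03-01 08:30:12.50 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

# Matches the audit line that names the login and the client; the
# 'Error: 18456' companion line carries no client and is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_errorlog(text):
    """Yield (timestamp, outcome, login, client_ip) for each Logon audit line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        yield ts, m["outcome"], m["user"], m["client"]


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {client_ip: summary} for clients whose failed logins reach
    `threshold` within any trailing window of `window_seconds`.
    A 'Login succeeded' from an already-flagged client is marked as a
    possible compromise. Threshold and window are assumed tuning values."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)   # client -> timestamps of every failure
    logins = defaultdict(set)      # client -> login names tried
    alerts = {}
    for ts, outcome, login, client in parse_errorlog(text):
        if outcome == "failed":
            failures[client].append(ts)
            logins[client].add(login)
            in_window = [t for t in failures[client] if ts - t <= window]
            if len(in_window) >= threshold:
                alerts.setdefault(client, {"burst_start": in_window[0],
                                           "success_after_burst": False})
        elif client in alerts:
            # lines are processed in order, so this success came after the burst
            alerts[client]["success_after_burst"] = True
            alerts[client]["compromised_login"] = login
    for client, summary in alerts.items():
        summary["failures"] = len(failures[client])
        summary["logins"] = sorted(logins[client])
    return alerts


if __name__ == "__main__":
    for client, summary in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(client, summary)
```

In the sample, 203.0.113.45 fails six times in three seconds and then logs in as ‘sa’, so it is flagged with `success_after_burst`; 198.51.100.8 also fails three times but hours apart, so it never reaches the threshold inside the window. Note that successful logins only appear in the ERRORLOG when login auditing is set to record both failed and successful logins, so check that setting before relying on the compromise flag.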
How much damage this attack can cause:
How you can safeguard your system from this attack:
Ensuring that the above actions are in place is the primary way to prevent these types of attacks. We also recommend customising Quick Heal Firewall, which lets users set firewall rules to suit their individual needs. If properly configured, Quick Heal Firewall can protect against these intrusion attempts by restricting the network traffic allowed to reach your infrastructure. We discussed a similar firewall configuration in our previous blog on RDP brute force attacks.
Also, use Quick Heal Vulnerability Scanner to identify vulnerabilities and patch or fix them before such miscreants can exploit them.
Subject Matter Expert
• Shantanu Vichare
– Threat Research and Response Team