Threat actors have launched a novel SQL server hacking campaign leveraging the built-in utility "sqlps.exe" to facilitate brute-force attacks and SuspSQLUsage malware deployment, The Hacker News reports.
Microsoft researchers discovered that the sqlps.exe utility, which ships with all SQL Server versions, has been used to execute reconnaissance commands and to modify the SQL service start mode, giving attackers fileless persistence.
Attackers have also been able to take over SQL servers by using sqlps.exe to create sysadmin accounts, according to the report. Because these fileless attacks leave little for antivirus systems to detect, threat actors have been able to conceal malicious activity among ordinary network traffic and administrative tasks, researchers said. Microsoft also noted that the new attacks indicate continued weaponization of legitimate binaries.
"The use of this uncommon living-off-the-land binary (LOLBin) highlights the importance of gaining full visibility into the runtime behavior of scripts in order to expose malicious code," said Microsoft in a tweet.
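As an added illustration of the visibility point in the quote above, the script below flags sqlps.exe activity in Windows process-creation events. This is example code written for this note, not Microsoft's SuspSQLUsage logic and not from The Hacker News: the event field names (a Sysmon-like Image/ParentImage/User/CommandLine layout), the assumption that SQL Agent is the only expected parent of sqlps.exe, the risk keyword list (derived from the behaviours the article names, service start-mode changes and sysadmin creation) and the sample events are all constructed for the example.

```python
"""Flag suspicious sqlps.exe use in Windows process-creation events.

Added example, not vendor detection logic. Field names, the parent
baseline and the keyword list are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events (one process start per line, key=value pairs
# separated by '|'). The third command line is a deliberate placeholder
# rather than a real command; it only carries the keywords the rule checks.
SAMPLE_EVENTS = [
    'Image=C:\\Program Files\\Microsoft SQL Server\\130\\Tools\\Binn\\sqlps.exe'
    '|ParentImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL13.MSSQLSERVER\\MSSQL\\Binn\\SQLAGENT.EXE'
    '|User=NT SERVICE\\SQLSERVERAGENT'
    '|CommandLine=sqlps.exe -NoLogo -NoProfile -Command Invoke-Sqlcmd -Query "SELECT 1"',
    'Image=C:\\Program Files\\Microsoft SQL Server\\130\\Tools\\Binn\\sqlps.exe'
    '|ParentImage=C:\\Windows\\System32\\cmd.exe'
    '|User=CORP\\svc_sql'
    '|CommandLine=sqlps.exe -Command Get-ChildItem SQLSERVER:\\SQL\\localhost',
    'Image=C:\\Program Files\\Microsoft SQL Server\\130\\Tools\\Binn\\sqlps.exe'
    '|ParentImage=C:\\Windows\\System32\\cmd.exe'
    '|User=CORP\\svc_sql'
    '|CommandLine=sqlps.exe -Command "<constructed: references sysadmin role and service StartMode>"',
    'Image=C:\\Windows\\System32\\notepad.exe'
    '|ParentImage=C:\\Windows\\explorer.exe'
    '|User=CORP\\alice'
    '|CommandLine=notepad.exe',
]

# Assumption: SQL Agent PowerShell job steps are the normal launcher of
# sqlps.exe; anything else is unusual and worth a look.
EXPECTED_PARENTS = {"sqlagent.exe"}

# Assumed keyword list tied to the behaviours described in the article
# (service start-mode changes, sysadmin creation); not a vendor signature.
HIGH_RISK_PATTERN = re.compile(r"sysadmin|start ?mode|startuptype", re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    reason: str
    user: str
    command_line: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'k=v|k=v' into a dict; the first '=' in each field is the separator."""
    event: Dict[str, str] = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        event[key.strip()] = value
    return event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Return a finding for sqlps.exe starts, None for everything else."""
    if basename(event.get("Image", "")) != "sqlps.exe":
        return None
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    user = event.get("User", "")
    if HIGH_RISK_PATTERN.search(cmd):
        return Finding("high",
                       "sqlps.exe command line references service start mode or sysadmin role",
                       user, cmd)
    if parent not in EXPECTED_PARENTS:
        return Finding("medium", f"sqlps.exe launched by unexpected parent {parent}", user, cmd)
    return Finding("low", "sqlps.exe execution (uncommon LOLBin, expected parent)", user, cmd)


def scan(lines: List[str]) -> List[Finding]:
    """Assess every event line and keep only the sqlps.exe findings."""
    findings = (assess(parse_event(line)) for line in lines)
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper()}] {finding.user}: {finding.reason}")
        print(f"    {finding.command_line}")
```

The three tiers mirror what the quote asks for: the low tier gives baseline visibility into every sqlps.exe start, the medium tier isolates launches from outside the SQL Agent job path, and the high tier keys on the specific administrative changes the article attributes to the campaign. In a real deployment the parent baseline and keyword list would be tuned against the environment's own SQL Agent jobs.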