RATs Can be a Security Threat to Your SQL Servers

by Nov 20, 2020

Before you click away, let me assure you that this post is not about rodents chewing on power cords or networking cables. RATs is an acronym for remote access Trojans and they are able to cause much more damage than that caused by a small mammal running rampant in your data center. There might be one living on the Windows machine that hosts your SQL Server database, just waiting for the right time to spring into action. 

A Brief History of RATs

Remote access trojans have been a part of the computing landscape since the 1980s with the emergence of tools like NetBus and NetSupport. Couched as remote access support tools, these programs were originally designed by hackers looking to have fun by remotely taking control of their friends’ computers. Initially, the pranks were restricted to things like opening the CD tray or making changes to desktop settings. These incursions into other computers may have been annoying but were essentially harmless. 

During the 1990s at least 16 RATs were developed and deployed. The focus of the perpetrators started to shift from simply causing havoc to making money with their malicious software. An example is a RAT known as Beast which first appeared in 2002. It was one of the first pieces of malware that included a reverse connection to its victims. The code was capable of bypassing firewall protection and killing antivirus processes.

Gh0st is another RAT that illustrates the ease with which malware can be obtained by a motivated team or individual. It was written by a Chinese hacker group and was used in the Gh0stNet Operation which was discovered in 2009. Computers used by political, media, and economic organizations in over 100 countries were compromised. The software collected and encrypted data which was then sent back to the hacker’s command and control server. Gh0st was made available to anyone interested in hacking who was willing to risk downloading software from potentially suspicious websites. It was no longer necessary to have the skills required to write malware to use it.

What started as an exercise in programming skill for the purpose of executing pranks has turned into a cottage industry intent on creating malicious software used by cybercriminals and state-sponsored hacker groups. Taking a page from cloud providers’ playbooks that offer a plethora of software as a service (SaaS) products, RAT entrepreneurs are now selling their wares to anyone willing to pay for them. Often at a surprisingly low price. The majority of these malware products focus on machines running the Windows operating system. 

Researchers have identified more than 250 new RATs developed between 2011 and 2020. Some, like Luminosity Link, have user interfaces that rival professional applications and make it easy for anyone to engage in malevolent behavior. One of the problems with identifying RATs is that they are advertised as legitimate remote control support software. What may appear to be a useful software tool may have been launched with the intention of remaining dormant for many years before being used for its nefarious purpose.

How RATs Can Impact an SQL Server Environment

A long-term campaign was discovered in early 2020 that specifically targets Windows computers running Microsoft SQL Server. Dubbed Vollgar by researchers, the attack to deploy the malware uses brute-force login techniques to identify weak credentials with which to breach SQL Servers that are exposed to the Internet. Beginning in 2018, thousands of SQL Servers were infected with malware that opened backdoors to hackers and planted RATs and crypto miners on the affected machines. 

At the height of its infection rate, more than 3,000 SQL Servers were impacted daily. Systems were victimized in the healthcare, IT, aviation, and higher education sectors in China, India, the US, South Korea, and Turkey. Once the security of an SQL Server has been compromised, the attack makes configuration changes that allow it to run malicious SQL commands and download additional malware, including a variety of RATs.

Some of the reasons that SQL Servers appeal to hackers is the CPU power available for crypto-mining and the large amounts of data that they may be able to steal. With many SQL Servers used to store sensitive information, choosing them as a target makes good sense from a cyber criminal’s perspective. From a DBA’s POV, they need to keep their database servers free of RATs and other types of digital vermin.

Implementing Robust SQL Server Security

Exploiting weak points in SQL Server security is one of the ways that malware like RATs gets deployed. Identifying and remediating those weaknesses is one of the most important activities a database team performs. Database performance becomes an afterthought when enterprise data has been compromised. To adequately protect data assets, DBAs need to have the right tools at their disposal.

IDERA’s SQL Secure addresses the problems of SQL Server security with a multi-faceted approach. The tool detects weak or missing passwords that may allow intrusion by hackers. It also analyzes operating system security to alert you to issues that affect SQL Server security. SQL Secure works with your in-house or cloud instances and identifies port, protocols, and APIs that may be prone to attack by malware. 

Additional features of this security application include the ability to analyze effective rights and database roles and permissions so exploitable gaps can be identified and addressed. Powerful reporting capabilities enable customized reports to be generated for auditing and compliance. Security scorecards give team members an efficient method of quickly checking on potential issues before they become data breaches. SQL Secure will help eliminate the presence of those nasty RATs and protect your organization’s valuable data.