Guardicore has disclosed an attack campaign, named Vollgar, that has been quietly compromising Microsoft SQL (MS SQL) servers for about two years. The campaign is believed to originate from China; on each compromised server the attackers install remote-access backdoors and cryptocurrency-mining tools and enrol the machine in a botnet.
The Vollgar botnet breaks into servers by brute-forcing MS SQL login passwords and then uses the compromised machines to mine a cryptocurrency called Vollar, from which the campaign takes its name.
A rise in brute-force attempts against SQL servers observed in December 2019 triggered the investigation, which found that the Vollgar campaign had been running since May 2018. The analysis shows that roughly 2,000 to 3,000 database servers are infected each day.
About 60% of the infected servers were cleaned within two days of infection, while the remaining 40% stayed infected for longer. In addition, about 10% of the servers that had removed the bot were reinfected by Vollgar, which suggests the bot was removed without fixing what let it in, typically the weak SQL password. Infected servers show no obvious symptoms and otherwise behave normally, which makes the infection hard to notice.
Vollgar downloads its attack modules, such as an IP scanner and a password brute-forcer, from a dedicated command-and-control (C&C) server operated by the attackers; these modules are what let each infected server hunt for new victims and so grow the botnet. Research shows that the C&C server is hosted in China.
Measures against Vollgar infection
The most effective countermeasure recommended by Guardicore is to use strong passwords for MS SQL logins (above all the built-in sa account), since every extra character multiplies the number of guesses a brute-force attack needs, so the attack time grows exponentially with password length. A strong password is only part of the fix, though: a server whose SQL port is reachable from the internet will keep receiving login attempts, so restricting network access to the database and watching for bursts of failed logins (SQL Server records each one as error 18456 in its ERRORLOG and the Windows Application log) are the checks a practitioner should add.
Guardicore has also released on GitHub a PowerShell script that checks whether a machine is infected with Vollgar.
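As an added example (not Guardicore's detection script or any code from this article), the following Python snippet shows the kind of check behind the brute-force observation that started the investigation: it parses the "Login failed for user" lines SQL Server writes to its ERRORLOG and flags client addresses that produce a burst of failures within a short window. The log lines are constructed for this example, and the threshold and window size are arbitrary assumptions that a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the line SQL Server writes to ERRORLOG for a failed login (the
# same event is logged to the Windows Application log as event 18456).
# The "Error: 18456, Severity: 14, State: N." line that precedes it is
# ignored here; state 8 means wrong password, state 5 means unknown login.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?: Reason: (?P<reason>[^\[]*?))?\s*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample ERRORLOG excerpt: one remote address hammering 'sa'
# and then trying 'admin', plus a single unrelated failure from an
# internal host. These lines are made up for the example.
SAMPLE_ERRORLOG = """\
2019-12-01 03:14:05.11 Logon       Error: 18456, Severity: 14, State: 8.
2019-12-01 03:14:05.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-12-01 03:14:05.52 Logon       Error: 18456, Severity: 14, State: 8.
2019-12-01 03:14:05.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-12-01 03:14:06.03 Logon       Error: 18456, Severity: 14, State: 8.
2019-12-01 03:14:06.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-12-01 03:14:06.47 Logon       Error: 18456, Severity: 14, State: 8.
2019-12-01 03:14:06.47 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-12-01 03:14:07.01 Logon       Error: 18456, Severity: 14, State: 8.
2019-12-01 03:14:07.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-12-01 03:14:07.90 Logon       Error: 18456, Severity: 14, State: 5.
2019-12-01 03:14:07.90 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2019-12-01 09:02:44.00 Logon       Error: 18456, Severity: 14, State: 8.
2019-12-01 09:02:44.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""


def parse_failed_logins(lines):
    """Return one dict per 'Login failed' line; other lines are skipped."""
    events = []
    for line in lines:
        m = LOGIN_FAILED_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "user": m.group("user"),
            "reason": (m.group("reason") or "").strip(),
            "client": m.group("client"),
        })
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag each client IP whose failures reach `threshold` inside any
    sliding `window`. Returns {client: (peak_count, sorted users tried)}.
    A single bad password from a legitimate user stays below threshold."""
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_client[e["client"]].append(e)
    flagged = {}
    for client, evs in by_client.items():
        start, peak = 0, 0
        for end in range(len(evs)):
            # Advance the window start until all events fit in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = (peak, sorted({e["user"] for e in evs}))
    return flagged


def analyze(errorlog_text, threshold=5, window=timedelta(minutes=1)):
    """Convenience wrapper: raw ERRORLOG text in, flagged clients out."""
    return find_brute_force(parse_failed_logins(errorlog_text.splitlines()),
                            threshold, window)


if __name__ == "__main__":
    for client, (count, users) in analyze(SAMPLE_ERRORLOG).items():
        print(f"{client}: {count} failed logins in one window, users tried: {users}")
```

In practice the same logic would run over `Get-WinEvent -FilterHashtable @{LogName='Application'; Id=18456}` output or a forwarded ERRORLOG, and a flagged external address against sa is exactly the signal that precedes a Vollgar-style compromise when the password is weak.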