Research by cybersecurity firm Trustwave shows that Microsoft’s popular MSSQL service is increasingly under attack.
SQL services host ‘relational databases’, which all kinds of applications use to store and access data. They are also popular targets for cybercriminals because they can contain sensitive data, from intellectual property to customer information. Within this market, Oracle, MySQL and Microsoft SQL are the most widely used database management services.
The Trustwave survey covered a limited number of countries. It chose to monitor the US, UK, Poland, Ukraine, Russia and China. The rationale behind this selection was that these were geopolitically tense states, with a rich array of malicious actors who would be hunting for sensitive data.
Specifically, Trustwave used so-called “low-interaction honeypots”. These were fake targets posing as SQL services, with no other system behind them that attackers could get into. Each one was purely a sensor to see if an attack took place, not how these criminals operated.
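To make the idea of a pure sensor concrete, here is an added sketch of a low-interaction listener in Python. It is not Trustwave's tooling and not code from the research; the port number, the event fields and the function names are assumptions made for this example.

```python
import socketserver
import time
from collections import Counter

# First byte of a TDS packet header identifies the message type (MS-TDS).
TDS_TYPES = {0x12: "prelogin", 0x10: "login7"}
EVENTS = []  # in-memory log; a real sensor would ship these to storage


def record_probe(service, peer_ip, data, now=None):
    """Store one connection attempt; nothing from the peer is executed or answered."""
    kind = TDS_TYPES.get(data[0], "other") if data else "empty"
    event = {"ts": now if now is not None else time.time(),
             "service": service, "src": peer_ip,
             "kind": kind, "bytes": len(data)}
    EVENTS.append(event)
    return event


def share_by_service(events):
    """Percentage of recorded attempts per service, rounded to 2 decimals."""
    counts = Counter(e["service"] for e in events)
    total = sum(counts.values())
    return {s: round(100 * n / total, 2) for s, n in counts.items()} if total else {}


class Sensor(socketserver.BaseRequestHandler):
    service = "mssql"  # label assumed for this example

    def handle(self):
        self.request.settimeout(5)          # do not let a peer hold the socket open
        try:
            data = self.request.recv(512)   # bounded read of the first packet only
        except OSError:                     # timeouts and resets both land here
            data = b""
        record_probe(self.service, self.client_address[0], data)
        # No reply is sent: the connection is logged and then closed.


if __name__ == "__main__":
    # Port 14330 is an arbitrary unprivileged port chosen for this example.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 14330), Sensor) as srv:
        srv.serve_forever()
```

Because the listener never answers, it records that a connection was attempted and from where, which is exactly the limit of a low-interaction sensor described above.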
The UK and China are data hubs of sorts, with a lot of data hosted for other countries. Perhaps that explains why these two countries saw the most MSSQL attacks. As for Ukraine and Russia, given their current conflict, the motivation to attack databases is hardly in doubt.
A trend quickly became apparent: the Microsoft SQL service was targeted strikingly often. Within the test period (4 months from 6 December 2022), more than 50 million login attempts took place at that service, which represented 93 per cent of all attacks. The result is so striking that Trustwave is still working on further research, due to be published later this month.
Trustwave characterises the attacks on MSSQL as “very intense”. The distribution of attacks was also very different from MySQL and Redis. In these two cases, the UK accounted for the majority of measured login attempts (54.72 per cent for MySQL and 59.97 per cent for Redis).
Rather unsurprisingly, Trustwave’s advice remains brief: it is important to protect databases properly. The well-known advice to use unique passwords and MFA on them, for instance, also applies.
It is also crucial to keep database security up to date with the help of vulnerability scanners. Trustwave cites its own AppDetectivePro, which is to be expected, of course, but not unjustifiably so.
It is particularly striking how different the picture is by database vendor. Oracle and IBM, for instance, saw far fewer access attempts in Trustwave’s honeypots. One suggestion is that this could be explained by the type of data stored there, or by attackers being less aware of any vulnerabilities. Either way, we are very curious as to what is so special about MSSQL, so to be continued.