Statistics Report on Malware Targeting MS-SQL in Q4 2023

Overview

The ASEC analysis team uses the AhnLab Smart Defense (ASD) infrastructure to categorize and respond to attacks on vulnerable MS-SQL servers. This report covers the current state of damage to MS-SQL servers that have become the target of attacks, based on the logs discovered in Q4 2023, and also presents statistics on the attacks launched against those servers. Furthermore, the malware used in each attack is categorized, with a summary of the statistical details. Malware is categorized by type, such as CoinMiner, Backdoor, Trojan, Ransomware, and HackTool, and detailed statistics are also given for known malware in each category.

During the fourth quarter of 2023, there were no significant differences in the major categories of malware used in attacks. However, there were several changes within each category. First, the PurpleFox attack, which had accounted for a high proportion of CoinMiner attacks, was not detected. Additionally, the proportion of Remcos RAT in the Backdoor category decreased significantly. On the other hand, attacks by the ShadowForce group increased, similar to the first quarter of 2023.

Statistics

1. Attacks Against MS-SQL Servers

The following statistics are based on the ASD logs for MS-SQL server targeted attacks confirmed during the fourth quarter of 2023.


Figure 1. Attacks against MS-SQL servers in Q4 2023 

The “Damage status” indicates the number of systems that have become targets of malware or threat actors; in other words, systems where the MS-SQL server has been confirmed as compromised to facilitate malware installation. Attacks that target servers include vulnerability attacks against environments that do not have the necessary security patches applied, attacks against inappropriately configured environments, and attacks against poorly managed servers. Improperly managed environments include those using account credentials vulnerable to brute force attacks or dictionary attacks. If a login succeeds on an inadequately managed system, the malware or threat actor can gain control over that system.

The “Attack status” shows the number of times threat actors or malware attacked the system. These vulnerable MS-SQL servers generally become the target of multiple threat actors and malware. Consequently, they tend to reveal infection logs from a variety of malware simultaneously.