Statistical Report on Malware Targeting MS-SQL Servers in Q4 2024
Overview
The AhnLab SEcurity intelligence Center (ASEC) analysis team uses the AhnLab Smart Defense (ASD) infrastructure to categorize and respond to attacks on vulnerable MS-SQL servers. This report will cover the current state of damage to MS-SQL servers that became attack targets based on the logs discovered in Q4 2024, and also discuss statistics on the attacks launched against said servers. Furthermore, malware used in each attack will be categorized with a summary of the statistical details. Malware strains are categorized by type such as CoinMiner, backdoor, Trojan, ransomware, and HackTool, and detailed statistics are also given for known malware strains in each category.
Statistics
1. Attacks Against MS-SQL Servers
The following statistics are based on the ASD logs for MS-SQL server targeted attacks confirmed during the fourth quarter of 2024.

Figure 1. Attacks against MS-SQL servers in Q4 2024
The ‘Damage status’ indicates the number of systems that have become targets of malware or threat actors, that is, systems where the MS-SQL server has been confirmed as compromised to facilitate malware installation. Attacks that target servers include vulnerability attacks against environments that do not have the necessary security patches applied, attacks against inappropriately set-up environments, and attacks against poorly managed servers. Inappropriately managed environments include those that use vulnerable account credentials, which are at risk of brute force or dictionary attacks. If a login succeeds on such an inadequately managed system, the malware or threat actor can gain control over it.
The ‘Attack status’ shows the number of times threat actors or malware attacked the system. For reference, these vulnerable MS-SQL servers generally become the target of multiple threat actors and malware, and consequently they tend to reveal infection logs from a variety of malware simultaneously.