You Got Your SQL Attacks In My Honeypot presented at grrcon 2017

by Andrew Brandt

Summary: Among the many automated attacks that target the honeypots hosted on my lab network, one of the most interesting in recent memory is also, now, among the most frequent: An automated, Mirai-like attempt to worm malware onto what the attackers clearly think is a Microsoft SQL server, using SQL commands in the tabular data stream (TDS) format. The attacks employ easily readable commands, some of which have been encoded into base64 to be used as stored procedures for, one might presume, more efficient attack delivery.
In this session, attendees will get a detailed walkthrough of the attack methods in use by the operator(s) of this campaign, including but not limited to analysis of malware the attacker attempts to deliver to a victim server. The attacker(s) appear to be using this method to infect server-grade hardware with a variety of malware including RATs and ransomware. The attackers also employ a number of dead-drop servers of their own, used for hosting malware payloads, and appear to validate connections to ensure the requests for the malware originate from a server and not from an analyst — but we’ve managed to get around that, too. Attendees will also learn what we’re able to determine about the network addresses from which the attacks appear to originate, using Symantec+Blue Coat’s network reputation data.
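As an added example (not code from the talk or its author): a small Python parser that pulls the T-SQL text out of a single TDS SQL Batch packet and decodes any base64 runs embedded in it, the kind of triage a honeypot operator would run over captured commands before reading them. It assumes a TDS 7.1-style body (UTF-16LE text, no ALL_HEADERS prefix), and the packet it processes is constructed here rather than taken from a real capture.

```python
import base64
import re
import struct

TDS_SQL_BATCH = 0x01    # TDS packet type: SQL Batch (plain T-SQL text)
TDS_STATUS_EOM = 0x01   # status bit: end of message
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")   # candidate base64 literals

def parse_tds_packet(pkt: bytes) -> dict:
    """Split one TDS packet into its 8-byte big-endian header fields and body."""
    if len(pkt) < 8:
        raise ValueError("TDS packet shorter than its 8-byte header")
    ptype, status, length, spid, pkt_id, _window = struct.unpack(">BBHHBB", pkt[:8])
    if length != len(pkt):
        raise ValueError(f"TDS length field {length} != {len(pkt)} captured bytes")
    return {"type": ptype, "status": status, "spid": spid, "packet_id": pkt_id, "body": pkt[8:]}

def sql_batch_text(pkt: bytes) -> str:
    """Return the T-SQL of a SQL Batch packet (assumes no ALL_HEADERS block, as in TDS 7.1)."""
    hdr = parse_tds_packet(pkt)
    if hdr["type"] != TDS_SQL_BATCH:
        raise ValueError(f"packet type 0x{hdr['type']:02x} is not a SQL Batch")
    return hdr["body"].decode("utf-16-le")

def decode_embedded_base64(sql: str) -> list:
    """Find base64 runs inside the query text; return those that decode to readable text."""
    decoded = []
    for m in _B64_RUN.finditer(sql):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue   # not base64, or binary content: leave it for manual review
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            decoded.append(text)
    return decoded

def triage(pkt: bytes) -> dict:
    """Honeypot-side view of one SQL Batch: the literal query plus its decoded base64."""
    sql = sql_batch_text(pkt)
    return {"sql": sql, "decoded_base64": decode_embedded_base64(sql)}

# --- constructed sample standing in for a packet the honeypot would capture ---
def build_sql_batch(sql: str) -> bytes:
    """Wrap T-SQL in a single-packet TDS SQL Batch (used only to fabricate the sample)."""
    body = sql.encode("utf-16-le")
    return struct.pack(">BBHHBB", TDS_SQL_BATCH, TDS_STATUS_EOM, 8 + len(body), 0, 1, 0) + body

SAMPLE_INNER = "SELECT @@version;"   # benign stand-in for whatever an attacker encodes
SAMPLE_SQL = ("DECLARE @b NVARCHAR(MAX) = '"
              + base64.b64encode(SAMPLE_INNER.encode()).decode() + "'; -- constructed sample")
SAMPLE_PACKET = build_sql_batch(SAMPLE_SQL)

if __name__ == "__main__":
    print(triage(SAMPLE_PACKET))
```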