You Got Your SQL Attacks In My Honeypot - Andrew Brandt GrrCON 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)

Among the many automated attacks that target the honeypots hosted on my lab network, one of the most interesting in recent memory is also, now, among the most frequent: an automated, Mirai-like attempt to worm malware onto what the attackers clearly think is a Microsoft SQL Server, using SQL commands in the Tabular Data Stream (TDS) format. The attacks employ easily readable commands, some of which have been encoded into base64 to be used as stored procedures for, one might presume, more efficient attack delivery. In this session, attendees will get a detailed walkthrough of the attack methods in use by the operator(s) of this campaign, including but not limited to analysis of the malware the attacker attempts to deliver to a victim server. The attacker(s) appear to be using this method to infect server-grade hardware with a variety of malware, including RATs and ransomware. The attackers also employ a number of dead-drop servers of their own, used for hosting malware payloads, and appear to validate connections to ensure the requests for the malware originate from a server and not from an analyst, but we've managed to get around that, too. Attendees will also learn what we're able to determine about the network addresses from which the attacks appear to originate, using Symantec+Blue Coat's network reputation data.
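As an added illustration of the triage a honeypot analyst would do on this traffic (my own code, not from the talk, the speaker, or Irongeek), the Python below parses a single TDS SQL Batch packet, pulls out the batch text, and reports any base64 tokens that decode to T-SQL. It assumes the MS-TDS header layout (8 bytes: type, status, big-endian length, SPID, packet id, window; type 0x01 for an SQL batch) and UCS-2LE batch text; the ALL_HEADERS skip and the keyword list are heuristics I chose, and the packet it inspects is constructed inline rather than captured from a real attack.

```python
"""Added example: decode a constructed TDS SQL Batch packet and surface
base64-encoded T-SQL hidden inside it. Not code from the talk or Irongeek."""
import base64
import binascii
import re
import struct

TDS_SQL_BATCH = 0x01   # MS-TDS packet type for an SQL batch
TDS_HEADER_LEN = 8     # Type, Status, Length (BE16), SPID (BE16), PacketID, Window

# Assumed keyword list: a decoded blob containing any of these is reported as T-SQL.
TSQL_MARKERS = ("CREATE PROCEDURE", "EXEC", "DECLARE", "INSERT", "SELECT")

# Base64 alphabet runs of 24+ characters with optional padding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def parse_tds_packet(packet: bytes):
    """Return (packet_type, payload) for one TDS packet; raise on malformed input."""
    if len(packet) < TDS_HEADER_LEN:
        raise ValueError("short TDS packet")
    ptype, _status, length, _spid, _pkt_id, _window = struct.unpack(
        ">BBHHBB", packet[:TDS_HEADER_LEN])
    if length != len(packet):
        raise ValueError(f"TDS length field {length} != packet size {len(packet)}")
    return ptype, packet[TDS_HEADER_LEN:]


def extract_sql_batch_text(payload: bytes) -> str:
    """SQL Batch payload is UCS-2LE text. TDS 7.2+ prefixes an ALL_HEADERS block
    whose first DWORD is its total length; skip it when present. Heuristic: a
    small little-endian DWORD cannot be the first two UCS-2 characters of text."""
    if len(payload) >= 4:
        total = struct.unpack("<I", payload[:4])[0]
        if 4 <= total < len(payload):
            payload = payload[total:]
    return payload.decode("utf-16-le", errors="replace")


def find_encoded_tsql(sql_text: str):
    """Decode base64 tokens found in the batch and return those that look like T-SQL."""
    hits = []
    for token in _B64_TOKEN.findall(sql_text):
        try:
            raw = base64.b64decode(token, validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid base64 (bad padding etc.)
        for enc in ("utf-8", "utf-16-le"):
            try:
                decoded = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if any(marker in decoded.upper() for marker in TSQL_MARKERS):
                hits.append(decoded)
                break
    return hits


def build_packet(sql: str, packet_type: int = TDS_SQL_BATCH) -> bytes:
    """Build a single TDS packet carrying `sql` as UCS-2LE (constructed test data)."""
    body = sql.encode("utf-16-le")
    header = struct.pack(">BBHHBB", packet_type, 0x01,  # status 0x01 = end of message
                         TDS_HEADER_LEN + len(body), 0, 1, 0)
    return header + body


def build_sample_packet() -> bytes:
    """Constructed sample, not captured traffic: a batch that stores a
    base64-encoded CREATE PROCEDURE in a variable for later server-side decoding."""
    inner = "CREATE PROCEDURE dbo.sample_proc AS SELECT 1"
    blob = base64.b64encode(inner.encode()).decode()
    return build_packet(f"DECLARE @p NVARCHAR(MAX); SET @p = '{blob}';")


def triage(packet: bytes):
    """Return decoded T-SQL blobs hidden in an SQL Batch packet, [] for other types."""
    ptype, payload = parse_tds_packet(packet)
    if ptype != TDS_SQL_BATCH:
        return []
    return find_encoded_tsql(extract_sql_batch_text(payload))


if __name__ == "__main__":
    for hit in triage(build_sample_packet()):
        print("base64-wrapped T-SQL:", hit)
```

On a real sensor the same routine would run over each packet a honeypot logs on port 1433 after the pre-login/login exchange; multi-packet batches need the payloads concatenated in packet-id order before decoding, which this single-packet example does not do.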

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast