Recently, the Guardicore Labs team released an analysis report on a long-running attack campaign that mainly targets Windows systems running MS-SQL services. According to the report, the attacks have been ongoing since at least May 2018. The attackers brute-force the target's MS-SQL login; after logging in successfully, they deploy backdoors and run malicious programs such as remote-control tools on the system. Guardicore named this series of attacks the Vollgar campaign.
Brute-forcing an account login and then implanting malicious programs is a very common attack method, but the report states that 2,000 to 3,000 databases are still being compromised by Vollgar attacks every day. The affected systems are located in countries including Turkey, the United States, China, India, and South Korea, and the affected industries span many fields such as healthcare, aviation, IT, telecommunications, and education.
Guardicore Labs provides a PowerShell self-examination script, detect_vollgar.ps1, that detects traces of the campaign's attacks on the local host. It checks the following:
- Payload files in various file-system locations
- Services and scheduled task names
- Backdoor usernames
If the machine has any such residue, the output will contain the sentence "Evidence for Vollgar campaign has been found on this host."
In that case, you should:
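The following host self-check is an added example that mirrors the three residue classes described above; it is not Guardicore's detect_vollgar.ps1, and every indicator value in it is a labelled placeholder to be replaced with the indicators published in the Guardicore Labs report:

```powershell
# Added example, not the Guardicore Labs script. Looks for the three classes of
# residue the report's script covers: payload files, service/scheduled-task
# names, and backdoor local accounts.
# All indicator values are PLACEHOLDERS (assumed, not from the report).
$SuspectPaths    = @('C:\PLACEHOLDER\payload.exe', "$env:TEMP\PLACEHOLDER.ps1")
$SuspectSvcTasks = @('PLACEHOLDER_SERVICE', 'PLACEHOLDER_TASK')
$SuspectUsers    = @('PLACEHOLDER_USER')

function Find-VollgarResidue {
    $findings = @()

    # 1. Payload files in known drop locations
    foreach ($p in $SuspectPaths) {
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }

    # 2. Services and scheduled tasks with attacker-chosen names
    # (-contains is case-insensitive; a $null list simply matches nothing)
    $services = Get-Service -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty TaskName
    foreach ($n in $SuspectSvcTasks) {
        if ($services -contains $n) { $findings += "Service present: $n" }
        if ($tasks -contains $n)    { $findings += "Scheduled task present: $n" }
    }

    # 3. Backdoor local accounts
    $users = Get-LocalUser -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    foreach ($u in $SuspectUsers) {
        if ($users -contains $u) { $findings += "Local user present: $u" }
    }

    return $findings
}

$findings = Find-VollgarResidue
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output $_ }
    Write-Output 'Evidence for Vollgar campaign has been found on this host.'
} else {
    Write-Output 'No Vollgar residue found on this host.'
}
```

Run it in an elevated PowerShell session so that service, scheduled-task and local-user enumeration is complete; each finding names the path, service, task or account to remove.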
- remove traces of the attack from the paths specified in the output
- terminate the malicious processes
- contact Guardicore Labs