Guardicore experts discovered the Vollgar mining botnet, which bruteforced Microsoft SQL databases to take control of the administrator account, seize the server and install Monero and Vollar cryptocurrency miners on it.
The researchers report that the threat has been active at least since May 2018 and is currently infecting approximately 2,000-3,000 new databases per day.Bruteforce attacks on the MSSQL database use more than 120 IP addresses, most of them located in China. Allegedly, attackers use previously compromised machines to search for and infect new victims. Some of them participated only in a few incidents, while a number of other IP addresses were active for more than three months”, – write the researchers.
Vollgar demonstrates constant “turnover”: the botnet loses servers daily and immediately adds new ones. According to Guardicore, more than 60% of all hacked MSSQL servers remain infected by Vollgar and mining malware for short time (up to two days on average). Only 20% of infected systems remain infected for a week or more.
About 10% of victims suffer from repeated barriers. This usually happens because administrators do not remove all the components of the malware properly, leaving the opportunity to reinstall it”, – tell Guardicore experts.
The company’s specialists note that currently there is about 30 mining botnets operating on the Internet. Every day, they control thousands or even tens of thousands of cars around the world. Most of them are not tied to specific technologies, like Vollgar to MSSQL. So, the Top 5 most scanned ports and protocols include SSH, SMB, FTP, HTTP and MS-SQL.
Most of these botnets are still focused on mining Monero cryptocurrency. However, mining Monero is gradually becoming more difficult, especially after a series of scandals with this cryptocurrency, so hack groups are gradually moving to less well-known coins, such as Vollar (Vollgar botnet) or TurtleCoin (Nansh0u botnet).
Recommendations from Guardicore:
The majority of attack campaigns, and including the Vollgar, involve network communication to CNC servers. Outgoing communications to such destinations can and should be blocked.
If infected, we highly recommend to immediately quarantine the infected machine and prevent it from accessing other assets in the network. It is also important to change all your MS-SQL user account passwords to strong passwords, to avoid being reinfected by this or other brute force attacks.
Additionally, to help victims cope with the Vollgar problem, Guardicore specialists created a special repository on GitHub where they placed scripts to detect files and backdoor accounts created by Vollgar.
