Security News > 2020 > April > Cyberscum target Microsoft SQL Server boxen – and some careless sysadmins were reinfected after cleaning it out
"The Vollgar attack chain also demonstrates the competitive nature of the attacker, who diligently and thoroughly kills other threat actors' processes," the firm said in a statement.
Lead researcher Ophir Harpaz said in a research report: "Overall, Vollgar attacks originated in more than 120 IP addresses, the vast majority of which are in China. These are most likely compromised machines, repurposed to scan and infect new victims."
Worse, around 10 per cent of the machines observed by Harpaz and her team were reinfected by Vollgar's operators - suggesting sysadmins may not be taking routine infosec hygiene as seriously as they perhaps ought to be.
Vollgar's two main attack methods are planting cryptominers to create virtual currency through stealing compute resources, and planting remote-access tools.
Guardicore Labs is also providing a free Powershell detection script aiding detection of Vollgar's tracks on infected machines, the outfit said.
News URL
Related news
- Microsoft confirms Windows Server issue behind domain controller crashes (source)
- Microsoft releases emergency fix for Windows Server crashes (source)
- Microsoft confirms memory leak in March Windows Server security update (source)
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- Germany warns of 17K vulnerable Microsoft Exchange servers exposed online (source)
- These 17,000 unpatched Microsoft Exchange servers are a ticking time bomb (source)