Tencent Security has released a report (written in Chinese) describing a new malware attack by the name of “MrbMiner” on SQL Server instances exposed to the Internet with passwords that can be brute-forced.
According to the report it installs an application written in C# by the name of assm.exe, which communicates with a command-and-control server to download a digital coin mining tool, which may be disguised as various Windows system services. The malware uses several techniques to ensure that it sticks around.
If you run a SQL Server instance (including development and test environments), please be on the lookout for a user by the name of “Default” with the password “@fg125kjnhn987”. This will be confirmation that your instance is compromised and that you need to remove the malware, fix your security, and possibly restore from a backup that was taken before the infection occurred.
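As an added example (not from the original post or the Tencent report), here is a T-SQL check for that indicator, to be run on the instance by a sysadmin. It uses the built-in PWDCOMPARE function to test the known password against each stored login hash, so it also flags the same password reused under a login name other than “Default”.

```sql
-- Added detection query for the MrbMiner indicator described above.
-- Assumes SQL Server 2005+ and VIEW ANY DEFINITION / sysadmin rights;
-- PWDCOMPARE returns 1 when the clear-text password matches the hash.
DECLARE @known_pw NVARCHAR(128) = N'@fg125kjnhn987';  -- password from the report

SELECT  l.name,
        l.create_date,
        l.modify_date,
        l.is_disabled,
        IS_SRVROLEMEMBER('sysadmin', l.name)          AS is_sysadmin,
        CASE WHEN l.name = N'Default'                  THEN 1 ELSE 0 END AS name_matches,
        CASE WHEN PWDCOMPARE(@known_pw, l.password_hash) = 1 THEN 1 ELSE 0 END AS password_matches
FROM    sys.sql_logins AS l
WHERE   l.name = N'Default'
   OR   PWDCOMPARE(@known_pw, l.password_hash) = 1;
-- Any row returned is a compromise indicator; an empty result set is the expected clean state.
```

If a row comes back, treat the instance as compromised and follow the remediation steps above rather than just dropping the login.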
More importantly you should remove public access to your SQL Server environment (again, this includes development and testing environments). If you need to connect to a remote SQL Server instance for any reason, use a jump box, a VPN, or an SSH tunnel.
Leave your thoughts in the comments below.