A new piece of malware created by the Chinese-backed Winnti Group has been discovered by researchers at ESET while being used to gain persistence on Microsoft SQL Server (MSSQL) servers.
The new backdoor, named skip-2.0, is used by the attackers to backdoor MSSQL 11 and 12 servers. It allows them to connect to any account on the server using a "magic" password, and at the same time hides their activity from the server's security logs.
“This allows the attacker not only to gain persistence in MSSQL Server through the use of a special password, but also to remain undetected thanks to the multiple log and event publishing mechanisms that are disabled when that password is used,” says ESET researcher Mathieu Tartare.
Winnti Group's arsenal is growing
Winnti Group is the name used for Chinese state-backed hacking groups that share the same malicious tools, which have been in use since around 2011.
After examining the new backdoor, ESET's researchers also found that skip-2.0 shares code with other Winnti Group malware, including PortReuse, a Windows backdoor that the Winnti hackers used in an attack targeting the servers of a high-profile Asian mobile software and hardware manufacturer.
Attacks on MSSQL Server 11 and 12
Once an MSSQL server has been compromised, the skip-2.0 backdoor injects its code into the sqlserv.exe process via sqllang.dll and hooks multiple functions used for logging and authentication.
“Testing skip-2.0 against multiple MSSQL Server versions, we were able to log in successfully using the special password only with MSSQL Server 11 and 12,” Tartare adds.
“Administrative privileges are required for installing the hooks, so skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness.”
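As an added defender-side example (not ESET's code or the article's), the PowerShell check below enumerates the modules loaded inside the SQL Server engine process described above and flags any that are unsigned, not signed by Microsoft, or loaded from outside the expected directories, since in-process hooking of sqllang.dll requires a foreign module to be present in that process. The allowed-root list and the Microsoft-signer match are my assumptions and should be adjusted to the host.

```powershell
# Added example: flag unexpected modules inside the SQL Server engine process.
# skip-2.0 injects into the engine process (sqlservr.exe; the article spells it
# sqlserv.exe) and hooks sqllang.dll, so a module that is unsigned, not signed by
# Microsoft, or loaded from an unusual path is the host-side signal to look for.
$allowedRoots = @(                                  # assumed legitimate load roots
    "$env:ProgramFiles\Microsoft SQL Server",
    "${env:ProgramFiles(x86)}\Microsoft SQL Server",
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\WinSxS",
    "$env:SystemRoot\assembly",
    "$env:SystemRoot\Microsoft.NET"
)

function Test-SqlServerModules {
    # Requires administrator rights to read another process's module list.
    $engines = Get-Process -Name sqlservr -ErrorAction SilentlyContinue
    if (-not $engines) { Write-Warning 'No sqlservr.exe process found'; return }

    foreach ($proc in $engines) {
        foreach ($mod in $proc.Modules) {
            $path = $mod.FileName
            $findings = @()

            # 1. Module loaded from outside the expected install/system directories.
            $inAllowedRoot = $allowedRoots | Where-Object { $path -like "$_\*" }
            if (-not $inAllowedRoot) { $findings += 'unexpected load path' }

            # 2. Authenticode signature missing, broken, or not issued to Microsoft.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $findings += "signature $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $findings += "signer: $($sig.SignerCertificate.Subject)"
            }

            if ($findings.Count -gt 0) {
                [pscustomobject]@{
                    Pid     = $proc.Id
                    Module  = $mod.ModuleName
                    Path    = $path
                    Finding = ($findings -join '; ')
                }
            }
        }
    }
}

Test-SqlServerModules | Format-Table -AutoSize
```

Treat each row as a lead rather than a verdict: legitimate extended stored procedure DLLs and endpoint-security modules also load into the engine process and will appear here until added to the allowed roots.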
Keep following us for more updates #TeamBugNResearch.