{"id":25429,"date":"2022-10-07T00:58:07","date_gmt":"2022-10-07T00:58:07","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=25429"},"modified":"2022-10-07T00:58:10","modified_gmt":"2022-10-07T00:58:10","slug":"mssql-backdoor-maggie","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/mssql-backdoor-maggie\/","title":{"rendered":"New MSSQL Backdoor ‘Maggie’ Infects Hundreds of Servers Worldwide"},"content":{"rendered":"\n

DCSO CyTec researchers Johann Aydinbas and Axel Wauer are warning of new backdoor malware<\/a> they\u2019re calling “Maggie,” which targets Microsoft SQL servers. Maggie, the researchers say, has already affected at least 285 servers in 42 countries, with a particular focus on South Korea, India, Vietnam, China, and Taiwan.<\/p>\n\n\n\n

The malware offers a wide range of functionality, including the ability to change file permissions, run commands, and act as a network bridge into the infected server. \u201cIn addition, the backdoor has capabilities to bruteforce logins to other MSSQL servers while adding a special hardcoded backdoor user in the case of successfully bruteforcing admin logins,\u201d the researchers wrote in a blog post<\/a> earlier this week.<\/p>\n\n\n\n

The DLL file, which offers a single export called maggie <\/em>(hence DCSO\u2019s name for the malware), is an Extended Stored Procedure (ESP) designed to fetch user-supplied arguments and return unstructured data. \u201cMaggie<\/em> utilizes this message-passing interface to implement a fully functional backdoor controlled only using SQL queries,\u201d the researchers wrote.<\/p>\n\n\n\n

While it\u2019s unclear how an attack with the malware is performed in the real world, Aydinbas and Wauer said the attacker has to have valid credentials to load it into the server.<\/p>\n\n\n\n

See the Top Database Security Solutions<\/a><\/p>\n\n\n\n

TCP Redirection<\/strong><\/h2>\n\n\n\n

Maggie\u2019s functionality includes simple TCP redirection. \u201cWhen enabled, Maggie<\/em> redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask,\u201d the researchers wrote. \u201cThe implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP is able to use the server without any interference or knowledge of Maggie<\/em>.\u201d<\/p>\n\n\n\n

Aydinbas and Wauer also noted that Maggie<\/em>\u2019s command list includes four that suggest exploit usage: Exploit AddUser, Exploit Run, Exploit Clone, <\/em>and Exploit TS<\/em>. \u201cIt appears that the actual implementation of all four exploit commands depends on a DLL not included with Maggie <\/em>directly,\u201d they wrote. \u201cInstead, the caller provides a DLL name as well as an additional parameter when calling each function. We therefore assume the caller manually uploads the exploit DLL prior to issuing any exploit commands.\u201d<\/p>\n\n\n\n

Still, the researchers weren\u2019t able to uncover any potential exploit DLLs that Maggie <\/em>might be referencing in order to do so.<\/p>\n\n\n\n

Also read: 7 Database Security Best Practices<\/a><\/p>\n\n\n\n

Top China-Exploited Vulnerabilities Revealed<\/strong><\/h2>\n\n\n\n

It’s been quite a week for Microsoft vulnerabilities. In addition to Maggie and ProxyNotShell<\/a>, four Microsoft vulnerabilities – including well-known ones like ProxyLogon – made a list<\/a> of the 19 vulnerabilities most exploited by China state-sponsored hackers. The U.S. cybersecurity agencies list includes other well-known vulnerabilities like Log4j<\/a>. ProxyLogon also figured prominently in a 2021 defense organization hack revealed<\/a> this week.<\/p>\n\n\n\n

For organizations struggling with patch management, lists like these and CISA’s Known Exploited Vulnerabilities<\/a> are very good places to focus patching efforts.<\/p>\n\n\n\n

Read next: The Best Patch Management Software & Tools for 2022<\/a><\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n