Research field: Databases
Conference: 2024 15th International Conference on Computing Communication and Networking Technologies (ICCCNT)
This research investigates a novel attack technique employed by cybercriminals to compromise Microsoft SQL (MS SQL) servers. The attackers leverage the functionality of MS SQL Common Language Runtime (CLR) assemblies to establish persistent backdoors on targeted systems. Given the elevated privileges and trusted status of MS SQL servers, traditional security measures often fail to detect such intrusions. This work explores the attack methodology, detailing the exploitation of SQL CLR assemblies for crafting malicious backdoors. The attackers employ a multi-stage approach that includes brute-forcing publicly accessible SQL servers, creating backdoor user accounts, and deploying custom-designed CLR assemblies. These CLR assemblies are subsequently executed via SQL stored procedures or functions, granting the attackers comprehensive control over the compromised server. The research further explores post-exploitation activities conducted by the attackers, which include, but are not limited to, cyber espionage, ransomware deployment and crypto-currency mining. Additionally, it proposes comprehensive mitigation strategies to safeguard MS SQL servers against this emerging attack vector. By highlighting this novel technique and emphasizing the importance of securing exposed database instances, this work contributes to a more robust defence posture against evolving cyber threats.
| Publication year | 2024 |
|---|---|
| Citations | 39 |
| Country of publication | India |
| Site | IEEE |