Researchers find stealthy MSSQL server backdoor developed by Chinese cyberspies

Chinese cyberspies have developed malware that alters Microsoft SQL Server (MSSQL) databases and creates a backdoor mechanism that can let hackers connect to any account by using a “magic password.”

Furthermore, as an added benefit, the backdoor also hides user sessions inside the database’s connection logs every time the “magic password” is used, helping hackers remain undetected even when administrators may suspect something is wrong.

ONLY WORKS WITH MSSQL 12 SERVERS

In a report published today, ESET said hackers deployed the backdoor as a post-infection tool, after compromising networks through other methods.

Named “skip-2.0,” ESET said the backdoor modified MSSQL functions that handle authentication. The idea is to create a “magic password.” If the “magic password” is entered inside any user authentication session, the user is automatically granted access, while normal logging and audit functions are prevented from executing, effectively creating a ghost session inside the server.

According to ESET, skip-2.0 only works with MSSQL 12 servers.

“Even though MSSQL Server 12 is not the most recent version (released in 2014), it is the most commonly
used one according to Censys’ data,” researchers said.

PART OF THE WINNTI/APT41 ARSENAL

The backdoor has been linked to “the Winnti Group,” a generic name ESET uses to describe Chinese state-sponsored hackers.

ESET said the skip-2.0 code contained clues that linked it to other Winnti hacking tools, such as the PortReuse and ShadowPad backdoors.

PortReuse is an IIS server backdoor that ESET found on the compromised networks of hardware and software vendors across South Asia earlier this year.

ShadowPad is a Windows backdoor trojan that was first seen injected inside apps manufactured by South Korean software maker NetSarang after Chinese hackers breached its infrastructure back in mid-2017.

“Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness,” ESET researchers said.

However, the ESET team notes that once this hurdle is passed, skip-2.0 can be one of the most powerful tools in Winnti’s arsenal.

“Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain. In-game currency database manipulations by Winnti operators have already been reported,” ESET researchers said, referring to a string of hacks at gaming companies reported earlier this year, and which FireEye later linked to a group known as APT41.