HomeWinBuzzer NewsMicrosoft SQL Server China-Backed Exploit Can Gain Account Access Without Detection

Microsoft SQL Server China-Backed Exploit Can Gain Account Access Without Detection

Researchers says a new malware attack is targeting Microsoft SQL Server and can be undetected by users during exploit.


Security researchers have disclosed a malware that can change (MSSQL) databases to give attackers access to accounts. According to the research, the malware has been created by Chinese bad actors. With the SQL Server exploit, attackers can instigate a backdoor into accounts through a “magic password”.

With this backdoor access, hackers would be able to hide their presence without MSSQL's connection logs. Even if admins know somethings is not right, they will not be able to detect the magic password attack.

“Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness,” ESET researchers said.

Researchers for ESET said attacks that use the backdoor are implemented through a post-infection tool. However, hackers need to compromise a network through other means to start the malware attack.

ESET names the exploit “skip-2.0” and describes it has a modified SQL Server function for authentication. The magic password can be used in any user sessions and allows the bad actor to gain automatic access to an account.

MSSQL versions 12 and 11 servers are affected.

“Even though MSSQL Server 12 is not the most recent version (released in 2014), it is the most commonly used one according to Censys' data,” researchers said.

China Linked

ESET says the backdoor was likely created by “the Winnti Group” which is a state-sponsored cybercrime groups based in China. This link comes from similarities between skip-2.0 code and other Winnti created attacks, such as ShadowPad.

With its ability to remain undetected, skip-2.0 is arguably the most potent attack Winnti has created.

“Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain. In-game currency database manipulations by Winnti operators have already been reported.”

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News