Security researchers have discovered the Chinese hacking group “Winnti” using a new malware named “Skip-2.0” to gain access to Microsoft SQL (MSSQL) Servers. The Winnti group is reported to have been active since 2012 and is held responsible for high-profile attacks against gaming studios and IT companies.
According to the IT security firm ESET, Skip-2.0, once installed in memory, provides attackers with a “magic password” that lets them log in to any account on MSSQL Server versions 11 or 12.
Once installed, the attackers can copy, alter or delete a database’s content. However, ESET stresses that Skip-2.0 is a post-exploitation tool: an MSSQL server must already be compromised, with the attackers holding administrative access, before the backdoor can be deployed. ESET also found multiple similarities between Skip-2.0 and the PortReuse backdoor, another tool used by the Winnti group.
“We received a sample of this new backdoor called skip-2.0 by its authors and part of the Winnti Group’s arsenal. This backdoor targets MSSQL Server 11 and 12, allowing the attacker to connect stealthily to any MSSQL account by using a magic password – while automatically hiding these connections from the logs. Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain,” ESET said in a statement.
“In-game currency database manipulations by Winnti operators have already been reported. To the best of our knowledge, skip-2.0 is the first MSSQL Server backdoor to be documented publicly. Note that even though MSSQL Server 11 and 12 are not the most recent versions (released in 2012 and 2014, respectively), they are the most commonly used ones according to Censys’s data,” ESET added.
Separate research from ESET recently uncovered activity by the Russia-based hacking group “Cozy Bear”, the group behind the 2016 U.S. Presidential election hack. ESET found that the group has been operating under the radar, targeting foreign ministries in Europe.
Cozy Bear, also known as APT29, is believed to be linked to the Russian intelligence service and to the Russian military hacking group Fancy Bear, which was involved in high-profile attacks between 2014 and 2017.
The researchers stated that the group continued its malicious activities while staying under the radar. Cozy Bear recently targeted the ministries of foreign affairs of three European countries, as well as the Washington, DC embassy of a European Union country.