Why is China all up in my SQL server?

Presented at BSidesLV 2017, July 26, 2017, 10 a.m. (55 minutes)

Starting early in 2017, the honeypots I run in my lab began to receive a strangely large volume of inbound SQL connections from all over Asia, but mainly from China. Fortunately, I am recording the traffic of virtually everything that hits my dirty network, and discovered that the attacks appear to be automated, run at high volumes, and engage in a sophisticated and complex attempt to break into Microsoft SQL Server. In this presentation, I will provide a full walkthrough of the attack, detailing the methods in use and countermeasures you can employ to protect your server. I'll also provide historical and reputational context about the attackers' originating IP addresses and the other dirty stuff coming from those addresses. And let me tell you, it's pretty dirty.

Presenters:

• Andrew Brandt / Spike - Director of Threat Research - Symantec   as Andrew Brandt
  Andrew Brandt is a network forensics and incident response nerd who loves running malware just to watch machines die. In his spare time he builds retro videogame platforms and rides mountain bikes, preferably in the dead of night. If you meet in person, talk to him about new music.

Links:

• https://bsideslv2017.sched.com/event/BNFB/why-is-china-all-up-in-my-sql-server

Similar Presentations:

• DerbyCon 6.0 Recharge (2016) / SQL Server Hacking on Scale using PowerShell
• THOTCON 0x8 (2017) / SQL Server Hacking on Scale using PowerShell
• ToorCon: Seattle 2013 / The 20-minute simple SQL rootkit