How Poor Passwords Turned 50,000 Servers Into Cryptocurrency Miners

Shimrit Tzur-David | June 26, 2019

In May, researchers from security firm Guardicore uncovered a massive campaign by Chinese hackers to break into online Windows servers and to infect them with cryptocurrency miners. Cryptominers are special malware that hijack the resources of the infected machine to solve complicated mathematical equations and collect cryptocurrency rewards.

As explained by the security researchers, the hackers used sophisticated techniques along the way. They downloaded their malicious payload through a hidden and unpatched security vulnerability in Windows Server. They used a special rootkit to protect their malware against antivirus tools and other endpoint security solutions. They tricked an official certificate authority to digitally sign their malware so they could disguise it as a legitimate software.

But the one thing that gave them access to all those servers in the first place was weak passwords.

Brute-forcing MS SQL Server’s administrator account

To carry out their attack, the hackers scanned the internet for Windows machines running Microsoft SQL Server, a popular database application. Once they found the servers, they used a brute-force dictionary attack to find SQL Server machines that had set weak passwords on their administrator account.

In the default installation of SQL Server, the administrator account (usually named “sa”) not only has administrative access to the database server, but also has full system access to the entire operating system. This means that anyone who gains remote access to the database administrator account can in fact do anything on the server, including opening up network ports, downloading files and executing scripts. 

Yes. I know. It sounds absurd for a server administrator to protect such a critical account with a weak password. But as the cryptocurrency mining campaign has shown, there were at least 50,000 servers whose owners didn’t think they should choose a strong password for their database administrator account.

But the episode also reminds us of a more biting truth: It’s 2019, and password hacks are nothing secret. There is virtually no one who hasn’t heard of at least one of the many data breaches in which the attackers leveraged poor passwords on targeted accounts. There are thousands of articles that advise you on choosing strong complex passwords, changing your passwords regularly, not reusing passwords, etc.

But people are still making poor choices and prioritizing convenience over security when setting passwords for their most sensitive accounts. And we’re not just talking about your average consumer. These are server administrators who should know better.

This brings us to a conclusion that we’ve reiterated in these pages time and again: A secure password is one that doesn’t exist.

Going passwordless with SQL Server

Interestingly, the administrators of the servers that fell victim to the cryptominer malware could have easily adopted a password-less approach to securing their SQL Server installation and prevented their machines from wasting their resources to fill the pockets of cybercriminals.

As a Microsoft product, SQL Server supports “Windows Authentication” mode, which enables applications and users to access databases and the server through their Windows user accounts instead of providing separate usernames and passwords. Windows Authentication mode also works with Active Directory, Microsoft’s LDAP-based directory service, which means that if the server is part of a corporate network, SQL Server’s user access can be administered through AD.

When Windows authentication is enabled, a remote agent will need to first authenticate itself with the machine’s Windows system, which is much harder to compromise than the classic plain username/password authentication mode. 
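The following T-SQL audit script is an added example, not part of the original article or of any vendor product. It checks the three settings the incident above hinged on (Mixed Mode authentication, an enabled “sa” login, and OS command execution via xp_cmdshell), lists failed “sa” logins from the current error log so a brute-force run is visible, and applies the hardening steps that T-SQL alone can perform.

```sql
-- Run as a sysadmin in SSMS or sqlcmd. Added audit/hardening script;
-- not code from the article or from Secret Double Octopus.

-- 1. Authentication mode: 1 = Windows Authentication only (what the
--    article recommends), 0 = Mixed Mode, meaning SQL logins such as
--    'sa' are accepted and can be guessed over the network.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Is the built-in 'sa' login (always SID 0x01, even if renamed)
--    still enabled? An enabled 'sa' with a weak password in Mixed Mode
--    is exactly what the campaign brute-forced.
SELECT name, is_disabled, modify_date
FROM sys.server_principals
WHERE sid = 0x01;

-- 3. xp_cmdshell is the usual path from a database login to shell
--    commands on the host (the "full system access" described above).
--    value_in_use should be 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 4. Failed login attempts against 'sa' in the current error log.
--    Arguments: log number (0 = current), log type (1 = SQL Server),
--    two search strings that must both match. Failed logins are
--    written to the error log under the default audit level, so a
--    dictionary attack shows up here as a burst of these lines.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', N'sa';

-- Hardening: disable 'sa' and turn off xp_cmdshell. Switching the
-- instance to Windows-only authentication is not a T-SQL operation;
-- set it in SSMS under Server Properties > Security and restart the
-- service, then re-run check 1 to confirm it reports 1.
ALTER LOGIN sa DISABLE;
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Disabling “sa” does not lock out administrators who connect through Windows Authentication; the sysadmin role should be held by an AD group instead.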

But the added benefit of integrating MS SQL Server with Active Directory (AD) is that you can actually remove passwords. Microsoft is among the leading tech giants that understands the need to eliminate passwords and has added support for passwordless authentication to recent versions of its Active Directory service. 

Active Directory also supports integration with third-party passwordless authentications. This helps companies find versatile solutions that meet the specific needs of their businesses. A misconfiguration caused 50,000 servers to fall victim to cryptominers. A smart and easy-to-use passwordless solution can save hundreds of thousands against similar attacks.

Integrating Secret Double Octopus with Active Directory

Secret Double Octopus was founded with the vision that all online services should have access to secure, easy-to-deploy and easy-to-use passwordless authentication. Secret Double Octopus’s flagship passwordless authentication technology integrates with several popular LDAP services, including Microsoft Active Directory.

After you install Secret Double Octopus on your Active Directory server, users no longer need to enter their passwords when logging into their corporate Windows account. Instead, they use their mobile device and the Octopus Authenticator app to approve an authentication request. The Octopus Authenticator uses unbreakable cryptography to verify the identity of the user on-device in a way that is totally immune to known cyberattacks such as man-in-the-middle (MitM) and phishing. The authentication process takes place on multiple channels, including on-device (biometric authentication and PIN) and in the Octopus server, which makes it virtually impossible to spoof logins and forge identities. 

The direct result of using a passwordless authentication solution such as Secret Double Octopus is something that was thought impossible until not long ago: an authentication experience that is both secure and easy to use.

Password-less authentication provides SQL Server administrators with a seamless experience. With a single, secure logon to their enterprise AD account, they will be able to access and manage their database server without going through the cumbersome process of separate logins and handling various usernames/passwords.

At the same time, the system provides infrangible protection against password hacks and brute-force dictionary attacks, which again translates to overall efficiency and less clutter for the enterprise’s security team and reduced IT costs for the organization.

As the SQL Server cryptominer episode reminded us once again, password hacks are not going away. So every password removed from your system is one less vector of attack for cybercriminals.