With this backdoor access, hackers would be able to hide their presence without MSSQL’s connection logs. Even if admins know somethings is not right, they will not be able to detect the magic password attack. “Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness,” ESET researchers said. Researchers for ESET said attacks that use the backdoor are implemented through a post-infection tool. However, hackers need to compromise a network through other means to start the malware attack. ESET names the exploit “skip-2.0” and describes it has a modified SQL Server function for authentication. The magic password can be used in any user sessions and allows the bad actor to gain automatic access to an account. MSSQL versions 12 and 11 servers are affected. “Even though MSSQL Server 12 is not the most recent version (released in 2014), it is the most commonly used one according to Censys’ data,” researchers said.
China Linked
ESET says the backdoor was likely created by “the Winnti Group” which is a state-sponsored cybercrime groups based in China. This link comes from similarities between skip-2.0 code and other Winnti created attacks, such as ShadowPad. With its ability to remain undetected, skip-2.0 is arguably the most potent attack Winnti has created. “Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain. In-game currency database manipulations by Winnti operators have already been reported.”