Guardicore researchers have uncovered Vollgar, a cryptomining botnet that brute-forces Internet-exposed Microsoft SQL Server instances to take over the administrator account, seize the host and install Monero and Vollar cryptocurrency miners on it.
The researchers report that the threat has been active since at least May 2018 and is currently infecting approximately 2,000-3,000 new databases per day.
The researchers write that the brute-force attacks on MSSQL servers originate from more than 120 IP addresses, most of them located in China. Guardicore believes the attackers use previously compromised machines to scan for and infect new victims. Some of these addresses took part in only a few incidents, while others stayed active for more than three months.
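The brute-force phase described above leaves a trail in the SQL Server error log, where failed logins are recorded by default together with the source address. The following T-SQL is an added example written for this page, not Guardicore's tooling or anything from the report: it reads the current error log with the documented `xp_readerrorlog` procedure, pulls the login name and client IP out of each "Login failed" line, and aggregates by source so that password guessing against `sa` (or any other login) stands out. The threshold of 50 attempts is an assumption to tune per environment.

```sql
-- Added example: hunt for MSSQL password guessing in the SQL Server error log.
-- Assumes the default login-auditing setting ("Failed logins only"), under which
-- SQL Server writes lines such as:
--   Login failed for user 'sa'. Reason: Password did not match that for the
--   login provided. [CLIENT: 203.0.113.5]
IF OBJECT_ID('tempdb..#errlog') IS NOT NULL DROP TABLE #errlog;
CREATE TABLE #errlog (
    LogDate     DATETIME,
    ProcessInfo NVARCHAR(64),
    [Text]      NVARCHAR(MAX)
);

-- xp_readerrorlog arguments: log number (0 = current log), log type
-- (1 = SQL Server error log), and two strings that must both appear in a line.
INSERT INTO #errlog
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', N'CLIENT:';

WITH parsed AS (
    SELECT
        LogDate,
        -- text between the first pair of single quotes is the login name
        SUBSTRING([Text], a.q1 + 1, b.q2 - a.q1 - 1) AS LoginName,
        -- '[CLIENT: ' is 9 characters; the IP runs up to the closing bracket
        SUBSTRING([Text], a.c1 + 9, b.c2 - a.c1 - 9) AS ClientIP
    FROM #errlog
    CROSS APPLY (SELECT CHARINDEX('''', [Text])            AS q1,
                        CHARINDEX('[CLIENT: ', [Text])     AS c1) a
    CROSS APPLY (SELECT CHARINDEX('''', [Text], a.q1 + 1)  AS q2,
                        CHARINDEX(']', [Text], a.c1)       AS c2) b
    WHERE a.q1 > 0 AND a.c1 > 0
)
SELECT
    LoginName,
    ClientIP,
    COUNT(*)     AS Attempts,
    MIN(LogDate) AS FirstSeen,
    MAX(LogDate) AS LastSeen
FROM parsed
GROUP BY LoginName, ClientIP
HAVING COUNT(*) >= 50          -- assumed threshold; tune to your baseline
ORDER BY Attempts DESC;
```

The query only covers the current error log; SQL Server keeps archived logs (numbered 1 and up), so a complete review loops the first `xp_readerrorlog` argument over those as well. Because error-log parsing is fragile, a production detection should also consume the audit or Extended Events stream rather than rely on message text alone.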
Vollgar shows constant "fluidity": the botnet loses servers every day and immediately picks up new ones. According to Guardicore, more than 60% of compromised MSSQL servers stay infected with Vollgar and its miners only briefly, up to two days, while just 20% of infected systems remain infected for a week or more.
About 10% of victims are reinfected. This usually happens because administrators do not remove all of the malware's components, leaving the attackers a way back in to reinstall it.
To help victims clean up properly, Guardicore has published a dedicated GitHub repository containing scripts that detect the files and backdoor accounts created by Vollgar.
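Reinfection after an incomplete cleanup is the failure mode the article describes, so a defender wants to enumerate every place an MSSQL-resident miner could keep a foothold, not just the login that was noticed first. The T-SQL below is an added example written for this page; it is not Guardicore's detection script and carries no Vollgar-specific indicator names, since the page lists none. It audits the generic persistence surfaces of a SQL Server instance: sysadmin logins, OS-command-execution features, Agent jobs that run shell or PowerShell steps, startup procedures and server-level triggers. Files dropped on disk need a host-side check and are out of scope here.

```sql
-- Added example: generic post-compromise audit of MSSQL persistence surfaces.
-- Compare every result against your own change records; anything unexplained
-- is a candidate backdoor.

-- 1. Every login that holds sysadmin, newest first. An unfamiliar, recently
--    created login here is the classic backdoor account.
SELECT m.name, m.type_desc, m.create_date, m.modify_date, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.create_date DESC;

-- 2. Features that let T-SQL reach the operating system. All three are off
--    by default; value_in_use = 1 means someone enabled them.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled');

-- 3. SQL Agent jobs whose steps execute outside T-SQL. A miner downloader
--    or re-dropper scheduled as a job survives the deletion of a login.
SELECT j.name, j.enabled, j.date_created, j.date_modified,
       s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell', 'ActiveScripting')
ORDER BY j.date_modified DESC;

-- 4. Stored procedures in master marked to run automatically at service
--    start (set via sp_procoption).
SELECT name, create_date, modify_date
FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 5. Server-scoped triggers, including logon triggers, which fire on every
--    connection and are easy to overlook.
SELECT name, create_date, modify_date, is_disabled
FROM sys.server_triggers;
```

Run this as a sysadmin on the affected instance before and after remediation: the point of the second pass is to confirm that the job, startup procedure or trigger that would have reinstalled the miner is gone, not only the account.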
Guardicore's researchers note that roughly 30 cryptomining botnets are currently active on the Internet, each controlling thousands or even tens of thousands of machines worldwide on any given day. Most of them are not tied to a single technology the way Vollgar is tied to MSSQL: the five most scanned ports and protocols are SSH, SMB, FTP, HTTP and MS-SQL.
Most of these botnets still mine Monero. As Monero mining becomes progressively harder, however, the groups behind them are shifting to lesser-known coins such as Vollar (Vollgar) or TurtleCoin (the Nansh0u botnet).