If you haven't heard of Skip-2.0 yet, prepare to be dismayed.
Security researchers have recently discovered an undocumented (until now) backdoor designed for Microsoft SQL servers.
It will allow a hacker working remotely to stealthily take control of a previously compromised system.
Worse, this is not theory or conjecture. Researchers have found malware strains in the wild that take advantage of the backdoor, allowing attackers to remotely connect to any account on the server running MSSQL version 11 or 12 by using a "magic password."
And it includes code that makes it invisible
As bad as that sounds, it gets worse. The Skip-2.0 malware contains code that disables the compromised machine's logging functions, audit mechanisms, and event publishing every time the "magic password" is used so that it leaves no trace, which is why it's so difficult to detect.
This gives the malware the freedom and flexibility to move seamlessly through the target system, where it can copy, change, or delete any content stored on it. That is, all while keeping the system's owner or user blind and in the dark as to what's happening. In their most recently published cybersecurity report, the security firm ESET attributed the Skip-2.0 backdoor to an organization known as the Winnti Group, which is a state-sponsored threat actor with Chinese backing.
As evidence in support of this conclusion, the researchers involved with drafting the report point to numerous similarities between Skip-2.0 and other tools developed and used by the Winnti Group, including PortReuse and ShadowPad.
In addition to that, Skip-2.0 utilizes an encrypted 'VMProtected' launcher, an 'inner-0loader' injector and hooking framework and a custom packer to install its payload, which again, is identical to the structure of other Winnti Group tools.
Our perspective
In basic terms, this is just another malware threat to emerge in the tech world. If there's a silver lining in all of this, it is the fact that MSSQL 11 and 12 are not the most recent versions, so the fix is fairly simple. Just upgrade to a version beyond 12 and you can avoid the risks associated with this new threat.
Note: Version 11 is SQL Server 2012 and Version 12 is SQL Server 2014. So upgrade to Azure and take advantage of the Azure Hybrid Benefit. It will save you a ton of money. Or stay on-prem with SQL Server 2016, 2017, or 2019
As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there!"
Meanwhile, check out this report
This free executive report may give you insights into how to build your business with safe IT environments: 10 Hidden IT Risks That Might Threaten Your Business and 1 Easy Way to Find Them
The author
Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available on LinkedIn, Facebook, and Twitter.
I am Denis Wilson, President and Principal Consultant for DWP Information Architects. I help professionals grow their business by building a foundation of rock-solid information solutions for smaller healthcare, insurance, financial, legal, and nonprofits firms in Ventura County and San Fernando Valley. And have created cost-effective IT solutions, for over 20 years, specializing in cybersecurity and regulatory compliance. I am also a published author and speaker, working extensively with a variety of organizations, as well as providing small business technology education programs through business and professional associations. This just in: I will be speaking regularly at California Lutheran University's Center for Nonprofit Leadership starting in September.
Contact me if you would like me to speak at your association.
