Winnti (China): According to research at ESET, a new malware called Skip 2.0 has been linked to the Winnti group, also known as APT41. The malware will create a backdoor that lets threat actors connect to any account using a “magic password.” The backdoor that is created will only work with Microsoft SQL Server (MSSQL) versions 11 and 12. The malware alters the MSSQL databases and deploys the backdoor as a post-infection tool after the network has been compromised through other means. The backdoor alters the functions on MSSQL servers that handle authentication to generate the “magic password.” If successful, the password can then be entered inside any user authentication session and the user is automatically granted access. After permission is granted, the malware prevents the execution of normal logging and audit functions, essentially creating a ghost session for that user. By hiding the session inside in the database connection logs, the “magic password” helps the threat actor remain undetected even if the administrators suspect wrongdoing. Because this backdoor is stealthy, it could allow the actors to copy, steal, or modify the database contents. Winnti has been known in the past for targeting gaming companies; in this instance in-game currency database manipulations could take place, leading to financial gain for the Winnti group. Skip 2.0 has links to other tools previously used by Winnti such as PortReuse and ShadowPad backdoors. Administrative privileges are needed to install Skip 2.0; therefore, the Microsoft SQL Servers must be compromised before this backdoor is utilized.
Any company that is using the affected version of MSSQL servers should look for any sign of a compromise. MSSQL servers can be updated to version 15 and should be done as soon as possible. People running outdated versions of MSSQL should update to the most recent version to prevent problems that come from using outdated software. Utilizing a monitoring service for servers would allow owners to know when their servers are compromised. Because Skip 2.0 utilizes compromised servers, catching the compromise sooner could prevent this attack from happening.