Winnti Group’s Skip‑2.0: A Microsoft SQL Server Backdoor

Oct 21, 2019

ESET researchers tracking the China-based Winnti Group have observed a previously unreported backdoor being used by the threat actors. Winnti Group, active since 2012, is targeting Microsoft SQL (MSSQL) Server versions 11 and 12. The backdoor, called “skip-2.0”, allows the attacker to connect to any MSSQL account by using a “magic” password while hiding those connections from the logs. This means the Winnti Group can copy, modify or delete information in the databases.
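Because the backdoor suppresses the server's own record of the attacker's logins, a check that relies only on SQL Server logs will miss it. The added example below (written for this summary, not ESET's code or part of the original report) cross-references connections seen at the network layer with SQL Server login audit events and flags any connection to the MSSQL port that has no matching login record; the data sources, field names and sample records are constructed assumptions.

```python
"""Surface MSSQL connections that the server itself never recorded, by
comparing an external network view against SQL Server's login audit."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NetConn:          # one TCP connection seen by a firewall/netflow sensor
    ts: datetime
    src_ip: str
    dst_port: int


@dataclass(frozen=True)
class LoginEvent:       # one entry from the SQL Server login audit
    ts: datetime
    client_ip: str
    login_name: str
    success: bool


# Constructed sample telemetry, not real data.
NET_CONNS = [
    NetConn(datetime(2019, 10, 21, 9, 0, 0), "10.0.0.5", 1433),
    NetConn(datetime(2019, 10, 21, 9, 5, 0), "10.0.0.9", 1433),
    NetConn(datetime(2019, 10, 21, 9, 7, 0), "10.0.0.9", 443),    # not MSSQL
    NetConn(datetime(2019, 10, 21, 9, 30, 0), "203.0.113.7", 1433),
]
LOGIN_EVENTS = [
    LoginEvent(datetime(2019, 10, 21, 9, 0, 1), "10.0.0.5", "app_user", True),
    LoginEvent(datetime(2019, 10, 21, 9, 5, 2), "10.0.0.9", "report_ro", True),
]


def unlogged_connections(conns, logins, mssql_port=1433,
                         window=timedelta(seconds=10)):
    """Return MSSQL-port connections with no login audit event from the same
    client within `window` after the connection. Port scans and connections
    dropped before the TDS login will also land here, so treat the result as
    a triage list rather than a verdict."""
    flagged = []
    for c in conns:
        if c.dst_port != mssql_port:
            continue
        matched = any(
            e.client_ip == c.src_ip and timedelta(0) <= e.ts - c.ts <= window
            for e in logins
        )
        if not matched:
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    for c in unlogged_connections(NET_CONNS, LOGIN_EVENTS):
        print(f"{c.ts.isoformat()} {c.src_ip} -> {c.dst_port}: no login audit record")
```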

Recommendation: Databases should not be directly accessible from, or connected to, the internet. Protect these services with authentication and do not allow guest or anonymous logins. For web applications that access database data, make sure all user-supplied data is sanitized to prevent SQL injection. Actors can use this information to coerce more personal data from the victim. Users should also monitor their credit to make sure that nothing out of the ordinary is happening and no identity fraud is being committed.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.