A persistent threat actor tracked as Larva-26002 has been targeting poorly managed Microsoft SQL (MS-SQL) servers. In its latest activity, the group deployed a new piece of malware called ICE Cloud Client.
The campaign has been running since at least January 2024 and has continued into 2026, with the attacker's tooling improving in each cycle. What began as a ransomware operation has grown into large-scale scanning of exposed database infrastructure.
In January 2024, the group first made its mark by using Trigona and Mimic ransomware on MS-SQL servers that were connected to the internet and had weak passwords.
The attackers used the Bulk Copy Program (BCP), a legitimate MS-SQL utility, to transfer malware onto compromised hosts and write it to disk. To stop brute-force access, database administrators should give every MS-SQL account a strong, hard-to-guess password and rotate it regularly. Any MS-SQL server reachable from the internet should sit behind a firewall that admits only authorized connections.
It is also important to keep endpoint security software up to date so that known malware is blocked before it runs on the host. Administrators should watch for unusual BCP activity, such as unexpected files like api.exe appearing in C:\ProgramData\ or outbound connections they do not recognize. Any of these signs can indicate that the system has been compromised and should be investigated immediately.
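The two indicators above (BCP writing into C:\ProgramData\ and an executable such as api.exe running from that directory) can be turned into simple triage rules over process-creation telemetry. The following is an added example, not code from the report or from any vendor: it assumes events are available as dictionaries with `image`, `parent_image` and `command_line` fields (a simplified process-creation shape, not a specific product schema), and the sample events and file paths are constructed for illustration.

```python
"""Triage process-creation events for the BCP abuse pattern described above.

Field names (image, parent_image, command_line) are an assumption about how
the telemetry is shaped; adapt them to your EDR or Sysmon export.
"""
import re
from dataclasses import dataclass

# Anything located under the drop directory named in the report.
PROGRAMDATA_PATH = re.compile(r"^c:\\programdata\\", re.IGNORECASE)
# bcp's export modes ("out" / "queryout") followed by the destination file.
BCP_EXPORT_TARGET = re.compile(r'\b(?:out|queryout)\s+"?([^"\s]+)', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def scan_event(ev: dict) -> list:
    """Apply both rules to one process-creation event."""
    findings = []
    image = ev["image"]

    # Rule 1: bcp.exe exporting a file into C:\ProgramData\.
    # Normal bcp usage exports data to a share or export folder, not here.
    if basename(image) == "bcp.exe":
        m = BCP_EXPORT_TARGET.search(ev["command_line"])
        target = m.group(1) if m else ""
        if PROGRAMDATA_PATH.match(target):
            findings.append(Finding("bcp_export_to_programdata", image, target))

    # Rule 2: any executable launched directly from C:\ProgramData\.
    # In production, allowlist known installers that legitimately run from there.
    if PROGRAMDATA_PATH.match(image):
        name = basename(image)
        label = "api.exe (filename cited in the report)" if name == "api.exe" else name
        findings.append(Finding("exe_from_programdata", image,
                                f"{label} spawned by {ev['parent_image']}"))
    return findings


def scan_events(events) -> list:
    """Run scan_event over a sequence of events and collect all findings."""
    out = []
    for ev in events:
        out.extend(scan_event(ev))
    return out


# Constructed sample telemetry (paths are placeholders, not real installs).
SAMPLE_EVENTS = [
    # Benign: a DBA exporting a table to an export folder.
    {"image": r"C:\SQLTools\bcp.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'bcp Sales.dbo.Orders out "D:\exports\orders.csv" -T -c'},
    # Suspicious: bcp writing a binary into C:\ProgramData\.
    {"image": r"C:\SQLTools\bcp.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'bcp "select data from tempdb.dbo.t" queryout "C:\ProgramData\api.exe" -T -f fmt'},
    # Suspicious: the dropped file being executed.
    {"image": r"C:\ProgramData\api.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\ProgramData\api.exe"},
    # Benign: ordinary system process.
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Run against the constructed events, the first and last are silent while the second and third each raise one finding, which is the point: the rule is keyed on where BCP writes and what runs from that location rather than on BCP itself, so legitimate exports do not generate noise.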