KingMiner Botnet Targeting SQL Servers for Cryptomining

The KingMiner botnet launches brute-force attacks against MSSQL databases to take over servers and install cryptocurrency miners.




The KingMiner gang is targeting the Server Administrator account, the highest-privileged account on an MSSQL database. In a report, UK-based cybersecurity firm Sophos advised owners of MSSQL databases to secure their servers.




Once the hackers break into a vulnerable MSSQL system, they create another database user named "dbhelp" and install a cryptominer to generate profits for the gang.

KingMiner has been active since late 2018:
Sophos says that this botnet operation goes by the name of "KingMiner" and is the same gang that was previously documented in a report from cybersecurity firm Check Point in late 2018. This botnet was first seen in mid-June 2018.

    


While most malware botnets die out after a few weeks or months of activity, the KingMiner operation appears to have made enough of a profit for the crooks to continue attacks even to this day.
The botnet's code also evolved as time went by, showing that the hackers invested in sharpening their attack tools and routines.

KingMiner shows that malware botnets continue to make a profit despite the up-and-down price of the XMR cryptocurrency. This profit has given hackers a reason to go after vulnerable systems, especially MSSQL databases, which have been some of the servers most targeted by crypto-mining botnets.



The easiest way to prevent a KingMiner botnet attack is to secure the Server Administrator account with a strong password. The Server Administrator account is considered the account with the highest privileges on an MSSQL system and should be secured accordingly.
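For defenders who also want to check whether a server has already been hit, the following added example (not code from Sophos or from this article) scans SQL Server ERRORLOG text for the pattern described above: repeated failed logins to the administrator account from one client, a success after such a burst, and any login by the "dbhelp" user. It assumes the Server Administrator account is the built-in `sa` login and that login auditing records both failed and successful logins; the log lines, the threshold and the function name `analyze` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed ERRORLOG-style lines (documentation IPs, not from a real incident).
SAMPLE_LOG = """\
2020-06-09 03:14:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2020-06-09 03:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-09 03:14:01.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-09 03:14:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-09 03:14:02.40 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2020-06-09 03:15:10.00 Logon       Login succeeded for user 'dbhelp'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2020-06-09 09:00:12.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]
2020-06-09 09:00:20.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.20]
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def analyze(log_text, threshold=3, watch_user="dbhelp"):
    """Return (finding, client, timestamp) tuples in log order."""
    failures = defaultdict(int)          # failed 'sa' logins per client address
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:                        # e.g. the "Error: 18456" companion line
            continue
        user, client = m["user"].lower(), m["client"]
        if user == watch_user:           # account name the article says is created
            findings.append(("watched_login_seen", client, m["ts"]))
        if user != "sa":
            continue
        if m["result"] == "failed":
            failures[client] += 1
            if failures[client] == threshold:   # report each client once
                findings.append(("sa_bruteforce", client, m["ts"]))
        elif failures[client] >= threshold:
            # A success after a burst of failures suggests the guess worked.
            findings.append(("sa_success_after_bruteforce", client, m["ts"]))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding, sep="\t")
```

The single mistyped password from 198.51.100.20 stays below the threshold and produces no finding, which is the distinction an alert rule needs to make.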
