Why is China all up in my SQL server?

BSidesLV 2017

Presented by: Andrew Brandt
Date: Wednesday July 26, 2017
Time: 10:00 - 10:55
Location: Underground

Starting early in 2017, the honeypots I run in my lab began to receive a strangely large volume of inbound SQL connections from all over Asia, but mainly from China. Fortunately, I am recording the traffic of virtually everything that hits my dirty network, and discovered that the attacks appear to be automated, run at high volumes, and engage in a sophisticated and complex attempt to break into Microsoft SQL Server. In this presentation, I will provide a full walkthrough of the attack, detailing the methods in use and countermeasures you can employ to protect your server. I'll also provide historical and reputational context about the attackers' originating IP addresses and the other dirty stuff coming from those addresses. And let me tell you, it's pretty dirty.

Andrew Brandt

Andrew Brandt is a network forensics and incident response nerd who loves running malware just to watch machines die. In his spare time he builds retro videogame platforms and rides mountain bikes, preferably in the dead of night. If you meet him in person, talk to him about new music.
