Cyber Web Spider Blog – News

MS-SQL Servers Under Persistent Threat by ICE Cloud Scanner

Posted on March 24, 2026 By CWS

A sophisticated cyber threat actor, identified as Larva-26002, is relentlessly targeting inadequately secured Microsoft SQL (MS-SQL) servers. This time, they are deploying a novel malware known as ICE Cloud Client.

Ongoing Campaign and Evolution

The campaign has run since January 2024, evolving with each phase. Initially focused on ransomware attacks, the group has shifted towards extensive scanning of vulnerable database systems. It has remained active through 2026, consistently upgrading its tools.

In early 2024, Larva-26002 made its initial impact by deploying ransomware like Trigona and Mimic on MS-SQL servers with weak passwords. The attackers used the Bulk Copy Program (BCP), a legitimate MS-SQL feature, to transfer malware onto compromised systems.

Transition to Advanced Scanning Techniques

Alongside BCP, tools such as AnyDesk were installed to facilitate remote access, and port forwarding for RDP was enabled. By 2025, the group had incorporated Teramind, a remote monitoring tool, and transitioned to a Rust-based scanner.

In 2026, analysts identified a renewed attack wave in which the same threat actor targeted previously compromised MS-SQL servers. This time, they employed ICE Cloud, a scanner malware written in Go, marking a shift from their 2025 Rust-based approach. Strings in the malware's binary are written in Turkish, which links it to the 2024 Mimic ransomware attacks.

Implications and Prevention Measures

The campaign’s shift from ransomware to scanning poses significant concerns. By amassing compromised servers to probe for weak credentials, the attackers are potentially laying the groundwork for a larger operation. Data collected is sent to the attacker’s command and control (C&C) server, providing insight into exposed database assets globally.

The intrusion begins when Larva-26002 identifies an exposed MS-SQL server with weak password practices. After gaining initial access through brute-force or dictionary attacks, they execute system commands to assess the host and use the BCP utility to write the malware to disk. This involves exporting a malicious binary to a local path, a tactic unchanged since 2024.

Defensive Strategies for Administrators

Database administrators need to ensure robust, complex passwords for all MS-SQL accounts, with regular updates to prevent unauthorized access. Servers exposed to the internet should be secured behind firewalls with restricted access. Maintaining updated endpoint security software is crucial to intercept known malware before it executes.

Administrators should monitor for unusual BCP activity, unexpected files like api.exe in C:\ProgramData, and unrecognized outbound connections, any of which can indicate a compromise requiring immediate investigation.
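One way to triage process-creation logs for the BCP activity described above, as an added example that is not part of the original article or any vendor's tooling. The sample events, the rule names and the list of risky extensions are constructed assumptions; only the bcp `out`/`queryout` modes, the `sqlservr.exe` process name and the api.exe path come from the product or the article.

```python
import shlex
from pathlib import PureWindowsPath

EXEC_EXT = {".exe", ".dll", ".bat", ".cmd", ".ps1"}  # assumed set of risky output types

# Constructed process-creation events; paths and queries are illustrative only.
SAMPLE_EVENTS = [
    {"parent": r"C:\MSSQL\Binn\sqlservr.exe",
     "cmdline": r'cmd.exe /c bcp "SELECT col FROM tbl" queryout "C:\ProgramData\api.exe" -T'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'bcp.exe Sales.dbo.Orders out D:\exports\orders.csv -c -T'},
    {"parent": r"C:\MSSQL\Binn\sqlservr.exe",
     "cmdline": r'cmd.exe /c bcp "SELECT txt FROM notes" queryout D:\exports\notes.txt -c -T'},
]

def bcp_export_target(cmdline):
    """Return the file a bcp out/queryout command writes to, or None."""
    try:
        # posix=False keeps backslashes and leaves quoted strings as one token,
        # so the word "out" inside a quoted query is never mistaken for the mode.
        raw = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: do not guess
        return None
    for i, tok in enumerate(raw):
        if PureWindowsPath(tok.strip('"')).name.lower() in ("bcp", "bcp.exe"):
            for j in range(i + 1, len(raw) - 1):
                if raw[j].lower() in ("out", "queryout"):
                    return PureWindowsPath(raw[j + 1].strip('"'))
    return None

def triage(event):
    """Return the (hypothetical) rule names a single event matches."""
    findings = []
    target = bcp_export_target(event["cmdline"])
    if target is None:
        return findings
    if target.suffix.lower() in EXEC_EXT:
        findings.append("bcp-writes-executable")
    if str(target.parent).lower() == r"c:\programdata":
        findings.append("bcp-writes-to-programdata-root")
    if PureWindowsPath(event["parent"]).name.lower() == "sqlservr.exe":
        findings.append("bcp-spawned-by-sql-service")
    return findings

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev), "<-", ev["cmdline"])
```

An export that matches only `bcp-spawned-by-sql-service` may be a legitimate scheduled job, so treat that rule as context and the executable-output rule as the high-confidence signal.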
