Persistent Cyber Threat: Larva-26002’s Evolving ICE Cloud Attacks Target MS-SQL Servers

Persistent Cyber Attacks on MS-SQL Servers: Unveiling the ICE Cloud Scanner Threat

In recent years, Microsoft SQL (MS-SQL) servers have become prime targets for cybercriminals, with a notable escalation in sophisticated attack campaigns. A particularly persistent threat actor, identified as Larva-26002, has been systematically compromising vulnerable MS-SQL servers to deploy a novel malware known as ICE Cloud Client. This campaign, active since at least January 2024 and continuing into 2026, underscores the evolving tactics of cyber adversaries and the critical need for robust database security measures.

Evolution of the Attack Campaign

The initial wave of attacks by Larva-26002 in early 2024 focused on deploying ransomware variants such as Trigona and Mimic. These attacks exploited MS-SQL servers exposed to the internet with weak credentials. The attackers abused the Bulk Copy Program (BCP) utility—a legitimate MS-SQL tool—to write malware directly onto compromised hosts. Additionally, tools like AnyDesk were installed to facilitate remote access, and port forwarders were set up to enable Remote Desktop Protocol (RDP) connections.

By 2025, the threat actor had enhanced their toolkit, incorporating Teramind, a remote monitoring and management (RMM) tool, and transitioning to a scanner written in Rust. This evolution indicated a shift towards more sophisticated and stealthy methods of compromising and controlling MS-SQL servers.

The Emergence of ICE Cloud Scanner

In 2026, analysts from AhnLab Security Emergency response Center (ASEC) identified a new phase in the attack campaign. Larva-26002 revisited previously compromised MS-SQL servers, this time deploying ICE Cloud Client—a scanner malware developed in the Go programming language. This marked a departure from the Rust-based scanner used in the prior year. Notably, the binary strings within ICE Cloud are written in Turkish, linking this campaign to the Mimic ransomware attacks from 2024. This pattern of repeated targeting suggests a deliberate, long-term strategy aimed at unpatched database servers.

Shift in Attack Objectives

A significant aspect of this campaign is the transition from ransomware deployment to large-scale scanning operations. By establishing a network of compromised servers that silently probe other databases for weak credentials, Larva-26002 appears to be laying the groundwork for more extensive future operations. The data collected from these scans is transmitted to the attacker’s command and control (C&C) server, providing a comprehensive map of exposed database assets across the internet.

Detailed Infection Mechanism

The attack sequence initiated by Larva-26002 involves several steps:

1. Initial Access: The attacker identifies an MS-SQL server exposed to the internet with poor password hygiene. Access is gained through brute force or dictionary attacks.

2. System Profiling: Upon successful login, the attacker executes system commands such as `hostname`, `whoami`, and `netstat -an` to gather information about the host environment.

3. Malware Deployment: The BCP utility is abused to export a malicious binary from the database table `uGnzBdZbsi` to a local path as `api.exe`, guided by a format file named `FODsOZKgAU.txt`. This method has remained consistent since 2024. In instances where BCP fails, the malware is retrieved using curl or bitsadmin launched via PowerShell.

4. Execution of ICE Cloud Launcher: The `api.exe` file, referred to as ICE Cloud Launcher, connects to the C&C server for authentication and subsequently downloads the core scanner—ICE Cloud Client.

5. Scanner Deployment: ICE Cloud Client is saved under a random filename to masquerade as a legitimate program. The malware registers with the C&C server, which provides a list of MS-SQL addresses to target, along with credential pairs and task strings.

6. Credential Testing and Reporting: The scanner attempts to log in using the provided credentials and reports any successful access back to the C&C server.

Broader Context of MS-SQL Server Attacks

The targeting of MS-SQL servers is not an isolated phenomenon. Cybercriminals have increasingly focused on these servers due to their widespread use and the valuable data they manage. In September 2022, Kaspersky reported a 56% increase in attacks utilizing Microsoft SQL Server compared to the same period in the previous year. These attacks often involve brute-force attempts to gain access, followed by the deployment of various malware strains, including ransomware and cryptominers.

Furthermore, a campaign known as Vollgar, active since at least May 2018, has been infecting thousands of MS-SQL servers daily with remote access Trojans (RATs) and cryptominers. This campaign highlights the persistent and evolving nature of threats targeting database servers.

Mitigation Strategies

To defend against such sophisticated attacks, organizations should implement comprehensive security measures:

– Strong Authentication: Enforce the use of complex, unique passwords for all accounts, especially those with administrative privileges.

– Network Segmentation: Limit exposure by restricting access to MS-SQL servers through Virtual Private Networks (VPNs) and by implementing strict firewall rules.

– Regular Patching: Keep all systems and applications up to date with the latest security patches to mitigate known vulnerabilities.

– Monitoring and Logging: Implement comprehensive logging and monitoring to detect unusual activities, such as multiple failed login attempts or unauthorized access patterns.

– Disable Unnecessary Features: Turn off features like `xp_cmdshell` that can be exploited by attackers to execute arbitrary commands on the server.

– Security Training: Educate staff on security best practices and the importance of maintaining strong credentials and recognizing phishing attempts.

Conclusion

The continuous and evolving attacks on MS-SQL servers by threat actors like Larva-26002 underscore the critical importance of robust security practices. As attackers refine their methods, shifting from ransomware to large-scale scanning operations, organizations must remain vigilant. Implementing comprehensive security measures, staying informed about emerging threats, and fostering a culture of cybersecurity awareness are essential steps in safeguarding valuable data assets against these persistent threats.