Threat Actors Deploy Database Client Tools on Targeted Systems to Exfiltrate Sensitive Data
Cybersecurity experts have noted an increase in data breaches where threat actors are directly querying internal databases to steal sensitive information.
Unlike traditional malware-based attacks, these adversaries are leveraging legitimate database client tools such as DBeaver, Navicat, and sqlcmd to exfiltrate data from targeted systems.
These tools, often used by legitimate administrators for database management, are being weaponized due to their ability to blend into normal system operations, making detection exceptionally challenging.
Traces of such activities are typically buried in system logs, local records of client tools, and SQL server execution logs, requiring meticulous forensic analysis to uncover breaches.
According to the ASEC report, the presence of these tools also indicates that the attackers have already obtained the database connection details (IP address, port number, and credentials) they need, meaning they are past initial access and well into the collection and data-theft stages of an intrusion.
Rising Trend of Database Breaches
Delving deeper into the mechanics of these attacks, the report examined DBeaver (version 25.0.4), Navicat Premium (version 17.2.5), and sqlcmd, a command-line utility shipped with Microsoft SQL Server that is classified as a Living-off-the-Land binary (LOLBin), reproducing breach scenarios on Windows and MS-SQL environments to document the traces each tool leaves behind.

DBeaver, an open-source GUI-based tool, leaves traces in debug logs such as ‘dbeaver-debug.log’ located at C:Users
Technical Insights into Tool Exploitation
Navicat, a commercial tool that is also available as a 14-day trial, likewise leaves evidence of export activity: export profile files (.nexptmssql format) on Windows, and logs such as LogExport.txt on Linux.

These logs are often overwritten, however, which complicates long-term tracking. sqlcmd, abused for its command-line capabilities, can run arbitrary queries and take database backups; its activity surfaces in MS-SQL's ERRORLOG and trace (.trc) files, but some actions, notably the result sets returned by SELECT statements, are not logged directly, so responders must fall back on other artifacts such as SRUM records of the host's network communications.
Attack scenarios typically begin with remote desktop protocol (RDP) access or a reverse tunnel, followed by installation of the client tool and extraction of the data as CSV or .bak files that are then exfiltrated.
The sophistication of these attacks lies in their mimicry of legitimate administrative behavior, which renders signature-based anti-malware solutions largely ineffective.
Cybersecurity responders must analyze specific log paths and system traces to identify accessed data and assess leakage scope.
In environments where these tools are not needed, behavior-based controls such as Endpoint Detection and Response (EDR) can alert on, or block, their execution.
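The host-side telemetry the article points to (tool execution, sqlcmd command lines, files written as CSV or .bak) can be triaged automatically. The following is an added example written for this page, not code from the ASEC report or the article: it applies a few detection rules to constructed process-creation records whose fields mimic a flattened Sysmon Event ID 1 / Security 4688 export. The host names, user names, install paths, and the EXPECTED_CLIENT_HOSTS allow-list are all assumptions made for the example.

```python
"""Triage of process-creation telemetry for database client tool abuse.

Added example; not code from the ASEC report or the article. The input records
are constructed here and mimic a flattened Sysmon Event ID 1 / Security 4688
export (host, user, image path, command line). Host and user names are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three client tools named in the report, keyed by image file name.
DB_CLIENT_IMAGES = {"sqlcmd.exe": "sqlcmd", "dbeaver.exe": "DBeaver", "navicat.exe": "Navicat"}

# Assumption for this example: the only hosts where interactive GUI clients are
# expected. A GUI client starting anywhere else (for instance on the database
# server itself during an RDP session) is treated as suspect.
EXPECTED_CLIENT_HOSTS = {"ADMIN-WS01"}

# sqlcmd switches are case-sensitive: -Q/-q run a query, -i runs a script file,
# -o writes the result set to a file.
SQLCMD_QUERY_RE = re.compile(r"(?:^|\s)-[Qqi](?:\s|$)")
SQLCMD_OUTPUT_RE = re.compile(r"(?:^|\s)-o(?:\s|$)")
# Backup-to-disk statements and the export file types described in the attack flow.
BACKUP_RE = re.compile(r"\bBACKUP\s+DATABASE\b.*\bTO\s+DISK\b", re.IGNORECASE | re.DOTALL)
EXPORT_FILE_RE = re.compile(r"\.(?:csv|bak)\b", re.IGNORECASE)

# Constructed sample records (not real telemetry). The password is masked here;
# real process telemetry would capture a -P value in clear text.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "DB01", "user": "CORP\\jsmith",
     "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "cmdline": r'''sqlcmd -S DB01 -U sa -P ******** -Q "BACKUP DATABASE Sales TO DISK = N'C:\Temp\sales.bak' WITH INIT"'''},
    {"host": "DB01", "user": "CORP\\jsmith",
     "image": r"C:\Users\jsmith\AppData\Local\DBeaver\dbeaver.exe",
     "cmdline": r'"C:\Users\jsmith\AppData\Local\DBeaver\dbeaver.exe"'},
    {"host": "ADMIN-WS01", "user": "CORP\\dba",
     "image": r"C:\Program Files\PremiumSoft\Navicat Premium 17\navicat.exe",
     "cmdline": r'"C:\Program Files\PremiumSoft\Navicat Premium 17\navicat.exe"'},
    {"host": "DB01", "user": "CORP\\svc_sqljobs",
     "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "cmdline": r"sqlcmd -S DB01 -E -i C:\Jobs\reindex.sql"},
    {"host": "DB01", "user": "CORP\\jsmith",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Temp\notes.txt"},
    {"host": "DB01", "user": "CORP\\jsmith",
     "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "cmdline": r'sqlcmd -S DB01 -E -Q "SELECT * FROM dbo.Customers" -s "," -W -o C:\Temp\customers.csv'},
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    rule: str
    severity: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> Optional[Finding]:
    """Apply the detection rules to one process-creation record."""
    tool = DB_CLIENT_IMAGES.get(image_name(event["image"]))
    if tool is None:
        return None
    host, user, cmd = event["host"], event["user"], event["cmdline"]
    if tool == "sqlcmd":
        # Results or backups written to disk are the staging step before exfiltration.
        if SQLCMD_OUTPUT_RE.search(cmd) or BACKUP_RE.search(cmd) or EXPORT_FILE_RE.search(cmd):
            return Finding(host, user, tool, "sqlcmd_output_or_backup_to_file", "high")
        # SELECT results are not logged server-side, so a non-interactive query
        # deserves a look even when no output file is named on the command line.
        if SQLCMD_QUERY_RE.search(cmd):
            return Finding(host, user, tool, "sqlcmd_noninteractive_query", "medium")
        return Finding(host, user, tool, "sqlcmd_interactive_session", "low")
    # DBeaver / Navicat: a GUI client has no business starting on a database server.
    if host.upper() not in EXPECTED_CLIENT_HOSTS:
        return Finding(host, user, tool, "gui_db_client_on_unexpected_host", "high")
    return None


def triage(events: List[Dict[str, str]]) -> List[Finding]:
    """Return the findings for a batch of records, in input order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.host} {f.user} {f.tool}: {f.rule}")
```

In a real deployment the records would come from Sysmon or the EDR rather than an inline list, and the rules would be complemented by the file-based artifacts the article names (the DBeaver debug log, Navicat export profiles, SRUM network records), which this example does not parse. The reason host telemetry matters at all is the gap the report describes: SQL Server does not log the result sets of SELECT statements, so the client side is often the only place a bulk read leaves a trace.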
Additionally, implementing strict access controls on database management systems (DBMS), limiting user permissions, and restricting administrator access to specific IPs are critical preventive measures.
Equally important is avoiding poor credential management practices, such as sharing database connection details via email or storing them in unsecured files, which can facilitate massive data breaches.
Regular auditing of database logs and maintaining robust backup histories further fortify defenses against these stealthy, tool-based attacks that threaten sensitive data integrity across industries.