Vulnerable Microsoft SQL Servers targeted with Cobalt Strike

Danger analysts have noticed a new wave of attacks setting up Cobalt Strike beacons on vulnerable Microsoft SQL Servers, main to deeper infiltration and subsequent malware infections.

MS-SQL Server is a popular database administration procedure powering big world-wide-web applications to modest single-program applets.

On the other hand, many of these deployments aren’t adequately secured as they are publicly uncovered to the Internet with weak passwords, and according to a report by Ahn Lab’s ASEC, an not known menace actor is getting edge of this.

Focusing on MS-SQL with Cobalt Strike

The assaults start off with menace actors scanning for servers with an open TCP port 1433, which are very likely general public-struggling with MS-SQL servers. The attacker then carries out brute-forcing and dictionary assaults to crack the password. For the assault to do the job with both approach, the target password has to be weak.

When the attacker gains accessibility to the admin account and logs into the server, the ASEC researchers have noticed them fall coin-miners these as Lemon Duck, KingMiner, and Vollgar. Moreover, the risk actor backdoors the server with Cobalt Strike to establish persistence and complete lateral motion.

Cobalt Strike is downloaded by way of a command shell method (cmd.exe and powershell.exe) on to the compromised MS-SQL and is injected and executed in MSBuild.exe to evade detection.

Processes that download Cobalt Strike
Processes that download Cobalt Strike (ASEC)

Soon after execution, a beacon is injected into the respectable Windows wwanmm.dll process and waits for the attacker’s instructions when keeping concealed inside of a process library file.

“As the beacon that gets the attacker’s command and performs the destructive conduct does not exist in a suspicious memory area and in its place operates in the ordinary module wwanmm.dll, it can bypass memory-based detection,” describes the report by Ahn Lab’s ASEC team.

Code and strings used for tainting the dll
Code and strings utilized for tainting the dll (ASEC)

Cobalt Strike is a commercial pen-testing (offensive security) instrument that is extensively abused by cybercriminals who come across its powerful features established especially useful for their malicious operations.

The $3,500 per license device was intended to assist moral hackers and pink teams simulate authentic assaults against companies that want to raise their security stance, but from the minute cracked variations were being leaked, its use by menace actors went out of command.

It is really now used by Squirrelwaffle, Emotet, malware operators, opportunistic attacks, Linux-concentrating on teams, complex adversaries, and normally by ransomware gangs when conducting assaults.

The reason why danger actors abuse it so much is its wealthy features which features the subsequent:

  • Command execution
  • Keylogging
  • File functions
  • SOCKS proxying
  • Privilege escalation
  • Mimikatz (credential-stealing)
  • Port scanning

Moreover, the Cobalt Strike agent called the “beacon” is file-significantly less shellcode, so the likelihood of it being detected by security tools are lowered, in particular in poorly managed systems.

AhnLab’s info displays that all the obtain URLs and C2 server URLs that supported the the latest assault wave stage to the exact same attacker.

To guard your MS-SQL server from attacks of this form, use a sturdy admin password, location the server at the rear of a firewall, log all the things and observe suspicious actions, implement readily available safety updates, and use a details entry controller to inspect and implement guidelines on each transaction.