Cobalt Strike Found to be Used in Microsoft SQL Server Vulnerability Attack

news

A new attack has been identified that installs the Cobalt Strike beacon on vulnerable Microsoft SQL servers, leading to further malware infections. https://asec.ahnlab.com/en/31811/

MS-SQL Server is a common database server in Windows environments and has long been a target of attacks. Attacks on MS-SQL servers include exploitation of unpatched installations, and brute-force and dictionary attacks against poorly managed servers that use weak credentials.

MS-SQL Server is a widely used database management system, found in both large Internet-facing applications and small single-host systems.

Many of these deployments are exposed to the Internet and protected only by weak passwords, so they are not sufficiently secure, and attackers are taking advantage of this, according to AhnLab's ASEC report.

Targeting MS-SQL with Cobalt Strike

The attackers scan for hosts with TCP port 1433 (the default MS-SQL listener) open, which indicates that the campaign is targeting MS-SQL servers exposed to the public Internet.

The attacker then conducts brute-force and dictionary attacks to guess the password. Both methods only succeed against weak passwords, so password quality is the first line of defense against this stage of the attack.

ASEC researchers have confirmed that once the attacker obtains the admin account and logs into the server, coin miners such as Lemon Duck, KingMiner, and Vollgar are dropped.

In addition, attackers backdoor the servers with Cobalt Strike to establish persistent access and to move laterally through the network.

Cobalt Strike is downloaded onto the compromised MS-SQL host through command shell processes (cmd.exe and powershell.exe) and injected into MSBuild.exe, a legitimate Microsoft build tool, for execution in order to evade detection.

After execution, the beacon is injected into wwanmm.dll, a legitimate Windows library: the library is loaded into memory and its memory area is overwritten with the beacon, which then lies dormant inside what looks like a normal system library, waiting for the attacker's commands.

Because the beacon, which receives the attacker's commands and performs the malicious actions, runs inside the memory region of a normal module (wwanmm.dll) rather than in a separate, unbacked memory allocation, it appears to bypass memory-based detection that looks for executable memory not backed by a file on disk.
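The delivery chain described above (a shell spawned under SQL Server, PowerShell fetching the payload, MSBuild.exe launched to run it) is visible in process-creation telemetry even when the beacon itself hides inside wwanmm.dll, because sqlservr.exe has no legitimate reason to spawn shells or build tools. As an added example, not code from the ASEC report or the original article, the following Python reconstructs the process tree from constructed process-creation records (the fields Sysmon Event ID 1 or EDR telemetry would carry) and flags shells and living-off-the-land binaries that descend from sqlservr.exe. The pids, paths, command lines and the list of suspicious child images are assumptions for illustration; a benign developer build of MSBuild.exe under devenv.exe is included to show that the rule does not fire on it.

```python
import ntpath

# Constructed process-creation records (not from the ASEC report). The chain
# 1200 -> 4312 -> 4400 -> 4520 mimics SQL Server executing a shell that fetches
# a stager with PowerShell and launches MSBuild.exe; 7000 -> 7100 is a
# developer's normal build and must not be flagged.
EVENTS = [
    {"pid": 600,  "ppid": 500,  "image": r"C:\Windows\System32\services.exe",
     "cmdline": "services.exe"},
    {"pid": 1200, "ppid": 600,  "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "cmdline": '"sqlservr.exe" -sMSSQLSERVER'},
    {"pid": 4312, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell -nop -w hidden -File C:\Users\Public\stage.ps1"},
    {"pid": 4400, "ppid": 4312, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nop -w hidden -File C:\Users\Public\stage.ps1"},
    {"pid": 4520, "ppid": 4400, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\Public\build.xml"},
    {"pid": 3000, "ppid": 2900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 7000, "ppid": 3000, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 7100, "ppid": 7000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
]

# Images a database engine has no business spawning: shells plus the usual
# living-off-the-land binaries (assumed list; extend to taste).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "msbuild.exe", "certutil.exe",
    "bitsadmin.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
    "wscript.exe", "cscript.exe",
}


def basename(image):
    # ntpath handles Windows paths correctly even when this runs on Linux.
    return ntpath.basename(image)


def ancestry(pid, by_pid):
    """Chain of image names from the oldest known ancestor down to `pid`.

    Stops when the parent is not in the record set (for example a process
    that started before logging began) or when a pid cycle is detected.
    """
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_sqlserver_spawned(events):
    """Map pid -> image chain for suspicious processes that descend from sqlservr.exe."""
    by_pid = {e["pid"]: e for e in events}
    alerts = {}
    for e in events:
        if basename(e["image"]).lower() not in SUSPICIOUS_CHILDREN:
            continue
        chain = ancestry(e["pid"], by_pid)
        lowered = [name.lower() for name in chain]
        if "sqlservr.exe" in lowered:
            # Report only the part of the chain from sqlservr.exe downwards.
            alerts[e["pid"]] = chain[lowered.index("sqlservr.exe"):]
    return alerts


if __name__ == "__main__":
    for pid, chain in find_sqlserver_spawned(EVENTS).items():
        print(f"pid {pid}: {' -> '.join(chain)}")
```

Walking the full ancestry rather than checking only the immediate parent matters here: MSBuild.exe is two hops away from sqlservr.exe, and a parent-only rule that fires on "sqlservr.exe spawned cmd.exe" would miss it if the first hop were not logged or were suppressed by the attacker.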

Cobalt Strike is a commercial penetration testing (offensive security) tool that has been extensively abused by cybercriminals, who find its powerful features particularly useful for malicious operations.

The tool, which costs $3,500 per license, was intended to help white-hat hackers and red teams simulate real attacks against organizations that want to improve their security posture, but since cracked versions were leaked, its use by threat actors has grown out of control.

It is now used by the operators of Squirrelwaffle and Emotet, by other malware operators, by groups targeting Linux, and by ransomware groups to carry out attacks.

Threat actors abuse it so heavily because of its rich feature set:

  • Command execution
  • Keylogging
  • File manipulation
  • SOCKS proxy
  • Privilege escalation
  • Mimikatz (credential theft)
  • Port scanning

The Cobalt Strike agent, also known as a "beacon", is delivered as fileless shellcode that runs in memory, which makes it less likely to be detected by security tools, especially on poorly managed systems with no memory scanning or process monitoring.

To protect your MS-SQL server from this kind of attack, use a strong administrator password (and disable or rename the default sa account where possible), put the server behind a firewall so that port 1433 is not reachable from the Internet, log everything and monitor for suspicious activity such as bursts of failed logins or sqlservr.exe spawning cmd.exe or powershell.exe, apply any available security updates, and use a data access controller to inspect all transactions and enforce policies.
