Vulnerable internet-facing Microsoft SQL Servers (MS SQL) are being targeted in an ongoing campaign in which threat actors deploy the Cobalt Strike adversary simulation tool on compromised hosts.
“Attacks that target MS SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers,” South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) said in a report published Monday.
Cobalt Strike is a commercial, full-featured penetration testing framework that allows an attacker to deploy an agent named “Beacon” on the victim machine, granting the operator remote access to the system. Cracked versions of this software, although marketed as a threat simulation platform for red teams, have been used actively by many threat actors.
Intrusions observed by ASEC involve the unidentified actor scanning port 1433 to find exposed MS SQL servers, then running brute-force or dictionary attacks against the system administrator account, i.e., the “sa” account, in an attempt to log in.
That is not to say that servers which are not exposed to the internet are safe: the threat actor behind the LemonDuck malware scans the same port to move laterally across a network.
“Managing administrator account credentials to make them vulnerable to dictionary attacks and brute forcing, as well as failing to update the credentials regularly may expose the MS-SQL Server to attack,” researchers stated.
Upon successfully gaining a foothold, the next phase of the attack spawns a Windows command shell via the MS SQL “sqlservr.exe” process to download the next-stage payload, which carries the encoded Cobalt Strike binary, onto the system.
The attacks ultimately culminate with the malware decoding the Cobalt Strike executable, followed by injecting it into the legitimate Microsoft Build Engine (MSBuild) process, which has been previously abused by malicious actors to filelessly deliver remote access trojans and password-stealing malware on targeted Windows systems.
Furthermore, the Cobalt Strike instance executed in MSBuild.exe carries additional configuration intended to evade detection by security software. It first loads “wwanmm.dll”, a Windows library that supports the WWAN Media Manager, then writes and runs the Beacon within that DLL’s memory.
“The beacon that executes malicious behavior and receives an attacker’s command does not reside in suspicious memory areas and operates instead in the regular module wwanmm.dll. This allows it to bypass memory-based detection,” researchers pointed out.
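As an added example that is not part of ASEC's report, the following Python flags each stage of the chain described above in a stream of host and SQL Server events. The event field names and the sample records are constructed and assume Sysmon-style process-create and image-load telemetry plus SQL Server failed-login records.

```python
"""Added detection example for the MS SQL -> Cobalt Strike chain above."""
from collections import Counter

# Constructed sample telemetry (not real logs), loosely modelled on SQL Server
# failed-login records and Sysmon process-create / image-load events.
SAMPLE_EVENTS = 5 * [{"type": "sql_login_failed", "user": "sa", "src": "203.0.113.7"}] + [
    {"type": "sql_login_failed", "user": "sa", "src": "198.51.100.2"},
    {"type": "sql_login_failed", "user": "app_user", "src": "10.0.0.5"},
    {"type": "process_create", "parent": "sqlservr.exe", "image": "cmd.exe"},
    {"type": "process_create", "parent": "cmd.exe", "image": "MSBuild.exe"},
    {"type": "process_create", "parent": "devenv.exe", "image": "MSBuild.exe"},
    {"type": "image_load", "image": "MSBuild.exe", "module": "wwanmm.dll"},
    {"type": "image_load", "image": "svchost.exe", "module": "wwanmm.dll"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
# Parents from which MSBuild.exe is expected; a shell parent is the injection pattern.
BUILD_TOOL_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

def sa_brute_force_sources(events, threshold=5):
    """Source IPs with at least `threshold` failed logins to the 'sa' account."""
    failures = Counter(e["src"] for e in events
                       if e["type"] == "sql_login_failed" and e["user"].lower() == "sa")
    return sorted(src for src, n in failures.items() if n >= threshold)

def sqlservr_shell_spawns(events):
    """sqlservr.exe spawning a command interpreter (the foothold step above)."""
    return [e for e in events if e["type"] == "process_create"
            and e["parent"].lower() == "sqlservr.exe" and e["image"].lower() in SHELLS]

def msbuild_from_shell(events):
    """MSBuild.exe launched by something other than a build tool (injection host)."""
    return [e for e in events if e["type"] == "process_create"
            and e["image"].lower() == "msbuild.exe"
            and e["parent"].lower() not in BUILD_TOOL_PARENTS]

def msbuild_loads_wwanmm(events):
    """MSBuild.exe loading wwanmm.dll: a build tool has no use for a WWAN library."""
    return [e for e in events if e["type"] == "image_load"
            and e["image"].lower() == "msbuild.exe" and e["module"].lower() == "wwanmm.dll"]

def triage(events):
    """One summary per stage of the chain, suitable for an alert body."""
    return {"sa_brute_force": sa_brute_force_sources(events),
            "sqlservr_shell": len(sqlservr_shell_spawns(events)),
            "msbuild_from_shell": len(msbuild_from_shell(events)),
            "msbuild_wwanmm": len(msbuild_loads_wwanmm(events))}
```

Run `triage(SAMPLE_EVENTS)` to see one hit per stage; the threshold and parent allow-list are starting points to tune against your own baseline.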