Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike

Vulnerable Internet-facing Microsoft SQL (MS SQL) servers are being targeted by threat actors in a new campaign to deploy adversary simulation tool Cobalt Strike on compromised hosts.

“Attacks that target MS SQL servers include attacks against the environment where its vulnerability has not been patched, brute forcing, and dictionary attacks against poorly managed servers,” South Korean cybersecurity firm AhnLab Security Emergency Response Center (ASEC) said in a report released on Monday.


Cobalt Strike is a commercial, full-featured penetration testing framework that allows an attacker to deploy an agent named “Beacon” on the victim machine, granting the operator remote access to the system. Although billed as a red team threat simulation platform, pirated versions of the software have been actively used by a wide range of threat actors.

The intrusions observed by ASEC involve the unidentified actor scanning port 1433 to find exposed MS SQL servers and then running brute-force or dictionary attacks against the system administrator account (i.e., the “sa” account) in an attempt to log in.
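The brute-force and dictionary activity described above leaves a trail in the SQL Server error log as repeated "Login failed" entries for the targeted account from one client address. The following detection is an added example written for this article, not code from ASEC's report: it parses constructed ERRORLOG-style lines (the timestamp and "[CLIENT: ip]" layout is assumed from SQL Server's logon failure messages; the sample addresses and timings are invented) and flags any source that exceeds a failure threshold against a watched account inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ERRORLOG line shape (the article names no log format):
# "<timestamp> Logon  Login failed for user '<name>'. Reason: ... [CLIENT: <ip>]"
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample: six 'sa' failures from one address in under a minute,
# two from another, plus failures against a non-watched application login.
SAMPLE_ERRORLOG = """\
2022-02-21 09:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2022-02-21 09:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 09:00:03.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 09:00:05.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 09:00:09.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 09:00:14.55 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 09:00:20.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 09:00:25.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2022-02-21 09:00:31.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 09:07:02.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""


def parse_failures(lines):
    """Yield (timestamp, user, client_ip) for every failed-login line."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["user"], m["client"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1),
                      watched_users=("sa",)):
    """Return {(client_ip, user): peak_failures} for every (client, account)
    pair that reached `threshold` failed logins within any `window`.
    A sliding window over the sorted timestamps keeps the check O(n)."""
    events = defaultdict(list)
    for ts, user, client in parse_failures(lines):
        if user.lower() in watched_users:
            events[(client, user)].append(ts)

    alerts = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


if __name__ == "__main__":
    for (client, user), n in detect_bruteforce(SAMPLE_ERRORLOG.splitlines()).items():
        print(f"ALERT: {n} failed logins for '{user}' from {client} within one minute")
```

The threshold and window are deliberately conservative defaults; a production rule would also correlate with Windows Security event 18456 from the SQL audit trail and suppress known jump hosts.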


That’s not to say servers that aren’t accessible from the Internet aren’t vulnerable: the threat actor behind the LemonDuck malware scans the same port to move laterally across a network.

“Managing administrator account credentials so that they are vulnerable to brute-force and dictionary attacks as above, or not periodically changing credentials, can make the MS-SQL server the primary target of attackers,” the researchers said.

After successfully gaining a foothold, the next stage of the attack spawns a Windows command shell through the MS SQL “sqlservr.exe” process to download the next-stage payload, which drops the encoded Cobalt Strike binary on the system.


The attacks ultimately result in the malware decoding the Cobalt Strike executable and injecting it into the legitimate Microsoft Build Engine (MSBuild) process, which has previously been abused by malicious actors to deliver fileless remote access trojans and password-stealing malware on targeted Windows systems.
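The chain just described (sqlservr.exe spawning a command shell, which fetches a payload that ends up executing inside MSBuild.exe) is visible in process-creation telemetry as an unusual parent-child lineage. The following is an added example, not code from ASEC or from the article: it runs two lineage rules over constructed process-creation records whose field names (pid, ppid, image, cmdline) are assumed and only loosely modelled on Sysmon Event ID 1. The record values, including the placeholder command lines, are invented for the demonstration.

```python
import ntpath

# Interpreters that a database engine has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed process-creation records (field names assumed). The first chain
# mirrors the article's description; the explorer/devenv chains are benign noise.
SAMPLE_EVENTS = [
    {"pid": 1300, "ppid": 600, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 4120, "ppid": 1300, "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe", "cmdline": "sqlservr.exe -sMSSQLSERVER"},
    {"pid": 5020, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c <constructed downloader stage>"},
    {"pid": 5100, "ppid": 5020, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "cmdline": "MSBuild.exe <constructed project file>"},
    {"pid": 7000, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 7010, "ppid": 7000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 8000, "ppid": 7000, "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "cmdline": "devenv.exe"},
    {"pid": 8010, "ppid": 8000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "cmdline": "MSBuild.exe app.sln"},
]


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return ntpath.basename(path).lower()


def build_tree(events):
    """Index records by pid so parents can be resolved in O(1)."""
    return {e["pid"]: e for e in events}


def ancestors(tree, pid):
    """Yield ancestor records of `pid`, nearest first, stopping at an unknown
    parent or on a pid-reuse cycle."""
    seen = {pid}
    cur = tree.get(pid)
    while cur and cur["ppid"] in tree and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = tree[cur["ppid"]]
        yield cur


def detect_sql_shell_chain(events):
    """Return (rule_name, pid) pairs for two lineage anomalies:
    - a shell whose direct parent is sqlservr.exe;
    - MSBuild.exe with sqlservr.exe anywhere in its ancestry."""
    tree = build_tree(events)
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = tree.get(e["ppid"])
        if name in SHELLS and parent and basename(parent["image"]) == "sqlservr.exe":
            alerts.append(("sqlservr-spawned-shell", e["pid"]))
        if name == "msbuild.exe" and any(
            basename(a["image"]) == "sqlservr.exe" for a in ancestors(tree, e["pid"])
        ):
            alerts.append(("msbuild-descended-from-sqlservr", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect_sql_shell_chain(SAMPLE_EVENTS):
        print(f"ALERT {rule}: pid {pid}")
```

The second rule walks the whole ancestry rather than checking only the parent, so an extra hop (a shell that launches a second interpreter before MSBuild) does not defeat it, while MSBuild under Visual Studio in the sample stays quiet.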

Additionally, the Cobalt Strike instance that runs inside MSBuild.exe comes with additional configuration to evade detection by security software. It achieves this by loading “wwanmm.dll”, a Windows library for the WWAN Media Manager, then writing the Beacon into the DLL’s memory area and executing it from there.

“As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal wwanmm.dll module, it can bypass memory-based detection,” the researchers noted.