Threat actors have targeted vulnerable internet-facing Microsoft SQL (MS SQL) servers. The attacks entail planting the Cobalt Strike adversary simulation tool on the targeted systems.
“Attacks that target MS SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers,” South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) said in a report published Monday.
Cobalt Strike is a commercial, full-featured penetration testing framework that allows an attacker to deploy an agent named “Beacon” on the victim machine, granting the operator remote access to the system. Although billed as a red team threat simulation platform, cracked versions of the software have been actively used by a wide range of threat actors.
ASEC analysed intrusions in which an unidentified actor scans port 1433 (the default MS SQL listener) to find exposed servers and then attempts to log in by brute forcing or running dictionary attacks against the system administrator account, i.e., the “sa” account.
That’s not to say that servers kept off the internet are safe: the threat actor behind the LemonDuck malware scans the same port to move laterally across internal networks.
“Managing admin account credentials so that they’re vulnerable to brute forcing and dictionary attacks as above or failing to change the credentials periodically may make the MS-SQL server the main target of attackers,” the researchers said.
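The brute-force and dictionary pattern described above leaves a trail in the server’s own error log, where every rejected login is recorded as error 18456 with the offending login name and client address. The following Python example is added here and is not code from ASEC or the article: it runs a sliding-window counter over constructed SQL Server ERRORLOG “Login failed” lines and raises an alert once one client has crossed a failure threshold against one login. The threshold, the window length, the IP addresses and the timestamps are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the shape of SQL Server ERRORLOG "Login failed"
# entries (error 18456). IPs, logins and timestamps are made up for this example.
SAMPLE_LOG = """\
2023-02-20 03:14:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-02-20 03:14:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-02-20 03:14:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-02-20 03:14:02.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-02-20 03:14:03.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-02-20 03:14:03.44 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-02-20 03:15:10.00 Logon       Login failed for user 'reporting_user'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-02-20 04:02:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.9]
2023-02-20 04:02:30.00 spid52      Starting up database 'tempdb'.
"""

# Timestamp, login name and client address from a "Login failed" line; other lines do not match.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<login>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Yield (timestamp, login, client_ip) for every 'Login failed' line in the log text."""
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["login"], m["client"])


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag (client, login) pairs with at least `threshold` failures inside any span of
    `window_seconds`. Returns a list of alert dicts; failures against 'sa' are rated high
    because that is the account the reported attacks go after."""
    recent = defaultdict(deque)  # (client, login) -> failure timestamps still inside the window
    alerts = {}
    for ts, login, client in sorted(parse_failed_logins(text)):
        key = (client, login)
        q = recent[key]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(key, {
                "client": client, "login": login, "first_seen": q[0],
                "failures": 0, "severity": "high" if login == "sa" else "medium",
            })
            alert["failures"] = max(alert["failures"], len(q))
            alert["last_seen"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['severity'].upper()}: {a['failures']} failed logins for '{a['login']}' "
              f"from {a['client']} between {a['first_seen']} and {a['last_seen']}")
```

Run against the constructed log, only the six rapid failures from 203.0.113.5 against “sa” produce an alert; the single failures from the other two clients stay below the threshold. In production the same counter would read the log through SQL Server’s failed-login auditing or the Windows Application event log rather than a text dump, and the threshold should be set from the server’s own baseline of mistyped passwords.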
Once the attackers have gained a foothold, the next step is to launch a Windows command shell from the MS SQL server process, “sqlservr.exe”, and use it to download a payload carrying an encoded Cobalt Strike onto the system.
The downloaded malware then decodes the Cobalt Strike executable and injects it into the legitimate Microsoft Build Engine (MSBuild) process. Attackers have previously abused MSBuild to deploy remote access trojans and password-stealing malware on targeted systems.
Furthermore, the Cobalt Strike instance that runs inside MSBuild.exe carries additional configuration to evade security software: it loads “wwanmm.dll,” the Windows WWAN Media Manager library, then writes the Beacon into that DLL’s memory region and executes it from there.
“As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection,” the researchers noted.
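The chain described in the last four paragraphs (sqlservr.exe launching a command shell, MSBuild.exe appearing beneath it, and MSBuild.exe loading wwanmm.dll) is visible in ordinary endpoint telemetry even when the Beacon bytes themselves sit inside a legitimate module’s memory. The following Python example is added here and is not code from ASEC or the article: it applies three lineage and module-load rules to constructed Sysmon-style process-creation and image-load records. PIDs and paths are made up, and a benign MSBuild.exe started from Visual Studio is included so the rules can be shown not to fire on it.

```python
# Constructed process-creation telemetry (Sysmon Event ID 1 style fields).
# PIDs and paths are made up; the lineage mirrors the chain in the report:
# sqlservr.exe -> cmd.exe -> MSBuild.exe. A second MSBuild.exe started by a
# developer's IDE is the benign case that must NOT be flagged.
PROCESS_EVENTS = [
    {"pid": 604,  "ppid": 480,  "image": r"C:\Windows\System32\services.exe"},
    {"pid": 1204, "ppid": 604,  "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"pid": 3320, "ppid": 1204, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4412, "ppid": 3320, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"pid": 2200, "ppid": 1880, "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
    {"pid": 5100, "ppid": 2200, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
]

# Constructed image-load telemetry (Sysmon Event ID 7 style fields).
IMAGE_LOAD_EVENTS = [
    {"pid": 4412, "image_loaded": r"C:\Windows\System32\wwanmm.dll"},
    {"pid": 5100, "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Build.dll"},
    {"pid": 1204, "image_loaded": r"C:\Windows\System32\ntdll.dll"},
]

SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (split on backslash, so it also works off-Windows)."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Image basenames of pid's parent, grandparent, ... up to the last known process (cycle-safe)."""
    chain, seen = [], set()
    proc = by_pid.get(pid)
    while proc and proc["ppid"] in by_pid and proc["ppid"] not in seen:
        seen.add(proc["ppid"])
        proc = by_pid[proc["ppid"]]
        chain.append(basename(proc["image"]))
    return chain


def detect(process_events, image_load_events):
    """Apply three rules derived from the reported attack chain; return sorted (rule, pid) pairs."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = set()
    for e in process_events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        # Rule 1: the SQL Server service process spawning a command shell.
        if name in SHELLS and parent_name == "sqlservr.exe":
            findings.add(("sqlservr_spawns_shell", e["pid"]))
        # Rule 2: MSBuild anywhere beneath sqlservr.exe (a build tool launched from a database engine).
        if name == "msbuild.exe" and "sqlservr.exe" in ancestors(e["pid"], by_pid):
            findings.add(("msbuild_descends_from_sqlservr", e["pid"]))
    # Rule 3: MSBuild loading the WWAN Media Manager DLL the report says the Beacon is hidden in.
    for ev in image_load_events:
        proc = by_pid.get(ev["pid"])
        if proc and basename(proc["image"]) == "msbuild.exe" and basename(ev["image_loaded"]) == "wwanmm.dll":
            findings.add(("msbuild_loads_wwanmm", ev["pid"]))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(PROCESS_EVENTS, IMAGE_LOAD_EVENTS):
        print(f"{rule}: pid {pid}")
```

On the constructed records the malicious MSBuild.exe (pid 4412) trips both the lineage rule and the module-load rule, the shell it descends from (pid 3320) trips the first rule, and the developer’s MSBuild.exe (pid 5100) trips nothing. Rule 3 is the answer to the evasion the researchers describe: hiding the Beacon inside wwanmm.dll defeats scanners that look for suspicious memory regions, but the load of that DLL into a build tool is still an ordinary, loggable event. The rule as written keys on the one DLL named in the report; a more durable version would baseline which modules MSBuild.exe normally loads in a given environment and alert on any departure from it.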