Vulnerable Internet-facing Microsoft SQL (MS SQL) servers are being targeted by threat actors in a new campaign to deploy the adversary simulation tool Cobalt Strike on compromised hosts.
“Attacks that target MS SQL servers include attacks on the environment where its vulnerability has not been patched, brute forcing and dictionary attack against mismanaged servers,” South Korean cybersecurity firm AhnLab Security Emergency Response Center (ASEC) noted in a report released Monday.
Cobalt Strike is a commercial, full-featured penetration testing framework that allows an attacker to deploy an agent named “Beacon” on the victim machine, granting the operator remote access to the system. Although billed as a red team threat simulation platform, pirated versions of the software have been actively used by a wide range of threat actors.
The intrusions observed by ASEC involve the unidentified actor scanning port 1433 to search for exposed MS SQL servers in order to perform brute force or dictionary attacks against the system administrator account, i.e., the “sa” account, to attempt a connection.
That’s not to say servers not accessible on the Internet aren’t vulnerable, with the threat actor behind the LemonDuck malware scanning the same port to move laterally across the network.
“Managing administrator account credentials so that they are vulnerable to brute-force and dictionary attacks as above or not periodically changing credentials can make MS-SQL server the primary target of attackers,” the researchers said.
After successfully gaining a foothold, the next phase of the attack works by spawning a Windows command shell via the MS SQL “sqlservr.exe” process to download the next-stage payload, which houses the encoded Cobalt Strike binary, onto the system.
The attacks ultimately result in the malware decoding the Cobalt Strike executable, followed by its injection into Microsoft’s legitimate build engine (MSBuild), which has already been abused by malicious actors to filelessly distribute remote access Trojans and password-stealing malware to targeted Windows systems.
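A detection sketch for the process chain described above, added here as an example and not taken from the ASEC report: it flags a command shell whose parent is sqlservr.exe and any MSBuild.exe started further down that process tree. The events are constructed samples using Sysmon Event ID 1 field names; the file paths, the payload name loader.exe and the assumption that MSBuild.exe is launched by a descendant of that shell are illustrative.

```python
from ntpath import basename  # parses Windows paths on any OS

SHELLS = {"cmd.exe", "powershell.exe"}

def exe(path):
    """Lower-cased executable name from a full Windows path."""
    return basename(path).lower()

def find_suspicious(events):
    """Return (rule, ProcessGuid) findings; events must be in creation order."""
    tainted = set()   # processes descending from a shell spawned by sqlservr.exe
    findings = []
    for e in events:
        child, parent = exe(e["Image"]), exe(e["ParentImage"])
        guid = e["ProcessGuid"]
        if parent == "sqlservr.exe" and child in SHELLS:
            tainted.add(guid)
            findings.append(("sqlservr_spawned_shell", guid))
        elif e["ParentProcessGuid"] in tainted:
            tainted.add(guid)  # keep following the tree below the shell
            if child == "msbuild.exe":
                findings.append(("msbuild_under_sqlservr_shell", guid))
    return findings

def ev(guid, pguid, image, parent):
    """Build one event using Sysmon Event ID 1 field names."""
    return {"ProcessGuid": guid, "ParentProcessGuid": pguid,
            "Image": image, "ParentImage": parent}

MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SQL = r"C:\MSSQL\Binn\sqlservr.exe"          # constructed install path
CMD = r"C:\Windows\System32\cmd.exe"
LOADER = r"C:\Users\Public\loader.exe"       # hypothetical payload name

# Constructed sample events, not data from the report.
EVENTS = [
    ev("G1", "G0", SQL, r"C:\Windows\System32\services.exe"),  # normal service start
    ev("G2", "G1", CMD, SQL),                                  # shell under sqlservr.exe
    ev("G3", "G2", LOADER, CMD),                               # payload run by the shell
    ev("G4", "G3", MSBUILD, LOADER),                           # MSBuild in the same tree
    ev("G5", "G9", MSBUILD, r"C:\VS\devenv.exe"),              # ordinary developer build
    ev("G6", "G8", CMD, r"C:\Windows\explorer.exe"),           # interactive shell
]

if __name__ == "__main__":
    for rule, guid in find_suspicious(EVENTS):
        print(rule, guid)
```

Baseline the first rule against the server's normal behaviour before alerting on it, since some administrative jobs also start shells from the database process.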
Additionally, the Cobalt Strike that runs in MSBuild.exe comes with additional configurations to evade detection by security software. It achieves this by loading “wwanmm.dll”, a Windows library for WWan Media Manager, then writing and executing the Beacon in the DLL’s memory area.
“As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal wwanmm.dll module, it can bypass memory-based detection,” the researchers noted.