DecryptedTech DecryptedTech DecryptedTech DecryptedTech
Wednesday, 23 February 2022 07:55

Unpatched and Unprotected Microsoft SQL Servers Targeted for Cobalt Strike Injection

Written by
Unpatched and Unprotected Microsoft SQL Servers Targeted for Cobalt Strike Injection

Reading time is around minutes.

It seems that there are still some MS SQL servers that are not only exposed to the open internet but are also still using weak passwords. When this is combined with vulnerabilities and the lack of other security controls and monitoring, it allows threat actors to compromise them. This is the case in a recently observed campaign where the attackers are targeting exposed MS SQL servers and injecting Cobalt Strike.

Cobalt Strike was originally intended as a pentesting/red teaming tool, but was quick co-opted by attackers because, well because it is a pretty click tool. You can use Cobalt Strike to compromise credentials, log keystrokes, manipulate files, and a lot more. It is also resistant to detection because it is file-less shellcode. If an attacker can inject it properly, they can even evade most memory monitoring protections. Like I said, it is a slick tool.

In the case of the current attack, the group (who has not been identified yet) looks for exposed MS SQL servers via a port scan (1433 is the default SQL connection port). Once they have identified an exposed server, they begin working on compromising an admin account. If they can compromise the admin account on the exposed MS SQL, they move to the second phase. This typically involved the deployment of coin miners (MS SQL servers often are heavy on resources) and drop in their Cobalt Strike backdoor.

To get around traditional detection, Cobalt Strike is injected into MSBuild.exe for the initial deployment. To remain hidden the beacon is injected into a legitimate Windows DLL (usually wwanmm.dll). This puts the beacon into a legitimate memory space, so it does not raise suspicion for most memory-based malware detection systems.

Protecting against this type of attack is fairly simple, do not expose the MS SQL server to the internet in the first place, use complex passwords, and keep your SQL Server up to date. Outside of these simple steps you should also invest in a math-based antimalware solution that can not only identify malware, but also look for unusual behaviors like process injection and file-less pivots. Ensuring proper process and transaction monitoring on any MS SQL server is also a critical step to securing your data. MS SQL servers are well known targets for attackers, they also tend to be business critical systems, so operations teams do not want to mess with them. This mind-set needs to change as having a few hours of downtime to patch, replace weak passwords, and/or install antimalware and process monitoring agents is much better than a compromised system or organization.

Read 1231 times
Published in Security Talk
Tagged under
Sean Kalinich

Latest from Sean Kalinich

Related items

More in this category: « noVNC Used by Clever Pentester to get Around MFA During Spearphishing Attack Vulnerabilities, Phishing, and More allow Attackers to Compromise web3 services including OpenSea and Steal $1.7 Million in virtual assets »

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

back to top

Follow Us

  • Follow Us

    Follow DecryptedTech on Social Media

    facebook twitter linkedin