Security researchers have found new Cobalt Strike attacks targeting vulnerable Microsoft SQL Servers. What they discovered are Cobalt Strike beacons, but a beacon gives the attacker a foothold from which to penetrate the server further and eventually deliver malware.
Microsoft SQL is one of the most popular database management systems and is used by major internet apps as well as millions of smaller services.
One problem is that many deployments – especially smaller ones – are not properly secured and are protected only by weak passwords. In a new report, Ahn Lab's ASEC says threat actors are now exploiting this weakness to deploy Cobalt Strike.
Attackers scan for servers with TCP port 1433 open, one sign that an MS-SQL server is public-facing. When an open port is found, the attackers run brute-force and dictionary attacks to discover the password.
Cracking the password only succeeds if the password is weak. When it does, the attacker gains access to the SQL Server admin account. Among the follow-on activity ASEC has observed are coin miners and backdoors created with Cobalt Strike.
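The password-guessing stage described above leaves a trail in the SQL Server ERRORLOG, one "Login failed" line per attempt with the client address. The following detector is an added example, not code from the article or from ASEC: it parses constructed ERRORLOG lines (the layout is assumed from the standard ERRORLOG format, and the IPs and timestamps are made up) and flags any client that exceeds a threshold of failed logins inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Login failed" line SQL Server writes to its ERRORLOG (the companion
# "Error: 18456" line is ignored); layout assumed: timestamp, source, message, [CLIENT: ip].
LOGIN_FAILED = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
                          r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]$")

def _failed(ts, user, ip):  # builds a constructed ERRORLOG line in the real layout
    return (f"{ts} Logon       Login failed for user '{user}'. Reason: Password "
            f"did not match that for the login provided. [CLIENT: {ip}]")

# Constructed sample: one host hammers 'sa' six times in five seconds, another
# host mistypes a password twice half an hour apart, plus an unrelated line.
SAMPLE_ERRORLOG = (
    [_failed(f"2022-02-21 10:00:0{i}.00", "sa", "203.0.113.5") for i in range(1, 7)]
    + [_failed("2022-02-21 10:05:00.00", "appuser", "198.51.100.7"),
       _failed("2022-02-21 10:30:00.00", "appuser", "198.51.100.7"),
       "2022-02-21 10:30:01.00 spid52      Starting up database 'tempdb'."]
)

def parse_failures(lines):
    """Return (timestamp, user, client_ip) tuples for every failed-login line."""
    out = []
    for line in lines:
        m = LOGIN_FAILED.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            out.append((ts, m.group("user"), m.group("ip")))
    return out

def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Map client IP -> peak failed logins inside any sliding window, keeping only
    IPs whose peak reaches `threshold` (the password-guessing pattern above)."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop stamps older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

Running `find_bruteforce(SAMPLE_ERRORLOG)` flags only 203.0.113.5 with six failures; the two isolated typos from 198.51.100.7 stay below the threshold.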
By installing Cobalt Strike through a command shell process, a beacon is placed in the legitimate Windows module wwanmm.dll. It remains hidden, giving the attacker persistent access whenever they need it.
“As the beacon that receives the attacker's command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection,” points out the report by Ahn Lab's ASEC group.
It is worth noting that Cobalt Strike was designed as a legitimate penetration-testing tool but has come to be used by cybercriminals too.
Typically, this attack is relatively easy to prevent: all MS-SQL admins need to do is set a strong password.
Tip: To protect your system against attacks that might render your SQL Server unusable, a solid backup solution is key. SQL Server Backup from BDRSuite is cost-effective software that offers agentless image-level backups, which can be stored online or offline and allow a SQL Server to be restored in less than 15 minutes.