HomeWinBuzzer NewsMicrosoft SQL Servers Hit with Cobalt Strike Attacks

Microsoft SQL Servers Hit with Cobalt Strike Attacks

Threat actors are targeting Microsoft SQL Servers with weak passwords to install Cobalt Strike backdoors for further attacks.

-

Security researchers have found new Cobalt Strike attacks targeting vulnerable SQL Servers. While the discoveries are beacons, they can lead to deeper penetration of servers and eventually deliver malware.

Microsoft SQL is one of the most popular database management systems and is used by major internet apps as well as millions of smaller services.

One problem is many of the deployments – especially smaller ones – do not have proper security and are protected with weak passwords. In a new report, Ahn Lab's ASEC says threat actors are now exploiting this vulnerability with Cobalt Strike.

Attackers will scan servers to find open TCP port 1433, which is one sign a MS-SQL server is public-facing. When an open port is found, the hackers conducts a brute-force and dictionary attacks to discover the password.

Cracking the password can only happen if the password is weak. If that happens, the attacker gains access to the SQL Server admin accounts. Amongst the attack uses ASEC has observed including coin miners and creating backdoors by using Cobalt Strike.

Backdoor

By installing Cobalt Strike through a command shell process, a beacon is placed in the legitimate Windows wwanmm.dll process. It remains hidden giving the attacker constant access when they need it.

“As the beacon that receives the attacker's command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection,” points out the report by Ahn Lab's ASEC group.

It is worth noting that Cobalt Strike is envisioned as an ethical hacking tool but has become used by cybercriminals too.

Typically, this attack is one that can be relatively easily prevented. All admins on MS-SQL need to do is create a strong password.

Tip: To protect your system against attacks that might render your SQL server unusable, using a solid backup solution is key. SQL Server Backup from BDRSuite is a cost-effective software that offers agentless image-level backups that can be stored online or offline and  which allows to restore an SQL server in less than 15 minutes.

SourceASEC
Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News