Threat actors are targeting weak internet-facing Microsoft SQL (MS SQL) Servers in a new campaign to install the Cobalt Strike adversary simulation tool on compromised hosts. In a recently released report, South Korean cybersecurity firm AhnLab Security Emergency Response Center (ASEC) warned that attacks against MS SQL servers include brute-force and dictionary attacks against poorly managed servers, as well as attacks on environments where a known weakness has not been addressed.
Cobalt Strike is a full-featured commercial penetration testing framework that lets an attacker install a “Beacon” agent on the target PC, giving the operator remote access to the system. Despite being marketed as a threat simulation tool for red teams, cracked copies of the program have been actively used by various threat actors.
ASEC has observed an unidentified actor scanning port 1433 for exposed MS SQL servers and then attempting to log in with brute-force or dictionary attacks against the system administrator account, i.e., the “sa” account. Servers that are not connected to the internet are not necessarily safe either: the threat actor behind the LemonDuck malware uses the same port to move laterally across a network.
“Managing admin account credentials so that they’re vulnerable to brute-forcing and dictionary attacks as above or failing to change the credentials periodically may make the MS-SQL server the main target of attackers,” the researchers said.
In the second stage, the attacker spawns a Windows command shell from the MS SQL “sqlservr.exe” process and uses it to download the next-stage payload, including an encoded Cobalt Strike binary, onto the system. The malware decodes the Cobalt Strike executable and injects it into the legitimate Microsoft Build Engine (MSBuild.exe) process, which malicious actors have previously abused to deliver fileless remote access trojans and password-stealing malware to targeted Windows systems.
The Cobalt Strike executable injected into MSBuild.exe also carries extra parameters to evade detection by security software. It loads “wwanmm.dll,” a Windows library for the WWan Media Manager, then writes the Beacon into that DLL’s memory region and executes it from there.
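The two detection opportunities this chain offers a defender are the repeated failed “sa” logins described above and the process lineage sqlservr.exe -> command shell -> MSBuild.exe. The following is an added example, not code from the ASEC report, that runs both checks over a constructed sample of flattened login-failure and Sysmon-style process-creation records; the SQL Server install path, PIDs and addresses are invented for the sample.

```python
from collections import defaultdict

SHELLS = {"cmd.exe", "powershell.exe"}
# Hypothetical install path used only in the constructed sample below.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"

# Constructed sample telemetry (not real logs): six SQL Server login failures for "sa"
# from one address, one unrelated failure, and three Sysmon-style process-creation
# records, flattened into dicts so the example runs offline.
SAMPLE_EVENTS = [
    {"type": "login_failed", "user": "sa", "src": "203.0.113.7"} for _ in range(6)
] + [
    {"type": "login_failed", "user": "reporting", "src": "10.0.0.5"},
    {"type": "process", "pid": 1200, "ppid": 800,
     "image": r"C:\Windows\System32\cmd.exe", "parent": SQLSERVR},
    {"type": "process", "pid": 1300, "ppid": 1200,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 1400, "ppid": 900,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
]

def exe_name(path):
    """Lower-cased file name from a Windows path, independent of the host OS."""
    return path.rsplit("\\", 1)[-1].lower()

def sa_bruteforce_sources(events, threshold=5):
    """Source addresses with at least `threshold` failed logins for the sa account."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "login_failed" and e["user"].lower() == "sa":
            counts[e["src"]] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)

def sql_shell_chains(events):
    """Shells spawned by sqlservr.exe, noting whether each then launched MSBuild.exe."""
    procs = [e for e in events if e["type"] == "process"]
    findings = []
    for p in procs:
        if exe_name(p["parent"]) == "sqlservr.exe" and exe_name(p["image"]) in SHELLS:
            msbuild = [c["pid"] for c in procs
                       if c["ppid"] == p["pid"] and exe_name(c["image"]) == "msbuild.exe"]
            findings.append({"shell_pid": p["pid"], "msbuild_pid": msbuild[0] if msbuild else None})
    return findings

if __name__ == "__main__":
    print("sa brute-force sources:", sa_bruteforce_sources(SAMPLE_EVENTS))
    print("sqlservr.exe -> shell chains:", sql_shell_chains(SAMPLE_EVENTS))
```

A shell whose parent is sqlservr.exe is rare in normal operation, so the second check is worth alerting on even when no MSBuild.exe child follows.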