Hackers Distribute Cobalt Strike to Unpatched MS-SQL Server Instances


Hackers are attempting to deploy the Cobalt Strike adversary simulation tool to vulnerable Internet-facing Microsoft SQL (MS SQL) server instances in a new campaign to steal confidential information from compromised machines.

The warning comes from researchers at the AhnLab Security Emergency Response Center (ASEC) who say they have seen multiple Cobalt Strike logs over the past month.

Cobalt Strike is a commercial penetration testing platform that allows a tester to install a “Beacon” agent on a target machine, allowing remote access to the system.

It was developed as a security tool to emulate attacks on networks, but now a wide range of threat actors are using pirated versions of the software to find weaknesses in corporate networks to deliver secondary payloads, such as ransomware.

According to the researchers, attackers looking to hack MS-SQL Server typically scan port 1433 for publicly accessible instances. Then they attempt to login using brute force or dictionary attacks against the admin account.

Even if the MS-SQL server is not accessible, malware like LemonDuck can be used to scan port 1433 and allow lateral movement within the internal network. Threat actors also use CoinMiner malware such as Vollgar and Kingminer to target MS-SQL server.

“Newly discovered Cobalt Strike was downloaded via cmd.exe and powershell.exe via MS-SQL process,” the researchers said in a report released on Monday.

They discovered that the malware used by the threat actors is an injector that decodes the encrypted Cobalt Strike before executing and injecting the normal MSBuild.exe program.

Cobalt Strike, when run in MSBuild.exe, includes an additional parameter to bypass detection by security software, where it loads the standard dll wwanmm.dll, then writes and executes a beacon in the memory space of the dll.

The beacon that receives the attacker’s command and executes the malicious behavior can easily bypass memory-based detection because it does not reside in a suspicious memory area and instead runs in the standard wwanmm.dll module.

Over the past month, AhnLab’s ASD infrastructure has revealed a slew of Cobalt Strike logs, according to researchers, who believe most of the attacks were carried out by the same threat actor, given the fact that the Download URL and command and control server URL are similar.


About Author

Comments are closed.