Earlier this week, Microsoft SQL Server threat analysts detected suspicious activity happening on vulnerable Microsoft SQL servers.
According to cybersecurity researchers, hackers hacked the system by installing Cobalt Strike beacons. This will further infect the malware throughout the network.
Attackers Target Microsoft SQL Servers Using Cobalt Strike
According to cybersecurity researchers, hackers attacked the MS SQL Server by installing Cobalt Strike beacons.
In a news report from TechRadar on Thursday, February 24, experts noticed a series of attacks on MS SQL servers. Ahn Lab’s cybersecurity firm ASEC notes that there are threat actors behind these attacks.
To carry out the operation, the attackers will start by scanning the servers with TCP port 1433. Then the group will carry out successive attacks to break inside the system and crack the code. its.
The researchers continued that passwords should be weak or easy to guess. This is where the attack will depend. When the threat agent is deployed in the admin account, that’s when the hackers install Cobalt Strike to increase the malware spread in the server.
ASEC experts have also witnessed countless cases involving miners including Vollgar, Lemon Duck, and KingMinder.
As a paid penetration testing product as described by Tech Radar, Cobalt Strike is usually downloaded through a command shell process, especially via powershell.exe and cmd.exe.
For just $3,500, the malware team can use it to perform malicious activities. This could allow them to conduct simulations of a real attack to compromise a number of businesses and organizations.
Once injected into the Microsoft server, it will ignore detection in MSBuild.exe. From there, the execution is expected to succeed, and when that happens, the attackers inject the beacon into the warm.dull process.
While it remains hidden in the system library file, it will have to wait for the command to be executed by the attacker.
“Since the beacon that takes an attacker’s command and performs malicious behavior that doesn’t exist in a suspicious memory area and instead operates in the normal wwanmm.dll module, it may bypass detection based on memory,” Ahn Lab’s ASEC team wrote in its report.
Threats have taken advantage of Cobalt Strike for a number of reasons
Bleeping Computer noted in its report earlier this week that there are reasons for abusive attackers to use this product for their activities.
Escalation of privileges
Mimikatz (stealing credentials)
How to Stay Safe from Cobalt Strike Attacks
Since the common targets of exploits using this product are primary servers, it is best to strengthen your password for security protection. Try to enter a mixed code consisting of numbers and letters, as well as lowercase and uppercase characters.
According to the report, you should also refrain Microsoft SQL Server from using the usual “123” patterns when thinking of a strong password. You shouldn’t use your date of birth or name as a password because hackers can get access to your other information first.
This is not the first time Microsoft Corporation has been attacked by hackers using Cobalt Strike. In 2020, attackers deployed “FakeUpdates” malware to infect networks with malware.