Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers

Cobalt Strike is being deployed on compromised internet-facing Microsoft SQL servers as part of a new campaign, according to recently released research. MS-SQL is a common target for threat actors because database servers tend to hold sensitive information and credentials that an attacker can reuse to further their objectives, and because the service is often left reachable from the Internet.

The two usual entry points for internet-facing MS-SQL servers are exploiting an unpatched vulnerability in the SQL Server software itself and brute forcing the password of the “sa” account, the built-in system administrator login. Once authenticated with sysadmin rights, the threat actors use the xp_cmdshell extended stored procedure, which runs an operating-system command from inside SQL Server. xp_cmdshell is disabled by default, but a sysadmin-level login such as sa can re-enable it through sp_configure, so a guessed sa password is effectively remote command execution on the host. In this campaign, cmd.exe and powershell.exe spawned by the SQL Server process were observed downloading a Cobalt Strike Beacon and injecting it into MSBuild.exe, a legitimate Windows binary (the .NET build engine). Cobalt Strike then loads the Beacon into the memory of wwanmm.dll, a legitimate Windows library (the WWAN Media Manager), so that the payload executes under the image of a normal module rather than as obviously foreign code. From there the Beacon calls back to its command-and-control (C2) server and waits for tasking from the threat actor.

Although no post-exploitation activity was recorded in the research, the threat actors most likely use this initial compromise as a foothold on the victim’s network from which to move laterally to additional sensitive systems.

Analyst Notes

It is highly recommended not to expose sensitive applications such as SQL databases to the Internet unless absolutely required. Databases are a prime target for threat actors, and an exposed database gives them a direct path into the environment or to the organization’s sensitive information. If Internet accessibility is required, restrict access to known source addresses with firewalls and place an IPS in front of the service to help block vulnerability exploitation and brute forcing attempts.

Credentials used to access the database also need to follow proper password security controls. The sa password must be long and complex to resist brute force and dictionary attacks; better still, disable or rename the sa login and administer the server through Windows authentication or dedicated named logins. Where SQL authentication must remain enabled, keep CHECK_POLICY on for SQL logins so the host’s password and lockout policy applies to them, and rotate privileged passwords periodically so that a slow, long-running guessing attack does not eventually succeed. A proper patching cycle also needs to be in place to prevent known vulnerabilities from being exploited against the application, and xp_cmdshell should stay disabled (its default), with any attempt to enable it through sp_configure treated as an alertable event.

Post-access activity can be monitored for with the appropriate logging in place. sqlservr.exe spawning cmd.exe or powershell.exe is the tell-tale sign of xp_cmdshell and has almost no legitimate reason to occur on a production database server; MSBuild.exe launched from that process chain, especially when it then makes outbound network connections, is a higher-fidelity indicator still. Abnormal process chains, network callouts, and injection techniques can all be alerted on to make administrators aware of a potential infection. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
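The two detections recommended above, the sa brute force from the attack-chain description and the xp_cmdshell process chain from the analyst notes, as an added example that is not code from the original research. The Python below runs both checks over constructed sample telemetry: the ERRORLOG lines follow the real SQL Server logon message format but every timestamp and address is made up, and the process and network event dictionaries use Sysmon-style fields (Event ID 1 and 3) whose key names are an assumption for illustration rather than a real schema.

```python
"""Added example, not from the original research. Two detections for the
campaign stages described above, run over constructed sample telemetry:
 1. 'sa' brute force: a burst of failed 'sa' logins from one client in the
    SQL Server ERRORLOG, and whether a successful 'sa' login followed.
 2. xp_cmdshell abuse: sqlservr.exe spawning cmd.exe/powershell.exe, and
    MSBuild.exe under that lineage making an outbound connection.
Event field names are an assumption for illustration, not a real schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt; message text follows the real SQL Server layout,
# addresses are RFC 5737 documentation ranges.
ERRORLOG = """\
2022-02-21 10:15:03.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 10:15:03.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 10:15:03.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 10:15:04.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 10:15:05.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 10:15:06.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2022-02-21 11:02:40.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.20]
"""

# Constructed process-creation events (Sysmon Event ID 1 style). Real Sysmon data
# should be keyed on ProcessGuid rather than PID, because PIDs are reused.
PROCESS_EVENTS = [
    {"pid": 1200, "ppid": 600, "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "cmdline": "sqlservr.exe -sMSSQLSERVER"},
    {"pid": 4321, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c powershell.exe -nop -w hidden -File C:\Users\Public\st.ps1"},
    {"pid": 5555, "ppid": 4321, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": r"powershell.exe -nop -w hidden -File C:\Users\Public\st.ps1"},
    {"pid": 6666, "ppid": 5555, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "cmdline": "MSBuild.exe"},
    {"pid": 7000, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 7100, "ppid": 7000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},  # an admin's own shell: benign
]
# Constructed network-connection event (Sysmon Event ID 3 style) for the MSBuild.exe process.
NETWORK_EVENTS = [{"pid": 6666, "dst_ip": "198.51.100.23", "dst_port": 443}]

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+Login "
    r"(?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_logons(log_text):
    """Return parsed logon events sorted by time; non-logon lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                           "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])

def detect_sa_bruteforce(log_text, user="sa", threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins for `user` inside `window`,
    and record whether the same client later logged in successfully as `user`."""
    events = parse_logons(log_text)
    failures = defaultdict(list)
    for e in events:
        if e["user"] == user and e["result"] == "failed":
            failures[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in failures.items():  # times ascend because events are sorted
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[ip] = {"failures": len(times), "first": times[0], "last": times[-1],
                            "success_after": any(e["ip"] == ip and e["user"] == user
                                                 and e["result"] == "succeeded"
                                                 and e["ts"] > times[-1] for e in events)}
                break
    return hits

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestor_images(pid, by_pid):
    """Image basenames of pid's ancestors, nearest parent first; stops at unknown PIDs."""
    chain, seen, ev = [], {pid}, by_pid.get(pid)
    while ev is not None and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid.get(ev["ppid"])
        if ev is not None:
            chain.append(basename(ev["image"]))
    return chain

def detect_xp_cmdshell_chain(process_events, network_events):
    """xp_cmdshell runs its command through cmd.exe, so a shell whose direct parent is
    sqlservr.exe is the primary signal. MSBuild.exe descended from sqlservr.exe that
    also opens a network connection matches the Beacon stage and is rated critical."""
    by_pid = {e["pid"]: e for e in process_events}
    net_pids = {e["pid"] for e in network_events}
    alerts = []
    for ev in process_events:
        img, chain = basename(ev["image"]), ancestor_images(ev["pid"], by_pid)
        if "sqlservr.exe" not in chain:
            continue  # benign lineage, e.g. explorer.exe -> cmd.exe
        if img in SHELLS and chain[0] == "sqlservr.exe":
            alerts.append({"rule": "sqlservr_spawned_shell", "pid": ev["pid"],
                           "severity": "high", "cmdline": ev["cmdline"]})
        elif img == "msbuild.exe":
            alerts.append({"rule": "msbuild_under_sqlservr", "pid": ev["pid"],
                           "severity": "critical" if ev["pid"] in net_pids else "high",
                           "chain": chain})
    return alerts
```

Calling `detect_sa_bruteforce(ERRORLOG)` on the sample returns one hit for 203.0.113.5 with five failures and `success_after` set, while the single failure from 10.0.0.20 stays below the threshold; `detect_xp_cmdshell_chain(PROCESS_EVENTS, NETWORK_EVENTS)` returns two alerts, the cmd.exe child of sqlservr.exe and the MSBuild.exe process rated critical because of its outbound connection, and ignores the administrator’s cmd.exe under explorer.exe. In production, feed the first function the live ERRORLOG (or the equivalent login audit events) and the second your EDR or Sysmon process and network telemetry, keyed on process GUIDs rather than PIDs.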
