DecryptedTech

Friday 19 August 2022

Unpatched and Unprotected Microsoft SQL Servers Targeted for Cobalt Strike Injection



It seems that there are still some MS SQL servers that are not only exposed to the open internet but are also still using weak passwords. When this is combined with vulnerabilities and the lack of other security controls and monitoring, it allows threat actors to compromise them. This is the case in a recently observed campaign where the attackers are targeting exposed MS SQL servers and injecting Cobalt Strike.

Cobalt Strike was originally intended as a pentesting/red teaming tool, but was quickly co-opted by attackers because, well, it is a pretty slick tool. You can use Cobalt Strike to harvest credentials, log keystrokes, manipulate files, and a lot more. Its Beacon payload is also hard to detect because it runs as file-less shellcode: nothing has to be written to disk for it to operate. If an attacker injects it properly, it can even slip past many memory-scanning protections. Like I said, it is a slick tool.

In the current attack, the group (which has not yet been identified) finds exposed MS SQL servers with a port scan (TCP 1433 is the default SQL Server port). Once it has identified an exposed server, it works on compromising an administrative account, which, given the weak passwords in play, means guessing them. If the admin account on the exposed MS SQL server falls, the group moves to the second phase. This typically involves deploying coin miners (SQL servers are usually generously provisioned with CPU and memory, which makes them attractive for mining) and dropping the Cobalt Strike backdoor.

To get around traditional detection, the Cobalt Strike payload is injected into MSBuild.exe, a legitimate, Microsoft-signed build tool, for the initial deployment. To stay hidden, the beacon is then written into the memory of a legitimate Windows DLL (usually wwanmm.dll) loaded in that process. Because the beacon ends up inside the address space of a legitimate module rather than in a suspicious, unbacked allocation, most memory-based malware detection does not flag it.

Protecting against this type of attack is fairly simple: do not expose the MS SQL server to the internet in the first place, enforce strong passwords on every SQL login, and keep SQL Server patched. Beyond those basics, invest in a behaviour-based (machine-learning) antimalware or EDR solution that does not just match known samples but also looks for unusual behaviour such as process injection and file-less pivots; a database engine spawning a build tool is exactly that kind of signal. Proper process and transaction monitoring on every MS SQL server is also a critical step to securing your data. MS SQL servers are well-known targets for attackers, and because they tend to be business-critical systems, operations teams are reluctant to touch them. That mind-set needs to change: a few hours of downtime to patch, replace weak passwords and install antimalware and process-monitoring agents is much better than a compromised system or organization.
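As an added example (not code from the original article or from the researchers who reported the campaign), the following Python implements the kind of logon and process monitoring recommended above, tuned to the two stages described in the article: a burst of failed SQL logons from one client followed by a success from the same client, and MSBuild.exe started somewhere underneath sqlservr.exe. The error-log lines, process events, IP addresses, pids and the `sa` login name are all constructed for the example; the threshold and time window are assumptions to tune for your environment.

```python
"""Detect the two stages of the MS SQL -> Cobalt Strike chain from host
telemetry: (1) password guessing against a SQL login followed by a successful
logon from the same client, and (2) MSBuild.exe running under sqlservr.exe.
All sample data below is constructed for this example, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt. The layout mirrors the real
# "Login failed for user ... [CLIENT: ip]" message; the values are made up.
ERRORLOG = """\
2022-08-19 02:14:03.11 Logon       Error: 18456, Severity: 14, State: 8.
2022-08-19 02:14:03.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-08-19 02:14:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-08-19 02:14:03.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-08-19 02:14:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-08-19 02:14:04.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-08-19 02:14:04.65 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2022-08-19 09:15:12.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_logons(log_text):
    """Yield (timestamp, result, user, client) for every logon line."""
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["result"], m["user"], m["client"]


def detect_password_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {client: {"failures": n, "success_after": bool}} for every client
    that produced at least `threshold` failed logons inside one `window`.
    success_after is True when the same client later logs on successfully,
    which is the strongest sign that a weak password has been guessed.
    threshold and window are assumed values; tune them for your estate."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, _user, client in parse_logons(log_text):
        (failures if result == "failed" else successes)[client].append(ts)
    alerts = {}
    for client, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                burst_end = times[i + threshold - 1]
                alerts[client] = {
                    "failures": len(times),
                    "success_after": any(t >= burst_end for t in successes[client]),
                }
                break
    return alerts


# Constructed process-creation events (Sysmon Event ID 1 style). The chain
# sqlservr.exe -> cmd.exe -> MSBuild.exe is what xp_cmdshell abuse looks like;
# the build-agent MSBuild.exe is a benign control case.
PROCESS_EVENTS = [
    {"pid": 1200, "ppid": 700, "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"},
    {"pid": 3308, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 3310, "ppid": 3308, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"pid": 2000, "ppid": 1, "image": r"C:\agent\Agent.Worker.exe"},
    {"pid": 4100, "ppid": 2000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
]


def ancestry(pid, by_pid):
    """Return lower-cased image basenames from pid up to the oldest known parent."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        chain.append(event["image"].rsplit("\\", 1)[-1].lower())
        pid = event["ppid"]
    return chain


def detect_sql_spawned_msbuild(events):
    """Return pids of MSBuild.exe whose ancestry includes sqlservr.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        if chain[0] == "msbuild.exe" and "sqlservr.exe" in chain[1:]:
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    print("password guessing:", detect_password_guessing(ERRORLOG))
    print("MSBuild under SQL Server:", detect_sql_spawned_msbuild(PROCESS_EVENTS))
```

Both detectors work on the stages that leave a trace in logs: the logon burst lands in the SQL Server error log whether or not the guess succeeds, and the database engine spawning a build tool shows up in process-creation telemetry long before any beacon traffic. The final stage, the beacon sitting in wwanmm.dll's memory inside MSBuild.exe, leaves nothing in these logs; catching that needs a memory scanner or EDR that walks loaded modules, which is the "look for unusual behaviour" investment the article argues for.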
