Microsoft SQL is one of the most popular database management systems and is used by major internet apps as well as millions of smaller services. One problem is many of the deployments – especially smaller ones – do not have proper security and are protected with weak passwords. In a new report, Ahn Lab’s ASEC says threat actors are now exploiting this vulnerability with Cobalt Strike. Attackers will scan servers to find open TCP port 1433, which is one sign a MS-SQL server is public-facing. When an open port is found, the hackers conducts a brute-force and dictionary attacks to discover the password. Cracking the password can only happen if the password is weak. If that happens, the attacker gains access to the SQL Server admin accounts. Amongst the attack uses ASEC has observed including coin miners and creating backdoors by using Cobalt Strike.

Backdoor

By installing Cobalt Strike through a command shell process, a beacon is placed in the legitimate Windows wwanmm.dll process. It remains hidden giving the attacker constant access when they need it. “As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection,” points out the report by Ahn Lab’s ASEC group. It is worth noting that Cobalt Strike is envisioned as an ethical hacking tool but has become used by cybercriminals too. Typically, this attack is one that can be relatively easily prevented. All admins on MS-SQL need to do is create a strong password. Tip of the day: The Windows Clipboard history feature provides the functionality across device, space, and time, letting you copy on one computer and paste the text days later on a different PC. All of it is possible via the Windows 10 clipboard manager, which lets you view, delete, pin, and clear clipboard history at will. In our tutorial we show you how to enable the feature, clear clipboard history, and enable/disable clipboard sync to meet your preferences. You can also create a clear clipboard shortcut for quick removal of stored content.

Microsoft SQL Servers Hit with Cobalt Strike Attacks - 41Microsoft SQL Servers Hit with Cobalt Strike Attacks - 71Microsoft SQL Servers Hit with Cobalt Strike Attacks - 78Microsoft SQL Servers Hit with Cobalt Strike Attacks - 54Microsoft SQL Servers Hit with Cobalt Strike Attacks - 99