A campaign has been found targeting internet-facing Microsoft SQL (MS SQL) servers that are left unpatched. The attackers are deploying Cobalt Strike beacons on targeted hosts.

A campaign targeting MS SQL Servers 

According to an ASEC report, the attackers are targeting poorly managed public-facing MS SQL servers and using them for further infection of the environment.
  • Intrusions involve scanning port 1433 to check for vulnerable MS SQL servers to carry out brute force or dictionary attacks against the system admin account to log in.
  • The next phase includes spawning a Windows command shell using the MS SQL process (sqlservr[.]exe) to download the next-stage payload, which includes encoded Cobalt Strike binary, on the system.
  • After gaining access to the admin account and logging into the server, the attackers drop coinminers such as Lemon Duck, KingMiner, and Vollgar

Evading detection

The attackers are using Cobalt Strike for persistence, lateral movement, and evading detection via security software.
  • Near the final phase of the attack, the malware decodes the Cobalt Strike executable. This is followed by injection into the genuine Microsoft Build Engine (MSBuild) process.
  • The evasion was achieved by loading a Windows library for WWan Media Manager (wwanmm[.]dll), and writing and executing the beacon inside the memory area of the DLL.
  • The beacon that receives the attacker's command and carries out malicious behavior does not reside in the suspicious memory area and instead works in a normal module wwanmm[.]dll. This way it can bypass memory-based detection mechanisms.

Conclusion

The recent attacks aimed at vulnerable MS SQL servers pose a serious security challenge. Moreover, an unpatched server is always a weak link inside a network. Stay updated with patches, it’s the best defense!
Cyware Publisher

Publisher

Cyware