A campaign has been found targeting internet-facing Microsoft SQL (MS SQL) servers that are left unpatched. The attackers are deploying Cobalt Strike beacons on targeted hosts.
A campaign targeting MS SQL Servers
According to an ASEC report, the attackers are targeting poorly managed public-facing MS SQL servers and using them for further infection of the environment.
Intrusions begin with scans of port 1433 to find exposed MS SQL servers, followed by brute-force or dictionary attacks against the system administrator (sa) account to log in.
The next phase spawns a Windows command shell from the MS SQL process (sqlservr[.]exe) to download the next-stage payload, which includes an encoded Cobalt Strike binary, onto the system.
After gaining access to the admin account and logging into the server, the attackers drop coinminers such as Lemon Duck, KingMiner, and Vollgar.
Evading detection
The attackers use Cobalt Strike for persistence, lateral movement, and evading detection by security software.
Near the final phase of the attack, the malware decodes the Cobalt Strike executable. This is followed by injection into the genuine Microsoft Build Engine (MSBuild) process.
Evasion is achieved by loading the Windows WWAN Media Manager library (wwanmm[.]dll) and then writing and executing the beacon inside that DLL's memory region.
Because the beacon that receives the attacker's commands and carries out the malicious behavior does not sit in a suspicious memory area but runs inside the legitimate module wwanmm[.]dll, it can bypass memory-based detection mechanisms.
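As an added defender's example (not code from the ASEC report), the following Python turns the stages described above into three detection rules run over constructed sample events: repeated SQL Server login failures (Application log event 18456) against the sa account from one client, a shell spawned as a child of sqlservr.exe (Sysmon event 1), and MSBuild.exe loading wwanmm.dll (Sysmon event 7). The event field names, the sample records and the failure threshold are assumptions.

```python
from collections import Counter

# Constructed sample records (not from the report), shaped like JSON-exported
# Windows events: 18456 = SQL Server login failure (Application log),
# Sysmon 1 = process creation, Sysmon 7 = image load.
SAMPLE_EVENTS = [
    {"EventID": 18456, "User": "sa", "ClientAddress": "203.0.113.7"} for _ in range(6)
] + [
    {"EventID": 18456, "User": "sa", "ClientAddress": "198.51.100.9"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ImageLoaded": r"C:\Windows\System32\wwanmm.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wwanmm.dll"},
]

SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, failed_login_threshold=5):
    """Return (rule, detail) alerts for the three attack stages; threshold is an assumed tuning value."""
    alerts = []
    sa_failures = Counter()  # failed sa logins per client address
    for ev in events:
        eid = ev.get("EventID")
        if eid == 18456 and ev.get("User", "").lower() == "sa":
            sa_failures[ev.get("ClientAddress")] += 1
        elif eid == 1 and basename(ev["ParentImage"]) == "sqlservr.exe" \
                and basename(ev["Image"]) in SHELLS:
            # xp_cmdshell-style shell spawned by the database engine
            alerts.append(("sqlservr_spawns_shell", ev["Image"]))
        elif eid == 7 and basename(ev["Image"]) == "msbuild.exe" \
                and basename(ev["ImageLoaded"]) == "wwanmm.dll":
            # MSBuild has no business loading the WWAN Media Manager DLL
            alerts.append(("msbuild_loads_wwanmm", ev["ImageLoaded"]))
    for src, n in sa_failures.items():
        if n >= failed_login_threshold:
            alerts.append(("sa_bruteforce", f"{src} ({n} failures)"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```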
Conclusion
The recent attacks aimed at vulnerable MS SQL servers pose a serious security challenge. Moreover, an unpatched server is always a weak link inside a network. Keep servers patched; it is the best defense!