Security News > 2022 > February > Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike

Vulnerable internet-facing Microsoft SQL Servers are being targeted by threat actors as part of a new campaign to deploy the Cobalt Strike adversary simulation tool on compromised hosts.

"Attacks that target MS SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers," South Korean cybersecurity company AhnLab Security Emergency Response Center said in a report published Monday.

Cobalt Strike is a commercial, full-featured penetration testing framework that allows an attacker to deploy an agent named "Beacon" on the victim machine, granting the operator remote access to the system.

Intrusions observed by ASEC involve the unidentified actor scanning port 1433 to check for exposed MS SQL servers to perform brute force or dictionary attacks against the system administrator account, i.e., "Sa" account, to attempt a log in.

Upon successfully gaining a foothold, the next phase of the attack works by spawning a Windows command shell via the MS SQL "Sqlservr.exe" process to download the next-stage payload that houses the encoded Cobalt Strike binary on to the system.

The attacks ultimately culminate with the malware decoding the Cobalt Strike executable, followed by injecting it into the legitimate Microsoft Build Engine process, which has been previously abused by malicious actors to filelessly deliver remote access trojans and password-stealing malware on targeted Windows systems.

News URL

https://thehackernews.com/2022/02/hackers-backdoor-unpatched-microsoft.html