Security News > 2022 > February > Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Threat analysts have observed a new wave of attacks installing Cobalt Strike beacons on vulnerable Microsoft SQL Servers, leading to deeper infiltration and subsequent malware infections.
The attacks start with threat actors scanning for servers with an open TCP port 1433, which are likely public-facing MS-SQL servers.
The attacker then carries out brute-forcing and dictionary attacks to crack the password.
Once the attacker gains access to the admin account and logs into the server, the ASEC researchers have seen them drop coin-miners such as Lemon Duck, KingMiner, and Vollgar.
It's now used by Squirrelwaffle, Emotet, malware operators, opportunistic attacks, Linux-targeting groups, sophisticated adversaries, and commonly by ransomware gangs when conducting attacks.
AhnLab's data shows that all the download URLs and C2 server URLs that supported the recent attack wave point to the same attacker.
News URL
Related news
- Microsoft fixes Remote Desktop issues caused by Windows Server update (source)
- Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server (source)
- Microsoft confirms Windows Server 2025 blue screen, install issues (source)
- Microsoft blames Windows Server 2025 automatic upgrades on 3rd-party tools (source)
- Microsoft fixes bugs causing Windows Server 2025 blue screens, install issues (source)