Security News > 2022 > February > Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Threat analysts have observed a new wave of attacks installing Cobalt Strike beacons on vulnerable Microsoft SQL Servers, leading to deeper infiltration and subsequent malware infections.
The attacks start with threat actors scanning for servers with an open TCP port 1433, which are likely public-facing MS-SQL servers.
The attacker then carries out brute-forcing and dictionary attacks to crack the password.
Once the attacker gains access to the admin account and logs into the server, the ASEC researchers have seen them drop coin-miners such as Lemon Duck, KingMiner, and Vollgar.
It's now used by Squirrelwaffle, Emotet, malware operators, opportunistic attacks, Linux-targeting groups, sophisticated adversaries, and commonly by ransomware gangs when conducting attacks.
AhnLab's data shows that all the download URLs and C2 server URLs that supported the recent attack wave point to the same attacker.
News URL
Related news
- Microsoft 365 apps crash on Windows Server after Office update (source)
- Microsoft fixes Office 365 apps crashing on Windows Server systems (source)
- Microsoft fixes Windows Server 2022 bug breaking device boot (source)
- Microsoft issues out-of-band fix for Windows Server 2022 NUMA glitch (source)
- Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs (source)
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- Microsoft fixes bug causing Windows Server 2025 boot errors (source)