Earlier this week, threat analysts discovered a suspicious activity that was happening on vulnerable Microsoft SQL servers.
According to cybersecurity researchers, the hackers attacked the systems by installing Cobalt Strike beacons. This would further spread malware infection across the network.
Microsoft SQL Servers Hit By Cobalt Strike Attackers
In a news report from TechRadar on Thursday, Feb. 24, experts noticed a series of attacks on the MS SQL server. Cybersecurity firm Ahn Lab's ASEC noted that there were threat actors behind these attacks.
To carry out the operations, the attackers will start by scanning the servers with TCP port 1433. After that, the group will launch successive attacks to break inside the system and crack its code.
The researchers continued that the password should be weak or easy to guess. This is where the attack will depend. When the threat actor was deployed in the admin account, that's the time that the hackers installed Cobalt Strike to intensify the malware spread in the servers.
The ASEC experts also witnessed a myriad of cases involving coin miners including Vollgar, Lemon Duck, and KingMinder.
As a paid penetration testing product as described by Tech Radar, Cobalt Strike is often downloaded through the command shell process, particularly via powershell.exe and cmd.exe.
For just $3,500, the malware group could utilize it to pull off malicious activities. This could allow them to conduct real attack-simulation to compromise several businesses and organizations.
Once injected into the Microsoft server, it would bypass the detection in MSBuild.exe. From there, the execution is expected to succeed and when that happens, the attackers will now inject the beacon into the wwanmm.dlll process.
While remaining inconspicuous in the system library file, it will have to wait for the command to be executed by the attacker.
"As the beacon that receives the attacker's command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection," Ahn Lab's ASEC group wrote in its report.
Related Article: Powershell Ransomware: Unpatched Microsoft Exchange Email Servers Become the Latest Victims of the Attack
The Reasons Behind Why Threat Actors Took Advantage of Cobalt Strike
Bleeping Computer noted on its report earlier this week that there are reasons why attackers abused using this product for their operations.
Command execution
Keylogging
File operations
SOCKS proxying
Privilege escalation
Mimikatz (credential-stealing)
Port scanning
How to Remain Secure Against Cobalt Strike Attacks
Since the common targets of exploitation using this product are weak servers, it's best to strengthen passwords for security protection. Try to input a mixed code of numbers and letters, as well as lowercase and uppercase characters.
According to the report, you should also refrain from using the usual "123" patterns when thinking of a powerful password. You should not use your birthday or name as a passcode since hackers can gain access to your other information beforehand.
This was not the first time that the Microsoft group was hit by hackers who used Cobalt Strike. In 2020, the attackers deployed "FakeUpdates" malware to infect the networks with malware.
Read Also: China-Backed Hackers Could Be Exploiting Log4j Security Flaw, According to Cybersecurity Analysts
This article is owned by Tech Times
Written by Joseph Henry