Hackers Target Microsoft SQL Database Servers Through Cobalt Strike

Vulnerable Microsoft SQL Servers Targeted Through Cobalt Strike

VTA-00407 – Hackers Target Microsoft SQL Database Servers Through Cobalt Strike

The ASEC analysis team has reported that vulnerable MS-SQL servers are being targeted for the distribution of Cobalt Strike. The attacks include attacks on environments with an unpatched vulnerability, brute forcing and dictionary attacks. MS-SQL is a typical database server in the Windows environment.

The attackers start by checking whether port 1422 for MS-SQL is open to the public, and then launch a brute force or dictionary attack. They target the admin account, “sa” (system administrator), for login. Once the attackers have logged in to the admin account, they use various methods, including the xp_cmdshell command, to execute commands on the infected system.

Cobalt Strike is a commercial, full-featured penetration testing framework that allows attackers to deploy an agent on the victim machine, granting the operator remote access to the system. The researchers discovered that Cobalt Strike is downloaded through cmd.exe and powershell.exe via the MS-SQL process. Furthermore, the Cobalt Strike that is executed in MSBuild.exe comes with additional configurations that load a normal DLL file to evade detection by security software.


Attack Surfaces:

Credential Access, Execution, Reconnaissance

Command and Scripting Interpreter, Brute Force, Search Open Technical Database

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Network Manipulation, Security Controls, System Activity Monitoring

SuperPRO’s Threat Countermeasures Procedures:
1) Add the IOC signatures to endpoint security protection as custom threat detection rules. Refer to the provided IOC above to create a custom rule to block the respective file hashes and hostname, if necessary.
2) Disable the SA login or rename the SA login.
3) If the account cannot be disabled, use Windows Authentication Mode and a strong password for the SA account.
4) Keep all systems up to date with the latest security patches and updates.
5) Ensure ‘CHECK_EXPIRATION’ Option is set to ‘ON’ for All SQL Authenticated Logins Within the Sysadmin Role
6) Ensure ‘CHECK_POLICY’ Option is set to ‘ON’ for All SQL Authenticated Logins
7) Ensure ‘Ole Automation Procedures’ Server Configuration Option is set to ‘0’
8) Password complexity must be configured
9) Admin lockout duration must be configured
10) Password expiry must be configured
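
The settings named in steps 2, 3, 5, 6 and 7 can be verified with read-only queries against the SQL Server catalog views. The T-SQL below is an added example, not part of the original advisory; it also reports xp_cmdshell, which the advisory names as the command-execution method, and the PASS/FAIL wording is this example's own.

```sql
-- Added example: read-only audit of the hardening settings listed above.
-- Run with a login that can view server-level metadata (for example a sysadmin).
SET NOCOUNT ON;

-- Step 2: the built-in sa login always keeps SID 0x01, even after a rename.
SELECT 'sa login' AS check_name,
       name       AS current_name,
       CASE WHEN is_disabled = 1 THEN 'PASS: disabled'
            WHEN name <> 'sa'    THEN 'PASS: renamed (still enabled)'
            ELSE 'FAIL: enabled under the default name'
       END AS result
FROM sys.sql_logins
WHERE sid = 0x01;

-- Step 3: 1 = Windows Authentication only, 0 = mixed mode (SQL logins accepted).
SELECT 'authentication mode' AS check_name,
       CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
            WHEN 1 THEN 'Windows Authentication only'
            ELSE 'Mixed mode: SQL logins such as sa accept password guesses'
       END AS result;

-- Steps 5 and 6: CHECK_POLICY on every enabled SQL login,
-- CHECK_EXPIRATION on every enabled SQL login in the sysadmin role.
SELECT name AS login_name,
       IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin,
       is_policy_checked,
       is_expiration_checked,
       CASE WHEN is_policy_checked = 0
                 THEN 'FAIL: CHECK_POLICY is OFF'
            WHEN is_expiration_checked = 0
                 AND IS_SRVROLEMEMBER('sysadmin', name) = 1
                 THEN 'FAIL: sysadmin login with CHECK_EXPIRATION OFF'
            ELSE 'PASS'
       END AS result
FROM sys.sql_logins
WHERE is_disabled = 0
  AND name NOT LIKE '##%';   -- skip internal certificate-based logins

-- Step 7, plus xp_cmdshell: both options should report 0 in use.
SELECT name AS option_name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 0 THEN 'PASS: disabled'
            ELSE 'FAIL: enabled'
       END AS result
FROM sys.configurations
WHERE name IN ('Ole Automation Procedures', 'xp_cmdshell');
```

The queries change nothing on the server, so they can be scheduled and their FAIL rows forwarded to monitoring.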

Are your Endpoints secured? Scan your Endpoints now:
1. Register account on Open Threat Exchange (OTX).
2. Download the OTX Endpoint Security.
3. Subscribe to Provintell-Lab’s OTX pulses. 
4. Scan your endpoint for the presence of the IOCs. It’s FREE!

Contributed by: 3h4d0w
