• Microsoft SQL servers hit by Cobalt Strike attacks

    From TechnologyDaily@1337:1/100 to All on Wed Feb 23 22:30:05 2022
    Microsoft SQL servers hit by Cobalt Strike attacks

    Date:
    Wed, 23 Feb 2022 22:15:50 +0000

    Description:
    Cobalt Strike attacks go after poorly-protected Microsoft SQL servers.

    FULL STORY ======================================================================

    Security researchers have identified a new campaign installing Cobalt Strike beacons on poorly protected Microsoft SQL Servers.

    Plenty of MS-SQL Server instances are exposed to the internet while carrying
    weak passwords, something many threat actors know how to abuse - and cybersecurity researchers from AhnLab ASEC have now found someone doing
    just that.

    First, they scan the internet for endpoints with an open TCP port 1433. Then, they conduct brute-force attacks against those servers, trying password after password until one sticks. The password needs to be relatively easy to guess in order for the attack to work, the researchers added.

    Abusing legitimate software

    Once the attackers are in, what they install is just a matter of preference. Sometimes it's cryptocurrency miners such as LemonDuck, KingMiner, or Vollgar, but most of the time it's Cobalt Strike.

    Cobalt Strike is a paid penetration testing product, often abused by threat actors for nefarious purposes. It enables persistence and lateral movement throughout the target network. Threat actors can use it to execute commands, log keys, escalate privileges, scan for ports, and steal credentials. What's more, its fileless shellcode reduces the chances of the instance being
    spotted by antivirus solutions.

    "As the beacon that receives the attacker's command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection," the researchers explain.


    While the name of the attacker(s) remains a mystery, AhnLab did say that all of the download URLs, as well as the C2 server URLs, used in these recent attacks, point to the same threat actor.

    The best way to remain secure is to keep a strong password, which includes a string of both uppercase and lowercase letters, numbers, as well as symbols. Avoid using numbers in sequence (123, 789), meaningful dates (birthdays, for example), or names that could be obtained through social engineering (street names, names of significant others, children, pets, etc.).

    Strong passwords aside, users are also advised to keep the server behind a firewall, log everything, and keep both eyes out for suspicious actions. They should also make sure all of the software is frequently updated.
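    "Log everything and watch for suspicious actions" in practice: a small detector for the pattern the article describes, a burst of failed SQL Server logins from one client address followed by a successful one. This is an added example, not code from the article or from AhnLab. The log lines are constructed in the shape of SQL Server ERRORLOG logon audit records (which requires login auditing for failed or all logins to be enabled on the instance), the client addresses are RFC 5737 documentation addresses, and the threshold of 5 failures within 60 seconds is an assumption to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: five rapid failures for 'sa' and 'admin' from one address,
# one ordinary mistyped password from another, then two successful logins.
SAMPLE_ERRORLOG = """\
2022-02-23 22:15:50.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-02-23 22:15:50.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-02-23 22:15:50.52 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2022-02-23 22:15:50.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-02-23 22:15:51.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-02-23 22:16:10.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2022-02-23 22:16:12.44 Logon       Login succeeded for user 'reporting'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2022-02-23 22:16:15.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
"""

_TS = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
FAILED_RE = re.compile(_TS + r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS_RE = re.compile(_TS + r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def analyze_logons(log_text, threshold=5, window_seconds=60):
    """Return alerts in log order.

    brute_force: at least `threshold` failed logins from one client IP inside a
    sliding window of `window_seconds`.
    success_after_brute_force: a successful login from an IP already flagged,
    the signal that a guessed password may have worked.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, user) failures inside the window
    flagged = {}                  # ip -> its brute_force alert, updated as failures continue
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts, ip, user = _ts(m["ts"]), m["ip"], m["user"]
            q = recent[ip]
            q.append((ts, user))
            # Slide the window: forget failures older than window_seconds.
            while q and (ts - q[0][0]).total_seconds() > window_seconds:
                q.popleft()
            if ip in flagged:
                alert = flagged[ip]
                alert["failures"] += 1
                alert["users"] = sorted(set(alert["users"]) | {user})
                alert["last"] = ts
            elif len(q) >= threshold:
                alert = {"type": "brute_force", "ip": ip, "failures": len(q),
                         "users": sorted({u for _, u in q}),
                         "first": q[0][0], "last": ts}
                flagged[ip] = alert
                alerts.append(alert)
            continue
        m = SUCCESS_RE.match(line)
        if m and m["ip"] in flagged:
            alerts.append({"type": "success_after_brute_force", "ip": m["ip"],
                           "user": m["user"], "at": _ts(m["ts"])})
    return alerts


if __name__ == "__main__":
    for alert in analyze_logons(SAMPLE_ERRORLOG):
        print(alert)
```

    The single failure from 192.0.2.10 never reaches the threshold and produces nothing, while 203.0.113.45 is flagged on its fifth failure and again when the later login for sa succeeds; that second alert is the one worth paging on, since it is exactly the moment the article's campaign moves from guessing to installing a beacon.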

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/microsoft-sql-servers-hit-by-cobalt-strike-attacks/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)