Hackers Exploit Unpatched Microsoft SQL Database Servers Using Cobalt Strike

Targeted Attacks on Vulnerable Microsoft SQL Servers Uncovered

Recent cybersecurity reports indicate that threat actors are actively exploiting vulnerable internet-facing Microsoft SQL (MS SQL) Servers as part of a disturbing new campaign. This effort aims to install the Cobalt Strike adversary simulation tool on compromised systems, revealing serious implications for cybersecurity.

According to the AhnLab Security Emergency Response Center (ASEC) from South Korea, these attacks are primarily focused on unpatched MS SQL servers. Cybercriminals are employing methods such as brute-force and dictionary attacks against inadequately secured servers. This includes targeting systems with weak administrative credentials, specifically focusing on the often-compromised “sa” account, which serves as the system administrator.

The risk is not limited to servers exposed to the internet. The actor behind the LemonDuck malware has used similar tactics, scanning for MS SQL servers inside a network to move laterally. This points to a broader problem: poorly managed server configurations create serious weaknesses, making such servers prime targets for attackers.

When attackers successfully breach a victim’s system, they often execute further actions by spawning a Windows command shell through the “sqlservr.exe” process. This initial foothold allows them to download additional payloads that contain the Cobalt Strike binary. Ultimately, the malware hijacks legitimate processes, including Microsoft Build Engine (MSBuild), to evade detection.
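As an added illustration of how a defender would spot the two stages described above (this is not code from the ASEC report or the original article), the Python below runs over constructed SQL Server ERRORLOG lines to find sources hammering the "sa" login, and over constructed process-creation events to find a command shell spawned by sqlservr.exe; the threshold, time window, hosts and file paths are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt: the message layout matches the real
# "Login failed for user" (error 18456) text, the hosts and times are invented.
SQL_ERRORLOG = """\
2024-05-02 10:14:01.12 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-02 10:14:01.45 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-02 10:14:01.90 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-02 10:14:02.31 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-02 10:14:02.77 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-02 11:02:15.03 Logon  Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
"""
LOGIN_FAIL = re.compile(r"^(?P<ts>\S+ \S+) Logon\s+Login failed for user "
                        r"'(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")

def brute_force_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """{(client, login): total failures} for sources with >= threshold failures in any window."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOGIN_FAIL.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            attempts[(m["client"], m["user"])].append(ts)
    hits = {}
    for key, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = len(times)
                break
    return hits

# Constructed process-creation events with Sysmon Event ID 1 style fields (paths assumed).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def shells_spawned_by_sqlserver(events):
    """Shells whose parent is the SQL Server service process; a database engine has no routine reason to start one."""
    base = lambda p: p.rsplit("\\", 1)[-1].lower()
    return [e for e in events
            if base(e["ParentImage"]) == "sqlservr.exe" and base(e["Image"]) in SHELLS]
```

The brute-force check keys on (client, login) so a single source cycling through many passwords for "sa" stands out even when the overall failure volume on the server is low.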

The Cobalt Strike deployment is characterized by its evasion techniques. For instance, it loads a legitimate Windows library, “wwanmm.dll,” and injects the Beacon agent into that module’s memory space. Because the Beacon then lives inside a region belonging to a loaded DLL, it is less likely to trigger memory-based detection systems, which typically flag code running in memory regions that do not belong to any legitimately loaded module.

In terms of the MITRE ATT&CK framework, these attacks reflect several critical adversary tactics and techniques. Initial access is typically achieved through brute-force attempts (T1110), while persistence is established using processes like “sqlservr.exe” for command execution (T1059). Moreover, privilege escalation can occur during the credential stuffing phase, particularly when using common administrative passwords.

This series of attacks underscores the necessity for robust cybersecurity measures, including regularly updating and patching systems, implementing multi-factor authentication, and enforcing strong password policies. Protecting databases from threats requires vigilant oversight and proactive security practices, particularly as the sophistication of adversaries continues to evolve.

For business owners, the stakes are high. The increasing prevalence of such attacks serves as a reminder that cybersecurity cannot be neglected. As the digital landscape continues to shift, the vulnerabilities associated with poorly secured MS SQL Servers present real, actionable risks that organizations must address.
