Analysts at AhnLab Security Emergency have found a new wave of attacks targeting Microsoft SQL Servers. The attackers use an interesting way to exploit the systems: planting a beacon of the Cobalt Strike penetration-testing tool. Cobalt Strike is a $3,500 tool used by ethical hackers to detect security flaws and improve systems' security. However, malicious actors have found a way to crack it and use it for non-ethical hacking.
Weak password is the key
The attackers scan for servers with TCP port 1433 open, the port most likely to be used by Microsoft SQL Server. Once they find one, they try to crack the password with brute-force and dictionary attacks. A weak password is the key here, since those steps succeed only if the password on the target machine is weak. They then log into the server with the admin account.
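Detection logic for the brute-force stage described above, added here as an example and not taken from the AhnLab report: it parses constructed SQL Server ERRORLOG lines, flags a client whose failed logins reach a threshold inside a sliding window, and reports the account if that same client then logs in successfully. The log excerpt, threshold, window and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (sample data, not from the report).
# Each failed-login line (error 18456) ends with a [CLIENT: ...] tag holding the source IP.
ERRORLOG = """\
2023-02-20 10:15:32.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-02-20 10:15:32.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-02-20 10:15:33.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-02-20 10:15:34.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-02-20 10:15:34.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-02-20 10:15:35.50 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-02-20 11:02:10.00 Logon       Login failed for user 'app_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_events(text):
    """Return (timestamp, result, user, client) tuples for every logon line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["result"], m["user"], m["client"]))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Map client -> account for sources whose failures within `window` reached
    `threshold` and that then logged in successfully (the guess paid off)."""
    recent = defaultdict(deque)   # client -> timestamps of its recent failures
    flagged = set()
    hits = {}
    for ts, result, user, client in events:
        q = recent[client]
        if result == "failed":
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged.add(client)
        elif client in flagged:               # success after a burst of failures
            hits[client] = user
    return hits
```

A success that follows a flagged burst from the same source is the event worth paging on; a burst alone from a single internal host is more often a misconfigured application.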
Attackers currently tend to install cryptocurrency mining tools such as Vollgar, KingMiner, and Lemon Duck. They also leave a backdoor with Cobalt Strike for easy access in the future. The software is installed via the command shell and then executed through MSBuild to avoid detection.
Once execution is complete, the software injects a beacon into wwanmm.dll. This is a legitimate Windows file, the WWAN Media Manager, but once the injection is done it serves its master, awaiting further commands.