MS-SQL server is a typical database server of the Windows environment, and it has consistently been a target of attack from the past. Attacks that target MS-SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers.
The attacker or the malware usually scans port 1433 to check for MS-SQL servers open to the public. It then performs brute forcing or dictionary attacks against the admin account, a.k.a. “sa” account to attempt logging in. Even if the MS-SQL server is not open to the public, there are types such as Lemon Duck malware that scans port 1433 and spreads for the purpose of lateral movement in the internal network.
Managing admin account credentials so that they’re vulnerable to brute forcing and dictionary attacks as above or failing to change the credentials periodically may make the MS-SQL server the main target of attackers. Other malware besides Lemon Duck that target MS-SQL server includes CoinMiner malware such as Kingminer and Vollgar.
If the attacker succeeds to log in to the admin account through these processes, they use various methods including the xp_cmdshell command to execute the command in the infected system. Cobalt Strike that has recently been discovered was downloaded through cmd.exe and powershell.exe via the MS-SQL process as shown below.
Cobalt Strike is a commercial penetration testing tool, and it is recently being used as a medium to dominate the internal system in the majority of attacks including APT and ransomware. Malware that has recently been discovered is an injector that decodes the encoded Cobalt Strike inside, and executes and injects the normal program MSBuild.exe.
Cobalt Strike that is executed in MSBuild.exe has an additional settings option to bypass detection of security products, where it loads the normal dll wwanmm.dll, then writes and executes a beacon in the memory area of the dll. As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection.
Although it is not certain in which method the attacker dominated MS-SQL and installed the malware, as the detection logs of Vollgar malware that was previously mentioned were discovered, it can be assumed that the targeted system had inappropriately managed the account credentials.
As a result, Ascend Technologies has pushed the detection ability of the known IOCs across our EDR, SIEM, and anti-malware platforms. These IOCs include IPs and hash values which will give us the ability to detect and alert. As is the case with most malware, end users are targeted which makes maintaining a robust security posture highly important, including end-user training, to develop safe and secure internet browsing habits.