Hackers attack Unpatched Microsoft SQL Database Servers with Cobalt Strike (24th February 2022)

Ref# AL2022_11 | Date: Feb 24th 2022


Cybercriminals are exploiting unsecured internet-facing Microsoft SQL Servers as part of a new operation to install the Cobalt Strike adversary simulation program on infected devices.


Threat actors use attack vectors including brute force and dictionary attacks on poorly maintained systems to load their payload “cobalt strike,” a penetration testing framework that allows an attacker to deploy an agent named “Beacon” on the target machine. The attackers obtain remote access to compromised systems as a result of this type of assault. This was revealed in a report published on Monday, February 21st, 2022, by AhnLab Security Emergency Response Center, a South Korean cybersecurity organization.

How it works?

The threat actor checks port 1433 for vulnerable MS SQL servers in order to attempt a login via brute force or dictionary attacks on the system administrator”s account.

The next phase of the assault works by opening a Windows command shell via the MS SQL “sqlservr.exe” function to acquire the next-stage payload onto the system, which contains the encoded Cobalt Strike malware.

The virus then decrypts the Cobalt Strike payload before injecting it into the official Microsoft Build Engine (MSBuild) process, which has previously been exploited by criminal actors to deliver remote access trojans and password-stealing malware to Windows computers.

Additionally, the Cobalt Strike executable in MSBuild.exe has additional parameters to circumvent security program detection. It does so by loading the “wwanmm.dll” Windows library for WWan Media Manager, then writing and running the Beacon in the DLL”s memory space.

The researchers noticed that because the beacon that receives the attacker”s order and conducts the dangerous activity does not exist in a dubious memory area and instead functions in the normal module wwanmm.dll, it is able to avoid memory-based detection.


To circumvent this type of malware, users are advised to follow the steps below:

  1. Implement a strong password policy such as multifactor authentication where possible and account reset after a certain number of failed attempts.
  2. Implement Web Application Firewall – A web application firewall (WAF) can protect your system against brute force attacks. It usually sets a limit on how many requests a source can make to a URL space in a given amount of time. Aside from brute force assaults aimed at stealing session tokens, WAFs can also protect against denial-of-service (DOS) attacks that deplete server resources and block vulnerability scanning tools that monitor your computer network for flaws.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: Hackers attack Unpatched Microsoft SQL Database Servers.pdf