
Microsoft SQL servers hit by Cobalt Strike attacks


Security researchers have identified a new campaign installing Cobalt Strike beacons on poorly protected Microsoft SQL Servers.

Plenty of MS-SQL Server instances are exposed to the internet with weak passwords, something many threat actors know how to abuse, and cybersecurity researchers from AhnLab's ASEC have now found a campaign doing just that.

First, the attackers scan the internet for hosts with TCP port 1433 (the default MS-SQL listener port) open. Then they brute-force the logins on those servers, trying password after password until one works. The attack only succeeds when the password is relatively easy to guess, the researchers added.


Abusing legitimate software

Once the attackers are in, what they install is a matter of preference. Sometimes it is a cryptocurrency miner such as LemonDuck, KingMiner, or Vollgar, but most of the time it is Cobalt Strike.

Cobalt Strike is a commercial penetration testing product that is frequently abused by threat actors. It provides persistence and lateral movement throughout the target network: operators can use it to execute commands, log keystrokes, escalate privileges, scan ports, and steal credentials. Because its beacon runs as fileless shellcode in memory, it is less likely to be spotted by antivirus solutions.

"As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection," the researchers explain.

While the attacker(s) have not been identified, AhnLab did say that all of the download URLs and C2 server URLs used in these recent attacks point to the same threat actor.

The best defence is a strong password for every SQL login: a long string mixing uppercase and lowercase letters, numbers, and symbols. Avoid sequential numbers (123, 789), meaningful dates such as birthdays, and names that could be obtained through social engineering (street names, significant others, children, pets, and so on).

Strong passwords aside, administrators are also advised to keep the server behind a firewall so that port 1433 is not reachable from the internet, to log everything, and to watch for suspicious activity such as bursts of failed logins from one source. They should also keep all software patched and up to date.
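The scan-then-brute-force pattern described above, together with the advice to log everything, can be turned into a concrete detection. The following Python is an added example, not code from the article or from AhnLab. It parses constructed log lines that approximate the SQL Server ERRORLOG format for logon events (error 18456 "Login failed" entries and, where login auditing is set to record successes, "Login succeeded" entries), counts failures per source address in a sliding window, and raises an alert when a source exceeds a threshold and again when a login from that source later succeeds, which is the "one password sticks" case. The threshold, window, and sample lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample entries approximating the SQL Server ERRORLOG format.
# Addresses are documentation ranges; none of this is real telemetry.
SAMPLE_LOG = """\
2022-02-20 10:15:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2022-02-20 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-02-20 10:15:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-02-20 10:15:03.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-02-20 10:15:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-02-20 10:15:05.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-02-20 10:15:20.00 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.4]
2022-02-20 10:15:40.44 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2022-02-20 10:16:10.00 Logon       Login failed for user 'app_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

# Matches only the "Login failed/succeeded ... [CLIENT: x]" lines; the
# separate "Error: 18456" header lines and unrelated entries are skipped.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) +Logon +"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*?\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of logon event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "ok": m["outcome"] == "succeeded",
            "user": m["user"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window failure count per source IP.

    Returns (kind, ip, user, failures_in_window) tuples:
      "bruteforce"               - a source reached `threshold` failures
                                   inside `window` (reported once per source)
      "success_after_bruteforce" - a login succeeded from a source that is
                                   already flagged, i.e. a password stuck
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures in window
    flagged = set()
    alerts = []
    for ev in events:
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # expire old failures
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("bruteforce", ev["ip"], ev["user"], len(q)))
        elif ev["ip"] in flagged:
            alerts.append(("success_after_bruteforce", ev["ip"], ev["user"], len(q)))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(parse_logon_events(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, ip, user, n in run_sample():
        print(f"{kind:26s} source={ip} user={user} failures_in_window={n}")
```

Two practical points: by default SQL Server writes only failed logins to the ERRORLOG, so the "success_after_bruteforce" branch only fires if the instance's login auditing is set to record both failed and successful logins; and a single host hammering the same login is the easy case, so in production the same counters are worth keying on the target login as well, to catch a slow spray across many source addresses.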

Via: BleepingComputer

Date

23 Feb 2022

Other Blog

  • Ubuntu 21.04 will be called Hirsute Hippo - and it arrives sooner than you might think

    Trivia: This will be the third Ubuntu release with the letter H

  • Critical Veeam backup vulnerabilities exposed Windows users to ransomware assault

    Two critical vulnerabilities have been discovered in Veeam backup solutions which may have put users at risk of a ransomware attack.

    Veeam Backup & Replication was found to be vulnerable to CVE-2022-26500, and CVE-2022-26501 by Positive Technologies researcher Nikita Petrov, and although specific details were not disclosed, the flaws are thought to allow unauthenticated users access to internal API functions. 

    “A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code,” Positive's report said.


    Ransomware and denial of service

    The researcher did say that the vulnerabilities could be leveraged to gain initial access and establish persistence on the target endpoint, install malware, steal data, or directly execute commands that extract, or delete data, mount denial of service attacks, or encrypt the infrastructure and run a ransomware attack.

    In total, three versions of the tool were affected by the vulnerabilities: 9.5, 10, and 11. Patches are already available for the latter two, and users are urged to update immediately. Those that are unable to apply the patches right now can temporarily stop or disable the Veeam Distribution Service to mitigate the risk.

    The same researcher discovered an additional vulnerability in Veeam Agent for Microsoft Windows, which is a data backup software for the Microsoft OS. Tracked as CVE-2022-26503, the flaw allows attackers to “execute arbitrary code on the node with maximum rights (Local Privilege Escalation) gaining access to the resources of the compromised node with maximum privileges.”

    In other words, any data stored on a vulnerable endpoint can be stolen, or used to mount further attacks. Versions 2.0, 2.1, 2.2, 3.0.2, 4.0, and 5.0 of the product were affected, the company confirmed. Patches for versions 4.0 and 5.0 have been issued. 

  • Cheaper computer memory is on the horizon thanks to this RAM breakthrough

    IGZO-TFT technology will enable much higher density.

  • WD Black SN850 SSD looks to steal the PCIe 4.0 limelight from Samsung’s 980 Pro

    Western Digital has also launched a nifty NVMe SSD add-in board, and a game dock.
