{
	"id": "727fb1b8-4236-4cb1-b663-d9c897bbe682",
	"created_at": "2026-04-06T00:15:30.433859Z",
	"updated_at": "2026-04-10T13:11:28.829534Z",
	"deleted_at": null,
	"sha1_hash": "c5c01cdb76544273a66422046c878f45da62c8e8",
	"title": "Vulnerable Microsoft SQL Servers targeted with Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2423249,
	"plain_text": "Vulnerable Microsoft SQL Servers targeted with Cobalt Strike\r\nBy Bill Toulas\r\nPublished: 2022-02-22 · Archived: 2026-04-05 12:55:21 UTC\r\nThreat analysts have observed a new wave of attacks installing Cobalt Strike beacons on vulnerable Microsoft SQL Servers, leading to deeper infiltration and subsequent malware infections.\r\nMS-SQL Server is a popular database management system, powering everything from large internet applications to small single-system applets.\r\nHowever, many of these deployments aren't adequately secured: they are publicly exposed to the Internet with weak passwords, and according to a report by AhnLab's ASEC, an unknown threat actor is taking advantage of this.\r\nhttps://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/\r\nPage 1 of 4\r\nTargeting MS-SQL with Cobalt Strike\r\nThe attacks start with threat actors scanning for servers with an open TCP port 1433, which are likely public-facing MS-SQL servers. The attacker then carries out brute-force and dictionary attacks to crack the password. For either method to work, the target password has to be weak.\r\nOnce the attacker gains access to the admin account and logs into the server, the ASEC researchers have seen them drop coin-miners such as Lemon Duck, KingMiner, and Vollgar. Additionally, the threat actor backdoors the server with Cobalt Strike to establish persistence and perform lateral movement.\r\nCobalt Strike is downloaded via a command shell process (cmd.exe and powershell.exe) onto the compromised MS-SQL server and is injected and executed in MSBuild.exe to evade detection.\r\nProcesses that download Cobalt Strike (ASEC)\r\nAfter execution, a beacon is injected into the legitimate Windows module wwanmm.dll and waits for the attacker's commands while staying hidden inside a system library file.\r\n\"As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection,\" explains the report by AhnLab's ASEC group.\r\nCode and strings used for tainting the dll (ASEC)\r\nCobalt Strike is a commercial pen-testing (offensive security) tool that is extensively abused by cybercriminals, who find its powerful feature set particularly useful for their malicious operations.\r\nThe $3,500-per-license tool was meant to help ethical hackers and red teams simulate real attacks against organizations that want to boost their security stance, but from the moment cracked versions were leaked, its use by threat actors went out of control.\r\nIt's now used by Squirrelwaffle, Emotet, other malware operators, opportunistic attackers, Linux-targeting groups, sophisticated adversaries, and commonly by ransomware gangs when conducting attacks.\r\nThe reason threat actors abuse it so much is its rich functionality, which includes the following:\r\nCommand execution\r\nKeylogging\r\nFile operations\r\nSOCKS proxying\r\nPrivilege escalation\r\nMimikatz (credential stealing)\r\nPort scanning\r\nMoreover, the Cobalt Strike agent, called the \"beacon\", is file-less shellcode, so the chances of it being detected by security tools are decreased, especially on poorly managed systems.\r\nAhnLab's data shows that all the download URLs and C2 server URLs that supported the recent attack wave point to the same attacker.\r\nTo protect your MS-SQL server from attacks of this type, use a strong admin password, place the server behind a firewall, log everything and monitor for suspicious actions, apply available security updates, and use a data access controller to inspect and enforce policies on every transaction.\r\nSource: https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/"
	],
	"report_names": [
		"vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434530,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5c01cdb76544273a66422046c878f45da62c8e8.pdf",
		"text": "https://archive.orkl.eu/c5c01cdb76544273a66422046c878f45da62c8e8.txt",
		"img": "https://archive.orkl.eu/c5c01cdb76544273a66422046c878f45da62c8e8.jpg"
	}
}