Cybersecurity experts have uncovered a sophisticated campaign targeting enterprise web applications through the abuse of legitimate penetration testing tools.
Threat actors are increasingly leveraging professional security tools including Cobalt Strike, SQLMap, and other reconnaissance utilities to compromise corporate networks with alarming effectiveness.
The attacks typically begin with vulnerable web application components and escalate to full network access, allowing attackers to steal sensitive data and deploy ransomware payloads.
These attacks specifically utilize Cobalt Strike, a legitimate adversary simulation tool designed for security professionals, and SQLMap, an open-source utility that automates the detection and exploitation of SQL injection vulnerabilities.
The combination of these tools creates a potent arsenal for attackers seeking to breach organizational defenses through their web-facing applications.
Hunt.io analysts identified this emerging threat pattern after investigating multiple incidents across financial and healthcare sectors.
Their research shows attackers are specifically targeting outdated web applications with known vulnerabilities that organizations have failed to patch.
The researchers traced several recent breaches to initial SQL injection attacks that later incorporated Cobalt Strike beacons for persistent access.
The attackers typically begin by scanning for vulnerable web endpoints using automated tools, focusing particularly on legacy applications that may have escaped regular security updates.
Once a vulnerable target is identified, they deploy SQL injection attacks against database-connected applications to extract authentication credentials and other sensitive information.
The breach typically progresses from initial reconnaissance to exploitation using techniques that blend into normal administrative traffic.
In many cases, attackers leverage legitimate credentials harvested during the initial access phase.
Attack Analysis
The SQL injection payloads observed in these attacks utilize both error-based and time-based blind techniques.
A common pattern seen across multiple victims involves the use of queries similar to: ' UNION SELECT @@version, user(), database(), sleep(5) -- -
which both extracts database information and validates successful injection points.
The attackers then typically move to more sophisticated queries that extract user table information.
Following successful SQL injection, attackers deploy web shells with PHP code like the following to establish control:
<?php system($_REQUEST['cmd']); ?>
This minimal code allows execution of arbitrary commands through HTTP requests with the cmd parameter.
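The two artifacts described above (the UNION/sleep() injection probe and a web shell driven by a cmd parameter) both leave traces in ordinary web server access logs. The following Python script is an added detection example, not code from the article or from Hunt.io: it parses combined-format access log lines, URL-decodes the query string, and flags the injection indicators named in the article (UNION SELECT, sleep(), @@version/user()/database() fingerprinting), requests that pass a cmd-style parameter to a PHP script, and the sqlmap user agent. The log lines, IP addresses, paths and the user-agent strings are constructed for the example; the rule names and the parameter list are assumptions a team would tune to its own applications.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# Line 2 carries the URL-encoded form of the probe quoted in the article.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /products.php?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:02 +0000] "GET /products.php?id=42%27%20UNION%20SELECT%20%40%40version%2Cuser()%2Cdatabase()%2Csleep(5)%20--%20- HTTP/1.1" 200 5123 "-" "sqlmap/1.7"
198.51.100.7 - - [10/Mar/2025:12:00:05 +0000] "GET /products.php?id=42%27%20AND%20sleep(5)%20--%20- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:01:10 +0000] "POST /uploads/img.php?cmd=whoami HTTP/1.1" 200 17 "-" "curl/8.0"
192.0.2.5 - - [10/Mar/2025:12:02:00 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD url PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Injection indicators named in the article. Word boundaries keep ordinary
# search terms such as "union station" from matching.
SQLI_RULES = [
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("time-based-sleep", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("db-fingerprint", re.compile(r"@@version|\b(user|database)\s*\(\s*\)", re.I)),
]

# Parameter names a command-execution web shell commonly reads (assumed list;
# "cmd" is the one shown in the article).
SHELL_PARAMS = {"cmd", "exec", "command"}
SCANNER_UA = re.compile(r"sqlmap", re.I)


def analyze_request(url, user_agent):
    """Return the list of indicator names triggered by one request."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes values, so encoded payloads are inspected in clear.
    params = parse_qsl(parts.query, keep_blank_values=True)
    decoded = " ".join(f"{k}={v}" for k, v in params)
    indicators = [name for name, rx in SQLI_RULES if rx.search(decoded)]
    if parts.path.lower().endswith(".php") and any(k.lower() in SHELL_PARAMS for k, _ in params):
        indicators.append("webshell-cmd-param")
    if SCANNER_UA.search(user_agent):
        indicators.append("scanner-user-agent")
    return indicators


def scan_log(text):
    """Parse access log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or foreign-format line; skip rather than guess
        indicators = analyze_request(m["url"], m["ua"])
        if indicators:
            findings.append({
                "ip": m["ip"],
                "path": urlsplit(m["url"]).path,
                "indicators": indicators,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["ip"]:<14} {finding["path"]:<20} {", ".join(finding["indicators"])}')
```

Run against the constructed log, the script reports the sqlmap-style UNION/sleep() probe, the follow-up time-based probe from a second address, and the POST to an uploaded PHP file carrying a cmd parameter, while the benign search for "union station" produces nothing. In practice the web shell rule is the one worth extending first: pair it with an inventory of which PHP files are expected under upload directories, since a request to a script that should not exist there is a stronger signal than any parameter name.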
From there, attackers typically download Cobalt Strike beacons configured to communicate with command and control servers through encrypted channels using domain fronting techniques to evade detection.
Security teams are advised to implement web application firewalls, conduct regular vulnerability scanning, and maintain rigorous patch management procedures to defend against these increasingly sophisticated attacks.