Vulnerable MS-SQL Servers

A new wave of attacks on vulnerable MS-SQL Servers (Microsoft SQL) has been discovered by the cybersecurity analysts of the ASEC analysis team at AhnLab.

In these attacks, the hackers are installing the Cobalt Strike beacons on the compromised system of their victim to penetrate deeper into the victim’s network.

With open TCP port 1433, the attacks begin, and here the open TCP port 1433 implies to be MS-SQL servers. Once the attack is executed, the attacker performs a brute-force attack to crack the admin password.

Attacks Performed

In this new wave of attacks, the hackers perform two key attacks to accomplish their goal, and here they are mentioned below:-

  • Brute force attack.
  • Dictionary attack.

Miners Used

After acquiring access to the admin account and penetrating the server, the hackers deploy several crypto miners, and here they are:-

  • Lemon Duck
  • KingMiner
  • Vollgar

While later to gain a foothold in the compromised system of their victim and laterally move into the network, the attackers using the Cobalt Strike also create a backdoor.

The Cobalt Strike beacons are mainly loaded through:-

  • cmd.exe
  • powershell.exe

And once they are loaded after that, they get embedded and executed in MSBuild.exe to avoid any type of detection.

In a later stage, the beacons are embedded in the legitimate wwanmm.dll process to remain hidden inside the system file and wait for further commands from its operators.


Apart from this, the cybersecurity researchers have recommended a few security recommendations to mitigate such attacks, and here we have mentioned them below:-

  • Always use strong and complex passwords.
  • Don’t use any used password.
  • Always place server behind a firewall.
  • Always monitor the logs for any suspicious activity.
  • Always keep your system and software updated with the latest updates.
  • Use robust security tools.
  • Always install the available security updates on time.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.