The best way to remain secure is to keep a strong password, which includes a string of both uppercase and lowercase letters, numbers, as well as symbols.
While the name of the attacker(s) remains a mystery, AhnLab did say that all of the download URLs, as well as the C2 server URLs, used in these recent attacks, point to the same threat actor. “As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection,” the researchers explain. What’s more, its fileless shellcode reduces the chances of the instance being spotted by antivirus solutions. Threat actors can use it to execute commands, log keys, escalate privileges, scan for ports, and steal credentials. It enables persistence, and lateral movement, throughout the target network. Sometimes it’s cryptocurrency miners such as LemonDuck, KingMiner, or Vollgar, but most of the time, it’s Cobalt Strike.Ĭobalt Strike is a paid penetration testing product, often abused by threat actors for nefarious purposes. Once the attackers are in, it’s just a matter of preference, what they install.
The password needs to be relatively easy to guess, in order for the attack to work, the researchers added. Then, they conduct brute-force attacks against those servers, trying out an infinite number of passwords until one sticks.
Customize cobalt strike beacon how to#
Plenty of MS-SQL Server instances are exposed to the internet by carrying weak passwords, something many threat actors know how to abuse – and cybersecurity researchers from Ahn Lab’s ASEC have now found someone doing just that.įirst, they scan the internet for endpoints with an open TCP port 1433. Security researchers have identified a new campaign installing Cobalt Strike beacons on poorly protected Microsoft SQL Servers.
0 kommentar(er)
