What Is Cobalt Strike?

Over the last few weeks or so, industry experts and analysts have been seeing an increase in attacks on Microsoft SQL servers where Cobalt Strike beacons have been installed.

Threat actors are reportedly scanning for vulnerable servers with TCP port 1433 open, which is the default port that Microsoft SQL Server uses for all database connections. This is a security risk because IT support may never have changed the default port, and attackers are aware of that, so they've started using it as a way of accessing SQL Server.

From there, they can then carry out dictionary attacks (a brute-force technique where common words and phrases are run through systematically) to work out the password. In order for these attacks to be successful, the password in question has to be weak.
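A dictionary attack of this kind leaves a burst of failed logins from one client address in the SQL Server error log. The following detection sketch is an added example, not code from the original article; the log lines are constructed samples in the ERRORLOG format, the threshold and window are assumed values, and the "succeeded" lines are only present when login auditing is set to record both failed and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG format (documentation-range addresses).
BAD_PW = "Reason: Password did not match that for the login provided."
NO_USER = "Reason: Could not find a login matching the name provided."
OK = "Connection made using SQL Server authentication."
SAMPLE_LOG = "\n".join([
    "2022-03-01 02:14:01.10 Logon       Error: 18456, Severity: 14, State: 8.",
    f"2022-03-01 02:14:01.10 Logon       Login failed for user 'sa'. {BAD_PW} [CLIENT: 203.0.113.7]",
    f"2022-03-01 02:14:01.95 Logon       Login failed for user 'sa'. {BAD_PW} [CLIENT: 203.0.113.7]",
    f"2022-03-01 02:14:02.40 Logon       Login failed for user 'admin'. {NO_USER} [CLIENT: 203.0.113.7]",
    f"2022-03-01 02:14:03.02 Logon       Login failed for user 'sa'. {BAD_PW} [CLIENT: 203.0.113.7]",
    f"2022-03-01 02:14:03.77 Logon       Login failed for user 'sa'. {BAD_PW} [CLIENT: 203.0.113.7]",
    f"2022-03-01 02:14:04.31 Logon       Login succeeded for user 'sa'. {OK} [CLIENT: 203.0.113.7]",
    f"2022-03-01 09:00:12.00 Logon       Login failed for user 'appuser'. {BAD_PW} [CLIENT: 10.0.0.21]",
    f"2022-03-01 09:00:40.00 Logon       Login succeeded for user 'appuser'. {OK} [CLIENT: 10.0.0.21]",
])

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_dictionary_attacks(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins inside the window.

    Returns {client: {"failures", "users", "login_after"}}; login_after is the
    first account that logged in successfully after the client was flagged.
    """
    recent_failures = defaultdict(list)  # client -> [(timestamp, user), ...]
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the separate "Error: 18456" line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        client, user = m["client"], m["user"]
        if m["result"] == "failed":
            # Keep only failures still inside the sliding window.
            kept = [f for f in recent_failures[client] if ts - f[0] <= window]
            kept.append((ts, user))
            recent_failures[client] = kept
            if len(kept) >= threshold:
                hit = findings.setdefault(
                    client, {"failures": 0, "users": set(), "login_after": None})
                hit["failures"] = max(hit["failures"], len(kept))
                hit["users"].update(u for _, u in kept)
        elif client in findings and findings[client]["login_after"] is None:
            findings[client]["login_after"] = user  # weak password likely guessed
    return findings
```

A non-empty `login_after` for a flagged client is the case to escalate first, since it means a guess was followed by a working login from the same address.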

But what exactly is Cobalt Strike and why is it suddenly hitting the headlines?

Ironically enough, Cobalt Strike was first developed as a penetration testing tool for ethical hackers to use to test for vulnerabilities and weak areas in websites to help make them more secure.

But, as with many other cyber security resources of this kind, it has fallen into the wrong hands and hackers are now using it for nefarious purposes - so it certainly pays to be aware of it and the risks it poses to your business.

Cobalt Strike is threat emulation software that is able to identify known vulnerabilities in the programs being used, provide social engineering attacks and allow group hosts to share information with hackers in real time. It also uses Beacon, which is a dropper that deploys PowerShell scripts, takes screenshots, makes a note of keystrokes and downloads files.

Recent research from Sophos revealed that Cobalt Strike use is so prevalent across so many different stages of an attack that it’s now become one of the most valuable indicators of malicious activity… so a great area of focus for businesses now and well into the future.

 

For advice relating to SQL server monitoring software, get in touch with MiniDBA today.
