Rewterz Threat Alert – Microsoft’s SQL Servers Targeted – Active IOCs

Severity

High

Analysis Summary

MS-SQL servers are vulnerable to a attack where Cobalt Strike is distributed through vulnerable servers. 

“If the attacker succeeds to log in to the admin account through these processes, they use various methods including the xp_cmdshell command to execute the command in the infected system. Cobalt Strike that has recently been discovered was downloaded through cmd.exe and powershell.exe via the MS-SQL process as shown below.”

Cobalt Strike first appeared in 2012 in response to alleged flaws in the Metasploit Framework, an existing red team (penetration testing) tool. Cobalt Strike 3.0 was released in 2015 as a stand-alone opponent emulation platform. However, researchers began observing threat actors using Cobalt Strike by 2016. Cobalt Strike’s use in hostile activities was previously connected with huge cybercriminal operations like TA3546 and APT40.  Cobalt Strike is a legitimate Pen test (penetration testing) toolkit that deploys “beacons” on infected devices to perform malicious behaviors. It is commonly used in ransomware attacks. 

Cobalt Strike allows the attacker to install a Beacon agent on the victim’s PC, which gives them access to a variety of tools, including command execution, file transfer,  keylogging, mimikatz, port scanning, and privilege escalation. Cobalt Strike includes a toolkit called Artifact Kit that is used to create shellcode loaders.

Impact

• Information Theft
• Exfiltration Of Data

Indicators of Compromise

Filename

• COVID 19 LETTER[.]xls
• Covid Test Results[.]xls
• COVID-19-07[.]02[.]22[.]xls
• 401K COVID-19 Options[.]xls
• COVID results[.]xls

MD5

• ae7026b787b21d06cc1660e4c1e9e423
• e9c6c2b94fc83f24effc76bf84274039
• 828354049be45356f37b34cc5754fcaa
• 894eaa0bfcfcdb1922be075515c703a3
• 4dd257d56397ec76932c7dbbc1961317
• 450f7a402cff2d892a7a8c626cef44c6
• 2c373c58caaaca0708fdb6e2b477feb2
• bb7adc89759c478fb88a3833f52f07cf

SHA-256

• 3941ea5a78ec9965bf466cc7c75adf2b898cdfff895f7bbc35bbbc99cf556db0
• 497d09f6c3c196363146db34bee6deaa5fc02fea4bef8803ae0c928916954d99
• a7cbeeba9fd5f17a1e5be18ea55db5727fe1c7f69471f7b28dae1887900d763b
• 0d032d82dec12b4c35e2724d09ef23f517ee839efd673b26a28cec732ddce343
• abce33edfa88dfe933813aa249d9faaa0ee890100111d42a1bc9a01719821051
• d6a1fddbde5dc3a875d1f31fd0bbd77d0e3d4307724f298015923a5763cbfe3f
• a13bbc18f170465ff99b532ceb4a6773c8683b503cca73ea29126dc1d5787284
• dbd46a9515a1fba42e02eac95c85bba9f699de07d2c5cb04a42d71ac3a86dec9
• 43cd38a962aa63091260f2648304b22e01aea8ea79c23ca16f99d17133f1ba20

SHA-1

• f4698d0790940fd3cd613502baac752b0772df20
• 58bde687a2af97bcc827f4b8ceb724fffabe5e95
• 0e21a0a54aedf5f4a4693071bd9b7f66c4234621
• eeee9c6fbd737d0e536d18b9f07e3db4be81cd51
• aca84353507f5c4f388351c6e07da49f2b3f00c5
• 1912badf58cac78d9094a4decff538278edf885b
• ae898df247d09042fa8cd41f58a78fecc101fb96
• 8dd150b6174b11d2fd09bda7958320ab02a2fb61
• f463a0aa3cc5f961ba780125d3f2f2c9460a1b3c

URL

• http[:]//92[.]255[.]85[.]83[:]7905/push
• http[:]//92[.]255[.]85[.]83[:]9315/en_US/all[.]js
• http[:]//92[.]255[.]85[.]86/owa/
• http[:]//92[.]255[.]85[.]90[:]81/owa/
• http[:]//92[.]255[.]85[.]90[:]82/owa/
• http[:]//92[.]255[.]85[.]92[:]8898/dot[.]gif
• http[:]//92[.]255[.]85[.]93[:]18092/match
• http[:]//92[.]255[.]85[.]93[:]12031/j[.]ad
• http[:]//92[.]255[.]85[.]94[:]83/ga[.]js
• http[:]//92[.]255[.]85[.]93[:]18092/jRQO
• http[:]//92[.]255[.]85[.]93[:]12031/CbCt

Remediation

• Logging – Log your eCommerce environment’s network activity and web server activity.
• Passwords – Implement strong passwords. Enable two-factor authentication.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are
• not publicly accessible.
• WAF -Set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely.