Threat actors hunt the internet to target unpatched Microsoft SQL servers

February 28, 2022
Threat Actors Internet Unpatched Microsoft SQL Servers Vulnerability Flaw Exploit

Researchers discovered a malicious threat campaign targeting unpatched Microsoft SQL servers on the web. The threat actors distribute Cobalt Strike Beacons on their potential hosts that still use unpatched SQL servers, and eye incompetently managed public-facing Microsoft SQL servers to be utilised for further widespread infection across cyberspace.

Moreover, the intrusions involve scanning port 1433 to review for flawed MS SQL servers to initiate a brute force attack or dictionary campaign against the system admin account to access it.

The threat actors’ next step includes spawning a Windows command shell utilising the Microsoft SQL process coded as sqlservr[.]exe to download the next-phase payload. The following payload contains an encoded Cobalt Strike binary deployed on the targeted system.

If the threat actors gain access to the admin account and log in to the server, they will drop and deploy coin miners such as Vollgar, Lemon Duck, and KingMiner.


The threat actors carefully planned out their attack against the unpatched MS SQL servers since they already have the technique to avoid detection.


According to the analysis, MS SQL attackers utilise a Cobalt Strike Beacon to establish persistence on their target. Moreover, the Cobalt Strike allows the threat actors to have lateral movement on the targeted system while bypassing security software.

When the attack is final, the malware decodes the Cobalt Strike executable. The decoding will then be injected into the genuine MS Build Engine process.

Threat actors achieved the evasion through loading a Windows library for WWan Media Manager tracked by researchers as wwanmm[.]dll. In addition, the threat actors will write and execute the beacon inside the memory area of the DLL.

Lastly, the beacon that collects the threat actor’s command and carries out the malicious act does not reside in the compromised memory area and instead operates in a standard module. By doing this technique, the threat actors can avoid the memory-based detection mechanism inside their targeted system.

The latest attacks towards unpatched MS SQL servers show a severe cybersecurity threat, and an unpatched server will always be an attractive spot for numerous threat actors.

About the author

Leave a Reply