Cobalt Strike: MSSQL server and thus JTL-Wawi database at risk

As was to be expected, Microsoft SQL Server is currently being targeted by 3 different groups. The attackers first scan for an existing MSSQL server and then run a brute-force attack against it to take it over.

Once the attackers have cracked the login to the MSSQL server, they are able to execute programs and PowerShell scripts through various vulnerabilities, such as the extensive capabilities of the xp_cmdshell command.

The attackers then install Lemon Duck, KingMiner, or Vollgar to mine cryptocurrencies on the systems.

In addition, the attackers install the Cobalt Strike software, well hidden from security products such as virus scanners. Cobalt Strike gives the attackers extensive access to the system at a later point as well and lets them load additional programs.

This shows once again that services that do not actually have to be publicly reachable (unlike, for example, a web server for a homepage) should not be publicly reachable. This is especially true for the JTL database server and remote desktop services.
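The sequence described above (brute-forced login, then xp_cmdshell) leaves traces in the SQL Server error log, and the following added example, which is not part of the original post, shows one way to flag it. The function name, thresholds and sample log lines are assumptions made up for illustration; successful logins only appear in the log when login auditing is set to record both failed and successful logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ERRORLOG line layout: timestamp, source (Logon, spid55, ...), message text
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+(\S+)\s+(.*)$")
LOGIN = re.compile(r"Login (failed|succeeded) for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
XP_ON = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def analyze(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag failure bursts per client, a success after one, and xp_cmdshell being enabled."""
    recent = defaultdict(deque)  # client -> timestamps of failures inside the window
    noisy, alerts = set(), []    # noisy: clients that already crossed the threshold
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        login = LOGIN.search(m.group(3))
        if login:
            outcome, user, client = login.groups()
            if outcome == "failed":
                q = recent[client]
                q.append(ts)
                while ts - q[0] > window:   # drop failures older than the window
                    q.popleft()
                if len(q) >= threshold and client not in noisy:
                    noisy.add(client)
                    alerts.append(("brute_force", client, user))
            elif client in noisy:           # success from a client that was guessing
                alerts.append(("login_after_brute_force", client, user))
        elif XP_ON.search(m.group(3)):
            alerts.append(("xp_cmdshell_enabled", m.group(2), None))
    return alerts

# Constructed sample in ERRORLOG style (documentation IP ranges, not real incident data).
FAIL = ("2024-05-01 03:{t}.11 Logon       Login failed for user '{u}'. "
        "Reason: Password did not match that for the login provided. [CLIENT: {c}]")
SAMPLE_LOG = "\n".join(
    [FAIL.format(t="09:00", u="shop", c="198.51.100.20")]
    + [FAIL.format(t=f"10:0{i}", u="sa", c="203.0.113.7") for i in range(1, 7)]
    + ["2024-05-01 03:10:09.40 Logon       Login succeeded for user 'sa'. "
       "Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]",
       "2024-05-01 03:10:30.52 spid55      Configuration option 'xp_cmdshell' "
       "changed from 0 to 1. Run the RECONFIGURE statement to install."]
)

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

On a server that is not reachable from the internet, the first two alert types should stay silent; an `xp_cmdshell_enabled` alert that no administrator can account for deserves immediate attention.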

A detailed analysis of this topic has been published by the security researchers at AhnLab (external link).

I will gladly help you to secure your Windows server and your MSSQL server. You can reach me via my contact form.
