Microsoft SQL Servers, victims of Cobalt Strike

March 10, 2022

Cobalt Strike is a computer security tool used to simulate real attacks within a network. Its malleability and robustness allow an operator to move laterally within a network and to deliver malware payloads.

As mentioned, Cobalt Strike is a licensed tool used to audit internal networks; however, in recent years cybercriminals have managed to crack full versions of it, gaining access to all of its features, which makes it a very dangerous tool. It is currently one of the favorite tools of cybercriminals, and one of their main targets is Microsoft SQL Server instances exposed to the Internet that lack recent security patches or are poorly configured.

The intrusions begin with scans of port 1433 to identify exposed MS SQL servers. Servers found this way are then compromised with dictionary and brute-force attacks to gain administrator access.

Once access is obtained, the attackers use Cobalt Strike to compromise the rest of the internal network, including further MS SQL servers that are not themselves exposed to the Internet.

Two weeks ago Microsoft released 51 security updates for its products, including MS SQL Server, so it is recommended to patch these servers as soon as possible, even if they are not exposed to the Internet.

Another recommendation is to enforce a strong password policy, especially for administrator accounts: avoid default or weak passwords that fall to a dictionary or brute-force attack, and change passwords periodically, so as not to fall victim to this new trend of attacks on MSSQL servers.
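Beyond patching and password policy, a defender can spot the password-guessing stage of this campaign in SQL Server's own ERRORLOG, where each rejected login is recorded as error 18456 with the client address. The detector below is an added example, not code from the original post; the log lines are constructed in ERRORLOG style, and the threshold and window are assumptions to tune per environment.

```python
"""Flag password guessing against MS SQL from ERRORLOG-style 'Login failed' lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One ERRORLOG "Login failed" line: timestamp, login name and client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logins(lines):
    """Yield (timestamp, user, client) for each failed-login line; skip everything else."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client: users_tried} for clients with >= threshold failures inside any window.

    Threshold and window are assumed defaults. A sliding window per client catches
    the bursts a dictionary attack produces, whether it hammers 'sa' or cycles users.
    """
    events = defaultdict(list)                  # client -> list of (timestamp, user)
    for ts, user, client in parse_failed_logins(lines):
        events[client].append((ts, user))
    hits = {}
    for client, attempts in events.items():
        attempts.sort()
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:   # drop attempts older than the window
                start += 1
            if end - start + 1 >= threshold:
                hits[client] = {u for _, u in attempts}
                break
    return hits

# Constructed sample: six rapid failures for 'sa' from one address, one stray failure elsewhere.
SAMPLE_LOG = [
    f"2022-03-10 10:15:0{i}.12 Logon       Login failed for user 'sa'. Reason: Password did not "
    f"match that for the login provided. [CLIENT: 203.0.113.5]" for i in range(6)
] + [
    "2022-03-10 10:15:03.40 Logon       Error: 18456, Severity: 14, State: 8.",
    "2022-03-10 10:40:00.00 Logon       Login failed for user 'app_svc'. Reason: Password did not "
    "match that for the login provided. [CLIENT: 10.0.0.7]",
]

if __name__ == "__main__":
    for client, users in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible password guessing from {client}: users tried {sorted(users)}")
```

On a real server the same function can be fed the lines of the ERRORLOG file, or SQL Server Agent alerts on error 18456 can be used to the same end.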

