Blogs

Analyzing MSSQL brute-force post- exploitation: AutoIt Obfuscation and Injected Remcos

By Tony posted 13 days ago

  

Outside of the various forms of social engineering such as phishing, the most common observed access vector for adversaries is the targeting of external facing services/applications (T1190 – Exploit Public-Facing Application). In the last 12 months there has been a significant focus from threat actors on targeting zero- day vulnerabilities present in external facing services like Microsoft Exchange1 2, Confluence3, and services employing vulnerable log4j libraries4. Despite intrusions related to exploitation of these new zero-day vulnerabilities dominating the spotlight recently the FortiGuard Responder Managed Detection and Response (MDR) team continues to observe attacks where the initial attack vector is a brute-force attack on an external facing service, most commonly SQL database services such as postgres and MSSQL. Attacks on these services are linked
to multiple different actors, majority of which are financially motivated groups (criminals) looking to deploy ransomware or cryptominers.

This article breaks down how the FortiGuard Responder MDR team investigated one of these attacks. The article also takes a deep dive into some sophisticated adversary TTPs employed within the intrusion to evade detection. MITRE ATT&CK mappings and observables are provided at the end of the article alongside IOCs and relevant Threat Hunting queries.

To read the full article please click the link here.  


Permalink