Cobalt Strike C&C and Freeworld Ransomware Doing the Rounds on Unsecured MSSQL Instances

A nasty combination: attackers are currently targeting poorly maintained and poorly secured instances of Microsoft SQL Server (MSSQL), of which there are plenty exposed on the internet.

FreeWorld, like most ransomware, encrypts the victim's files to deny access to them and demands payment to restore them. Encrypted files are given the extension ".FreeWorldEncryption", and contact details for the attackers are left on the victim's system.

Cobalt Strike is not inherently malicious software; it is a legitimate, commercially available adversary-emulation tool used by security professionals and red teams to assess the security of computer systems. It provides a range of features for simulating advanced threat actors, which is exactly why cracked copies are so popular with real ones.

One of the key components of Cobalt Strike is the “Beacon” command-and-control (C2) agent. Here’s an overview of what the Beacon C2 agent does:

  1. Command and Control: Beacon establishes a covert communication channel between the operator's infrastructure (the Cobalt Strike "team server") and the compromised host running the implant. This channel is used to send commands, receive results, and exfiltrate data, simulating the actions of a real attacker.
  2. Persistence: Beacon itself runs in memory and does not persist on its own; operators add persistence (scheduled tasks, services, registry run keys and the like) so that access survives reboots and lasts over an extended period. This is how long-term attacker presence is simulated, and how real attackers keep their foothold.
  3. Stealth: Beacon is designed to be hard to detect. Its network traffic can be shaped with Malleable C2 profiles to blend in with legitimate traffic (for example, ordinary-looking HTTPS requests), and its in-memory techniques are intended to evade endpoint security tools.
  4. Post-Exploitation: Beacon is the vehicle for post-exploitation activity, allowing the operator to explore the compromised system, escalate privileges, move laterally, and gather information about the target environment.
  5. Data Exfiltration: It can be used to pull sensitive data from the compromised system back to the team server, mimicking a real threat actor's actions.

Target machines are typically brute-forced over the exposed SQL Server port, so put some brute-force protection in place: strong, unique passwords for the sa and other SQL logins, lockout or rate limiting at the network edge, and no direct internet exposure of the instance at all if you can avoid it. Once access is gained it is open season for the database, and the tooling above is installed on the host. Further compromise is possible, e.g. installing AnyDesk for hands-on remote access or ngrok to tunnel traffic out past the firewall.
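Brute-forcing leaves a loud trail in the SQL Server ERRORLOG, so here is a small detector for it, added as an illustration (this is not code from the original post or from any tool mentioned on it). It assumes the instance has login auditing set to "Both failed and successful logins", so that the log contains "Login failed for user" and "Login succeeded for user" lines with a [CLIENT: ip] suffix; the sample log below is constructed, not a real capture. A burst of failures from one client is flagged as brute-forcing, and a success from that same client afterwards is flagged as a probable compromise, which is the moment to start looking for AnyDesk, ngrok or a Beacon on the box.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (not a real capture).
# The "Error: 18456" lines are what SQL Server writes before each
# "Login failed" line; the detector ignores them and reads the Logon lines.
SAMPLE_ERRORLOG = """\
2023-09-01 03:14:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-01 03:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 03:14:01.40 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-01 03:14:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 03:14:01.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 03:14:02.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 03:14:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 03:14:03.90 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-01 09:00:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

# Matches both the failed and the succeeded variants of the Logon line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of login events (non-Logon lines are skipped)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "outcome": m["outcome"],
            "user": m["user"],
            "client": m["client"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Per client IP: 'bruteforce' when `threshold` failures land inside a
    sliding `window`; 'compromised' when a successful login from that client
    follows such a burst. Thresholds are assumptions, tune them to your estate."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    findings = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        recent = []            # failure timestamps still inside the window
        total_failures = 0
        users = set()
        status = None
        logged_in_as = None
        for e in evs:
            if e["outcome"] == "failed":
                total_failures += 1
                users.add(e["user"])
                recent.append(e["ts"])
                recent = [t for t in recent if e["ts"] - t <= window]
                if len(recent) >= threshold and status is None:
                    status = "bruteforce"
            elif status == "bruteforce":
                # A success after a burst of failures: the guessing worked.
                status = "compromised"
                logged_in_as = e["user"]
        if status:
            findings[client] = {
                "status": status,
                "failures": total_failures,
                "users": sorted(users),
                "logged_in_as": logged_in_as,
            }
    return findings


def analyse(text=SAMPLE_ERRORLOG):
    return detect_bruteforce(parse_logon_events(text))


if __name__ == "__main__":
    for client, finding in analyse().items():
        print(client, finding)
```

On a real host, feed it the contents of ERRORLOG (or the output of xp_readerrorlog) instead of the sample; the one client above that succeeds after five failures in three seconds is reported as compromised, while the single stray failure from the internal reporting login is ignored.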
